ML020700311

From kanterella
Jump to navigation Jump to search

Part 3 of 10, North Anna Power Station, Units 1 & 2, Proposed Improved Technical Specifications Comments on Draft Safety Evaluation, Certified Improved Technical Specifications (ITS) & Bases & Proposed License Conditions, Technical Specific
ML020700311
Person / Time
Site: North Anna  Dominion icon.png
Issue date: 02/22/2002
From: Hartz L
Virginia Electric & Power Co (VEPCO)
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
02-053, CM/RAB R0, TAC MB0799, TAC MB0800
Download: ML020700311 (187)
v  d  e


Text

TECHNICAL SPECIFICATIONS BASES FOR NORTH ANNA UNITS 1 & 2

TECHNICAL SPECIFICATIONS BASES TABLE OF CONTENTS B 2.1 B 2.1.1 B 2.1.2 B 3.0 B 3.0 B 3.1 B 3.1.1 B 3.1.2 B 3.1.3 B 3.1.4 B 3.1.5 B 3.1.6 B 3.1.7 B 3.1.8 B 3.1.9 B 3.2 B 3.2.1 B 3.2.2 B 3.2.3 B 3.2.4 B 3.3 B 3.3.1 B 3.3.2 B 3.3.3 B 3.3.4 B 3.3.5 B 3.4 B 3.4.1 B 3.4.2 B 3.4.3 B 3.4.4 B 3.4.5 B 3.4.6 B 3.4.7 B 3.4.8 B 3.4.9 B 3.4.10 B 3.4.11 SAFETY LIMITS (SLs)........

Reactor Core SLs Reactor Coolant System (RCS)

Pressure SL LIMITING CONDITION FOR OPERATION (LCO)

APPLICABILITY...

SURVEILLANCE REQUIREMENT (SR) APPLICABILITY.....

REACTIVITY CONTROL SYSTEMS SHUTDOWN MARGIN (SDM).....

Core Reactivity..

Moderator Temperature Coefficient (MTC).......

Rod Group Alignment Limits Shutdown Bank Insertion Limits Control Bank Insertion Limits...............

Rod Position Indication...................

Primary Grade Water Flow Path Isolation Valves PHYSICS TESTS Exceptions-MODE 2.............

POWER DISTRIBUTION LIMITS.

Heat Flux Hot Channel Factor (FQ(Z))...

Nuclear Enthalpy Rise Hot Channel Factor (FAH)

AXIAL FLUX DIFFERENCE (AFD)................

QUADRANT POWER TILT RATIO (QPTR)

INSTRUMENTATION.

Reactor Trip System (RTS)

Instrumentation Engineered Safety Feature Actuation System (ESFAS)

Instrumentation................

Post Accident Monitoring (PAM)

Instrumentation.....

Remote Shutdown System Loss of Power (LOP)

Emergency Diesel Generator (EDG)

Start Instrumentation.............

REACTOR COOLANT SYSTEM (RCS)

RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB)

Limits RCS Minimum Temperature for Criticality.......

RCS Pressure and Temperature (P/T) Limits.

RCS Loops-MODES 1 and 2...................

RCS Loops-MODE 3 RCS Loops-MODE 4 RCS Loops-MODE 5, Loops Filled RCS Loops-MODE 5, Loops Not Filled Pressurizer........

Pressurizer Safety Valves..................

Pressurizer Power Operated Relief Valves (PORVs)........

North Anna Units 1 and 2 B 2.1.1-1 B 2.1.1-1 B 2.1.2-1

.B 3.0-1

.B 3.0-12 B 3.1.1-1 B 3.1.1-1 B 3.1.2-1 B 3.1.3-1 B 3.1.4-1 B 3.1.5-1 B 3.1.6-1 B 3.1.7-1 B 3.1.8-1 B 3.1.9-1 B 3.2.1-1 B 3.2.1-1 B 3.2.2-1 B 3.2.3-1 B 3.2.4-1 B 3.3.1-1 B 3.3.1-1 B 3.3.2-1 B 3.3.3-1 B 3.3.4-1 B 3.3.5-1 B 3.4.1-1 B 3.4.1-1 B 3.4.2-1 B 3.4.3-1 B 3.4.4-1 B 3.4.5-1 B 3.4.6-1 B 3.4.7-1 B 3.4.8-1 B 3.4.9-1

.B 3.4.10-1

.B 3.4.11-1 Revision 0, 04/02/02 i

TECHNICAL SPECIFICATIONS BASES TABLE OF CONTENTS B 3.4 B 3.4.12 B 3.4.13 B 3.4.14 B 3.4.15 B 3.4.16 B 3.4.17 B 3.4.18 B 3.4.19 B 3.5 B 3.5.1 B 3.5.2 B 3.5.3 B 3.5.4 B 3.5.5 B 3.5.6 B 3.6 B 3.6.1 B 3.6.2 B 3.6.3 B 3.6.4 B 3.6.5 B 3.6.6 B 3.6.7 B 3.6.8 B 3.6.9 B 3.7 B 3.7.1 B 3.7.2 B 3.7.3 B 3.7.4 B 3.7.5 B 3.7.6 B 3.7.7 B 3.7.8 B 3.7.9 B 3.7.10 B 3.7.11 REACTOR COOLANT SYSTEM (RCS)

(continued)

Low Temperature Overpressure Protection (LTOP)

System....................

RCS Operational LEAKAGE.

RCS Pressure Isolation Valve (PIV)

Leakage RCS Leakage Detection Instrumentation....

RCS Specific Activity.....

RCS Loop Isolation Valves..............

RCS Isolated Loop Startup..............

RCS Loops-Test Exceptions..............

EMERGENCY CORE COOLING SYSTEMS (ECCS).........

Accumulators ECCS-Operating ECCS-Shutdown......

Refueling Water Storage Tank (RWST).......

Seal Injection Flow.....

Boron Injection Tank (BIT)

CONTAINMENT SYSTEMS......

Containment......

Containment Air Locks.................

Containment Isolation Valves Containment Pressure Containment Air Temperature.............

Quench Spray (QS)

System Recirculation Spray (RS)

System..........

Chemical Addition System Hydrogen Recombiners PLANT SYSTEMS....

Main Steam Safety Valves (MSSVs).

Main Steam Trip Valves (MSTVs)

Main Feedwater Isolation Valves (MFIVs),

Main Feedwater Pump Discharge Valves (MFPDVs),

Main Feedwater Regulating Valves (MFRVs),

and Main Feedwater Regulating Bypass Valves (MFRBVs).....

Steam Generator Power Operated Relief Valves (SG PORVs)

Auxiliary Feedwater (AFW)

System Emergency Condensate Storage Tank (ECST)

Secondary Specific Activity.............

Service Water (SW)

System..............

Ultimate Heat Sink (UHS)

Main Control Room/Emergency Switchgear Room (MCR/ ESGR) Emergency Ventilation System (EVS)-MODES 1, 2, 3, and 4 Main Control Room/Emergency Switchgear Room (MCR/ESGR)

Air Conditioning System (ACS)

B 3.7.1-1 B 3.7.1-1 B 3.7.2-1 B 3.7.3-1 B

B B

B B

B 3.7.4-1 3.7.5-1 3.7.6-1 3.7.7-1 3.7.8-1 3.7.9-1

.B 3.7.10-1

.B 3.7.11-1 North Anna Units 1 and 2

.B 3.4.12-1

.B 3.4.13-1

.B 3.4.14-1

.B 3.4.15-1

.B 3.4.16-1

.B 3.4.17-1

.B 3.4.18-1

.B 3.4.19-1 B 3.5.1-1 B 3.5.1-1 B 3.5.2-1 B 3.5.3-1 B 3.5.4-1 B 3.5.5-1 B 3.5.6-1 B 3.6.1-1 B 3.6.1-1 B 3.6.2-1 B 3.6.3-1 B 3.6.4-1 B 3.6.5-1 B 3.6.6-1 B 3.6.7-1 B 3.6.8-1 B 3.6.9-1 i i Revision 0, 04/02/02

TECHNICAL SPECIFICATIONS BASES TABLE OF CONTENTS PLANT SYSTEMS (continued)

Emergency Core Cooling System (ECCS)

Pump Room Exhaust Air Cleanup System (PREACS)

Main Control Room/Emergency Switchgear Room (MCR/ESGR)

Bottled Air System.........

Main Control Room/Emergency Switchgear Room (MCR ESGR) Emergency Ventilation System (EVS)-During Movement of Recently Irradiated Fuel Assemblies Fuel Building Ventilation System (FBVS)

Fuel Storage Pool Water Level............

Fuel Storage Pool Boron Concentration....

Spent Fuel Pool Storage................

B 3.7 B 3.7.12 B 3.7.13 B 3.7.14 B 3.7.15 B 3.7.16 B 3.7.17 B 3.7.18 B 3.8 B 3.8.1 B 3.8.2 B 3.8.3 B 3.8.4 B 3.8.5 B 3.8.6 B 3.8.7 B 3.8.8 B 3.8.9 B 3.8.10 B 3.9 B 3.9.1 B 3.9.2 B 3.9.3 B 3.9.4 B 3.9.5 B 3.9.6 B 3.9.7

.B 3.7.12-1

.B 3.7.13-1

..B 3.7.14-1

.B 3.7.15-1

..B 3.7.16-1

.B 3.7.17-1

.B 3.7.18-1 B 3.8.1-1 B 3.8.1-1 B 3.8.2-1 B 3.8.3-1 B 3.8.4-1 B 3.8.5-1 B 3.8.6-1 B 3.8.7-1 B 3.8.8-1 B 3.8.9-1

.B 3.8.10-1 REFUELING OPERATIONS.......

.. B 3.9.1-1 Boron Concentration...........................

B 3.9.1-1 Primary Grade Water Flow Path Isolation Valves-MODE 6......

.. B 3.9.2-1 Nuclear Instrumentation.....

.. B 3.9.3-1 Containment Penetrations.....

.. B 3.9.4-1 Residual Heat Removal (RHR) and Coolant Circulation-High Water Level............

B 3.9.5-1 Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level..............

.. B 3.9.6-1 Refueling Cavity Water Level...............

.. B 3.9.7-1 North Anna Units 1 and 2 ELECTRICAL POWER SYSTEMS AC Sources-Operating AC Sources-Shutdown...........

Diesel Fuel Oil and Starting Air DC Sources-Operating DC Sources-Shutdown..........

Battery Cell Parameters.......

Inverters-Operating..........

Inverters-Shutdown Distribution Systems-Operating Distribution Systems-Shutdown Revision 0, 04/02/02 ii i

Intentionally Blank

Reactor Core SLs B 2.1.1 B 2.1 SAFETY LIMITS (SLs)

B 2.1.1 Reactor Core SLs BASES BACKGROUND GDC 10 (Ref.

1) requires that specified acceptable fuel design limits are not exceeded during steady state operation, normal operational transients, and anticipated operational occurrences (AOOs).

This is accomplished by having a departure from nucleate boiling (DNB) design basis, which corresponds to a 95% probability at a 95% confidence level (the 95/95 DNB criterion) that DNB will not occur and by requiring that fuel centerline temperature stays below the melting temperature.

The restrictions of this SL prevent overheating of the fuel and cladding, as well as possible cladding perforation, that would result in the release of fission products to the reactor coolant. Overheating of the fuel is prevented by maintaining the steady state peak linear heat rate (LHR) below the level at which fuel centerline melting occurs.

Overheating of the fuel cladding is prevented by restricting fuel operation to within the nucleate boiling regime, where the heat transfer coefficient is large and the cladding surface temperature is slightly above the coolant saturation temperature.

Fuel centerline melting occurs when the local LHR, or power peaking, in a region of the fuel is high enough to cause the fuel centerline temperature to reach the melting point of the fuel. Expansion of the pellet upon centerline melting may cause the pellet to stress the cladding to the point of failure, allowing an uncontrolled release of activity to the reactor coolant.

Operation above the boundary of the nucleate boiling regime could result in excessive cladding temperature because of the onset of DNB and the resultant sharp reduction in heat transfer coefficient. Inside the steam film, high cladding temperatures are reached, and a cladding water (zirconium water) reaction may take place. This chemical reaction results in oxidation of the fuel cladding to a structurally weaker form. This weaker form may lose its integrity, resulting in an uncontrolled release of activity to the reactor coolant.

(continued)

North Anna Units 1 and 2 B 2.1.1-1 Revision 0, 04/02/02

Reactor Core SLs B 2.1.1 BASES BACKGROUND (continued)

APPLICABLE SAFETY ANALYSES SAFETY LIMITS The proper functioning of the Reactor Protection System (RPS) and main steam safety valves prevents violation of the reactor core SLs.

The fuel cladding must not sustain damage as a result of normal operation and AQOs.

The reactor core SLs are established to preclude violation of the following fuel design criteria:

a. There must be at least 95% probability at a 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience DNB; and
b. The hot fuel pellet in the core must not experience centerline fuel melting.

The Reactor Trip System allowable values (Ref. 2),

in combination with all the LCOs, are designed to prevent any anticipated combination of transient conditions for Reactor Coolant System (RCS) temperature, pressure, and flow, AFD, and THERMAL POWER level that would result in a departure from nucleate boiling ratio (DNBR) of less than the DNBR limit and preclude the existence of flow instabilities.

Automatic enforcement of these reactor core SLs is provided by the appropriate operation of the RPS and the main steam safety valves.

The SLs represent a design requirement for establishing the RPS trip allowable values identified previously (as indicated in the UFSAR, Ref. 2).

LCO 3.4.1, "RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB)

Limits," or the assumed initial conditions of the safety analyses provide more restrictive limits to ensure that the SLs are not exceeded.

The figure provided in the COLR shows the loci of points of THERMAL POWER, RCS pressure, and average temperature for which the minimum DNBR is not less than the safety analyses limit, that fuel centerline temperature remains below melting, that the average enthalpy in the hot leg is less than or equal to the enthalpy of saturated liquid, or that the exit quality is within the limits defined by the DNBR correlation.

(continued)

North Anna Units 1 and 2 B 2.1.1-2 Revision 0, 04/02/02

Reactor Core SLs B 2.1.1 BASES SAFETY LIMITS (continued)

The reactor core SLs are established to preclude violation of the following fuel design criteria:

a. There must be at least a 95% probability at a 95%

confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience DNB; and

b. There must be at least a 95% probability at a 95%

confidence level that the hot fuel pellet in the core does not experience centerline fuel melting.

The reactor core SLs are used to define the various RPS functions such that the above criteria are satisfied during steady state operation, normal operational transients, and anticipated operational occurrences (AOOs).

To ensure that the RPS precludes the violation of the above criteria, additional criteria are applied to the Overtemperature and Overpower AT reactor trip functions. That is, it must be demonstrated that the average enthalpy in the hot leg is less than or equal to the saturation enthalpy and that the core exit quality is within the limits defined by the DNBR correlation. Appropriate functioning of the RPS and main steam safety valves ensures that for variations in the THERMAL POWER, RCS pressure, RCS average temperature, RCS flow rate, and AFD that the reactor core SLs will be satisfied during steady state operation, normal operational transients, and AOOs.

APPLICABILITY SL 2.1.1 only applies in MODES 1 and 2 because these are the only MODES in which the reactor is critical. Automatic protection functions are required to be OPERABLE during MODES 1 and 2 to ensure operation within the reactor core SLs. The main steam safety valves or automatic protection actions serve to prevent RCS heatup to the reactor core SL conditions or to initiate a reactor trip function, which forces the unit into MODE 3. Allowable values for the reactor trip functions are specified in LCO 3.3.1, "Reactor Trip System (RTS)

Instrumentation." In MODES 3, 4, 5,

and 6, Applicability is not required since the reactor is not generating significant THERMAL POWER.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 2.1. 1-3

Reactor Core SLs B 2.1.1 BASES SAFETY LIMIT If SL 2.1.1 is violated, the requirement to go to MODE 3 VIOLATIONS places the unit in a MODE in which this SL is not applicable.

The allowed Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> recognizes the importance of bringing the unit to a MODE of operation where this SL is not applicable, and reduces the probability of fuel damage.

REFERENCES

1. UFSAR, Section 3.1.6.
2.

UFSAR, Section 7.2.

North Anna Units 1 and 2 B 2. 1. 1-4 Revision 0, 04/02/02

RCS Pressure SL B 2.1.2 B 2.1 SAFETY LIMITS (SLs)

B 2.1.2 Reactor Coolant System (RCS)

Pressure SL BASES BACKGROUND The SL on RCS pressure protects the integrity of the RCS against overpressurization.

In the event of fuel cladding failure, fission products are released into the reactor coolant. The RCS then serves as the primary barrier in preventing the release of fission products into the atmosphere.

By establishing an upper limit on RCS pressure during operating conditions, the continued integrity of the RCS is ensured. According to GDC 14, "Reactor Coolant Pressure Boundary," and GDC 15, "Reactor Coolant System Design" (Ref.

1), the reactor coolant pressure boundary (RCPB) design conditions are not to be exceeded during normal operation and anticipated operational occurrences (AOOs).

Also, in accordance with GDC 28, "Reactivity Limits" (Ref.

1), reactivity accidents, including rod ejection, do not result in damage to the RCPB greater than limited local yielding.

The design pressure of the RCS is 2500 psia. During normal operation and AQOs, RCS pressure is limited from exceeding the design pressure by more than 10%,

in accordance with Section III of the ASME Code (Ref. 2).

To ensure system integrity, all RCS components are hydrostatically tested at 125% of design pressure, according to the ASME Code requirements prior to initial operation when there is no fuel in the core. Following inception of unit operation, RCS components shall be pressure tested, in accordance with the requirements of ASME Code,Section XI (Ref.

3).

Overpressurization of the RCS could result in a breach of the RCPB.

If such a breach occurs in conjunction with a fuel cladding failure, fission products could enter the containment atmosphere, raising concerns relative to limits on radioactive releases specified in 10 CFR 100, "Reactor Site Criteria" (Ref. 4).

APPLICABLE The RCS pressurizer safety valves, the main steam safety SAFETY ANALYSES valves (MSSVs),

and the reactor high pressure trip have settings established to ensure that the RCS pressure SL will not be exceeded.

(continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 2.1.2-1

RCS Pressure SL B 2.1.2 BASES APPLICABLE SAFETY ANALYSES (continued)

SAFETY LIMITS The RCS pressurizer safety valves are sized to prevent system pressure from exceeding the design pressure by more than 10%, as specified in Section III of the ASME Code for Nuclear Power Plant Components (Ref. 2).

The transient that establishes the required relief capacity, and hence valve size requirements and lift settings, is a complete loss of external load without a direct reactor trip. During the transient, no control actions are assumed, except that the safety valves on the secondary plant are assumed to open when the steam pressure reaches the secondary plant safety valve settings, and nominal feedwater supply is maintained.

The Reactor Trip System allowable values (Ref. 5), together with the settings of the MSSVs, provide pressure protection for normal operation and AQOs.

The reactor high pressure trip allowable value is specifically determined to provide protection against overpressurization (Ref.

5).

The safety analyses for both the high pressure trip and the RCS pressurizer safety valves are performed using conservative assumptions relative to pressure control devices.

More specifically, no credit is taken for operation of the following:

a. Pressurizer power operated relief valves (PORVs);
b.

Steam Generator PORVs;

c. Steam Dump System;
d. Reactor Control System;
e. Pressurizer Level Control System; or
f. Pressurizer spray valve.

The maximum transient pressure allowed in the RCS pressure vessel under the ASME Code,Section III, is 110% of design pressure. The maximum transient pressure allowed in the RCS piping, valves, and fittings under USAS, Section B31.1 (Ref.

6) is 120% of design pressure. The most limiting of these two allowances is the 110% of design pressure; therefore, the SL on maximum allowable RCS pressure is 2735 psig.

North Anna Units 1 and 2 B 2. 1.2-2 Revision 0, 04/02/02

RCS Pressure SL B 2.1.2 BASES APPLICABILITY SL 2.1.2 applies in MODES 1, 2, 3, 4, and 5 because this SL could be approached or exceeded in these MODES due to overpressurization events. The SL is not applicable in MODE 6 because the reactor vessel head closure bolts are not fully tightened, making it unlikely that the RCS can be pressurized.

SAFETY LIMIT If the RCS pressure SL is violated when the reactor is in VIOLATIONS MODE 1 or 2, the requirement is to restore compliance and be in MODE 3 within I hour.

Exceeding the RCS pressure SL may cause immediate RCS failure and create a potential for radioactive releases in excess of 10 CFR 100, "Reactor Site Criteria," limits (Ref. 4).

The allowable Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> recognizes the importance of reducing power level to a MODE of operation where the potential for challenges to safety systems is minimized.

If the RCS pressure SL is exceeded in MODE 3, 4, or 5, RCS pressure must be restored to within the SL value within 5 minutes. Exceeding the RCS pressure SL in MODE 3, 4, or 5 is more severe than exceeding this SL in MODE 1 or 2, since the reactor vessel temperature may be lower and the vessel material, consequently, less ductile. As such, pressure must be reduced to less than the SL within 5 minutes. The action does not require reducing MODES, since this would require reducing temperature, which would compound the problem by adding thermal gradient stresses to the existing pressure stress.

REFERENCES

1. UFSAR, Sections 3.1.10, 3.1.11, and 3.1.24.
2.
ASME, Boiler and Pressure Vessel Code,Section III, Article NB-7000.
3. ASME, Boiler and Pressure Vessel Code,Section XI, Article IWX-5000.
4.

10 CFR 100.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 2.1.2-3

RCS Pressure SL B 2.1.2 BASES REFERENCES

5.

UFSAR, Section 7.2.

(continued)

6.

USAS B31.1, Standard Code for Pressure Piping, American Society of Mechanical Engineers, 1967.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 2.1.2-4

LCO Applicability B 3.0 B 3.0 LIMITING CONDITION FOR OPERATION (LCO)

APPLICABILITY BASES LCO 3.0.1 through LCO 3.0.6 establish the general requirements applicable to all Specifications and apply at all times, unless otherwise stated.

LCO 3.0.1 LCO 3.0.2 LCO 3.0.1 establishes the Applicability statement within each individual Specification as the requirement for when the LCO is required to be met (i.e., when the unit is in the MODES or other specified conditions of the Applicability statement of each Specification).

LCO 3.0.2 establishes that upon discovery of a failure to meet an LCO, the associated ACTIONS shall be met. The Completion Time of each Required Action for an ACTIONS Condition is applicable from the point in time that an ACTIONS Condition is entered. The Required Actions establish those remedial measures that must be taken within specified Completion Times when the requirements of an LCO are not met.

This Specification establishes that:

a. Completion of the Required Actions within the specified Completion Times constitutes compliance with a Specification; and
b. Completion of the Required Actions is not required when an LCO is met within the specified Completion Time, unless otherwise specified.

There are two basic types of Required Actions. The first type of Required Action specifies a time limit in which the LCO must be met. This time limit is the Completion Time to restore an inoperable system or component to OPERABLE status or to restore variables to within specified limits. If this type of Required Action is not completed within the specified Completion Time, a shutdown may be required to place the unit in a MODE or condition in which the Specification is not applicable. (Whether stated as a Required Action or not, correction of the entered Condition is an action that may always be considered upon entering ACTIONS.)

The second type of Required Action specifies the remedial measures that permit continued operation of the (continued)

North Anna Units 1 and 2 LCOs Revision 0, 04/02/02 B 3.0-1

LCO Applicability B 3.0 BASES LCO 3.0.2 unit that is not further restricted by the Completion Time.

(continued)

In this case, compliance with the Required Actions provides an acceptable level of safety for continued operation.

Completing the Required Actions is not required when an LCO is met or is no longer applicable, unless otherwise stated in the individual Specifications.

The nature of some Required Actions of some Conditions necessitates that, once the Condition is entered, the Required Actions must be completed even though the associated Conditions no longer exist. The individual LCO's ACTIONS specify the Required Actions where this is the case.

An example of this is in LCO 3.4.3, "RCS Pressure and Temperature (P/T) Limits."

The Completion Times of the Required Actions are also applicable when a system or component is removed from service intentionally. The reasons for intentionally relying on the ACTIONS include, but are not limited to, performance of Surveillances, preventive maintenance, corrective maintenance, or investigation of operational problems.

Entering ACTIONS for these reasons must be done in a manner that does not compromise safety. Intentional entry into ACTIONS should not be made for operational convenience.

Additionally, if intentional entry into ACTIONS would result in redundant equipment being inoperable, alternatives should be used instead. Doing so limits the time both subsystems/trains of a safety function are inoperable and limits the time conditions exist which may result in LCO 3.0.3 being entered. Individual Specifications may specify a time limit for performing an SR when equipment is removed from service or bypassed for testing. In this case, the Completion Times of the Required Actions are applicable when this time limit expires, if the equipment remains removed from service or bypassed.

When a change in MODE or other specified condition is required to comply with Required Actions, the unit may enter a MODE or other specified condition in which another Specification becomes applicable. In this case, the Completion Times of the associated Required Actions would apply from the point in time that the new Specification becomes applicable, and the ACTIONS Condition(s) are entered.

North Anna Units 1 and 2 B 3.0-2 Revision 0, 04/02/02

LCO Applicability B 3.0 BASES LCO 3.0.3 LCO 3.0.3 establishes the actions that must be implemented when an LCO is not met and:

a.

An associated Required Action and Completion Time is not met and no other Condition applies; or

b. The condition of the unit is not specifically addressed by the associated ACTIONS. This means that no combination of Conditions stated in the ACTIONS can be made that exactly corresponds to the actual condition of the unit.

Sometimes, possible combinations of Conditions are such that entering LCO 3.0.3 is warranted; in such cases, the ACTIONS specifically state a Condition corresponding to such combinations and also that LCO 3.0.3 be entered immediately.

This Specification delineates the time limits for placing the unit in a safe MODE or other specified condition when operation cannot be maintained within the limits for safe operation as defined by the LCO and its ACTIONS.

It is not intended to be used as an operational convenience that permits routine voluntary removal of redundant systems or components from service in lieu of other alternatives that would not result in redundant systems or components being inoperable.

Upon entering LCO 3.0.3, 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is allowed to prepare for an orderly shutdown before initiating a change in unit operation. This includes time to permit the operator to coordinate the reduction in electrical generation with the load dispatcher to ensure the stability and availability of the electrical grid. The time limits specified to reach lower MODES of operation permit the shutdown to proceed in a controlled and orderly manner that is well within the specified maximum cooldown rate and within the capabilities of the unit, assuming that only the minimum required equipment is OPERABLE.

This reduces thermal stresses on components of the Reactor Coolant System and the potential for a unit upset that could challenge safety systems under conditions to which this Specification applies. The use and interpretation of specified times to complete the actions of LCO 3.0.3 are consistent with the discussion of Section 1.3, Completion Times.

(continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.0-3

LCO Applicability B 3.0 BASES LCO 3.0.3 A unit shutdown required in accordance with LCO 3.0.3 may be (continued) terminated and LCO 3.0.3 exited if any of the following occurs:

a. The LCO is now met.
b. A Condition exists for which the Required Actions have now been performed.
c. ACTIONS exist that do not have expired Completion Times.

These Completion Times are applicable from the point in time that the Condition is initially entered and not from the time LCO 3.0.3 is exited.

The time limits of Specification 3.0.3 allow 37 hours4.282407e-4 days <br />0.0103 hours <br />6.117725e-5 weeks <br />1.40785e-5 months <br /> for the unit to be in MODE 5 when a shutdown is required during MODE 1 operation. If the unit is in a lower MODE of operation when a shutdown is required, the time limit for reaching the next lower MODE applies. If a lower MODE is reached in less time than allowed, however, the total allowable time to reach MODE 5, or other applicable MODE, is not reduced. For example, if MODE 3 is reached in 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, then the time allowed for reaching MODE 4 is the next 11 hours1.273148e-4 days <br />0.00306 hours <br />1.818783e-5 weeks <br />4.1855e-6 months <br />, because the total time for reaching MODE 4 is not reduced from the allowable limit of 13 hours1.50463e-4 days <br />0.00361 hours <br />2.149471e-5 weeks <br />4.9465e-6 months <br />. Therefore, if remedial measures are completed that would permit a return to MODE 1, a penalty is not incurred by having to reach a lower MODE of operation in less than the total time allowed.

In MODES 1, 2, 3, and 4, LCO 3.0.3 provides actions for Conditions not covered in other Specifications. The requirements of LCO 3.0.3 do not apply in MODES 5 and 6 because the unit is already in the most restrictive Condition required by LCO 3.0.3. The requirements of LCO 3.0.3 do not apply in other specified conditions of the Applicability (unless in MODE 1, 2, 3, or 4) because the ACTIONS of individual Specifications sufficiently define the remedial measures to be taken.

Exceptions to LCO 3.0.3 are provided in instances where requiring a unit shutdown, in accordance with LCO 3.0.3, would not provide appropriate remedial measures for the associated condition of the unit. An example of this is in LCO 3.7.16, "Fuel Storage Pool Water Level." LCO 3.7.16 has an Applicability of "During movement of irradiated fuel assemblies in the fuel storage pool." Therefore, this LCO (continued)

North Anna Units 1 and 2 B 3.0-4 Revision 0, 04/02/02

LCO Applicability B 3.0 BASES LCO 3.0.3 (continued)

LCO 3.0.4 can be applicable in any or all MODES.

If the LCO and the Required Actions of LCO 3.7.16 are not met while in MODE 1, 2, or 3, there is no safety benefit to be gained by placing the unit in a shutdown condition. The Required Action of LCO 3.7.16 of "Suspend movement of irradiated fuel assemblies in the fuel storage pool" is the appropriate Required Action to complete in lieu of the actions of LCO 3.0.3. These exceptions are addressed in the individual Specifications.

LCO 3.0.4 establishes limitations on changes in MODES or other specified conditions in the Applicability when an LCO is not met. It precludes placing the unit in a MODE or other specified condition stated in that Applicability (e.g.,

Applicability desired to be entered) when the following exist:

a. Unit conditions are such that the requirements of the LCO would not be met in the Applicability desired to be entered; and
b. Continued noncompliance with the LCO requirements, if the Applicability were entered, would result in the unit being required to exit the Applicability desired to be entered to comply with the Required Actions.

Compliance with Required Actions that permit continued operation of the unit for an unlimited period of time in a MODE or other specified condition provides an acceptable level of safety for continued operation. This is without regard to the status of the unit before or after the MODE change. Therefore, in such cases, entry into a MODE or other specified condition in the Applicability may be made in accordance with the provisions of the Required Actions.

When an LCO is not met, LCO 3.0.4 also allows entering MODES or other specified conditions in the Applicability following assessment of the risk impact and determination that the impact can be managed. The risk evaluation may use quantitative, qualitative, or blended approaches, and the risk evaluation will be conducted using the plant program, procedures, and criteria in place to implement 10 CFR 50.65(a)(4),

which requires that risk impacts of maintenance activities to be assessed and managed.

The risk evaluations will be conducted using the procedures and (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.0-5

LCO Applicability B 3.0 BASES LCO 3.0.4 guidance endorsed by Regulatory Guide 1.182, "Assessing and (continued)

Managing Risk Before Maintenance Activities at Nuclear Power Plants."

The results of the risk evaluation shall be considered in determining the acceptability of entering the MODE or other specified condition in the Applicability, and any corresponding risk management actions. Consideration will be given to the probability of completing restoration such that the requirements of the LCO would be met prior to the expiration of ACTIONS Completion Times that would require exiting the Applicability.

A risk assessment and establishment of risk management actions, as appropriate, are required for determination of acceptable risk for entering MODES or other specified conditions in the Applicability when an LCO is not met. The elements of the risk assessment and risk management actions are included in Regulatory Guide 1.182 which addresses general guidance for conduct of the risk evaluation, quantitative and qualitative guidelines for establishing risk management actions, and example risk management actions. These include actions to plan and conduct other activities in a manner that controls overall risk, increased risk awareness by shift and management personnel, actions to reduce the duration of the condition, actions to minimize the magnitude of risk increases (establishment of backup success paths or compensatory measures),

and determination that the proposed MODE change is acceptable.

A quantitative, qualitative, or blended risk evaluation must be performed to assess the risk impact of entering the MODE or other specified condition in the Applicability, based on the specific plant configuration at that time and the risk impacts must be managed in accordance with the assessment results.

From generic evaluations, systems/components can be identified which are equally or more important to risk in MODE 1 than in the transition MODES.

The Technical Specifications allow continued operation with this equipment unavailable during MODE 1 operation for the duration of the Completion Time. Since this is allowable, and since the risk impact bounds the risk of transitioning up in MODE and entering the Conditions and Required Actions, the use of the LCO 3.0.4 allowance for these systems should be generally acceptable, as long as the risk is assessed and managed as (continued)

North Anna Units 1 and 2 B 3.0-6 Revision 0, 04/02/02

LCO Applicability B 3.0 BASES LCO 3.0.4 stated above. However, there is a small subset of (continued) systems/components that have been generically determined to be more important to risk in MODES 2-5 and do not have the LCO 3.0.4 allowance. These system/components are listed below.

The Applicability should be reviewed with respect to the actual plant configuration at that time. Each individual application of LCO 3.0.4.b, whether due to one or more than one LCO 3.0.4.b allowance at the same time, is required to be evaluated under the auspices of 10 CFR 50.65(a)(4) and consideration of risk management actions discussed in Regulatory Guide 1.182. For those cases where the risk of the MODE change may be greater (i.e., the systems and components listed below), prior NRC review and approval of a specific LCO 3.0.4 allowance is required.

The LCO 3.0.4.b allowance typically only applies to systems and components. The values and parameters of the Technical Specifications (e.g., Containment Air Temperature, Containment Pressure, Moderator Temperature Coefficient, etc.) are typically not addressed by this LCO 3.0.4.b allowance. These values and parameters are addressed by the LCO 3.0.4.c allowance.

A list of the LCO 3.0.4.c specific value and parameter allowances approved by the NRC is provided below.

LCO 3.4.16, RCS Specific Activity In order to support the conduct of the appropriate assessments, each Owners Group has performed an evaluation to identify plant systems or components which are more important to risk in the transition MODES than in MODE 1. To apply the LCO 3.0.4 allowance to these systems and components, prior NRC review and approval is required. These systems are listed in the following table.

(continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.0-7

LCO Applicability B 3.0 BASES LCO 3.0.4 MODE or Other Specified (continued)

System*

Condition in the Applicability RCS Loops (RHR) 5 LTOP System 4, 5 ECCS Shutdown (ECCS High 4

Head Subsystem)

AFW System 1

AC Sources (Diesel 1, 2, 3,

4, 5,

6 Generators)

Including systems supporting the OPERABILITY of the listed systems.

NUMARC 93-01, "Industry Guidelines for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants,"

states that the rigor of the risk analysis should be commensurate with the risk impact of the proposed configuration. For unavailable plant systems or components listed on the above table, a plant MODE change has been determined, through generic evaluation, to result in a potential risk increase. Therefore, prior NRC review and approval is required to apply the LCO 3.0.4 allowance to these systems and components.

For unavailable plant systems or components not appearing in the above table, proposed plant MODE changes will generally not involve a risk increase greater than the system or component being unavailable in MODE 1. The risk assessment performed to support use of LCO 3.0.4.b for systems or components not appearing on the above table must meet all considerations of NUMARC 93-01, but need not be documented.

LCO 3.0.4.b may be used with single, or multiple systems or components unavailable.

NUMARC 93-01 provides guidance relative to consideration of simultaneous unavailability of multiple systems or components.

The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.

(continued)

North Anna Units 1 and 2 B 3.0-8 Revision 0, 04/02/02

LCO Applicability B 3.0 BASES LCO 3.0.4 (continued)

The provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS.

In addition, the provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown.

LCO 3.0.4 is only applicable when entering MODE 4 from MODE 5, MODE 3 from MODE 4, MODE 2 from MODE 3, or MODE 1 from MODE 2. Furthermore, LCO 3.0.4 is applicable when entering any other specified condition in the Applicability only while operating in MODES 1, 2, 3, or 4. The requirements of LCO 3.0.4 do not apply in MODES 5 and 6, or in other specified conditions of the Applicability (unless in MODES 1, 2, 3, or 4) because the ACTIONS of individual Specifications sufficiently define the remedial measures to be taken.

Surveillances do not have to be performed on the associated inoperable equipment (or on variables outside the specified limits), as permitted by SR 3.0.1. Therefore, changing MODES or other specified conditions while in an ACTIONS Condition, in compliance with LCO 3.0.4, is not a violation of SR 3.0.1 or SR 3.0.4 for those Surveillances that do not have to be performed due to the associated inoperable equipment.

However, SRs must be met to ensure OPERABILITY prior to declaring the associated equipment OPERABLE (or variable within limits) and restoring compliance with the affected LCO.

LCO 3.0.5 LCO 3.0.5 establishes the allowance for restoring equipment to service under administrative controls when it has been removed from service or declared inoperable to comply with ACTIONS. The sole purpose of this Specification is to provide an exception to LCO 3.0.2 (e.g., to not comply with the applicable Required Action(s)) to allow the performance of required testing to demonstrate:

a. The OPERABILITY of the equipment being returned to service; or
b. The OPERABILITY of other equipment.

(continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.0-9

LCO Applicability B 3.0 BASES LCO 3.0.5 (continued)

The administrative controls ensure the time the equipment is returned to service in conflict with the requirements of the ACTIONS is limited to the time absolutely necessary to perform the required testing to demonstrate OPERABILITY.

This Specification does not provide time to perform any other preventive or corrective maintenance.

An example of demonstrating the OPERABILITY of the equipment being returned to service is reopening a containment isolation valve that has been closed to comply with Required Actions and must be reopened to perform the required testing.

An example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to prevent the trip function from occurring during the performance of required testing on another channel in the other trip system. A similar example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to permit the logic to function and indicate the appropriate response during the performance of required testing on another channel in the same trip system.

LCO 3.0.6 LCO 3.0.6 establishes an exception to LCO 3.0.2 for support systems that have an LCO specified in the Technical Specifications (TS).

This exception is provided because LCO 3.0.2 would require that the Conditions and Required Actions of the associated inoperable supported system LCO be entered solely due to the inoperability of the support system. This exception is justified because the actions that are required to ensure the unit is maintained in a safe condition are specified in the support system LCO's Required Actions. These Required Actions may include entering the supported system's Conditions and Required Actions or may specify other Required Actions.

When a support system is inoperable and there is an LCO specified for it in the TS, the supported system(s) are required to be declared inoperable if determined to be inoperable as a result of the support system inoperability.

However, it is not necessary to enter into the supported systems' Conditions and Required Actions unless directed to do so by the support system's Required Actions.

The potential confusion and inconsistency of requirements related to the entry into multiple support and supported (continued)

North Anna Units 1 and 2 B 3.0-10 Revision 0, 04/02/02

LCO Applicability B 3.0 BASES LCO 3.0.6 systems' LCOs' Conditions and Required Actions are (continued) eliminated by providing all the actions that are necessary to ensure the unit is maintained in a safe condition in the support system's Required Actions.

However, there are instances where a support system's Required Action may either direct a supported system to be declared inoperable or direct entry into Conditions and Required Actions for the supported system. This may occur immediately or after some specified delay to perform some other Required Action. Regardless of whether it is immediate or after some delay, when a support system's Required Action directs a supported system to be declared inoperable or directs entry into Conditions and Required Actions for a supported system, the applicable Conditions and Required Actions shall be entered in accordance with LCO 3.0.2.

Specification 5.5.14, "Safety Function Determination Program (SFDP)," ensures loss of safety function is detected and appropriate actions are taken. Upon entry into LCO 3.0.6, an evaluation shall be made to determine if loss of safety function exists. Additionally, other limitations, remedial actions, or compensatory actions may be identified as a result of the support system inoperability and corresponding exception to entering supported system Conditions and Required Actions. The SFDP implements the requirements of LCO 3.0.6.

Cross train checks to identify a loss of safety function for those support systems that support multiple and redundant safety systems are required. The cross train check verifies that the supported systems of the redundant OPERABLE support system are OPERABLE, thereby ensuring safety function is retained. A loss of safety function may exist when a support system is inoperable, and:

a. A required system redundant to system(s) supported by the inoperable support system is also inoperable; or (EXAMPLE B 3.0.6-1)
b. A required system redundant to system(s) in turn supported by the inoperable supported system is also inoperable; or (EXAMPLE B 3.0.6-2)

(continued)

North Anna Units 1 and 2 B 3.0-11 Revision 0, 04/02/02

LCO Applicability B 3.0 BASES LCO 3.0.6

c. A required system redundant to support system(s) for the (continued) supported systems (a) and (b) above is also inoperable.

(EXAMPLE B 3.0.6-3)

EXAMPLE B 3.0.6-1 If System 2 of Train A is inoperable, and System 5 of Train B is inoperable, a loss of safety function exists in supported System 5.

EXAMPLE B 3.0.6-2 If System 2 of Train A is inoperable, and System 11 of Train B is inoperable, a loss of safety function exists in System 11 which is in turn supported by System 5.

EXAMPLE B 3.0.6-3 If System 2 of Train A is inoperable, and System 1 of Train B is inoperable, a loss of safety function exists in Systems 2, 4,

5, 8, 9, 10 and 11.

If this evaluation determines that a loss of safety function exists, the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists are required to be entered.

(continued)

North Anna Units 1 and 2 B 3.0-12 Revision 0, 04/02/02

LCO Applicability B 3.0 BASES LCO 3.0.6 (continued)

TRAIN A TRAIN B System 8

-System 4

_System 9 System 10

-System5 KSystem 11 System 12

-System 6

_System 13 System 1

-System 2

-System 3

__System 71System 14 L-System 15 System 8

-System 4

System 9

-System 10

-System 5

_System 11

-System

-System 12 13 14 15 (continued)

North Anna Units 1 and 2 System 1

-System 2

-System 3

B 3-0-13 Revision 0, 04/02/02

LCO Applicability B 3.0 BASES LCO 3.0.6 (continued)

This loss of safety function does not require consideration of additional single failures or loss of offsite power.

Since operation is being restricted in accordance with the ACTIONS of the support system, this accounts for any temporary loss of redundancy or single failure protection.

Similarly, the ACTIONS for inoperable offsite circuit(s) and inoperable diesel generator(s) provide the necessary restriction for cross train inoperabilities. This explicit cross train verification for inoperable AC electrical power sources also acknowledges that supported system(s) are not declared inoperable solely as a result of inoperability of a normal or emergency electrical power source (refer to the definition of OPERABILITY).

When a loss of safety function is determined to exist, and the SFDP requires entry into the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists, consideration must be given to the specific type of function affected. Where a loss of function is solely due to a single Technical Specification support system (e.g., loss of automatic start due to inoperable instrumentation, or loss of pump suction source due to low tank level) the appropriate LCO is the LCO for the support system. The ACTIONS for a support system LCO adequately addresses the inoperabilities of that system without reliance on entering its supported system LCO. When the loss of function is the result of multiple support systems, the appropriate LCO is the LCO for the supported system.

LCO 3.0.7 There are certain special tests and operations required to be performed at various times over the life of the unit.

These special tests and operations are necessary to demonstrate select unit performance characteristics, to perform special maintenance activities, and to perform special evolutions. Test Exception LCOs 3.1.9 and 3.4.19 allow specified Technical Specification (TS) requirements to be changed to permit performances of these special tests and operations, which otherwise could not be performed if required to comply with the requirements of these TS. Unless otherwise specified, all the other TS requirements remain unchanged. This will ensure all appropriate requirements of the MODE or other specified condition not directly associated with or required to be changed to perform the special test or operation will remain in effect.

(continued)

North Anna Units 1 and 2 B 3.0-14 Revision 0, 04/02/02

LCO Applicability B 3.0 BASES LCO 3.0.7 (continued)

The Applicability of a Test Exception LCO represents a condition not necessarily in compliance with the normal requirements of the TS. Compliance with Test Exception LCOs is optional. A special operation may be performed either under the provisions of the appropriate Test Exception LCO or under the other applicable TS requirements. If it is desired to perform the special operation under the provisions of the Test Exception LCO, the requirements of the Test Exception LCO shall be followed.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.0-15

SR Applicability B 3.0 B 3.0 SURVEILLANCE REQUIREMENT (SR)

APPLICABILITY BASES SR 3.0.1 through SR 3.0.4 establish the general requirements applicable to all Specifications and apply at all times, unless otherwise stated.

SR 3.0.1 North Anna Units 1 and 2 SRs SR 3.0.1 establishes the requirement that SRs must be met during the MODES or other specified conditions in the Applicability for which the requirements of the LCO apply, unless otherwise specified in the individual SRs.

This Specification is to ensure that Surveillances are performed to verify the OPERABILITY of systems and components, and that variables are within specified limits. Failure to meet a Surveillance within the specified Frequency, in accordance with SR 3.0.2, constitutes a failure to meet an LCO.

Surveillances may be performed by means of any series of sequential, overlapping, or total steps provided the entire Surveillance is performed within the specified Frequency.

Systems and components are assumed to be OPERABLE when the associated SRs have been met. Nothing in this Specification, however, is to be construed as implying that systems or components are OPERABLE when:

a. The systems or components are known to be inoperable, although still meeting the SRs; or
b.

The requirements of the Surveillance(s) are known not to be met between required Surveillance performances.

Surveillances do not have to be performed when the unit is in a MODE or other specified condition for which the requirements of the associated LCO are not applicable, unless otherwise specified. The SRs associated with a test exception are only applicable when the test exception is used as an allowable exception to the requirements of a Specification.

Unplanned events may satisfy the requirements (include applicable acceptance criteria) for a given SR. In this case, the unplanned event may be credited as fulfilling the performance of the SR. This allowance includes those SRs whose performance is normally precluded in a given MODE or other specified condition.

(continued)

B 3.0-16 Revision 0, 04/02/02

SR Applicability B 3.0 BASES SR 3.0.1 (continued)

SR 3.0.2 Surveillances, including Surveillances invoked by Required Actions, do not have to be performed on inoperable equipment because the ACTIONS define the remedial measures that apply.

Surveillances have to be met and performed in accordance with SR 3.0.2, prior to returning equipment to OPERABLE status.

Upon completion of maintenance, appropriate post maintenance testing is required to declare equipment OPERABLE. This includes ensuring applicable Surveillances are not failed and their most recent performance is in accordance with SR 3.0.2. Post maintenance testing may not be possible in the current MODE or other specified conditions in the Applicability due to the necessary unit parameters not having been established. In these situations, the equipment may be considered OPERABLE provided testing has been satisfactorily completed to the extent possible and the equipment is not otherwise believed to be incapable of performing its function. This will allow operation to proceed to a MODE or other specified condition where other necessary post maintenance tests can be completed.

SR 3.0.2 establishes the requirements for meeting the specified Frequency for Surveillances and any Required Action with a Completion Time that requires the periodic performance of the Required Action on a "once per..."

interval.

SR 3.0.2 permits a 25% extension of the interval specified in the Frequency. This extension facilitates Surveillance scheduling and considers unit operating conditions that may not be suitable for conducting the Surveillance (e.g.,

transient conditions or other ongoing Surveillance or maintenance activities).

The 25% extension does not significantly degrade the reliability that results from performing the Surveillance at its specified Frequency. This is based on the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the SRs. The exceptions to SR 3.0.2 are those Surveillances for which the 25% extension of the interval specified in the Frequency does not apply. These exceptions are stated in the individual Specifications. The requirements of regulations take precedence over the TS.

An example of where SR 3.0.2 does not apply is the Containment Leakage Rate Testing (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.0-17

SR Applicability B 3.0 BASES SR 3.0.2 (continued)

Program. This program establishes testing requirements and Frequencies in accordance with the requirements of regulations.

As stated in SR 3.0.2, the 25% extension also does not apply to the initial portion of a periodic Completion Time that requires performance on a "once per..." basis. The 25%

extension applies to each performance after the initial performance. The initial performance of the Required Action, whether it is a particular Surveillance or some other remedial action, is considered a single action with a single Completion Time. One reason for not allowing the 25%

extension to this Completion Time is that such an action usually verifies that no loss of function has occurred by checking the status of redundant or diverse components or accomplishes the function of the inoperable equipment in an alternative manner.

The provisions of SR 3.0.2 are not intended to be used repeatedly merely as an operational convenience to extend Surveillance intervals (other than those consistent with refueling intervals) or periodic Completion Time intervals beyond those specified.

SR 3.0.3 establishes the flexibility to defer declaring affected equipment inoperable or an affected variable outside the specified limits when a Surveillance has not been completed within the specified Frequency. A delay period of up to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> or up to the limit of the specified Frequency, whichever is greater, applies from the point in time that it is discovered that the Surveillance has not been performed in accordance with SR 3.0.2, and not at the time that the specified Frequency was not met.

This delay period provides adequate time to complete Surveillances that have been missed. This delay period permits the completion of a Surveillance before complying with Required Actions or other remedial measures that might preclude completion of the Surveillance.

The basis for this delay period includes consideration of unit conditions, adequate planning, availability of personnel, the time required to perform the Surveillance, the safety significance of the delay in completing the required Surveillance, and the recognition that the most probable result of any particular Surveillance being (continued)

North Anna Units 1 and 2 SR 3.0.3 B 3.0-18 Revision 0, 04/02/02

SR Applicability B 3.0 BASES SR 3.0.3 performed is the verification of conformance with the (continued) requirements.

When a Surveillance with a Frequency based not on time intervals, but upon specified unit conditions, operating situations, or requirements of regulations (e.g., prior to entering MODE 1 after each fuel loading, or in accordance with 10 CFR 50, Appendix J, as modified by approved exemptions, etc.) is discovered to not have been performed when specified, SR 3.0.3 allows for the full delay period of up to the specified Frequency to perform the Surveillance.

However, since there is not a time interval specified, the missed Surveillance should be performed at the first reasonable opportunity.

SR 3.0.3 provides a time limit for, and allowances for the performance of, Surveillances that become applicable as a consequence of MODE changes imposed by Required Actions.

Failure to comply with specified Frequencies for SRs is expected to be an infrequent occurrence.

Use of the delay period established by SR 3.0.3 is a flexibility which is not intended to be used as an operational convenience to extend Surveillance intervals. While up to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> or the limit of the specified Frequency is provided to perform the missed Surveillance, it is expected that the missed Surveillance will be performed at the first reasonable opportunity. The determination of the first reasonable opportunity should include consideration of the impact on plant risk (from delaying the Surveillance as well as any plant configuration changes required to perform the Surveillance or shutting the plant down to perform the Surveillance) and impact on any analysis assumptions, in addition to unit conditions, planning, availability of personnel, and the time required to perform the Surveillance. This risk impact should be managed through the program in place to implement 10 CFR 50.65(a)(4) and its implementation guidance, NRC Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." This Regulatory Guide addresses consideration of temporary and aggregate risk impacts, determination of risk management action thresholds, and risk management action up to and including plant shutdown. The missed Surveillance should be treated as an emergent condition as discussed in the Regulatory Guide. The risk evaluation may use quantitative, qualitative, or blended methods. The degree of depth and rigor of the evaluation should be commensurate with the (continued)

North Anna Units 1 and 2 B 3.0-19 Revision 0, 04/02/02

SR Applicability B 3.0 BASES SR 3.0.3 (continued) importance of the component. Missed Surveillances for important components should be analyzed quantitatively. If the results of the risk evaluation determine the risk increase is significant, this evaluation should be used to determine the safest course of action. All missed Surveillances will be placed in the licensee's Corrective Action Program.

If a Surveillance is not completed within the allowed delay period, then the equipment is considered inoperable or the variable is considered outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon expiration of the delay period. If a Surveillance is failed within the delay period, then the equipment is inoperable, or the variable is outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon the failure of the Surveillance.

Completion of the Surveillance within the delay period allowed by this Specification, or within the Completion Time of the ACTIONS, restores compliance with SR 3.0.1.

SR 3.0.4 establishes the requirement that all applicable SRs must be met before entry into a MODE or other specified condition in the Applicability.

This Specification ensures that system and component OPERABILITY requirements and variable limits are met before entry into MODES or other specified conditions in the Applicability for which these systems and components ensure safe operation of the unit.

The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or component to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.

A provision is included to allow entry into a MODE or other specified condition in the Applicability:

a. When the associated ACTIONS to be entered permit continued operation in the MODE or other specific condition in the Applicability for an unlimited period of
time, (continued)

North Anna Units 1 and 2 SR 3.0.4 B 3.0-20 Revision 0, 04/02/02

SR Applicability B 3.0 BASES SR 3.0.4

b. After performance of a risk evaluation, consideration of (continued) the results, determination of the acceptability of the MODE change, and establishment of risk management actions, if appropriate, or
c. When a specific value or parameter allowance has been approved by the NRC.

However, in certain circumstances, failing to meet an SR will not result in SR 3.0.4 restricting a MODE change or other specified condition change. When a system, subsystem, division, component, device, or variable is inoperable or outside its specified limits, the associated SR(s) are not required to be performed, per SR 3.0.1, which states that surveillances do not have to be performed on inoperable equipment. When equipment is inoperable, SR 3.0.4 does not apply to the associated SR(s) since the requirement for the SR(s) to be performed is removed. Therefore, failing to perform the Surveillance(s) within the specified Frequency does not result in an SR 3.0.4 restriction to changing MODES or other specified conditions of the Applicability. However, since the LCO is not met in this instance, LCO 3.0.4 will govern any restrictions that may (or may not) apply to MODE or other specified condition changes.

The provisions of SR 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS.

In addition, the provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown.

The precise requirements for performance of SRs are specified such that exceptions to SR 3.0.4 are not necessary. The specific time frames and conditions necessary for meeting the SRs are specified in the Frequency, in the Surveillance, or both. This allows performance of Surveillances when the prerequisite condition(s) specified in a Surveillance procedure require entry into the MODE or other specified condition in the Applicability of the associated LCO prior to the performance or completion of a Surveillance. A Surveillance that could not be performed until after entering the LCO Applicability, would have its Frequency specified such that it is not "due" until the specific conditions needed are met. Alternately, the Surveillance may be stated in the form of a Note as not (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.0-21

SR Applicability B 3.0 BASES SR 3.0.4 (continued) required (to be met or performed) until a particular event, condition, or time has been reached. Further discussion of the specific formats of SRs' annotation is found in Section 1.4, Frequency.

SR 3.0.4 is only applicable when entering MODE 4 from MODE 5, MODE 3 from MODE 4, MODE 2 from MODE 3, or MODE I from MODE 2. Furthermore, SR 3.0.4 is applicable when entering any other specified condition in the Applicability only while operating in MODES 1, 2, 3, or 4. The requirements of SR 3.0.4 do not apply in MODES 5 and 6, or in other specified conditions of the Applicability (unless in MODES 1, 2, 3, or 4) because the ACTIONS of individual Specifications sufficiently define the remedial measures to be taken.

North Anna Units 1 and 2 B 3.0-22 Revision 0, 04/02/02

SDM B 3.1.1 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.1 SHUTDOWN MARGIN (SDM)

BASES BACKGROUND According to GDC 26 (Ref.

1), the reactivity control systems must be independent and one must be capable of holding the reactor core subcritical when shut down under cold conditions. Maintenance of the SDM ensures that postulated reactivity events will not damage the fuel.

SDM requirements provide sufficient reactivity margin to ensure that acceptable fuel design limits will not be exceeded for normal shutdown and anticipated operational occurrences (AOOs).

As such, the SDM defines the degree of subcriticality that would be obtained immediately following the insertion or scram of all shutdown and control rods, assuming that the single rod cluster assembly of highest reactivity worth is fully withdrawn.

The system design requires that two independent reactivity control systems be provided, and that one of these systems be capable of maintaining the core subcritical under cold conditions. These requirements are provided by the use of movable control assemblies and soluble boric acid in the Reactor Coolant System (RCS).

The Rod Control System can compensate for the reactivity effects of the fuel and water temperature changes accompanying power level changes over the range from full load to no load. In addition, the Rod Control System, together with the boration system, provides the SDM during power operation and is capable of making the core subcritical rapidly enough to prevent exceeding acceptable fuel damage limits, assuming that the rod of highest reactivity worth remains fully withdrawn. The soluble boron system can compensate for fuel depletion during operation and all xenon burnout reactivity changes and maintain the reactor subcritical under cold conditions.

During power operation, SDM control is ensured by operating with the shutdown banks fully withdrawn and the control banks within the limits of LCO 3.1.6, "Control Bank Insertion Limits." When the unit is in the shutdown and refueling modes, the SDM requirements are met by means of adjustments to the RCS boron concentration.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.1.1-1

SDM B 3.1.1 BASES APPLICABLE The minimum required SDM is assumed as an initial condition SAFETY ANALYSES in safety analyses. The safety analysis (Ref.

2) establishes an SDM that ensures specified acceptable fuel design limits are not exceeded for normal operation and AOOs, with the assumption of the highest worth rod stuck out on scram.

The acceptance criteria for the SDM requirements are that specified acceptable fuel design limits are maintained. This is done by ensuring that:

a. The reactor can be made subcritical from all operating conditions, transients, and Design Basis Events;
b. The reactivity transients associated with postulated accident conditions are controllable within acceptable limits (departure from nucleate boiling ratio (DNBR),

fuel centerline temperature limits for AOOs, and

< 225 cal/gm energy deposition to unirradiated fuel and

< 200 cal/gm energy deposition to irradiated fuel for the rod ejection accident); and

c.

The reactor will be maintained sufficiently subcritical to preclude inadvertent criticality in the shutdown condition.

The most limiting accident for the SDM requirements is based on a main steam line break (MSLB),

as described in the accident analysis (Ref. 2).

The increased steam flow resulting from a pipe break in the main steam system causes an increased energy removal from the affected steam generator (SG),

and consequently the RCS. This results in a reduction of the reactor coolant temperature. The resultant coolant shrinkage causes a reduction in pressure. In the presence of a negative moderator temperature coefficient, this cooldown causes an increase in core reactivity. As RCS temperature decreases, the severity of an MSLB decreases until the MODE 5 value is reached. The most limiting MSLB, with respect to potential fuel damage before a reactor trip

occurs, is a guillotine break of a main steam line inside containment initiated at the end of core life. The positive reactivity addition from the moderator temperature decrease will terminate when the affected SG boils dry, thus terminating RCS heat removal and cooldown. Following the
MSLB, a post trip return to power may occur; however, no fuel (continued)

North Anna Units 1 and 2 B 3.1.1-2 Revision 0, 04/02/02

SDM B 3.1.1 BASES APPLICABLE damage occurs as a result of the post trip return to power, SAFETY ANALYSES and THERMAL POWER does not violate the Safety Limit (SL)

(continued) requirement of SL 2.1.1.

In addition to the limiting MSLB transient, the SDM requirement must also protect against:

a. An uncontrolled rod withdrawal from subcritical or low power condition;
b. Startup of an inactive reactor coolant pump (RCP); and
c.

Rod ejection.

Each of these events is discussed below.

Depending on the system initial conditions and reactivity insertion rate, the uncontrolled rod withdrawal transient is terminated by either a high source range trip or a high power range neutron flux trip, an intermediate range neutron flux trip, a high pressurizer pressure or water level trip, or an OTAT.

In all cases, power level, RCS pressure, linear heat rate, and the DNBR do not exceed allowable limits.

The startup of an inactive loop event is defined as an uncontrolled reduction in SHUTDOWN MARGIN resulting from the startup of an RCP on an idle loop containing a reduced coolant temperature or boron concentration. Adherence to LCO 3.4.18, "RCS Isolated Loop Startup," ensures that the preconditions necessary for significant reactivity insertion during the startup of an inactive loop (i.e., reduced coolant temperature or boron concentration on an idle and unisolated loop) cannot be achieved under credible circumstances. Recirculation of reactor coolant in an isolated loop through a loop stop valve bypass line prior to loop unisolation when performed in accordance with LCO 3.4.18 does not constitute an uncontrolled boron dilution event. The accident analysis demonstrates that sufficient time exists for corrective operator action in response to a postulated reactivity insertion resulting from the recirculation activity.

(continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.1.1-3

SDM B 3.1.1 BASES APPLICABLE SAFETY ANALYSES (continued)

The ejection of a control rod rapidly adds reactivity to the reactor core, causing both the core power level and heat flux to increase with corresponding increases in reactor coolant temperatures and pressure. The ejection of a rod also produces a time dependent redistribution of core power.

SDM satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

Even though it is not directly observed from the control room, SDM is considered an initial condition process variable because it is periodically monitored to ensure that the unit is operating within the bounds of accident analysis assumptions.

LCO SDM is a core design condition that can be ensured during operation through control rod positioning (control and shutdown banks) and through the soluble boron concentration.

The MSLB (Ref. 2) accident is the most limiting analysis that establishes the SDM value of the LCO.

For MSLB accidents, if the LCO is violated, there is a potential to exceed the DNBR limit and to exceed 10 CFR 100, "Reactor Site Criteria," limits (Ref.

3).

APPLICABILITY In MODE 2 with keff < 1.0 and in MODES 3, 4, and 5, the SDM requirements are applicable to provide sufficient negative reactivity to meet the assumptions of the safety analyses discussed above.

In MODE 6, the shutdown reactivity requirements are given in LCO 3.9.1, "Boron Concentration."

In MODES 1 and 2 with keff > 1.0, SDM is ensured by complying with LCO 3.1.5, "Shutdown Bank Insertion Limits," and LCO 3.1.6, "Control Bank Insertion Limits."

ACTIONS A.1 If the SDM requirements are not met, boration must be initiated promptly. A Completion Time of 15 minutes is adequate for an operator to correctly align and start the required systems and components.

It is assumed that boration will be continued until the SDM requirements are met.

In the determination of the required combination of boration flow rate and boron concentration, there is no unique requirement that must be satisfied. Since it is imperative to raise the boron concentration of the RCS as soon as (continued)

North Anna Units 1 and 2 B 3. 1. 1-4 Revision 0, 04/02/02

SDM B 3.1.1 BASES ACTIONS A.1 (continued) possible, the boron concentration should be a highly concentrated solution, such as that normally found in the boric acid storage tank, or the Refueling Water Storage Tank. The operator should borate with the best source available for the unit conditions.

In determining the boration flow rate, the time in core life must be considered. For instance, the most difficult time in core life to increase the RCS boron concentration is at the beginning of cycle when the boron concentration may approach or exceed 2000 ppm. Assuming that a value of 1% Ak/k must be recovered and a boration flow rate of 10 gpm, it is possible to increase the boron concentration of the RCS by 100 ppm in approximately 59 minutes. If a boron worth of 10 pcm/ppm is assumed, this combination of parameters will increase the SDM by 1% Ak/k. These boration parameters of 10 gpm and 12,950 ppm represent typical values and are provided for the purpose of offering a specific example.

SURVEILLANCE SR 3.1.1.1 REQUIREMENTS In MODES I and 2 with keff Ž 1.0, SDM is verified by observing that the requirements of LCO 3.1.5 and LCO 3.1.6 are met. In the event that a rod is known to be untrippable,

however, SDM verification must account for the worth of the untrippable rod as well as another rod of maximum worth.

In MODE 2 with keff < 1.0 and MODES 3, 4, and 5, the SDM is verified by performing a reactivity balance calculation, considering the listed reactivity effects:

a. RCS boron concentration;
b. Control and shutdown bank position;
c.

RCS average temperature;

d. Fuel burnup based on gross thermal energy generation;
e. Xenon concentration;
f. Samarium concentration; and
g. Isothermal temperature coefficient (ITC).

North Anna Units 1 and 2 B 3. 1. 1-5 Revision 0, 04/02/02

SDM B 3.1.1 BASES SURVEILLANCE REQUIREMENTS SR 3.1.1.1 (continued)

Using the ITC accounts for Doppler reactivity calculation because the reactor is subcritical temperature will be changing at the same rate in this and the fuel as the RCS.

The Frequency of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is based on the generally slow change in required boron concentration and the low probability of an accident occurring without the required SDM. This allows time for the operator to collect the required data, which includes performing a boron concentration analysis, and complete the calculation.

REFERENCES

1. UFSAR, Section 3.1.22.
2.

UFSAR, Chapter 15.

3.

10 CFR 100.

North Anna Units 1 and 2 B 3. 1. 1-6 Revision 0, 04/02/02

Core Reactivity B 3.1.2 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.2 Core Reactivity BASES BACKGROUND According to GDC 26, GDC 28, and GDC 29 (Ref.

1), reactivity shall be controllable, such that subcriticality is maintained under cold conditions, and acceptable fuel design limits are not exceeded during normal operation and anticipated operational occurrences. Therefore, reactivity balance is used as a measure of the predicted versus measured core reactivity during power operation. The periodic confirmation of core reactivity is necessary to ensure that Design Basis Accident (DBA) and transient safety analyses remain valid. A large reactivity difference could be the result of unanticipated changes in fuel, control rod worth, or operation at conditions not consistent with those assumed in the predictions of core reactivity, and could potentially result in a loss of SDM or violation of acceptable fuel design limits. Comparing predicted versus measured core reactivity validates the nuclear methods used in the safety analysis and supports the SDM demonstrations (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)")

in ensuring the reactor can be brought safely to cold, subcritical conditions.

When the reactor core is critical or in normal power operation, a reactivity balance exists and the net reactivity is zero. A comparison of predicted and measured reactivity is convenient under such a balance, since parameters are being maintained relatively stable under steady state power conditions. The positive reactivity inherent in the core design is balanced by the negative reactivity of the control components, thermal feedback, neutron leakage, and materials in the core that absorb neutrons, such as burnable absorbers producing zero net reactivity. Excess reactivity can be inferred from the boron letdown curve (or critical boron curve),

which provides an indication of the soluble boron concentration in the Reactor Coolant System (RCS) versus cycle burnup. Periodic measurement of the RCS boron concentration for comparison with the predicted value with other variables fixed (such as rod height, temperature, pressure, and power),

provides a convenient method of ensuring that core reactivity is within design expectations and that the calculational models used to generate the safety analysis are adequate.

(continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.1.2-1

Core Reactivity B 3.1.2 BASES BACKGROUND (continued)

In order to achieve the required fuel cycle energy output, the uranium enrichment, in the new fuel loading and in the fuel remaining from the previous cycle, provides excess positive reactivity beyond that required to sustain steady state operation throughout the cycle. When the reactor is critical at RTP and moderator temperature, the excess positive reactivity is compensated by burnable absorbers (if any), control rods, whatever neutron poisons (mainly xenon and samarium) are present in the fuel, and the RCS boron concentration.

When the core is producing THERMAL POWER, the fuel is being depleted and excess reactivity is decreasing. As the fuel depletes, the RCS boron concentration is reduced to decrease negative reactivity and maintain constant THERMAL POWER.

The boron letdown curve is based on steady state operation at RTP. Therefore, deviations from the predicted boron letdown curve may indicate deficiencies in the design analysis, deficiencies in the calculational models, or abnormal core conditions, and must be evaluated.

APPLICABLE SAFETY ANALYSES The acceptance criteria for core reactivity are that the reactivity balance limit ensures unit operation is maintained within the assumptions of the safety analyses.

Accurate prediction of core reactivity is either an explicit or implicit assumption in the accident analysis evaluations.

Every accident evaluation (Ref. 2) is, therefore, dependent upon accurate evaluation of core reactivity. In particular, SDM and reactivity transients, such as control rod withdrawal accidents or rod ejection accidents, are very sensitive to accurate prediction of core reactivity. These accident analysis evaluations rely on computer codes that have been qualified against available test data, operating unit data, and analytical benchmarks. Monitoring reactivity balance additionally ensures that the nuclear methods provide an accurate representation of the core reactivity.

Design calculations and safety analyses are performed for each fuel cycle for the purpose of predetermining reactivity behavior and the RCS boron concentration requirements for reactivity control during fuel depletion.

The comparison between measured and predicted initial core reactivity provides a normalization for the calculational models used to predict core reactivity. If the measured and (continued)

North Anna Units 1 and 2 B 3.1.2-2 Revision 0, 04/02/02

Core Reactivity B 3.1.2 BASES APPLICABLE SAFETY ANALYSES (continued) predicted RCS boron concentrations for identical core conditions at beginning of cycle (BOC) do not agree, then the assumptions used in the reload cycle design analysis or the calculational models used to predict soluble boron requirements may not be accurate. If reasonable agreement between measured and predicted core reactivity exists at BOC, then the prediction may be normalized to the measured boron concentration. Thereafter, any significant deviations in the measured boron concentration from the predicted boron letdown curve that develop during fuel depletion may be an indication that the calculational model is not adequate for core burnups beyond BOC, or that an unexpected change in core conditions has occurred.

The normalization of predicted RCS boron concentration to the measured value is typically performed after reaching RTP following startup from a refueling outage, with the control rods in their normal positions for power operation. The normalization is performed at BOC conditions, so that core reactivity relative to predicted values can be continually monitored and evaluated as core conditions change during the cycle.

Core reactivity satisfies Criterion 2 of 10 CFR 50.36(c) (2)(ii).

Long term core reactivity behavior is a result of the core physics design and cannot be easily controlled once the core design is fixed. During operation, therefore, the LCO can only be ensured through measurement and tracking, and appropriate actions taken as necessary. Large differences between actual and predicted core reactivity may indicate that the assumptions of the DBA and transient analyses are no longer valid, or that the uncertainties in the Nuclear Design Methodology are larger than expected. A limit on the reactivity balance of +/- 1% Ak/k has been established based on engineering judgment. A 1% deviation in reactivity from that predicted is larger than expected for normal operation and should therefore be evaluated.

When measured core reactivity is within 1% Ak/k of the predicted value at steady state thermal conditions, the core is considered to be operating within acceptable design limits. Since deviations from the limit are normally detected by comparing predicted and measured steady state RCS critical boron concentrations, the difference between (continued)

North Anna Units 1 and 2 LCO B 3. 1.2-3 Revision 0, 04/02/02

Core Reactivity B 3.1.2 BASES LCO (continued)

APPLICABILITY measured and predicted values would be approximately 100 ppm (depending on the boron worth) before the limit is reached.

These values are well within the uncertainty limits for analysis of boron concentration samples, so that spurious violations of the limit due to uncertainty in measuring the RCS boron concentration are unlikely.

The limits on core reactivity must be maintained during MODES 1 and 2 because a reactivity balance must exist when the reactor is critical or producing THERMAL POWER.

As the fuel depletes, core conditions are changing, and confirmation of the reactivity balance ensures the core is operating as designed. This Specification does not apply in MODES 3, 4, and 5 because the reactor is shut down and the reactivity balance is not changing.

In MODE 6, fuel loading results in a continually changing core reactivity. Boron concentration requirements (LCO 3.9.1, "Boron Concentration") ensure that fuel movements are performed within the bounds of the safety analysis. An SDM demonstration is required during the first startup following operations that could have altered core reactivity (e.g., fuel movement, control rod replacement, control rod shuffling).

ACTIONS A.1 and A.2 Should an anomaly develop between measured and predicted core reactivity, an evaluation of the core design and safety analysis must be performed. Core conditions are evaluated to determine their consistency with input to design calculations. Measured core and process parameters are evaluated to determine that they are within the bounds of the safety analysis, and safety analysis calculational models are reviewed to verify that they are adequate for representation of the core conditions. The required Completion Time of 7 days is based on the low probability of a DBA occurring during this period, and allows sufficient time to assess the physical condition of the reactor and complete the evaluation of the core design and safety analysis.

Following evaluations of the core design and safety analysis, the cause of the reactivity anomaly may be resolved. If the cause of the reactivity anomaly is a (continued)

North Anna Units 1 and 2 B 3.1.2-4 Revision 0, 04/02/02

Core Reactivity B 3.1.2 BASES ACTIONS A.1 and A.2 (continued) mismatch in core conditions at the time of RCS boron concentration sampling, then a recalculation of the RCS boron concentration requirements may be performed to demonstrate that core reactivity is behaving as expected.

If an unexpected physical change in the condition of the core has occurred, it must be evaluated and corrected, if possible. If the cause of the reactivity anomaly is in the calculation technique, then the calculational models must be revised to provide more accurate predictions. If any of these results are demonstrated, and it is concluded that the reactor core is acceptable for continued operation, then the boron letdown curve may be renormalized and power operation may continue. If operational restriction or additional SRs are necessary to ensure the reactor core is acceptable for continued operation, then they must be defined.

The required Completion Time of 7 days is adequate for preparing whatever operating restrictions or Surveillances that may be required to allow continued reactor operation.

B.1 If the core reactivity cannot be restored to within the 1% Ak/k limit, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. If the SDM for MODE 3 is not met, then the boration required by SR 3.1.1.1 would occur. The allowed Completion Time is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.1.2.1 REQUIREMENTS Core reactivity is verified by periodic comparisons of measured and predicted RCS boron concentrations. The comparison is made, considering that other core conditions are fixed or stable, including control rod position, moderator temperature, fuel temperature, fuel depletion, xenon concentration, and samarium concentration. The Surveillance is performed prior to entering MODE 1 as an initial check on core conditions and design calculations at BOC.

The SR is modified by a Note. The Note indicates that any normalization of predicted core reactivity to the (continued)

North Anna Units 1 and 2 B 3.1.2-5 Revision 0, 04/02/02

Core Reactivity B 3.1.2 BASES SURVEILLANCE REQUIREMENTS SR 3.1.2.1 (continued) measured value must take place within the first 60 effective full power days (EFPD) after each fuel loading. This allows sufficient time for core conditions to reach steady state, but prevents operation for a large fraction of the fuel cycle without establishing a benchmark for the design calculations. The required subsequent Frequency of 31 EFPD, following the initial 60 EFPD after entering MODE 1, is acceptable, based on the slow rate of core changes due to fuel depletion and the presence of other indicators (QPTR, AFD, etc.) for prompt indication of an anomaly.

REFERENCES

1. UFSAR, Sections 3.1.22, 3.1.24, and 3.1.25.
2.

UFSAR, Chapter 15.

North Anna Units 1 and 2 B 3. 1.2-6 Revision 0, 04/02/02

MTC B 3.1.3 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.3 Moderator Temperature Coefficient (MTC)

BASES BACKGROUND According to GDC 11 (Ref.

1), the reactor core and its interaction with the Reactor Coolant System (RCS) must be designed for inherently stable power operation, even in the possible event of an accident. In particular, the net reactivity feedback in the system must compensate for any unintended reactivity increases.

The MTC relates a change in core reactivity to a change in reactor coolant temperature (a positive MTC means that reactivity increases with increasing moderator temperature; conversely, a negative MTC means that reactivity decreases with increasing moderator temperature).

The reactor is designed to operate with a negative MTC over the largest possible range of fuel cycle operation. Therefore, a coolant temperature increase will cause a reactivity decrease, so that the coolant temperature tends to return toward its initial value. Reactivity increases that cause a coolant temperature increase will thus be self limiting, and stable power operation will result.

MTC values are predicted at selected burnups during the safety evaluation analysis and are confirmed to be acceptable by measurements.

Both initial and reload cores are designed so that the beginning of cycle (BOC)

MTC is less than or equal to zero when THERMAL POWER is at RTP.

The actual value of the MTC is dependent on core characteristics, such as fuel loading and reactor coolant soluble boron concentration. The core design may require additional fixed distributed poisons to yield an MTC at BOC within the range analyzed in the unit accident analysis. The end of cycle (EOC)

MTC is also limited by the requirements of the accident analysis. Fuel cycles are evaluated to ensure that the MTC does not exceed the EOC limit.

The limitations on MTC are provided to ensure that the value of this coefficient remains within the limiting conditions assumed in the UFSAR accident and transient analyses.

(continued)

North Anna Units 1 and 2 B 3.1.3-1 Revision 0, 04/02/02

MTC B 3.1.3 BASES BACKGROUND If the LCO limits are not met, the unit response during (continued) transients may not be as predicted. For example, the core could violate criteria that prohibit a return to criticality, or the departure from nucleate boiling ratio criteria of the approved correlation may be violated, which could lead to a loss of the fuel cladding integrity.

The SRs for measurement of the MTC at the beginning and near the end of the fuel cycle are adequate to confirm that the MTC remains within its limits, since this coefficient changes slowly, due principally to the reduction in RCS boron concentration associated with fuel burnup.

APPLICABLE The acceptance criteria for the specified MTC are:

SAFETY ANALYSES

a. The MTC values must remain within the bounds of those used in the accident analysis (Ref. 2); and
b. The MTC must be such that inherently stable power operations result during normal operation and accidents, such as overheating and overcooling events.

The UFSAR, Chapter 15 (Ref. 2), contains analyses of accidents that result in both overheating and overcooling of the reactor core. MTC is one of the controlling parameters for core reactivity in these accidents. Both the most positive value and most negative value of the MTC are important to safety, and both values must be bounded. Values used in the analyses consider worst case conditions to ensure that the accident results are bounding (Ref. 3).

The consequences of accidents that cause core overheating must be evaluated when the MTC is positive. Such accidents include the rod withdrawal transient from either zero or RTP, loss of main feedwater flow, and loss of forced reactor coolant flow. The consequences of accidents that cause core overcooling must be evaluated when the MTC is negative. Such accidents include sudden feedwater flow increase and sudden decrease in feedwater temperature.

In order to ensure a bounding accident analysis, the MTC is assumed to be its most limiting value for the analysis conditions appropriate to each accident. The bounding value is determined by considering rodded and unrodded conditions, whether the reactor is at full or zero power, and whether it (continued)

North Anna Units 1 and 2 B 3.1.3-2 Revision 0, 04/02/02

MTC B 3.1.3 BASES APPLICABLE is the BOC or EOC life. The most conservative combination SAFETY ANALYSES appropriate to the accident is then used for the analysis (continued)

(Ref.

2).

MTC values are bounded in reload safety evaluations assuming steady state conditions at BOC and EOC.

An EOC measurement is conducted at conditions when the RCS boron concentration reaches approximately 300 ppm. The measured value may be extrapolated to project the EOC value, in order to confirm reload design predictions.

MTC satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

Even though it is not directly observed and controlled from the control room, MTC is considered an initial condition process variable because of its dependence on boron concentration.

LCO LCO 3.1.3 requires the MTC to be within specified limits of the COLR to ensure that the core operates within the assumptions of the accident analysis. During the reload core safety evaluation, the MTC is analyzed to determine that its values remain within the bounds of the original accident analysis during operation.

Assumptions made in safety analyses require that the MTC be less positive than a given upper bound and more positive than a given lower bound. The MTC is most positive at BOC; this upper bound must not be exceeded. This maximum upper limit occurs at BOC, all rods out (ARO),

hot zero power conditions.

At EOC the MTC takes on its most negative value, when the lower bound becomes important. This LCO exists to ensure that both the upper and lower bounds are not exceeded.

During operation, therefore, the conditions of the LCO can only be ensured through measurement. The Surveillance checks at BOC and EOC on MTC provide confirmation that the MTC is behaving as anticipated so that the acceptance criteria are met.

The LCO establishes a maximum positive value that cannot be exceeded. The upper limit and the lower limit are established in the COLR to allow specifying limits for each particular cycle. This permits the unit to take advantage of improved fuel management and changes in unit operating schedule.

North Anna Units 1 and 2 B 3.1.3-3 Revision 0, 04/02/02

MTC B 3.1.3 BASES APPLICABILITY Technical Specifications place both LCO and SR values on

MTC, based on the safety analysis assumptions described above.

In MODE 1, the limits on MTC must be maintained to ensure that any accident initiated from THERMAL POWER operation will not violate the design assumptions of the accident analysis. In MODE 2 with the reactor critical, the upper limit must also be maintained to ensure that startup and subcritical accidents (such as the uncontrolled control rod assembly or group withdrawal) will not violate the assumptions.of the accident analysis. The lower MTC limit must be maintained in MODES 2 and 3, in addition to MODE 1, to ensure that cooldown accidents will not violate the assumptions of the accident analysis. In MODES 4, 5, and 6, this LCO is not applicable, since no Design Basis Accidents using the MTC as an analysis assumption are initiated from these MODES.

ACTIONS A.1 If the upper MTC limit is violated, administrative withdrawal limits for control banks must be established to maintain the MTC within its limits. The MTC becomes more negative with control bank insertion and decreased boron concentration. A Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> provides enough time for evaluating the MTC measurement and computing the required bank withdrawal limits.

As cycle burnup is increased, the RCS boron concentration will be reduced. The reduced boron concentration causes the MTC to become more negative. Using physics calculations, the time in cycle life at which the calculated MTC will meet the LCO requirement can be determined. At this point in core life Condition A no longer exists. The unit is no longer in the Required Action, so the administrative withdrawal limits are no longer in effect.

B.1 If the required administrative withdrawal limits at BOC are not established within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, the unit must be brought to MODE 2 with keff < 1.0 to prevent operation with an MTC that is more positive than that assumed in safety analyses.

(continued)

North Anna Units 1 and 2 B 3.1.3-4 Revision 0, 04/02/02

MTC B 3.1.3 BASES ACTIONS B.1 (continued)

The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging unit systems.

C.1 Exceeding the lower MTC limit means that the safety analysis assumptions for the EOC accidents that use a bounding negative MTC value may be invalid. If the lower MTC limit is exceeded, the unit must be brought to a MODE or condition in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to at least MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

The allowed Completion Time is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.1.3.1 REQUIREMENTS This SR requires measurement of the MTC at BOC prior to entering MODE 1 in order to demonstrate compliance with the most positive MTC LCO. Meeting the limit prior to entering MODE 1 ensures that the limit will also be met at higher power levels.

The BOC MTC value for ARO will be inferred from isothermal temperature coefficient measurements obtained during the physics tests after refueling. The ARO value can be directly compared to the upper MTC limit of the LCO.

If required, measurement results and predicted design values can be used to establish administrative withdrawal limits for control banks.

SR 3.1.3.2 In similar fashion, the LCO demands that the MTC be less negative than the specified value for EOC full power conditions. This measurement may be performed at any THERMAL POWER, but its results must be extrapolated to the conditions of RTP and all banks withdrawn in order to make a proper comparison with the LCO value. Because the RTP MTC (continued)

North Anna Units 1 and 2 B 3.1.3-5 Revision 0, 04/02/02

MTC B 3.1.3 BASES SURVEILLANCE SR 3.1.3.2 (continued)

REQUIREMENTS value will gradually become more negative with further core depletion and boron concentration reduction, a 300 ppm SR value of MTC should necessarily be less negative than the lower LCO limit. The 300 ppm SR value is sufficiently less negative than the lower LCO limit value to ensure that the LCO limit will be met when the 300 ppm Surveillance criterion is met.

SR 3.1.3.2 is modified by three Notes that include the following requirements:

a. The SR is not required to be performed until 7 Effective Full Power Days (EFPDs) after reaching the equivalent of an equilibrium RTP all rods out (ARO) boron concentration of 300 ppm.
b.

If the 300 ppm Surveillance limit is exceeded, it is possible that the lower limit on MTC could be reached before the planned EOC.

Because the MTC changes slowly with core depletion, the Frequency of 14 EFPDs is sufficient to avoid exceeding the EOC limit.

c.

The Surveillance limit for RTP boron concentration of 60 ppm is conservative.

If the measured MTC at 60 ppm is more positive than the 60 ppm Surveillance limit, the lower limit will not be exceeded because of the gradual manner in which MTC changes with core burnup.

REFERENCES

1. UFSAR, Section 3.1.7.
2.

UFSAR, Chapter 15.

3. VEP-FRD-42, Rev.

1A, "Reload Nuclear Design Methodology,"

September 1986.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.1.3-6

Rod Group Alignment Limits B 3.1.4 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.4 Rod Group Alignment Limits BASES BACKGROUND The OPERABILITY (i.e., trippability) of the shutdown and control rods is an initial assumption in all safety analyses that assume rod insertion upon reactor trip. Maximum rod misalignment is an initial assumption in the safety analysis that directly affects core power distributions and assumptions of available SDM.

The applicable criteria for these reactivity and power distribution design requirements are GDC 10, "Reactor Design," GDC 26, "Reactivity Control System Redundancy and Capability" (Ref.

1), and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Plants" (Ref. 2).

Mechanical or electrical failures may cause a control or shutdown rod to become inoperable or to become misaligned from its group. Rod inoperability or misalignment may cause increased power peaking, due to the asymmetric reactivity distribution and a reduction in the total available rod worth for reactor shutdown. Therefore, rod alignment and OPERABILITY are related to core operation in design power peaking limits and the core design requirement of a minimum SDM.

Limits on rod alignment have been established, and all rod positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved.

Rod cluster control assemblies (RCCAs),

or rods, are moved by their control rod drive mechanisms (CRDMs).

Each CRDM moves its RCCA one step (approximately 5/8 inch) at a time, but at varying rates (steps per minute) depending on the signal output from the Rod Control System.

The RCCAs are divided among control banks and shutdown banks. Each bank may be further subdivided into two groups to provide for precise reactivity control. A group consists of four RCCAs that are electrically paralleled to step simultaneously. If a bank of RCCAs consists of two groups, (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3. 1.4-1

Rod Group Alignment Limits B 3.1.4 BASES BACKGROUND the groups are moved in a staggered fashion, but always (continued) within one step of each other. There are four control banks and two shutdown banks.

The shutdown banks are maintained either in the fully inserted or fully withdrawn position. The control banks are moved in an overlap pattern, using the following withdrawal sequence: When control bank A reaches a predetermined height in the core, control bank B begins to move out with control bank A. Control bank A stops at the position of maximum withdrawal, and control bank B continues to move out. When control bank B reaches a predetermined height, control bank C begins to move out with control bank B. This sequence continues until control banks A, B, and C are at the fully withdrawn position, and control bank D is approximately halfway withdrawn. The insertion sequence is the opposite of the withdrawal sequence. The control rods are arranged in a radially symmetric pattern, so that control bank motion does not introduce radial asymmetries in the core power distributions.

The axial position of shutdown rods and control rods is indicated by two separate and independent systems, which are the Bank Demand Position Indication System (commonly called group step counters) and the Rod Position Indication (RPI)

System.

The Bank Demand Position Indication System counts the pulses from the rod control system that moves the rods. There is one step counter for each group of rods. Individual rods in a group all receive the same signal to move and should, therefore, all be at the same position indicated by the group step counter for that group. The Bank Demand Position Indication System is considered highly precise (+/- I step or

+/- 5/8 inch). If a rod does not move one step for each demand pulse, the step counter will still count the pulse and incorrectly reflect the position of the rod.

The RPI System provides a highly accurate indication of actual rod position, but at a lower precision than the step counters. This system is based on inductive analog signals from a series of coils spaced along a hollow tube. The RPI system is capable of monitoring rod position within at least

+/- 12 steps.

North Anna Units 1 and 2 B 3.1.4-2 Revision 0, 04/02/02

Rod Group Alignment Limits B 3.1.4 BASES APPLICABLE Rod misalignment accidents are analyzed in the safety SAFETY ANALYSES analysis (Ref.

3).

The acceptance criteria for addressing rod inoperability or misalignment are that:

a. There be no violations of:
1. specified acceptable fuel design limits, or
2.

Reactor Coolant System (RCS) pressure boundary integrity; and

b. The core remains subcritical after accident transients.

Two types of misalignment are distinguished. During movement of a rod group, one rod may stop moving, while the other rods in the group continue. This condition may cause excessive power peaking. The second type of misalignment occurs if one rod fails to insert upon a reactor trip and remains stuck fully withdrawn. This condition requires an evaluation to determine that sufficient reactivity worth is held in the rods to meet the SDM requirement, with the maximum worth rod stuck fully withdrawn.

Two types of analysis are performed in regard to static rod misalignment (Ref. 4).

With control and shutdown banks at their insertion limits, one type of analysis considers the case when any one rod is completely inserted into the core.

The second type of analysis considers the case of a completely withdrawn single rod from a bank inserted to its insertion limit. Satisfying limits on departure from nucleate boiling ratio in both of these cases bounds the situation when a rod is misaligned from its group by 12 steps.

Another type of misalignment occurs if one RCCA fails to insert upon a reactor trip and remains stuck fully withdrawn. This condition is assumed in the evaluation to determine that the required SDM is met with the maximum worth RCCA also fully withdrawn (Ref. 5).

The Required Actions in this LCO ensure that either deviations from the alignment limits will be corrected or that THERMAL POWER will be adjusted so that excessive local linear heat rates (LHRs) will not occur, and that the requirements on SDM and ejected rod worth are preserved.

(continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.1.4-3

Rod Group Alignment Limits B 3.1.4 BASES APPLICABLE SAFETY ANALYSES (continued)

Continued operation of the reactor with a misaligned rod is allowed if power is reduced or if the heat flux hot channel factor (Fg(Z))

and the nuclear enthalpy rise hot channel factor (F.0 are verified to be within their limits in the COLR and the safety analysis is verified to remain valid.

When a rod is misaligned, the assumptions that are used to determine the rod insertion limits, AFD limits, and quadrant power tilt limits are not preserved. Therefore, the limits may not preserve the design peaking factors, and FQ(Z) and FaH must be verified directly by incore mapping. Bases Section 3.2 (Power Distribution Limits) contains more complete discussions of the relation of FQ(Z) and FAH to the operating limits.

Shutdown and control rod OPERABILITY and alignment are directly related to power distributions and SDM, which are initial conditions assumed in safety analyses. Therefore they satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).

The limits on shutdown or control rod alignments ensure that the assumptions in the safety analysis will remain valid.

The requirements on rod OPERABILITY ensure that upon reactor trip, the assumed reactivity will be available and will be inserted. The rod OPERABILITY requirements (i.e.,

trippability) are separate from the alignment requirements which ensure that the RCCAs and banks maintain the correct power distribution and rod alignment. The rod OPERABILITY requirement is satisfied provided the rod will fully insert in the required rod drop time assumed in the safety analysis.

Rod control malfunctions that result in the inability to move a rod (e.g., rod lift coil failures), but that do not impact trippability, do not result in rod inoperability.

The requirement to maintain the rod alignment to within plus or minus 12 steps is conservative. The minimum misalignment assumed in safety analysis is 24 steps (15 inches), and in some cases a total misalignment from fully withdrawn to fully inserted is assumed.

Failure to meet the requirements of this LCO may produce unacceptable power peaking factors and LHRs, or unacceptable SDMs, all of which may constitute initial conditions inconsistent with the safety analysis.

(continued)

North Anna Units 1 and 2 LCO B 3.1.4-4 Revision 0, 04/02/02

Rod Group Alignment Limits B 3.1.4 BASES LCO (continued)

APPLICABILITY ACTIONS The LCO has been modified by a Note. The Note permits a wider tolerance on indicated rod position for a maximum of one hour in every 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to allow stabilization of known thermal drift in the individual rod position indicator channels.

This thermal soak time is available both for a continuous one hour period or several discrete intervals as long as the total time does not exceed 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> in any 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> period and the indicated rod position does not exceed 24 steps from the group step counter demand position. This allowance applies to the indicated position of the rod, not its actual position. If the actual position is known to be greater than 12 steps from the group step counter demand position, the Conditions and Required Actions of the specification must be followed.

The requirements on RCCA OPERABILITY and alignment are applicable in MODES 1 and 2 because these are the only MODES in which neutron (or fission) power is generated, and the OPERABILITY (i.e., trippability) and alignment of rods have the potential to affect the safety of the unit. In MODES 3, 4, 5, and 6, the alignment limits do not apply because the rods are normally bottomed and the reactor is shut down and not producing fission power. In the shutdown MODES, the OPERABILITY of the shutdown and control rods has the potential to affect the required SDM, but this effect can be compensated for by an increase in the boron concentration of the RCS.

See LCO 3.1.1, "SHUTDOWN MARGIN (SDM)," for SDM in MODES 3, 4,

and 5 and LCO 3.9.1, "Boron Concentration," for boron concentration requirements during refueling.

A.1.1 and A.1.2 When one or more rods are inoperable (i.e., untrippable),

there is a possibility that the required SDM may be adversely affected. Under these conditions, it is important to determine the SDM, and if it is less than the required value, initiate boration until the required SDM is recovered. The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is adequate for determining SDM and, if necessary, for initiating emergency boration and restoring SDM.

In this situation, SDM verification must include the worth of the untrippable rod, as well as a rod of maximum worth.

North Anna Units 1 and 2 B 3.1.4-5 Revision 0, 04/02/02

Rod Group Alignment Limits B 3.1.4 BASES ACTIONS A.2 (continued)

If the inoperable rod(s) cannot be restored to OPERABLE status, the unit must be brought to a MODE or condition in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

The allowed Completion Time is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging unit systems.

B.1.1 and B.1.2 With a misaligned rod, SDM must be verified to be within limit or boration must be initiated to restore SDM to within limit.

In many cases, realigning the remainder of the group to the misaligned rod may not be desirable. For example, realigning control bank C to a rod that is misaligned 15 steps from the top of the core would require a significant power reduction, since control bank D must be moved in significantly to meet the overlap requirements.

Power operation may continue with one RCCA OPERABLE but misaligned, provided that SDM is verified within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> represents the time necessary for determining the actual unit SDM and, if necessary, aligning and starting the necessary systems and components to initiate boration. Since the core conditions can change with time, periodic verification of SDM is required. A Frequency of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is sufficient to ensure this requirement continues to be met.

B.2.1, B.2.2.1. B.2.2.2, and B.3 For continued operation with a misaligned rod, RTP must be reduced or hot channel factors (FQ(Z) and FAH) must be verified within limits, and the safety analyses must be re-evaluated to confirm continued operation is permissible.

Reduction of power to 75% RTP ensures that local LHR increases due to a misaligned RCCA will not cause the core design criteria to be exceeded (Ref. 4).

The Completion Time (continued)

North Anna Units 1 and 2 B 3.1.4-6 Revision 0, 04/02/02

Rod Group Alignment Limits B 3.1.4 BASES ACTIONS B.2.1, B.2.2.1, B.2.2.2, and B.3 (continued) of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> gives the operator sufficient time to accomplish an orderly power reduction without challenging the Reactor Protection System.

Alternatively, verifying that FQ(Z) and FAH are within the required limits ensures that current operation with a rod misaligned does not result in power distributions that may invalidate safety analysis assumptions. The Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allows sufficient time to obtain flux maps of the core power distribution using the incore flux mapping system and to calculate FQ(Z) and FAH*

Once current conditions have been verified acceptable, time is available to perform evaluations of accident analysis to determine that core limits will not be exceeded during a Design Basis Event for the duration of operation under these conditions. The accident analyses presented in UFSAR, Chapter 15 (Ref.

3) that may be adversely affected will be evaluated to ensure that the analysis results remain valid for the duration of continued operation under these conditions. A Completion Time of 5 days is sufficient time to obtain the required input data and to perform the analysis.

C.1 When Required Actions cannot be completed within their Completion Time, the unit must be brought to a MODE or Condition in which the LCO requirements are not applicable.

To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, which obviates concerns about the development of undesirable xenon or power distributions. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging the unit systems.

D.1.1 and D.1.2 More than one rod becoming misaligned from its group average position is not expected, and has the potential to reduce SDM. Therefore, SDM must be evaluated. One hour allows the operator adequate time to determine SDM. Restoration of the required SDM, if necessary, requires increasing the RCS boron concentration to provide negative reactivity, as (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.1.4-7

Rod Group Alignment Limits B 3.1.4 BASES ACTIONS D.1.1 and D.1.2 (continued) described in the Bases or LCO 3.1.1. The required Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> for initiating boration is reasonable, based on the time required for potential xenon redistribution, the low probability of an accident occurring, and the steps required to complete the action. This allows the operator sufficient time to align the required valves and start the boric acid pumps. Boration will continue until the required SDM is restored.

D.2 If more than one rod is found to be misaligned or becomes misaligned because of bank movement, the unit conditions fall outside of the accident analysis assumptions. Since automatic bank sequencing would continue to cause misalignment, the unit must be brought to a MODE or Condition in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

The allowed Completion Time is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.1.4.1 REQUIREMENTS Verification that individual rod positions are within alignment limits at a Frequency of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> provides a history that allows the operator to detect a rod that is beginning to deviate from its expected position. If an individual rod position is not within the alignment limit of the group step counter demand position, a determination must be made whether the problem is the actual rod position or the indicated rod position. If the actual rod position is not within the alignment limit, follow the Conditions and Required Actions in Specification 3.1.4. If the indicated, not actual, rod position is not within the alignment limit, follow the Conditions and Required Actions of Specification 3.1.7, Rod Position Indication. The specified Frequency takes into account other rod position information that is continuously available to the operator in the control room, so that during actual rod motion, deviations can immediately be detected.

North Anna Units 1 and 2 B 3. 1.4-8 Revision 0, 04/02/02

Rod Group Alignment Limits B 3.1.4 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.1.4.2 Verifying each rod is OPERABLE would require that each rod be tripped. However, in MODES 1 and 2, tripping each rod would result in radial or axial power tilts, or oscillations.

Exercising each individual rod every 92 days provides increased confidence that all rods continue to be OPERABLE without exceeding the alignment limit, even if they are not regularly tripped. Moving each rod by 10 steps will not cause radial or axial power tilts, or oscillations, to occur. The 92 day Frequency takes into consideration other information available to the operator in the control room and SR 3.1.4.1, which is performed more frequently and adds to the determination of OPERABILITY of the rods. Between required performances of SR 3.1.4.2 (determination of rod OPERABILITY by movement),

if a rod(s) is discovered to be immovable, but remains trippable, the rod(s) is considered to be OPERABLE.

At any time, if a rod(s) is immovable, a determination of the trippability (OPERABILITY) of the rod(s) must be made, and appropriate action taken.

SR 3.1.4.3 Verification of rod drop times allows the operator to determine that the maximum rod drop time permitted is consistent with the assumed rod drop time used in the safety analysis. Measuring rod drop times prior to reactor criticality, after reactor vessel head removal, ensures that the reactor internals and rod drive mechanism will not interfere with rod motion or rod drop time, and that no degradation in these systems has occurred that would adversely affect rod motion or drop time. This testing is performed with all RCPs operating and the average moderator temperature _> 500°F to simulate a reactor trip under actual conditions. The surveillance procedure for rod drop time uses a limit on rod drop time reduced from the value in SR 3.1.4.3 in order to ensure that the negative reactivity insertion rate used in the accident analyses bounds a reactor trip concurrent with a postulated seismic event.

This Surveillance is performed during a unit the unit conditions needed to perform the SR potential for an unplanned unit transient if Surveillance were performed with the reactor outage, due to and the the at power.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.1.4-9

Rod Group Alignment Limits B 3.1.4 BASES REFERENCES

1. UFSAR, Sections 3.1.6 and 3.1.22.
2. 10 CFR 50.46.
3. UFSAR, Chapter 15.
4. UFSAR, Section 15.2.3.
5. UFSAR, Section 4.3.1.5.

North Anna Units 1 and 2 B 3.1.4-10 Revision 0, 04/02/02

Shutdown Bank Insertion Limits B 3.1.5 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.5 Shutdown Bank Insertion Limits BASES BACKGROUND The insertion limits of the shutdown and control rods are initial assumptions in all safety analyses that assume rod insertion upon reactor trip. The insertion limits directly affect core power and fuel burnup distributions and assumptions of available ejected rod worth, SDM and initial reactivity insertion rate.

The applicable criteria for these reactivity and power distribution design requirements are GDC 10, "Reactor Design," GDC 26, "Reactivity Control System Redundancy and Protection," GDC 28, "Reactivity Limits" (Ref.

1), and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 2). Limits on control rod insertion have been established, and all rod positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved.

The rod cluster control assemblies (RCCAs) are divided among control banks and shutdown banks. Each bank is further subdivided into two groups to provide for precise reactivity control. A group consists of four RCCAs that are electrically paralleled to step simultaneously. A bank of RCCAs consists of two groups that are moved in a staggered fashion, but always within one step of each other. There are four control banks and two shutdown banks. See LCO 3.1.4, "Rod Group Alignment Limits," for control and shutdown rod OPERABILITY and alignment requirements, and LCO 3.1.7, "Rod Position Indication," for position indication requirements.

The control banks are used for precise reactivity control of the reactor. The positions of the control banks are normally automatically controlled by the Rod Control System, but they can also be manually controlled. They are capable of adding negative reactivity very quickly (compared to borating). The control banks must be maintained above designed insertion limits and are typically near the fully withdrawn position during normal full power operations.

(continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.1.5-1

Shutdown Bank Insertion Limits B 3.1.5 BASES BACKGROUND (continued)

Hence, they are not capable of adding a large amount of positive reactivity. Boration or dilution of the Reactor Coolant System (RCS) compensates for the reactivity changes associated with large changes in RCS temperature. The design calculations are performed with the assumption that the shutdown banks are withdrawn first. The shutdown banks can be fully withdrawn without the core going critical. This provides available negative reactivity in the event of boration errors. The shutdown banks are controlled manually by the control room operator. During normal unit operation, the shutdown banks are either fully withdrawn or fully inserted. The shutdown banks must be completely withdrawn from the core, prior to withdrawing any control banks during an approach to criticality. The shutdown banks are then left in this position until the reactor is shut down.

They add negative reactivity to shut down the reactor upon receipt of a reactor trip signal.

APPLICABLE SAFETY ANALYSES On a reactor trip, all RCCAs (shutdown banks and control banks), except the most reactive RCCA, are assumed to insert into the core. The shutdown banks shall be at or above their insertion limits and available to insert the maximum amount of negative reactivity on a reactor trip signal. The control banks may be partially inserted in the core, as allowed by LCO 3.1.6, "Control Bank Insertion Limits." The shutdown bank and control bank insertion limits are established to ensure that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM (see LCO 3.1.1, "SHUTDOWN MARGIN (SDM)")

following a reactor trip from full power. The combination of control banks and shutdown banks (less the most reactive RCCA, which is assumed to be fully withdrawn) is sufficient to take the reactor from full power conditions at rated temperature to zero power, and to maintain the required SDM at rated no load temperature (Ref. 3). The shutdown bank insertion limit also limits the reactivity worth of an ejected shutdown rod.

The acceptance criteria for addressing shutdown rod bank insertion limits and inoperability or misalignment is that:

a. There be no violations of:
1. specified acceptable fuel design limits, or
2. RCS pressure boundary integrity; and
b. The core remains subcritical after accident transients.

North Anna Units 1 and 2 B 3.1.5-2 Revision 0, 04/02/02

Shutdown Bank Insertion Limits B 3.1.5 BASES APPLICABLE As such, the shutdown bank insertion limits affect safety SAFETY ANALYSES analysis involving core reactivity and SDM (Ref. 3).

(continued)

The shutdown bank insertion limits preserve an initial condition assumed in the safety analyses and, as such, satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO The shutdown banks must be within their insertion limits any time the reactor is critical or approaching criticality.

This ensures that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM following a reactor trip.

The shutdown bank insertion limits are defined in the COLR.

APPLICABILITY The shutdown banks must be within their insertion limits, with the reactor in MODES 1 and 2. This ensures that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM following a reactor trip. The shutdown banks do not have to be within their insertion limits in MODE 3, unless an approach to criticality is being made.

In MODE 3, 4, or 5, the shutdown banks are fully inserted in the core and contribute to the SDM. Refer to LCO 3.1.1 for SDM requirements in MODES 3, 4, and 5.

LCO 3.9.1, "Boron Concentration," ensures adequate SDM in MODE 6.

The Applicability requirements have been modified by a Note indicating the LCO requirement is suspended during SR 3.1.4.2. This SR verifies the freedom of the rods to move, and requires the shutdown bank to move below the LCO limits, which would normally violate the LCO.

Should the SR testing be suspended due to equipment malfunction with a rod bank below the insertion limit, the applicable Condition should be entered.

ACTIONS A.1.1, A.1.2 and A.2 When one or more shutdown banks is not within insertion limits, except as allowed by Condition B, 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> is allowed to restore the shutdown banks to within the insertion limits. This is necessary because the available SDM may be significantly reduced, with one or more of the shutdown banks not within their insertion limits. Also, verification (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.1.5-3

Shutdown Bank Insertion Limits B 3.1.5 BASES ACTIONS A.1.1, A.1.2 and A.2 (continued) of SDM or initiation of boration within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is required, since the SDM in MODES 1 and 2 is ensured by adhering to the control and shutdown bank insertion limits (see LCO 3.1.1).

If shutdown banks are not within their insertion limits, then SDM will be verified by performing a reactivity balance calculation, considering the effects listed in the BASES for SR 3.1.1.1.

The allowed Completion Time of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> provides an acceptable time for evaluating and repairing minor problems without allowing the unit to remain in an unacceptable condition for an extended period of time.

B.1 and B.2 If a shutdown bank is inserted below the insertion limits, power operation may continue for up to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> provided that the bank is not inserted more than 18 steps below the insertion limits, the control and shutdown rods are within the operability and rod group alignment requirements provided in LCO 3.1.4, and the control banks are within the insertion limits provided in LCO 3.1.6. The requirement to be in compliance with LCO 3.1.4 and LCO 3.1.6 ensures that the rods are trippable, and power distribution is acceptable during the time allowed to restore the inserted rod. If any of these Conditions are not met, Condition A must be applied.

The Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is based on operating experience and provides an acceptable time for evaluating and repairing problems with the rod control system.

C.1 If the Required Action and associated Completion Time of Conditions A or B are not met, the unit must be brought to a MODE where the LCO is not applicable. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging unit systems.

North Anna Units 1 and 2 B 3.1.5-4 Revision 0, 04/02/02

Shutdown Bank Insertion Limits B 3.1.5 BASES SURVEILLANCE SR 3.1.5.1 REQUIREMENTS Verification that the shutdown banks are within their insertion limits prior to an approach to criticality ensures that when the reactor is critical, or being taken critical, the shutdown banks will be available to shut down the reactor, and the required SDM will be maintained following a reactor trip. This SR and Frequency ensure that the shutdown banks are withdrawn before the control banks are withdrawn during a unit startup.

Since the shutdown banks are positioned manually by the control room operator, a verification of shutdown bank position at a Frequency of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, after the reactor is taken critical, is adequate to ensure that they are within their insertion limits. Also, the 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency takes into account other information available in the control room for the purpose of monitoring the status of shutdown rods.

REFERENCES

1. UFSAR, Sections 3.1.6, 3.1.22, and 3.1.24.
2. 10 CFR 50.46.
3. UFSAR, Chapter 15.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.1.5-5

Intentionally Blank

Control Bank Insertion Limits B 3.1.6 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.6 Control Bank Insertion Limits BASES BACKGROUND The insertion limits of the shutdown and control rods are initial assumptions in all safety analyses that assume rod insertion upon reactor trip. The insertion limits directly affect core power and fuel burnup distributions and assumptions of available SDM, and initial reactivity insertion rate.

The applicable criteria for these reactivity and power distribution design requirements are GDC 10, "Reactor Design," GDC 26, "Reactivity Control System Redundancy and Protection," GDC 28, "Reactivity Limits" (Ref.

1), and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 2). Limits on control rod insertion have been established, and all rod positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved.

The rod cluster control assemblies (RCCAs) are divided among control banks and shutdown banks. Each bank is further subdivided into two groups to provide for precise reactivity control. A group consists of four RCCAs that are electrically paralleled to step simultaneously. A bank of RCCAs consists of two groups that are moved in a staggered fashion, but always within one step of each other. There are four control banks and two shutdown banks. See LCO 3.1.4, "Rod Group Alignment Limits," for control and shutdown rod OPERABILITY and alignment requirements, and LCO 3.1.7, "Rod Position Indication," for position indication requirements.

The control bank insertion limits are specified in the COLR.

An example is provided for information only in Figure B 3.1.6-1. The control banks are required to be at or above the insertion limit lines.

Figure B 3.1.6-1 also indicates how the control banks are sequenced and moved in an overlap pattern. Overlap is the distance travelled together by two control banks. Sequencing is the order in which the banks are moved. For example, if the fully withdrawn position is 231 steps, as in (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.1.6-1

Control Bank Insertion Limits B 3.1.6 BASES BACKGROUND (continued)

APPLICABLE SAFETY ANALYSES Figure B 3.1.6-1, control bank D will begin to move with bank C on a withdrawal when control bank C is at 128 steps.

The fully withdrawn position, as well as proper overlap and sequence, are defined in the COLR.

The control banks are used for precise reactivity control of the reactor. The positions of the control banks are normally controlled automatically by the Rod Control System, but can also be manually controlled. They are capable of adding reactivity very quickly (compared to borating or diluting).

The power density at any point in the core must be limited, so that the fuel design criteria are maintained. Together, LCO 3.1.4, LCO 3.1.5, "Shutdown Bank Insertion Limits,"

LCO 3.1.6, LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," and LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)," provide limits on control component operation and on monitored process variables, which ensure that the core operates within the fuel design criteria.

The shutdown and control bank insertion and alignment limits, AFD, and QPTR are process variables that together characterize and control the three dimensional power distribution of the reactor core. Additionally, the control bank insertion limits control the reactivity that could be added in the event of a rod ejection accident, and the shutdown and control bank insertion limits ensure the required SDM is maintained.

Operation within the subject LCO limits will limit fuel cladding failures that would breach the primary fission product barrier and release fission products to the reactor coolant to within acceptable limits in the event of a loss of coolant accident (LOCA),

loss of flow, ejected rod, or other accident requiring termination by a Reactor Trip System (RTS) trip function.

The shutdown and control bank insertion limits, AFD, and QPTR LCOs are required to maintain power distributions that limit fuel cladding failures to within acceptable limits in the event of a LOCA, loss of flow, ejected rod, or other accident requiring termination by an RTS trip function.

(continued)

North Anna Units 1 and 2 B 3.1.6-2 Revision 0, 04/02/02

Control Bank Insertion Limits B 3.1.6 BASES APPLICABLE SAFETY ANALYSES (continued)

The acceptance criteria for addressing control bank insertion limits and inoperability or misalignment are that:

a. There be no violations of:
1. specified acceptable fuel design limits, or
2. Reactor Coolant System pressure boundary integrity; and
b. The core remains subcritical after accident transients.

As such, the shutdown and control bank insertion affect safety analysis involving core reactivity distributions (Ref. 3).

limits and power The SDM requirement is ensured by limiting the control bank insertion limits so that allowable inserted worth of the RCCAs is such that sufficient reactivity is available in the rods to shut down the reactor to hot zero power with a reactivity margin that assumes the maximum worth RCCA remains fully withdrawn upon trip (Ref. 3).

Operation at the insertion limits or AFD limits may approach the maximum allowable linear heat generation rate or peaking factor with the allowed QPTR present. Operation at the insertion limit may also indicate the maximum ejected RCCA worth could be equal to the limiting value in fuel cycles that have sufficiently high ejected RCCA worths.

The control bank insertion limits ensure that safety analyses assumptions for SDM, ejected rod worth, and power distribution peaking factors are preserved (Ref. 3).

The insertion limits satisfy Criterion 2 of 10 CFR 50.36(c) (2)(ii).

LCO The limits on control banks sequence, overlap, and physical insertion, as defined in the COLR, must be maintained because they serve the function of preserving power distribution, ensuring that the SDM is maintained, ensuring that ejected rod worth is maintained, and ensuring adequate negative reactivity insertion is available on trip. The overlap between control banks provides more uniform rates of (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.1.6-3

Control Bank Insertion Limits B 3.1.6 BASES LCO reactivity insertion and withdrawal and is imposed to (continued) maintain acceptable power peaking during control bank motion.

APPLICABILITY The control bank sequence, overlap, and physical insertion limits shall be maintained with the reactor in MODES 1 and 2 with keff > 1.0. These limits must be maintained, since they preserve the assumed power distribution, ejected rod worth,

SDM, and reactivity rate insertion assumptions.

Applicability in MODE 2 with keff < 1.0, and MODES 3, 4,

and 5 is not required, since neither the power distribution nor ejected rod worth assumptions would be exceeded in these MODES.

The applicability requirements have been modified by a Note indicating the LCO requirements are suspended during the performance of SR 3.1.4.2. This SR verifies the freedom of the rods to move, and requires the control bank to move below the LCO limits, which would violate the LCO.

Should the SR testing be suspended due to equipment malfunction with a rod bank below the insertion limits, the applicable Condition should be entered.

ACTIONS A.1.1, A.1.2, A.2, B.1.1, B.1.2, and B.2 If the control banks are found to be out of sequence or in the wrong overlap configuration, they must be restored to meet the limits.

Operation beyond the LCO limits is allowed for a short time period in order to take conservative action because the simultaneous occurrence of either a LOCA, loss of flow accident, ejected rod accident, or other accident during this short time period, together with an inadequate power distribution or reactivity capability, has an acceptably low probability.

Also, verification of SDM or initiation of boration to regain SDM is required within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, since the SDM in MODES 1 and 2 normally ensured by adhering to the control and shutdown bank insertion limits (see LCO 3.1.1, "SHUTDOWN MARGIN (SDM)")

has been upset. If control banks are not within their limits, then SDM will be verified by performing a reactivity balance calculation, considering the effects listed in the BASES for SR 3.1.1.1.

(continued)

North Anna Units 1 and 2 B 3.1.6-4 Revision 0, 04/02/02

Control Bank Insertion Limits B 3.1.6 BASES ACTIONS A.1.1, A.1.2, A.2, B.1.1, B.1.2, and B.2 (continued)

When the control banks are outside the acceptable insertion limits, except as allowed by Condition C, they must be restored to within those limits. This restoration can occur in two ways:

a. Reducing power to be consistent with rod position; or
b. Moving rods to be consistent with power.

The allowed Completion Time of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for restoring the banks to within the insertion, sequence, and overlaps limits provides an acceptable time for evaluating and repairing minor problems without allowing the unit to remain in an unacceptable condition for an extended period of time.

C.1 and C.2 If Control Banks A, B, or C are inserted below the insertion limits, power operation may continue for up to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> provided that the bank is not inserted more than 18 steps below the insertion limits, the control and shutdown rods are within the operability and rod group alignment requirements provided in LCO 3.1.4, and the shutdown banks are within the insertion limits provided in LCO 3.1.5. The requirement to be in compliance with LCO 3.1.4 and LCO 3.1.5 ensures that the rods are trippable, and power distribution is acceptable during the time allowed to restore the inserted rod.

If any of these Conditions are not met, Condition B must be applied.

The Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is based on operating experience and provides an acceptable time for evaluating and repairing problems with the rod control system.

D.1 If Required Actions A.1 and A.2, B.1 and B.2, or C.1 and C.2 cannot be completed within the associated Completion Times, the unit must be brought to MODE 2 with keff < 1.0, where the LCO is not applicable. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging unit systems.

North Anna Units 1 and 2 B 3.1.6-5 Revision 0, 04/02/02

Control Bank Insertion Limits B 3.1.6 BASES SURVEILLANCE SR 3.1.6.1 REQUIREMENTS This Surveillance is required to ensure that the reactor does not achieve criticality with the control banks below their insertion limits.

The estimated critical position (ECP) depends upon a number of factors, one of which is xenon concentration.

If the ECP was calculated long before criticality, xenon concentration could change to make the ECP substantially in error.

Verifying the predicted critical rod bank position within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> prior to criticality avoids a large error from changes in xenon concentration, but allows the operator some flexibility to schedule the verification with other startup activities.

SR 3.1.6.2 Verification of the control bank insertion limits at a Frequency of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is sufficient to detect control banks that may be approaching the insertion limits since, normally, very little rod motion occurs in 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

SR 3.1.6.3 When control banks are miaintained within their insertion limits as checked by SR 3.1.6.2 above, it is unlikely that their sequence and overlap will not be in accordance with requirements provided in the COLR. A Frequency of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is consistent with the insertion limit check above in SR 3.1.6.2.

REFERENCES

1. UFSAR, Sections 3.1.6, 3.1.22, and 3.1.24.
2.

10 CFR 50.46.

3.

UFSAR, Chapter 15.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.1.6-6

Control Bank Insertion Limits B 3.1.6 (67,231) 20 40 60 80 PERCENT OF RTP Figure B 3.1.6-1 (page 1 of 1)

Control Bank Insertion vs. Percent RTP North Anna Units 1 and 2 (17,231) 231 200 C)

OU) 0 0

Q Cr, 0

0_

-J 0

Ir 0

150 100 50 0

0 100 B 3.1.6-7 Revision 0, 04/02/02

Intentionally Blank

Rod Position Indication B 3.1.7 B 3.1 REACTIVITY CONTROL SYSTEM B 3.1.7 Rod Position Indication BASES BACKGROUND According to GDC 13 (Ref.

1), instrumentation to monitor variables and systems over their operating ranges during normal operation, anticipated operational occurrences, and accident conditions must be OPERABLE.

LCO 3.1.7 is required to ensure OPERABILITY of the rod position indicators to determine rod positions and thereby ensure compliance with the rod alignment and insertion limits.

The OPERABILITY, including position indication, of the shutdown and control rods is an initial assumption in all safety analyses that assume rod insertion upon reactor trip.

Maximum rod misalignment is an initial assumption in the safety analysis that directly affects core power distributions and assumptions of available SDM.

Rod position indication is required to assess OPERABILITY and misalignment.

Mechanical or electrical failures may cause a rod to become inoperable or to become misaligned from its group.

Rod inoperability or misalignment may cause increased power peaking, due to the asymmetric reactivity distribution and a reduction in the total available rod worth for reactor shutdown. Therefore, rod alignment and OPERABILITY are related to core operation in design power peaking limits and the core design requirement of a minimum SDM.

Limits on rod alignment and OPERABILITY have been established, and all rod positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved.

Rod cluster control assemblies (RCCAs),

or rods, are moved out of the core (up or withdrawn) or into the core (down or inserted) by their control rod drive mechanisms. The RCCAs are divided among control banks and shutdown banks. Each bank is further subdivided into two groups to provide for precise reactivity control.

(continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.1.7-1

Rod Position Indication B 3.1.7 BASES BACKGROUND (continued)

The axial position of shutdown rods and control rods are determined by two separate and independent systems: the Bank Demand Position Indication System (commonly called group step counters) and the Rod Position Indication (RPI)

System.

The Bank Demand Position Indication System counts the pulses from the Rod Control System that move the rods. There is one step counter for each group of rods. Individual rods in a group all receive the same signal to move and should, therefore, all be at the same position indicated by the group step counter for that group. The Bank Demand Position Indication System is considered highly precise (+/- 1 step or

+/- 5/8 inch). If a rod does not move one step for each demand pulse, the step counter will still count the pulse and incorrectly reflect the position of the rod.

The RPI System provides a highly accurate indication of actual rod position, but at a lower precision than the step counters. This system is based on inductive analog signals from a series of coils spaced along a hollow tube. The RPI System is capable of monitoring rod position within at least

+/- 12 steps.

APPLICABLE SAFETY ANALYSES Control and shutdown rod position accuracy is essential during power operation. Power peaking, ejected rod worth, or SDM limits may be violated in the event of a Design Basis Accident (Ref.

2), with control or shutdown rods operating outside their limits undetected. Therefore, the acceptance criteria for rod position indication is that rod positions must be known with sufficient accuracy in order to verify the core is operating within the group sequence, overlap, design peaking limits, ejected rod worth, and with minimum SDM (LCO 3.1.5, "Shutdown Bank Insertion Limits," and LCO 3.1.6, "Control Bank Insertion Limits").

The rod positions must also be known in order to verify the alignment limits are preserved (LCO 3.1.4, "Rod Group Alignment Limits"). Control rod positions are continuously monitored to provide operators with information that ensures the unit is operating within the bounds of the accident analysis assumptions.

The control rod position indicator channels satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).

North Anna Units 1 and 2 B 3.1.7-2 Revision 0, 04/02/02

Rod Position Indication B 3.1.7 BASES LCO APPLICABILITY The requirements on the RPI and step counters are only applicable in MODES 1 and 2 (consistent with LCO 3.1.4, LCO 3.1.5, and LCO 3.1.6), because these are the only MODES in which power is generated, and the OPERABILITY and alignment of rods have the potential to affect the safety of the unit. In the shutdown MODES, the OPERABILITY of the shutdown and control banks has the potential to affect the required SDM, but this effect can be compensated for by an increase in the boron concentration of the Reactor Coolant System.

North Anna Units 1 and 2 LCO 3.1.7 specifies that the RPI System and the Bank Demand Position Indication System be OPERABLE for each rod. For the rod position indicators to be OPERABLE requires meeting the SR of the LCO and the following:

a. The RPI System indicates within 12 or 24 steps of the group step counter demand position as required by LCO 3.1.4, "Rod Group Alignment Limits";
b. For the RPI System there are no failed coils; and
c. The Bank Demand Indication System has been calibrated either in the fully inserted position or to the RPI System.

The 12 step agreement limit between the Bank Demand Position Indication System and the RPI System indicates that the Bank Demand Position Indication System is adequately calibrated, and can be used for indication of the measurement of rod bank position.

A deviation of less than the allowable limit, given in LCO 3.1.4, in position indication for a single rod, ensures high confidence that the position uncertainty of the corresponding rod group is within the assumed values used in the analysis (that specified rod group insertion limits).

These requirements ensure that rod position indication during power operation and PHYSICS TESTS is accurate, and that design assumptions are not challenged.

OPERABILITY of the position indicator channels ensures that inoperable, misaligned, or mispositioned rods can be detected. Therefore, power peaking, ejected rod worth, and SDM can be controlled within acceptable limits.

B 3-1.7-3 Revision 0, 04/02/02

Rod Position Indication B 3.1.7 BASES ACTIONS The ACTIONS table is modified by a Note indicating that a separate Condition entry is allowed for each inoperable rod position indicator and each demand position indicator. This is acceptable because the Required Actions for each Condition provide appropriate compensatory actions for each inoperable position indicator.

A.1 When one RPI channel per group fails, the position of the rod may still be determined indirectly by use of the movable incore detectors. The Required Action may also be satisfied by ensuring at least once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> that FO(Z) satisfies LCO 3.2.1, FN satisfies LCO 3.2.2, and SHUTDOWN MARGIN is within the limits provided in the COLR, provided the nonindicating rods have not been moved. Based on experience, normal power operation does not require excessive movement of banks.

If a bank has been significantly moved, the Required Action of C.1 or C.2 below is required. Therefore, verification of RCCA position within the Completion Time of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> is adequate for allowing continued full power operation, since the probability of simultaneously having a rod significantly out of position and an event sensitive to that rod position is small.

A.2 Reduction of THERMAL POWER to

  • 50% RTP puts the core into a condition where rod position is not significantly affecting core peaking factors (Ref. 2).

The allowed Completion Time of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> is reasonable, based on operating experience, for reducing power to

  • 50% RTP from full power conditions without challenging unit systems and allowing for rod position determination by Required Action A.1 above.

B.1, B.2, B.3, and B.4 When more than one RPI per group fail, additional actions are necessary to ensure that acceptable power distribution limits are maintained, minimum SDM is maintained, and the potential effects of rod misalignment on associated accident analyses are limited. Placing the Rod Control System in manual assures unplanned rod motion will not occur. Together with the indirect position determination available via movable incore detectors will minimize the potential for rod (continued)

North Anna Units 1 and 2 B 3.1-7-4 Revision 0, 04/02/02

Rod Position Indication B 3.1.7 BASES ACTIONS B.1, B.2, B.3, and B.4 (continued) misalignment. The immediate Completion Time for placing the Rod Control System in manual reflects the urgency with which unplanned rod motion must be prevented while in this Condition.

Monitoring and recording reactor coolant Taw help assure that significant changes in power distribution and SDM are avoided. The once per hour Completion Time is acceptable because only minor fluctuations in RCS temperature are expected at steady state plant operating conditions.

The position of the rods may be determined indirectly by use of the movable incore detectors. The Required Action may also be satisfied by ensuring at least once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> that F (Z) satisfies LCO 3.2., F H satisfies LCO 3.2.2, and SUTDOWN MARGIN is within the limits provided in the COLR, provided the nonindicating rods have not been moved.

Verification of control rod position once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> is adequate for allowing continued full power operation for a limited, 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> period, since the probability of simultaneously having a rod significantly out of position and an event sensitive to that rod position is small.

The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time provides sufficient time to troubleshoot and restore the RPI system to operation while avoiding the plant challenges associated with a shutdown without full rod position indication.

Based on operating experience, normal power operation does not require excessive rod movement.

If one or more rods has been significantly moved, the Required Action of C.1 or C.2 below is required.

C.1 and C.2 These Required Actions clarify that when one or more rods with inoperable position indicators have been moved in excess of 24 steps in one direction, since the position was last determined, the Required Actions of A.1 and A.2, or B.1, as applicable, are still appropriate but must be initiated promptly under Required Action C.1 to begin verifying that these rods are still properly positioned, relative to their group positions.

(continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.1.7-5

Rod Position Indication B 3.1.7 BASES ACTIONS C.1 and C.2 (continued)

If, within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, the rod positions have not been determined, THERMAL POWER must be reduced to

  • 50% RTP within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> to avoid undesirable power distributions that could result from continued operation at > 50% RTP, if one or more rods are misaligned by more than 24 steps. The allowed Completion Time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> provides an acceptable period of time to verify the rod positions.

D.1.1 and D.1.2 With one demand position indicator per bank inoperable, the rod positions can be determined by the RPI System. Since normal power operation does not require excessive movement of rods, verification by administrative means that the rod position indicators are OPERABLE and the most withdrawn rod and the least withdrawn rod are

  • 12 steps apart within the allowed Completion Time of once every 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> is adequate.

D.2 Reduction of THERMAL POWER to

  • 50% RTP puts the core into a condition where rod position is not significantly affecting core peaking factor limits (Ref. 2).

The allowed Completion Time of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> provides an acceptable period of time to verify the rod positions per Required Actions D.1.1 and D.1.2 or reduce power to

E.1 If the Required Actions cannot be completed within the associated Completion Time, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Time is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.1.7.1 REQUIREMENTS Performing a CHANNEL CALIBRATION on each RPI channel ensures that the RPI electronics are operating properly. This CHANNEL CALIBRATION involves injecting a test signal into the RPI electronics and verifying or adjusting the (continued)

North Anna Units 1 and 2 B 3.1.7-6 Revision 0, 04/02/02

Rod Position Indication B 3.1.7 BASES SURVEILLANCE SR 3.1.7.1 (continued)

REQU IREMENTS calibration from that point forward. The CHANNEL CALIBRATION also verifies all alarms and indications, such as the Rod Bottom lights. The CHANNEL CALIBRATION does not include the coil stack, as it cannot be adjusted. The indicated RPI position is adjusted as needed to compensate for thermal drift. The 18 month Frequency has been shown by operating experience to be adequate.

REFERENCES

1. UFSAR, Section 3.1.9.
2.

UFSAR, Chapter 15.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.1.7-7

Intentionally Blank

Primary Grade Water Flow Path Isolation Valves B 3.1.8 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.8 Primary Grade Water Flow Path Isolation Valves BASES BACKGROUND APPLICABLE SAFETY ANALYSES LCO During MODES 3, 4, and 5 operations, the isolation valves for primary grade water flow paths that are connected to the Reactor Coolant System (RCS) must be closed to prevent unplanned boron dilution of the reactor coolant. The isolation valves must be locked, sealed, or otherwise secured in the closed position.

The Chemical and Volume Control System is capable of supplying borated and unborated water to the RCS through various flow paths. Since a positive reactivity addition made by an uncontrolled reduction of the boron concentration is inappropriate during MODES 3, 4 and 5, isolation of all primary grade water flow paths prevents an unplanned boron dilution.

The possibility of an inadvertent boron dilution event (Ref. 1) occurring during MODES 3, 4, or 5 is precluded by adherence to this LCO, which requires that the primary grade water flow path be isolated. Closing the required valves prevents the flow of significant volumes of primary grade water to the RCS.

The valves are used to isolate primary grade water flow paths. These valves have the potential to indirectly allow dilution of the RCS boron concentration. By isolating primary grade water flow paths, a safety analysis for an uncontrolled boron dilution accident is not required for MODES 3, 4 or 5.

The RCS boron concentration satisfies Criterion 2 of 10 CFR 50.36(c) (2) (ii).

This LCO requires that primary grade water be isolated from the RCS to prevent unplanned boron dilution during MODES 3, 4, and 5.

For Unit 1, primary grade water flow paths may be isolated from the RCS by closing valve 1-CH-217 or 1-CH-220, 1-CH-241, FCV-1114B and FCV-1113B. For Unit 2, primary grade water flow paths may be isolated from the RCS by closing valve 2-CH-140, or 2-CH-160, 2-CH-156, FCV-2114B, and FCV-2113B.

(continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.1.8-1

Primary Grade Water Flow Path Isolation Valves B 3.1.8 BASES LCO The LCO is modified by a Note which allows the primary grade (continued) water flow path isolation valves to be opened under administrative control for planned boron dilution or makeup activities.

APPLICABILITY This LCO is applicable in MODES 3, 4, and 5 to prevent an inadvertent boron dilution event by ensuring closure of all primary grade water flow path isolation valves.

In MODE 6, LCO 3.9.2, "Primary Grade Water Flow Path Isolation Valves-MODE 6," requires all primary grade water isolation valves to be closed to prevent an inadvertent boron dilution.

In MODES 1 and 2, the boron dilution accident was analyzed and was found to be capable of being mitigated.

ACTIONS A.1, A.2, and A.3 Preventing inadvertent dilution of the reactor coolant boron concentration is dependent on maintaining the primary grade water flow path isolation valves locked, sealed, or otherwise secured closed, except as allowed under administrative control by the LCO Note. Because of the possibility of an inadvertent boron dilution, Required Action A.1 prohibits other positive reactivity additions while securing the isolation valves on the primary grade water system. The Completion Time of "Immediately" for suspending positive reactivity additions reflects the importance of preventing known positive reactivity additions so that any boron dilution event can be readily identified and terminated.

The Required Action A.2 Completion Time of 15 minutes for securing the isolation valves provides sufficient time to close and secure the isolation valves on the primary grade water flow paths while minimizing the probability of an unintentional dilution during the Completion Time. Securing the valves in the closed position ensures that the valves cannot be inadvertently opened.

Condition A has been modified by a Note to require that Required Action A.3 be completed whenever Condition A is entered.

(continued)

North Anna Units 1 and 2 B 3.1.8-2 Revision 0, 04/02/02

Primary Grade Water Flow Path Isolation Valves B 3.1.8 BASES ACTIONS A.1, A.2, and A.3 (continued)

The performance of Surveillance 3.1.1.1 under Required Action A.3 verifies that the SDM is within the limits provided in the COLR.

It is performed to verify that the required SDM still exists and any inadvertent boron dilution that may have occurred has been detected and corrected. The Completion Time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is reasonable, based on the time required to request and analyze an RCS water sample to determine the boron concentration and to compute the SDM.

SURVEILLANCE SR 3.1.8.1 REQUIREMENTS The primary grade water flow path isolation valves are to be locked, sealed, or otherwise secured closed to isolate possible dilution paths. The likelihood of a significant reduction in the boron concentration during MODES 3, 4, and 5 is remote due to the large mass of borated water in the RCS and the fact that the specified primary grade water flow paths are isolated, precluding a dilution. The SHUTDOWN MARGIN is verified every 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> during MODES 3, 4, and 5 under SR 3.1.1.1. The Frequency is based on the time required to verify that the isolation valves in the utilized flow path are locked, sealed, or otherwise secured in the closed position following a boron dilution or makeup activity.

REFERENCES

1. UFSAR, Section 15.2.4.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3. 1.8-3

Intentionally Blank

PHYSICS TESTS Exceptions-MODE 2 B 3.1.9 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.9 PHYSICS TESTS Exceptions-MODE 2 BASES BACKGROUND The primary purpose of the MODE 2 PHYSICS TESTS exceptions is to permit relaxations of existing LCOs to allow certain PHYSICS TESTS to be performed.

Section XI of 10 CFR 50, Appendix B (Ref.

1), requires that a test program be established to ensure that structures, systems, and components will perform satisfactorily in service. All functions necessary to ensure that the specified design conditions are not exceeded during normal operation and anticipated operational occurrences must be tested. This testing is an integral part of the design, construction, and operation of the unit. Requirements for notification of the NRC, for the purpose of conducting tests and experiments, are specified in 10 CFR 50.59 (Ref.

2).

The key objectives of a test program are to (Ref.

3):

a. Ensure that the facility has been adequately designed;
b. Validate the analytical models used in the design and analysis;
c. Verify the assumptions used to predict unit response;
d.

Ensure that installation of equipment in the facility has been accomplished in accordance with the design; and

e. Verify that the operating and emergency procedures are adequate.

To accomplish these objectives, testing is performed prior to initial criticality, during startup, during low power operations, during power ascension, at high power, and after each refueling. The PHYSICS TESTS requirements for reload fuel cycles ensure that the operating characteristics of the core are consistent with the design predictions and that the core can be operated as designed (Ref. 4).

(continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.1.9-1

PHYSICS TESTS Exceptions-MODE 2 B 3.1.9 BASES BACKGROUND PHYSICS TESTS procedures are written and approved in (continued) accordance with established formats. The procedures include all information necessary to permit a detailed execution of the testing required to ensure that the design intent is met.

PHYSICS TESTS are performed in accordance with these procedures and test results are approved prior to continued power escalation and long term power operation.

The PHYSICS TESTS required for reload fuel cycles (Ref.

5) are listed below:
a. Critical Boron Concentration-All Banks Withdrawn;
b. Differential Boron Worth;
c.

Bank Worth;

d.

Isothermal Temperature Coefficient (ITC); and

e. Neutron Flux Symmetry.

The first four tests are performed in MODE 2, and the last test is performed in MODE 1. These and other supplementary tests may be required to calibrate the nuclear instrumentation or to diagnose operational problems. These tests may cause the operating controls and process variables to deviate from their LCO requirements during their performance.

a. The Critical Boron Concentration-Control Rods Withdrawn Test measures the critical boron concentration at hot zero power (HZP).

With all rods out, the lead control bank is at or near its fully withdrawn position. HZP is where the core is critical (keff = 1.0), and the Reactor Coolant System (RCS) is at design temperature and pressure for zero power. Performance of this test should not violate any of the referenced LCOs.

b.

The Differential Boron Worth Test determines if the measured differential boron worth is consistent with the predicted value. With the core at HZP, the change in equilibrium boron concentration is determined at different rod bank positions. As the rod bank or banks are moved, the reactivity change is measured using a reactivity computer. The measured reactivity change is divided by the difference in measured critical boron (continued)

North Anna Units I and 2 B 3.1.9-2 Revision 0, 04/02/02

PHYSICS TESTS Exceptions-MODE 2 B 3.1.9 BASES BACKGROUND

b.

(continued) concentrations to determine the differential boron worth.

The insertion of the rod bank could result in violation of LCO 3.1.4, "Rod Group Alignment Limits," LOC 3.1.5, "Shutdown Bank Insertion Limits," or LCO 3.1.6, "Control Bank Insertion Limits."

c. The Bank Worth Test is used to measure the reactivity worth of selected banks. This test is performed at HZP and has three alternative methods of performance. The first method, the Boron Exchange Method, varies the reactor coolant boron concentration and moves the selected bank in response to the changing boron concentration. The reactivity changes are measured with a reactivity computer. This sequence is repeated for the remaining banks. The second method, the Rod Swap Method, measures the worth of a predetermined reference bank using the Boron Exchange Method above. The reference bank is then nearly fully inserted into the core. The selected bank is then inserted into the core as the reference bank is withdrawn. The HZP critical conditions are then determined with the selected bank fully inserted into the core. The worth of the selected bank is inferred, based on the position of the reference bank with respect to the selected bank. This sequence is repeated as necessary for the remaining banks. The third method, the Boron Endpoint Method, moves the selected bank over its entire length of travel and then varies the reactor coolant boron concentration to achieve HZP criticality again. The difference in boron concentration is the worth of the selected bank. This sequence is repeated for the remaining banks. Performance of this test could violate LCO 3.1.4, LCO 3.1.5, or LCO 3.1.6.
d. The ITC Test measures the ITC of the reactor. This test is performed at HZP and has two methods of performance. The first method, the Slope Method, varies RCS temperature in a slow and continuous manner. The reactivity change is measured with a reactivity computer as a function of the temperature change. The ITC is the slope of the reactivity versus the temperature plot. The test is repeated by reversing the direction of the temperature change, and the final ITC is the average of two or more calculated ITCs. The second method, the Endpoint Method, changes the RCS temperature and measures the reactivity (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.1.9-3

PHYSICS TESTS Exceptions-MODE 2 B 3.1.9 BASES BACKGROUND

d.

(continued) at the beginning and end of the temperature change.

The ITC is the total reactivity change divided by the totaltemperature change. The test is repeated by reversing the direction of the temperature change, and the final ITC is the average of the two or more calculated ITCs. Performance of this test could violate LCO 3.4.2, "RCS Minimum Temperature for Criticality."

e. The Flux Symmetry Test measures the degree of azimuthal symmetry of the neutron flux at as low a power level as practical.

The Flux Distribution Method uses the incore flux detectors to measure the azimuthal flux distribution at selected locations with the core at

APPLICABLE The fuel is protected by LCOs that preserve the initial SAFETY ANALYSES conditions of the core assumed during the safety analyses.

The methods for development of the LCOs that are excepted by this LCO are described in Reference 6. The above mentioned PHYSICS TESTS, and other tests that may be required to calibrate nuclear instrumentation or to diagnose operational problems, may require the operating control or process variables to deviate from their LCO limitations.

The UFSAR defines requirements for initial testing of the facility, including PHYSICS TESTS. Tables 14.1-1, 14.1-2, and 14.1-3 summarize the zero, low power, and power tests.

Requirements for reload fuel cycle PHYSICS TESTS are defined in ANSI/ANS-19.6.1-1997 (Ref. 4). Although these PHYSICS TESTS are generally accomplished within the limits for all LCOs, conditions may occur when one or more LCOs must be suspended to make completion of PHYSICS TESTS possible or practical. This is acceptable as long as the fuel design criteria are not violated. When one or more of the requirements specified in LCO 3.1.3, "Moderator Temperature Coefficient (MTC),"

LCO 3.1.4, LCO 3.1.5, LCO 3.1.6, and LCO 3.4.2 are suspended for PHYSICS TESTS, the fuel design criteria are preserved as long as the power level is limited to

Ž 5310F, and SDM is within the limits provided in the COLR.

The PHYSICS TESTS include measurement of core nuclear parameters or the exercise of control components that affect process variables. Among the process variables involved are AFD and QPTR, which represent initial conditions of the unit (continued)

North Anna Units 1 and 2 B 3.1.9-4 Revision 0, 04/02/02

PHYSICS TESTS Exceptions-MODE 2 B 3.1.9 BASES APPLICABLE SAFETY ANALYSES (continued) safety analyses. Also involved are the movable control components (control and shutdown banks), which are required to shut down the reactor. The limits for these variables are specified for each fuel cycle in the COLR.

As described in LCO 3.0.7, compliance with Test Exception LCOs is optional and, therefore, no criteria of 10 CFR 50.36(c)(2)(ii) apply.

Test Exception LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

Reference 7 allows special test exceptions (STEs) to be included as part of the LCO that they affect. It was decided, however, to retain this STE as a separate LCO because it was less cumbersome and provided additional clarity.

This LCO allows the reactor parameters of MTC and minimum temperature for criticality to be outside their specified limits. In addition, it allows selected control and shutdown banks to be positioned outside of their specified alignment and insertion limits. One Power Range Neutron Flux channel may be bypassed, reducing the number of required channels from "4" to "3" to provide input to the reactivity computer.

Operation beyond specified limits is permitted for the purpose of performing PHYSICS TESTS and poses no threat to fuel integrity, provided the SRs are met.

The requirements of LCO 3.1.3, LCO 3.1.4, LCO 3.1.5, LCO 3.1.6, and LCO 3.4.2 may be suspended during the performance of PHYSICS TESTS provided:

a.

RCS lowest loop average temperature is Ž 5317F;

b. SDM is within the limits provided in the COLR; and
c. THERMAL POWER is

APPLICABILITY This LCO is applicable when performing low power PHYSICS TESTS. The Applicability stated as "during PHYSICS TESTS initiated in MODE 2" to ensure that the 5% RTP maximum power level is not exceeded. Should the THERMAL POWER exceed 5% RTP and, consequently, enter MODE 1, this Applicability statement prevents exiting the Specification and its Required Action.

North Anna Units 1 and 2 LCO Revision 0, 04/02/02 B 3.1.9-5

PHYSICS TESTS Exceptions-MODE 2 B 3.1.9 BASES ACTIONS A.1 and A.2 If the SDM requirement is not met, boration must be initiated promptly. A Completion Time of 15 minutes is adequate for an operator to correctly align and start the required systems and components. The operator should begin boration with the best source available for the unit conditions. Boration will be continued until SDM is within limit.

Suspension of PHYSICS TESTS exceptions requires restoration of each of the applicable LCOs to within specification.

B.1 When THERMAL POWER is > 5% RTP, the only acceptable action is to open the reactor trip breakers (RTBs) to prevent operation of the reactor beyond its design limits.

Immediately opening the RTBs will shut down the reactor and prevent operation of the reactor outside of its design limits.

C.1 When the RCS lowest Tava is < 5310 F, the appropriate action is to restore Taw to within its specified limit. The allowed Completion Time of 15 minutes provides time for restoring Tavg to within limits without allowing the unit to remain in an unacceptable condition for an extended period of time.

Operation with the reactor critical and with temperature below 5317F could violate the assumptions for accidents analyzed in the safety analyses.

D.1 If the Required Actions and associated Completion Times cannot be completed within the associated Completion Time, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE 3 within an additional 15 minutes.

The Completion Time of 15 additional minutes is reasonable, based on operating experience, for reaching MODE 3 in an orderly manner and without challenging unit systems.

North Anna Units 1 and 2 B 3.1.9-6 Revision 0, 04/02/02

PHYSICS TESTS Exceptions-MODE 2 B 3.1.9 BASES SURVEILLANCE SR 3.1.9.1 REQUIREMENTS The power range and intermediate range neutron detectors must be verified to be OPERABLE in MODE 2 by LCO 3.3.1, "Reactor Trip System (RTS)

Instrumentation." A CHANNEL OPERATIONAL TEST is performed on each power range and intermediate range channel prior to initiation of the PHYSICS TESTS. This will ensure that the RTS is properly aligned to provide the required degree of core protection during the performance of the PHYSICS TESTS.

Performance of the normally scheduled COT is sufficient to ensure the equipment is OPERABLE.

LCO 3.3.1 requires a COT on the power range and intermediate range channels every 92 days. These Frequencies have been determined to be sufficient for verification that the equipment is working properly. Because initiation of PHYSICS TESTS does not affect the ability of the equipment to perform its function or the RTS trip capability, and does not invalidate the previous Surveillances, requiring the testing to be performed at a fixed time prior to the initiation of PHYSICS TESTS has no benefit.

SR 3.1.9.2 Verification that the RCS lowest loop Tavg is Ž 531°F will ensure that the unit is not operating in a condition that could invalidate the safety analyses. Verification of the RCS temperature at a Frequency of 30 minutes during the performance of the PHYSICS TESTS will ensure that the initial conditions of the safety analyses are not violated.

SR 3.1.9.3 Verification that the THERMAL POWER is

  • 5% RTP will ensure that the unit is not operating in a condition that could invalidate the safety analyses. Verification of the THERMAL POWER at a Frequency of 30 minutes during the performance of PHYSICS TESTS will ensure that the initial conditions of the safety analyses are not violated.

SR 3.1.9.4 The SDM is verified by performing a reactivity balance calculation, considering the following reactivity effects:

a.

RCS boron concentration;

b.

Rod bank position; North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.1.9-7

PHYSICS TESTS Exceptions-MODE 2 B 3.1.9 BASES SURVEILLANCE SR 3.1.9.4 (continued)

REQUIREMENTS

c.

RCS average temperature;

d.

Fuel burnup based on gross thermal energy generation;

e. Xenon concentration;
f. Samarium concentration;
g.

Isothermal temperature coefficient (ITC),

when below the point of adding heat (POAH);

h. Moderator Defect when above the POAH; and
i.

Doppler Defect when above the POAH.

Using the ITC accounts for Doppler reactivity in this calculation when the reactor is subcritical or critical but below the POAH, and the fuel temperature will be changing at the same rate as the RCS.

The Frequency of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is based on the generally slow change in required boron concentration and on the low probability of an accident occurring without the required SDM.

REFERENCES

1. 10 CFR 50, Appendix B, Section XI.
2.

10 CFR 50.59.

3. Regulatory Guide 1.68, Revision 2, August, 1978.
4. ANSI/ANS-19.6.1-1997, August 22, 1997.
5. Letter from W.L. Stewart to NRC, "Virginia Electric and Power Company, Surry Power Station, Units I and 2, North Anna Power Station, Units 1 and 2, Modification of Startup Physics Testing Program Inspector Follow-Up Item 280, 281/88-29-01," dated 12/8/89.
6.

VEP-FRD-42, Rev.

1A, "Reload Nuclear Design Methodology,"

September 1986.

7. WCAP-11618, including Addendum 1, April 1989.

North Anna Units 1 and 2 B 3. 1.9-8 Revision 0, 04/02/02

FQ(Z)

B 3.2.1 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.1 Heat Flux Hot Channel Factor (FQ(Z))

BASES BACKGROUND The purpose of the limits on the values of FQ(Z) is to limit the local (i.e., pellet) peak power density. The value of FQ(Z) varies along the axial height (Z) of the core.

FQ(Z) is defined as the maximum local fuel rod linear power density divided by the average fuel rod linear power density, assuming nominal fuel pellet and fuel rod dimensions. Therefore, FQ(Z) is a measure of the peak fuel pellet power within the reactor core.

During power operation, the global power distribution is limited by LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," and LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)," which are directly and continuously measured process variables. These LCOs, along with LCO 3.1.6, "Control Bank Insertion Limits,"

maintain the core limits on power distributions on a continuous basis.

FQ(Z) varies with fuel loading patterns, control bank insertion, fuel burnup, and changes in axial power distribution.

FQ(Z) is measured periodically using the incore detector system. These measurements are generally taken with the core at or near steady state conditions.

Using the measured three dimensional power distributions, it is possible to derive a measured value for FQ(Z),

F*(Z).

However, because this value represents a steady state condition, it does not encompass the variations in the value of FQ(Z) that are present during nonequilibrium situations, such as load changes.

To account for these possible variations, the steady state limit for F (Z) is adjusted by an elevation dependent factor that accounts for the calculated worst case transient conditions.

Core monitoring and control under nonsteady state conditions are accomplished by operating the core within the limits of the appropriate LCOs, including the limits on AFD, QPTR, and control rod insertion.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.2.1-1

FQ(Z)

B 3.2.1 BASES APPLICABLE This LCO precludes core power distributions that violate the SAFETY ANALYSES following fuel design criteria:

a.

During a large break loss of coolant accident (LOCA),

the peak cladding temperature must not exceed 2200°F (Ref.

1);

b. During a loss of forced reactor coolant flow accident, there must be at least 95% probability at the 95%

confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a departure from nucleate boiling (DNB) condition;

c. During an ejected rod accident, the energy deposition to unirradiated fuel is limited to 225 cal/gm and irradiated fuel is limited to 200 cal/gm (Ref. 2); and
d. The control rods must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (Ref.

3).

Limits on F (Z) ensure that the value of the initial total peaking faclor assumed in the accident analyses remains valid. Other criteria must also be met (e.g., maximum cladding oxidation, maximum hydrogen generation, coolable geometry, and long term cooling). However, the peak cladding temperature is typically most limiting.

F,(Z) limits assumed in the LOCA analysis are typically limiting relative to (i.e., lower than) the FQ(Z) limit assumed in safety analyses for other postulated accidents.

Therefore, this LCO provides conservative limits for other postulated accidents.

FQ(Z) satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO The Measured Heat Flux Hot Channel Factor, Fm(Z),

shall be limited by the following relationships, as described in Reference 4:

Fm(Z) <CFQ K(Z) for P > 0.5 Q P N(Z)

Fm(Z) <CFQ K(Z) for P *0.5

-0.5 N(Z)

(continued)

North Anna Units 1 and 2 B 3.2.1-2 Revision 0, 04/02/02

FQ(Z)

B 3.2.1 BASES LCO where:

CFQ is the FQ(Z) limit at RTP provided in the COLR, (conti nued)

K(Z) is the normalized F (Z) as a function of core height provided in the COLR, N(Z) is a cycle dependent function that accounts for power distribution transients encountered during normal operation.

N(Z) is included in the COLR; and P is the fraction of RATED THERMAL POWER defined as THERMAL POWER RTP The actual values of CFQ, K(Z),

and N(Z) are given in the COLR; however, CFQ is normally approximately 2, K(Z) is a function that looks like the one provided in Figure B 3.2.1-1, and N(Z) is a value greater than 1.0.

An Fm(Z) evaluation requires obtaining an incore flux map in MODE 1. From the incore flux map results we obtain the measured value of FQ(Z).

Then, the measured Fm(Z) is increased by 1.03 which is a factor that accounts for fuel manufacturing tolerances and 1.05 which accounts for flux map measurement uncertainty (Ref.

5).

The FQ(Z) limits define limiting values for core power peaking that precludes peak cladding temperatures above 2200°F during either a large or small break LOCA.

This LCO requires operation within the bounds assumed in the safety analyses. Calculations are performed in the core design process to confirm that the core can be controlled in such a manner during operation that it can stay within the LOCA FQ(Z) limits. If FQ(Z) cannot be maintained within the LCO limits, reduction of the core power is required.

Violating the LCO limits for FQ(Z) produces unacceptable consequences if a design basis event occurs while FQ(Z) is outside its specified limits.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.2.1-3

FQ(Z)

B 3.2.1 BASES APPLICABILITY The FQ(Z) limits must be maintained in MODE 1 to prevent core power distributions from exceeding the limits assumed in the safety analyses. Applicability in other MODES is not required because there is either insufficient stored energy in the fuel or insufficient energy being transferred to the reactor coolant to require a limit on the distribution of core power.

ACTIONS A.1 If F*(Z) exceeds its specified limits, reducing the AFD limit by _> 1% for each 1% by which Fm(Z) exceeds its limit within the allowed Completion Time of 15 minutes, restricts the axial flux distribution such that even if a transient occurred, core peaking factors are not exceeded. The maximum AFD limits initially determined by Required Action A.1 may be affected by subsequent determinations of F*(Z) and would require AFD reductions with 15 minutes of the Fm(Z) determination, if necessary.

A.2.1 R~ducing THERMAL POWER by _> 1% RTP for each 1% by which FQ(Z) exceeds its limit, maintains an acceptable absolute power density. The percent that Fm(Z) exceeds the limit can be determined from:

SM FQ Z)

CFQ K(ZJ ~1 0X 100

- 1.0}x 100 for P > 0.5 for P _< 0.5 maximum over z F

r FQ (Z)

N maximum over z CFQ K(Z)

Fm(Z) is the measured FQ(Z) multiplied by factors accounting for manufacturing tolerances and measurement uncertainties.

Fm(Z) is the measured value of FQ(Z).

The Completion Time of 15 minutes provides an acceptable time to reduce power in an orderly manner and without allowing the unit to remain in an unacceptable condition for an extended period of time. The maximum allowable power level initially determined by Required Action A.2.1 may be affected by subsequent determinations of F*(Z) and would require power reductions (continued)

North Anna Units 1 and 2 B 3.2.1-4 Revision 0, 04/02/02

FQ(Z)

B 3.2.1 BASES ACTIONS A.2.1 (continued) within 15 minutes of the Fm(Z) determination, if necessary to comply with the decreased maximum allowable power level.

Decreases in Fm(Z) would allow increasing the maximum allowable power level and increasing power up to this revised limit.

A.2.2 A reduction of the Power Range Neutron Flux-High trip setpoints by Ž 1% for each 1% by which Fm(Z) exceeds its limit, is a conservative action for protection against the consequences of severe transients with unanalyzed power distributions. The Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is sufficient considering the small likelihood of a severe transient in this time period and the preceding prompt reduction in THERMAL POWER in accordance with Required Action A.2.1. The maximum allowable Power Range Neutron Flux-High trip setpoints initially determined by Required Action A.2.2 may be affected by subsequent determinations of Fm(Z) and would require Power Range Neutron Flux-High trip setpoint reductions within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> of the FQ(Z) determination, if necessary to comply with the decreased maximum allowable Power Range Neutron Flux-High trip setpoints. Decreases in Fm(Z) would allow increasing the maximum allowable Power Range Neutron Flux-High trip setpoints.

A.2.3 Reduction in the Overpower AT trip setpoints (value of K4) by

Ž 1% (in AT span) for each 1% by which Fm(Z) exceeds its limit, is a conservative action for protection against the consequences of severe transients with unanalyzed power distributions. The Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is sufficient considering the small likelihood of a severe transient in this time period, and the preceding prompt reduction in THERMAL POWER in accordance with Required Action A.2.1. The maximum allowable Overpower AT trip setpoints initially determined by Required Action A.2.3 may be affected by subsequent determinations of F*(Z) and would require Overpower AT trip setpoint reductions within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> of the Fm(Z) determination, if necessary to comply with the decreased maximum allowable Overpower AT trip setpoints.

Decreases in Fm(Z) would allow increasing the maximum Overpower AT trip setpoints.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.2.1-5

FQ(Z)

B 3.2.1 BASES ACTIONS (continued)

A.2.4 Verification that F*(Z) has been restored to within its limit, by performing SR 3.2.1.1 prior to increasing THERMAL POWER above the limit imposed by Required Action A.2.1, ensures that core conditions during operation at higher power levels are consistent with safety analyses assumptions.

B.I If Required Actions A.1, A.2.1, A.2.2, A.2.3, or A.2.4 are not met within their associated Completion Times, the unit must be placed in a MODE or condition in which the LCO requirements are not applicable. This is done by placing the unit in at least MODE 2 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

This allowed Completion Time is reasonable based on operating experience regarding the amount of time it takes to reach MODE 2 from full power operation in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS SR 3.2.1.1 is modified by a Note. It states that THERMAL POWER may be increased until a power level for extended operation has been achieved at which a power distribution map can be obtained. This allowance is modified, however, by one of the Frequency conditions that requires verification that F*(Z) is within its specified limit after a power rise of more than 10% RTP over the THERMAL POWER at which it was last verified to be within specified limits. In the absence of this Frequency condition, it is possible to increase power to RTP and operate for 31 days without verification of Fm(Z).

The Frequency condition is not intended to require verification of these parameters after every 10% increase in power level above the last verification. It only requires verification after a power level is achieved for extended operation that is 10% higher than that power at which FQ was last measured.

SR 3.2.1.1 The nuclear design process includes calculations performed to determine that the core can be operated within the FQ(Z) limits. Because flux maps are taken in steady state conditions, the variations in power distribution resulting from normal operational maneuvers are not present in the (continued)

North Anna Units 1 and 2 B 3.2.1-6 Revision 0, 04/02/02

FQ(Z)

B 3.2.1 BASES SURVEILLANCE SR 3.2.1.1 (continued)

REQUIREMENTS flux map data. These variations are, however, conservatively calculated by considering a wide range of unit maneuvers in normal operation. The maximum peaking factor increase over steady state values, calculated as a function of core elevation, Z, is called N(Z).

The limit with which Fm(Z) is compared varies inversely with power above 50% RTP and N(Z) and directly with a function called K(Z) provided in the COLR.

Performing this Surveillance in MODE 1 prior to exceeding 75% RTP ensures that the Fm(Z) limit is met when RTP is achieved, because peaking factors generally decrease as power level is increased.

If THERMAL POWER has been increased by Ž 10% RTP since the last determination of Fm(Z),

another evaluation of this factor is required 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after achieving equilibrium conditions at this higher power level (to ensure that F*(Z) values are being reduced sufficiently with power increase to stay within the LCO limits).

The Frequency of 31 EFPD is adequate to monitor the change of power distribution with core burnup because such changes are slow and well controlled when the unit is operated in accordance with the Technical Specifications (TS).

Flux map data are taken for multiple core elevations.

Fm(Z) evaluations are not applicable for the following axial core regions, measured in percent of core height:

a. Lower core region, from 0 to 15% inclusive; and
b. Upper core region, from 85 to 100% inclusive.

The top and bottom 15% of the core are excluded from the evaluation because of the low probability that these regions would be more limiting in the safety analyses and because of the difficulty of making a precise measurement in these regions.

This Surveillance has been modified by a Note that may require that more frequent surveillances be performed. An evaluation of the expression below is required to account (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.2.1-7

FQ(Z)

B3.2.1 BASES SURVEILLANCE SR 3.2.1.1 (continued)

REQUIREMENTS for any increase to Fm(Z) that may occur and cause the Fm(Z) limit to be exceeded before the next required Fm(Z) evaluation.

If the two most recent Fm(Z) evaluations show an increase in the expression maximum over z F(z)7 it is required to meet the Fm(Z) limit with the last F*(Z) increased by the appropriate factor, or to evaluate F*(Z) more frequently, each 7 EFPD. These alternative requirements prevent FQ(Z) from exceeding its limit without detection.

REFERENCES

1. 10 CFR 50.46, 1974.
2. VEP-NFE-2-A, "VEPCO Evaluation of the Control Rod Ejection Transient."
3.

UFSAR, Section 3.1.22.

4. Relaxed Power Distribution Control Methodology and Associated FQ Surveillance Technical Specifications, VEP-NE-1-A, March 1986.
5.

WCAP-7308-L-P-A, "Evaluation of Nuclear Hot Channel Factor Uncertainties," June 1988.

North Anna Units 1 and 2 B 3.2. 1-8 Revision 0, 04/02/02

FQ(Z)

B 3.2.1 1.2 1.1 1.0 0.9 0.8 0.7 S0.6 0.5 0.4 0.3 0.2 0.1 0.0 FT.

0 1

2 3

4 5

6 7

8 9

10 11 12 N

16.6 33.3 50.0 66.7 83.3 100 CORE HEIGHT

  • FOR CORE HEIGHT OF 12 FEET Figure B 3.2.1-1 (page 1 of 1)

K(Z)-Normalized FQ(Z) as a Function of Core Height North Anna Units 1 and 2 DO NOT OPERATE IN THIS AREA (6,1.0)

(12,.925)

THIS FIGURE FOR ILLUSTRATION ONLY. DO NOT USE FOR OPERATION B 3.2.1-9 Revision 0, 04/02/02

Intentionally Blank

B3 H B 3.2.2 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.2 Nuclear Enthalpy Rise Hot Channel Factor (FjH)

BASES BACKGROUND The purpose of this LCO is to establish limits on the power density at any point in the core so that the fuel design criteria are not exceeded and the accident analysis assumptions remain valid. The design limits on local (pellet) and integrated fuel rod peak power density are expressed in terms of hot channel factors. Control of the core power distribution with respect to these factors ensures that local conditions in the fuel rods and coolant channels do not challenge core integrity at any location during either normal operation or a postulated accident analyzed in the safety analyses.

FNH is defined as the ratio of the integral of the linear power along the fuel rod with the highest integrated power to the average integrated fuel rod power. Therefore, FNH is a measure of the maximum total power produced in a fuel rod.

FAH is sensitive to fuel loading patterns, bank insertion, and fuel burnup.

FAH typically increases with control bank insertion and typically decreases with fuel burnup.

FNH is not directly measurable but is inferred from a power distribution map obtained with the movable incore detector system. Specifically, the results of the three dimensional power distribution map are analyzed by a computer to determine FNH.

This factor is calculated at least every 31 EFPD. However, during power operation, the global power distribution is monitored by LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," and LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)," which address directly and continuously measured process variables.

The COLR provides peaking factor limits that ensure that the design basis value of the departure from nucleate boiling (DNB) is met for normal operation, operational transients, and any transient condition arising from events of moderate frequency. The DNB design basis precludes DNB and is met by limiting the minimum local DNB heat flux ratio to a value greater than the design limits. All DNB limited transient events are assumed to begin with an FiN value that satisfies the LCO requirements.

(continued)

North Anna Units 1 and 2 B 3.2.2-1 Revision 0, 04/02/02

B3 H B 3.2.2 BASES BACKGROUND (continued)

APPLICABLE SAFETY ANALYSES Operation outside the LCO limits may produce unacceptable consequences if a DNB limiting event occurs. The DNB design basis ensures that there is no overheating of the fuel that results in possible cladding perforation with the release of fission products to the reactor coolant.

Limits on FNH preclude core power distributions that exceed the following fuel design limits:

a. There must be at confidence level hottest fuel rod condition; least 95% probability at the 95%

(the 95/95 DNB criterion) that the in the core does not experience a DNB

b. During a large break loss of coolant accident (LOCA),

peak cladding temperature (PCT) must not exceed 2200°F;

c. During an ejected rod accident, the energy deposition to unirradiated fuel is limited to 225 cal/gm and irradiated fuel is limited to 200 cal/gm (Ref.

1); and

d. The control rods must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (Ref. 2).

For transients that may be DNB limited, the Reactor Coolant System flow, temperature, and pressure, and FNH are the parameters of most importance. The limits on FNH ensure that the DNB design basis is met for normal operation, operational transients, and any transients arising from events of moderate frequency. The DNB design basis is met by limiting the minimum DNBR to a value which provides a high degree of assurance that the hottest fuel rod in the core does not experience a DNB.

The allowable FNH limit increases with decreasing power level. This functionality in FNH is included in the analyses that provide the Reactor Core Safety Limits (SLs) of SL 2.1.1. Therefore, any DNB events in which the calculation of the core limits is modeled implicitly use this variable value of FNH in the analyses. Likewise, all transients that may be DNB limited are assumed to begin with an initial FNH as a function of power level defined by the COLR limit equation.

(continued)

North Anna Units 1 and 2 B 3.2.2-2 Revision 0, 04/02/02

F N

B 3.2.2 BASES APPLICABLE The LOCA safety analysis indirectly models FNH as an input SAFETY ANALYSES parameter. The Nuclear Heat Flux Hot Channel Factor (FQ(Z))

(continued) and the axial peaking factors are inserted directly into the LOCA safety analyses that verify the acceptability of the resulting peak cladding temperature (Ref.

3).

The fuel is protected in part by Technical Specifications, which ensure that the initial conditions assumed in the safety and accident analyses remain valid. The following LCOs ensure this: LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD),"

LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR),"

LCO 3.1.6, "Control Bank Insertion Limits," LCO 3.2.2, "Nuclear Enthalpy Rise Hot Channel Factor (FgH),"

LCO 3.2.1, "Heat Flux Hot Channel Factor (FQ(Z))," and LCO 3.4.1, "RCS Pressure, Temperature, and Flow DNB Limits."

FAH and FQ(Z) are measured periodically using the movable incore detector system. Measurements are generally taken with the core at, or near, steady state conditions. Core monitoring and control under transient conditions (Condition 1 events) are accomplished by operating the core within the limits of the LCOs on AFD,

QPTR, and Bank Insertion Limits.

FNH satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO FNH shall be maintained within the limits of the relationship provided in the COLR.

The FNH limit identifies the coolant flow channel with the maximum enthalpy rise. This channel has the highest probability for a DNB.

The limiting value of F*H, described by the equation contained in the COLR, is the design radial peaking factor used in the unit safety analyses.

A power multiplication factor in this equation includes an additional margin for higher radial peaking from reduced thermal feedback and greater control rod insertion at low power levels.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.2.2-3

FAH B 3.2.2 BASES APPLICABILITY The FNH limits must be maintained in MODE 1 to preclude core power distributions from exceeding the fuel design limits for DNBR and PCT. Applicability in other modes is not required because there is either insufficient stored energy in the fuel or insufficient energy being transferred to the coolant to require a limit on the distribution of core power.

The design bases events that are sensitive to FH in other modes (MODES 2 through 5) have sufficient margin to DNB, and therefore, there is no need to restrict F*H in these modes.

ACTIONS A.1 and A.2 Condition A is modified by a Note that requires that Required Actions A.3 and A.4 must be completed whenever Condition A is entered. Thus, because even if FNH is restored to within limits, Required Action A.3 nevertheless requires another measurement and calculation of FNH within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> in accordance with SR 3.2.2.1.

However, if power is reduced below 50% RTP, Required Action A.4 requires that another determination of FNH must be done prior to exceeding 50% RTP, prior to exceeding 75% RTP, and within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after reaching or exceeding 95% RTP.

In addition, Required Action A.3 is performed if power ascension is delayed past 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

If the value of FAH is not restored to within its specified limit either by adjusting a misaligned rod or by reducing THERMAL POWER, the alternative option is to reduce THERMAL POWER to < 50% RTP in accordance with Required Action A.1 and reduce the Power Range Neutron Flux-High to

  • 55% RTP in accordance with Required Action A.2. Reducing RTP to

< 50% RTP increases the DNB margin and does not likely cause the DNBR limit to be violated in steady state operation. The reduction in trip setpoints ensures that continuing operation remains at an acceptable low power level with adequate DNBR margin. The allowed Completion Time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for Required Action A.1 provides an acceptable time to reach the required power level from full power operation without allowing the unit to remain in an unacceptable condition for an extended period of time.

The allowed Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to reset the trip setpoints per Required Action A.2 recognizes that, once power is reduced, the safety analysis assumptions are (continued)

North Anna Units 1 and 2 B 3.2.2-4 Revision 0, 04/02/02

FAH B 3.2.2 BASES ACTIONS A.1 and A.2 (continued) satisfied and there is no urgent need to reduce the trip setpoints. This is a sensitive operation that may inadvertently trip the Reactor Protection System.

A.3 Once the power level has been reduced to < 50% RTP per Required Action A.1, an incore flux map (SR 3.2.2.1) must be obtained and the measured value of F"H verified not to exceed the allowed limit at the lower power level.

The unit is provided 20 additional hours to perform this task over and above the 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> allowed by Action A.1. The Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is acceptable because of the increase in the DNB margin, which is obtained at lower power levels, and the low probability of having a DNB limiting event within this 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> period. Additionally, operating experience has indicated that this Completion Time is sufficient to obtain the incore flux map, perform the required calculations, and evaluate F1H A.4 Verification that FNH is within its specified limits after an out of limit occurrence ensures that the cause that led to the FNH exceeding its limit is corrected, and that subsequent operation proceeds within the LCO limit. This Action demonstrates that the FNH limit is within the LCO limits prior to exceeding 50% RTP, again prior to exceeding 75% RTP, and within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after THERMAL POWER is

Ž 95% RTP.

This Required Action is modified by a Note that states that THERMAL POWER does not have to be reduced prior to performing this Action.

B.1 When Required Actions A.1 through A.4 cannot be completed within their required Completion Times, the unit must be placed in a mode in which the LCO requirements are not applicable. This is done by placing the unit in at least MODE 2 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience regarding the time required to reach MODE 2 from full power conditions in an orderly manner and without challenging unit systems.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.2.2-5

B 3.2.2 BASES SURVEILLANCE REQUIREMENTS SR 3.2.2.1 The value of FNH is determined by using the movable incore detector system to obtain a flux distribution map. A data reduction computer program then calculates the maximum value of FNH from the measured flux distributions. The FN limit contains an allowance of 1.04 to account for measurement uncertainty.

After each refueling, to exceeding 75% RTP.

limits are met at the FAH must be determined in MODE 1 prior This requirement ensures that FNH beginning of each fuel cycle.

The 31 EFPD Frequency is acceptable because the power distribution changes relatively slowly over this amount of fuel burnup. Accordingly, this Frequency is short enough that the FAH limit cannot be exceeded for any significant period of operation.

REFERENCES

1. VEP-NFE-2-A, "VEPCO Evaluation of the Control Rod Ejection Transient."
2.

UFSAR, Section 3.1.22.

3.

10 CFR 50.46.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.2.2-6

AFD B 3.2.3 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.3 AXIAL FLUX DIFFERENCE (AFD)

BASES BACKGROUND APPLICABLE SAFETY ANALYSES The purpose of this LCO is to establish limits on the values of the AFD in order to limit the amount of axial power distribution skewing to either the top or bottom of the core.

By limiting the amount of power distribution skewing, core peaking factors are consistent with the assumptions used in the safety analyses. Limiting power distribution skewing over time also minimizes the xenon distribution skewing, which is a significant factor in axial power distribution control.

Relaxed Power Distribution Control (RPDC) is a calculational procedure that defines the allowed operational space of the AFD versus THERMAL POWER.

The AFD limits are selected by considering a range of axial xenon distributions that may occur as a result of large variations of the AFD.

Subsequently, power peaking factors and power distributions are examined to ensure that the loss of coolant accident (LOCA),

loss of flow accident, and anticipated transient limits are met. Violation of the AFD limits invalidate the conclusions of the accident and transient analyses with regard to fuel cladding integrity.

The AFD is monitored on an automatic basis using the unit process computer, which has an AFD monitor alarm. The computer determines the 1 minute average of each of the OPERABLE excore detector outputs and provides an alarm message immediately if the AFD for two or more OPERABLE excore channels is outside its specified limits.

The AFD is a measure of the axial power distribution skewing to either the top or bottom half of the core. The AFD is sensitive to many core related parameters such as control bank positions, core power level, axial burnup, axial xenon distribution, and, to a lesser extent, reactor coolant temperature and boron concentration.

The allowed range of the AFD is used in the nuclear design process to confirm that operation within these limits produces core peaking factors and axial power distributions that meet safety analysis requirements.

(continued)

North Anna Units 1 and 2 B 3.2.3-1 Revision 0, 04/02/02

AFD B 3.2.3 BASES APPLICABLE The RPDC methodology (Ref.

1) establishes a xenon SAFETY ANALYSES distribution library with tentatively wide AFD limits. Axial (continued) power distribution calculations are then performed to demonstrate that normal operation power shapes are acceptable for the LOCA and loss of flow accident, and for initial conditions of anticipated transients. The tentative limits are adjusted as necessary to meet the safety analysis requirements.

The limits on the AFD ensure that the Heat Flux Hot Channel Factor (FQ(Z))

is not exceeded during either normal operation or in the event of xenon redistribution following power changes. The limits on the AFD also restrict the range of power distributions that are used as initial conditions in the analyses of Condition 2, 3, or 4 events. This ensures that the fuel cladding integrity is maintained for these postulated accidents. The most important Condition 4 event is the LOCA. The most important Condition 3 event is the loss of flow accident. The most important Condition 2 events are uncontrolled rod withdrawal, excessive heat removal, and boration or dilution accidents. Condition 2 accidents simulated to begin from within the AFD limits are used to confirm the adequacy of the Overpower AT and Overtemperature AT trip setpoints.

The limits on the AFD satisfy Criterion 2 of 10 CFR 50.36(c) (2) (ii).

LCO The shape of the power profile in the axial (i.e., the vertical) direction is largely under the control of the operator through the manual operation of the control banks or automatic motion of control banks. The automatic motion of the control banks is in response to temperature deviations resulting from manual operation of the Chemical and Volume Control System to change boron concentration or from power level changes.

Signals are available to the operator from the Nuclear Instrumentation System (NIS) excore neutron detectors (Ref.

2). Separate signals are taken from the top and bottom detectors. The AFD is defined as the difference in normalized flux signals between the top and bottom excore detectors in each detector well.

For convenience, this flux difference is converted to provide flux difference units expressed as a percentage and labeled as %A flux or %AI.

(continued)

North Anna Units 1 and 2 B 3.2.3-2 Revision 0, 04/02/02

AFD B 3.2.3 BASES LCO (continued)

The AFD limits are provided in the COLR. Figure B 3.2.3-1 shows typical RPDC AFD limits. The AFD limits for RPDC do not depend on the target flux difference. However, the target flux difference may be used to minimize changes in the axial power distribution.

Violating this LCO on the AFD could produce unacceptable consequences if a Condition 2, 3, or 4 event occurs while the AFD is outside its specified limits.

The LCO is modified by a Note which states that AFD shall be considered outside its limit when two or more OPERABLE excore channels indicate AFD to be outside its limit.

APPLICABILITY The AFD requirements are applicable in MODE 1 greater than or equal to 50% RTP when the combination of THERMAL POWER and core peaking factors are of primary importance in safety analysis.

For AFD limits developed using RPDC methodology, the value of the AFD does not affect the limiting accident consequences with THERMAL POWER < 50% RTP and for lower operating power MODES.

ACTIONS A.1 As an alternative to restoring the AFD to within its specified limits, Required Action A.1 requires a THERMAL POWER reduction to < 50% RTP. This places the core in a condition for which the value of the AFD is not important in the applicable safety analyses. A Completion Time of 30 minutes is reasonable, based on operating experience, to reach 50% RTP without challenging unit systems.

SURVEILLANCE SR 3.2.3.1 REQUIREMENTS This Surveillance verifies that the AFD, as indicated by the NIS excore channel, is within its specified limits. The Surveillance Frequency of 7 days is adequate considering that the AFD is monitored by a computer and any deviation from requirements is alarmed.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.2.3-3

AFD B 3.2.3 BASES REFERENCES

1. K.L. Basehore et al., "Virginia Power Relaxed Power Distribution Control Methodology and Associated FQ Surveillance Technical Specifications," VEP-NE-1-A, March 1986.
2.

UFSAR, Chapter 7.

North Anna Units 1 and 2 B 3.2.3-4 Revision 0, 04/02/02

AFD B 3.2.3 100

-J I

0 0\\0 80 60 40 20 0

-50

-40

-30

-20

-10 0

10 20 30 40 50 AXIAL FLUX DIFFERENCE (%)

Figure B 3.2.3-1 (page I of 1)

AXIAL FLUX DIFFERENCE Acceptable Operation Limits as a Function of RATED THERMAL POWER North Anna Units 1 and 2

(-15,100)

(6,100)

UNACCEPTABLE UNACCEPTABLE OPERATION OPERATION ACCEPTABLE OPERATION

(-31,50)

-(20,50)

THIS FIGURE IS FOR ILLUSTRATION ONLY.

DO NOT USE FOR OPERATION.

B 3.2.3-5 Revision 0, 04/02/02

Intentionally Blank

QPTR B 3.2.4 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.4 QUADRANT POWER TILT RATIO (QPTR)

BASES BACKGROUND APPLICABLE SAFETY ANALYSES The QPTR limit ensures that the gross radial power distribution remains consistent with the design values used in the safety analyses. Precise radial power distribution measurements are made during startup testing, after refueling, and periodically during power operation.

The power density at any point in the core must be limited so that the fuel design criteria are maintained. Together, LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD),"

LCO 3.2.4, and LCO 3.1.6, "Control Rod Insertion Limits," provide limits on process variables that characterize and control the three dimensional power distribution of the reactor core. Control of these variables ensures that the core operates within the fuel design criteria and that the power distribution remains within the bounds used in the safety analyses.

This LCO precludes core power distributions that violate the following fuel design criteria:

a. During a large break loss of coolant accident, the peak cladding temperature must not exceed 2200°F (Ref. 1);
b. During a loss of forced reactor coolant flow accident, there must be at least 95% probability at the 95%

confidence level (the 95/95 departure from nucleate boiling (DNB) criterion) that the hot fuel rod in the core does not experience a DNB condition;

c. During an ejected rod accident, the energy deposition to unirradiated fuel is limited to 225 cal/gm and irradiated fuel is limited to 200 cal/gm (Ref. 2); and
d. The control rods must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (Ref. 3).

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.2.4-1

QPTR B 3.2.4 BASES APPLICABLE SAFETY ANALYSES (continued)

The LCO limits on the AFD, the QPTR, the Heat Flux Hot Channel Factor (F (Z)), the Nuclear Enthalpy Rise Hot Channel Factor (FAH),

and control bank insertion are established to preclude core power distributions that exceed the safety analyses limits.

The QPTR limits ensure that FN and FQ(Z) remain below their limiting values by preventing an undetected change in the gross radial power distribution.

In MODE 1, the FAH and FQ(Z) limits must be maintained to preclude core power distributions from exceeding design limits assumed in the safety analyses.

The QPTR satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO The QPTR limit of 1.02, at which corrective action is required, provides a margin of protection for both the DNB ratio and linear heat generation rate contributing to excessive power peaks resulting from X-Y plane power tilts.

A limiting QPTR of 1.02 can be tolerated before the margin for uncertainty in FQ(Z) and (FNH) is possibly challenged.

APPLICABILITY The QPTR limit must be maintained in MODE I with THERMAL POWER > 50% RTP to prevent core power distributions from exceeding the design limits.

Applicability in MODE I

  • 50% RTP and in other MODES is not required because there is either insufficient stored energy in the fuel or insufficient energy being transferred to the reactor coolant to require the implementation of a QPTR limit on the distribution of core power. The QPTR limit in these conditions is, therefore, not important. Note that the F0H and FQ(Z) LCOs still apply, but allow progressively higher peaking factors at 50% RTP or lower.

ACTIONS A.1 With the QPTR exceeding its limit, a power level reduction of

Ž 3% from RTP for each 1% by which the QPTR exceeds 1.00 is a conservative tradeoff of total core power with peak linear power. The Completion Time of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> allows sufficient time (continued)

North Anna Units 1 and 2 B 3.2.4-2 Revision 0, 04/02/02

QPTR B 3.2.4 BASES ACTIONS A.1 (continued) to identify the cause and correct the tilt.

Note that the power reduction itself may cause a change in the tilted condition.

The maximum allowable power level initially determined by Required Action A.1 may be affected by subsequent determinations of QPTR.

Increases in QPTR would require power reduction within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of QPTR determination, if necessary to comply with the decreased maximum allowable power level. Decreases in QPTR would allow increasing the maximum allowable power level and increasing power up to the revised limit.

A.2 After completion of Required Action A.1, the QPTR alarm may still be in its alarmed state. As such, any additional changes in the QPTR are detected by requiring a check of the QPTR once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> thereafter. A 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Completion Time is sufficient because any additional change in QPTR would be relatively slow.

A.3 The peaking factors FA' and FQ(Z) are of primary importance in ensuring that the power distribution remains consistent with the initial conditions used in the safety analyses.

Performing SRs on FNH and FQ(Z) within the Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after achieving equilibrium conditions from a THERMAL POWER reduction per Required Action A.1 ensures that these primary indicators of power distribution are within their respective limits. Equilibrium conditions are achieved when the core is sufficiently stable at intended operating conditions to support flux mapping. A Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after achieving equilibrium conditions from a THERMAL POWER reduction per Required Action A.1 takes into consideration the rate at which peaking factors are likely to change, and the time required to stabilize the unit and perform a flux map.

If these peaking factors are not within their limits, the Required Actions of these Surveillances provide an appropriate response for the abnormal condition.

If the QPTR remains above its specified limit, the peaking factor surveillances are required each 7 days thereafter to evaluate F1H and FQ(Z) with changes in power distribution.

(continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.2.4-3

QPTR B 3.2.4 BASES ACTIONS A.3 (continued)

Relatively small changes are expected due to either burnup and xenon redistribution or correction of the cause for exceeding the QPTR limit.

A.4 Although FNH and FQ(Z) are of primary importance as initial conditions in the safety analyses, other changes in the power distribution may occur as the QPTR limit is exceeded and may have an impact on the validity of the safety analysis. A change in the power distribution can affect such reactor parameters as bank worths and peaking factors for rod malfunction accidents. When the QPTR exceeds its limit, it does not necessarily mean a safety concern exists. It does mean that there is an indication of a change in the gross radial power distribution that requires an investigation and evaluation that is accomplished by examining the incore power distribution. Specifically, the core peaking factors and the quadrant tilt must be evaluated because they are the factors that best characterize the core power distribution.

This re-evaluation is required to ensure that, before increasing THERMAL POWER to above the limit of Required Action A.1, the reactor core conditions are consistent with the assumptions in the safety analyses.

A.5 If the QPTR has exceeded the 1.02 limit and a re-evaluation of the safety analysis is completed and shows that safety requirements are met, the excore detectors are normalized to restore QPTR to within limits prior to increasing THERMAL POWER to above the limit of Required Action A.1.

Normalization is accomplished in such a manner that the indicated QPTR following normalization is near 1.00. This is done to detect any subsequent significant changes in QPTR.

Required Action A.5 is modified by two Notes. Note 1 states that the QPTR is not restored to within limits until after the re-evaluation of the safety analysis has determined that core conditions at RTP are within the safety analysis assumptions (i.e., Required Action A.4). Note 2 states that if Required Action A.5 is performed, the Required Action A.6 shall be performed. Required Action A.5 normalizes the excore detectors to restore QPTR to within limits, which restores compliance with LCO 3.2.4. Thus, Note 2 prevents (continued)

North Anna Units 1 and 2 B 3.2.4-4 Revision 0, 04/02/02

QPTR B 3.2.4 BASES ACTIONS A.5 (continued) exiting the Actions prior to completing flux mapping to verify peaking factors, per Required Action A.6. These notes are intended to prevent any ambiguity about the required sequence of actions.

A.6 Once the flux tilt is restored to within limits (i.e.,

Required Action A.5 is performed),

it is acceptable to return to full power operation. However, as an added check that the core power distribution is consistent with the safety analysis assumptions, Required Action A.6 requires verification that FQ(Z) and FNH are within their specified limits within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of reaching equilibrium conditions at RTP. As an added precaution, if the core power does not reach equilibrium conditions at RTP within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, but is increased slowly, then the peaking factor surveillances must be performed within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> after increasing power above the limit of Required Action A.1. These Completion Times are intended to allow adequate time to increase THERMAL POWER to above the limit of Required Action A.1, while not permitting the core to remain with unconfirmed power distributions for extended periods of time.

Required Action A.6 is modified by a Note that states that the peaking factor surveillances may only be done after the excore detectors have been normalized to restore QPTR to within limits (i.e., Required Action A.5). The intent of this Note is to have the peaking factor surveillances performed at operating power levels, which can only be accomplished after the excore detectors are normalized to restore QPTR to within limits and the core returned to power.

B.1 If Required Actions A.1 through A.6 are not completed within their associated Completion Times, the unit must be brought to a MODE or condition in which the requirements do not apply. To achieve this status, THERMAL POWER must be reduced to

  • 50% RTP within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. The allowed Completion Time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is reasonable, based on operating experience regarding the amount of time required to reach the reduced power level without challenging unit systems.

North Anna Units 1 and 2 B 3.2.4-5 Revision 0, 04/02/02

QPTR B 3.2.4 BASES SURVEILLANCE SR 3.2.4.1 REQUIREMENTS SR 3.2.4.1 is modified by two Notes. Note I allows QPTR to be calculated with three power range channels if THERMAL POWER is ! 75% RTP and the input from one Power Range Neutron Flux channel is inoperable. Note 2 allows performance of SR 3.2.4.2 in lieu of SR 3.2.4.1.

This Surveillance verifies that the QPTR, as indicated by the Nuclear Instrumentation System (NIS) excore channels, is within its limits. The Frequency of 7 days takes into account other information and alarms available to the operator in the control room.

For those causes of QPT that occur quickly (e.g., a dropped rod), there typically are other indications of abnormality that prompt a verification of core power tilt.

SR 3.2.4.2 This Surveillance is modified by a Note, which states that it is not required until 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after the inputs from one or more Power Range Neutron Flux channels are inoperable and the THERMAL POWER is > 75% RTP.

With an NIS power range channel inoperable, tilt monitoring for a portion of the reactor core becomes degraded. Large tilts are likely detected with the remaining channels, but the capability for detection of small power tilts in some quadrants is decreased. Performing SR 3.2.4.2 at a Frequency of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> provides an accurate alternative means for ensuring that any tilt remains within its limits.

For purposes of monitoring the QPTR when one power range channel is inoperable, the moveable incore detectors are used to confirm that the normalized symmetric power distribution is consistent with the indicated QPTR and any previous data indicating a tilt. The incore detector monitoring is performed with a full incore flux map or two sets of four thimble locations with quarter core symmetry.

The two sets of four symmetric thimbles is a set of eight unique detector locations. These locations are C-8, E-5, E-11, H-3, H-13, L-5, L-11, and N-8.

The symmetric thimble flux map can be used to generate symmetric thimble "tilt." This can be compared to a reference symmetric thimble tilt, from the most recent full (continued)

North Anna Units 1 and 2 B 3.2.4-6 Revision 0, 04/02/02

QPTR B 3.2.4 BASES SURVEILLANCE REQUIREMENTS SR 3.2.4.2 (continued) core flux map, to generate an incore QPTR. Therefore, incore monitoring of QPTR can be used to confirm that QPTR is within limits.

With one NIS channel inoperable, the indicated tilt may be changed from the value indicated with all four channels OPERABLE.

To confirm that no change in tilt has actually occurred, which might cause the QPTR limit to be exceeded, the incore result may be compared against previous flux maps either using the symmetric thimbles as described above or a complete flux map. Nominally, quadrant tilt from the Surveillance should be within 2% of the tilt shown by the most recent flux map data.

REFERENCES

1. 10 CFR 50.46.
2.

VEP-NFE-2-A, "VEPCO Evaluation of the Control Rod Ejection Transient."

3. UFSAR, Section 3.1.22.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.2.4-7

Intentionally Blank

RTS Instrumentation B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Trip System (RTS)

Instrumentation BASES BACKGROUND The RTS initiates a unit shutdown, based on the values of selected unit parameters, to protect against violating the core fuel design limits and Reactor Coolant System (RCS) pressure boundary during anticipated operational occurrences (AWOs) and to assist the Engineered Safety Features (ESF)

Systems in mitigating accidents.

The protection and monitoring systems have been designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RTS, as well as specifying LCOs on other reactor system parameters and equipment performance.

Technical specifications are required by 10 CFR 50.36 to contain LSSS defined by the regulation as "... settings for automatic protective devices... so chosen that automatic protective action will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytic Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytic Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than the Analytic Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

The Trip Setpoint is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytic Limit and thus ensuring that the SL would not be exceeded. As such, the Trip Setpoint accounts for uncertainties in setting the device (e.g., calibration), uncertainties in how the device might actually perform (e.g., repeatability), changes in the point of action of the device over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments).

In this manner, the Trip Setpoint plays an important role in ensuring the SLs are not exceeded. As such, (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3.1-1

RTS Instrumentation B 3.3.1 BASES BACKGROUND the Trip Setpoint meets the definition of an LSSS (Ref. 9)

(continued) and could be used to meet the requirement that they be contained in the technical specifications.

Technical specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in technical specifications as

"... being capable of performing its safety function(s)." For automatic protective devices, the required safety function is to ensure that a SL is not exceeded and therefore the LSSS as defined by 10 CFR 50.36 is the same as the OPERABILITY limit for these devices. However, use of the Trip Setpoint to define OPERABILITY in technical specifications and its corresponding designation as the LSSS required by 10 CFR 50.36 would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as found" value of a protective device setting during a surveillance.

This would result in technical specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protective device with a setting that has been found to be different from the Trip Setpoint due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the Trip Setpoint and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as found" setting of the protective device. Therefore, the device would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the device to the Trip Setpoint to account for further drift during the next surveillance interval.

Use of the Trip Setpoint to define "as found" OPERABILITY and its designation as the LSSS under the expected circumstances described above would result in actions required by both the rule and technical specifications that are clearly not warranted. However, there is also some point beyond which the device would have not been able to perform its function due, for example, to greater than expected drift. This value needs to be specified in the technical specifications in order to define OPERABILITY of the devices and is designated as the Allowable Value which, as stated above, is the same as the LSSS.

(continued)

North Anna Units 1 and 2 B 3.3.1-2 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES BACKGROUND (continued)

The Allowable Value specified in Table 3.3.1-1 serves as the LSSS such that a channel is OPERABLE if the trip setpoint is found not to exceed the Allowable Value during the CHANNEL OPERATIONAL TEST (COT).

As such, the Allowable Value differs from the Trip Setpoint by an amount primarily equal to the expected instrument loop uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the device will still meet the LSSS definition and ensure that a Safety Limit is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval.

If the actual setting of the device is found to have exceeded the Allowable Value the device would be considered inoperable for a technical specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required. Note that, although the channel is "OPERABLE" under these circumstances, the trip setpoint should be left adjusted to a value within the established trip setpoint calibration tolerance band, in accordance with uncertainty assumptions stated in the referenced set point methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned.

During AOOs, which are those events expected to occur one or more times during the unit life, the acceptable limits are:

1. The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB);
2. Fuel centerline melt shall not occur; and
3. The RCS pressure SL of 2750 psia shall not be exceeded.

Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10 CFR 50 and 10 CFR 100 criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 limits. Different accident categories are allowed a different fraction of these limits, based on probability of (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3. 1-3

RTS Instrumentation B 3.3.1 BASES BACKGROUND occurrence. Meeting the acceptable dose limit for an (continued) accident category is considered having acceptable consequences for that event.

The RTS instrumentation is segmented into four distinct but interconnected modules as described in UFSAR, Chapter 7 (Ref.

1), and as identified below:

1. Field transmitters or process sensors: provide a measurable electronic signal based upon the physical characteristics of the parameter being measured;
2. Signal Process Control and Protection System, including Analog Protection System, Nuclear Instrumentation System (NIS),

field contacts, and protection channel sets:

provides signal conditioning, bistable setpoint comparison, process algorithm actuation, compatible electrical signal output to protection system devices, and control board/control room/miscellaneous indications;

3. Solid State Protection System (SSPS),

including input, logic, and output bays: initiates proper unit shutdown and/or ESF actuation in accordance with the defined logic, which is based on the bistable outputs from the signal process control and protection system; and

4. Reactor trip switchgear, including reactor trip breakers (RTBs) and bypass breakers: provides the means to interrupt power to the control rod drive mechanisms (CRDMs) and allows the rod cluster control assemblies (RCCAs),

or "rods," to trip, or de-energize, and fall into the core and shut down the reactor. The bypass breakers allow testing of the RTBs at power.

Field Transmitters or Sensors To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters.

To account for the calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowances are provided in the trip setpoints and Allowable Values. The OPERABILITY of each transmitter or sensor is determined by either "as-found" calibration data evaluated during the CHANNEL CALIBRATION or by qualitative assessment of field transmitter or sensor as related to the channel behavior during performance of CHANNEL CHECK.

North Anna Units 1 and 2 B 3.3.1-4 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES BACKGROUND Signal Process Control and Protection System (continued)

Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with setpoints established by safety analyses. These setpoints are defined in UFSAR, Chapter 7 (Ref.

1), Chapter 6 (Ref.

2), and Chapter 15 (Ref. 3).

If the measured value of a unit parameter exceeds the predetermined setpoint, an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input bays. However, not all unit parameters require four channelsof sensor measurement and signal processing.

Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.

When a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy.

If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails, such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic.

When a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation. These requirements are described in IEEE-279-1971 (Ref.

4).

The actual number of channels required for each unit parameter is specified in Reference 1.

Two logic channels are required to ensure no single random failure of a logic channel will disable the RTS.

The logic channels are designed such that testing required while the (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3.1-5

RTS Instrumentation B 3.3.1 BASES BACKGROUND Signal Process Control and Protection System (continued) reactor is at power may be accomplished without causing trip. Provisions to allow removing logic channels from service during maintenance are unnecessary because of the logic system's designed reliability.

Allowable Values and RTS Setpoints The trip setpoints used in the bistables are based on the analytical limits cited in Reference 3.

The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors fof those RTS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref.

5),

the Allowable Values specified in Table 3.3.1-1 in the accompanying LCO are conservative with respect to the analytical limits. The methodology used to calculate the trip setpoints and Allowable Values, including their explicit uncertainties, is cited in the "RTS/ESFAS Setpoint Methodology Study" (Ref.

6) which incorporates all of the known uncertainties applicable to each channel.

The magnitudes of these uncertainties are factored into the determination of each trip setpoint and corresponding Allowable Value. The trip setpoint entered into the bistable is more conservative than that specified by the Allowable Value (LSSS) to account for measurement errors detectable by the COT.

The Allowable Value serves as the Technical Specification OPERABILITY limit for the purpose of the COT.

One example of such a change in measurement error is drift during the surveillance interval.

If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.

The trip setpoint is the value at which the bistable is set and is the expected value to be achieved during calibration.

The trip setpoint value ensures the LSSS and the safety analysis limits are met for surveillance interval selected when a channel is adjusted based on stated channel uncertainties. Any bistable is considered to be properly adjusted when the "as left" setpoint value is within the band for CHANNEL CALIBRATION uncertainty allowance (i.e., +/- rack calibration + comparator setting uncertainties).

The trip (continued)

North Anna Units 1 and 2 B 3.3.1-6 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES BACKGROUND Allowable Values and RTS Setpoints (continued) setpoint value is therefore considered a "nominal" value (i.e., expressed as a value without inequalities) for the purposes of COT and CHANNEL CALIBRATION.

Trip setpoints consistent with the requirements of the Allowable Value ensure that SLs are not violated during AOOs (and that the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the unit is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed).

Each channel of the process control equipment can be tested on line to verify that the signal or setpoint accuracy is within the specified allowance requirements of Table 3.3.1-1. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal.

The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SRs section.

Solid State Protection System The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables.

To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide reactor trip and/or ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result. Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements. The system has been designed to trip in the event of a loss of power, directing the unit to a safe shutdown condition.

The SSPS performs the decision logic for actuating a reactor trip or ESF actuation, generates the electrical output signal that will initiate the required trip or actuation, and provides the status, permissive, and annunciator output signals to the main control room of the unit.

(continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3.1-7

RTS Instrumentation B 3.3.1 BASES BACKGROUND Solid State Protection System (continued)

The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various unit upset and accident transients. If a required logic matrix combination is completed, the system will initiate a reactor trip or send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.

Reactor Trip Switchgear The RTBs are in the electrical power supply line from the control rod drive motor generator set power supply to the CRDMs.

Opening of the RTBs interrupts power to the CRDMs, which allows the shutdown rods and control rods to fall into the core by gravity. Each RTB is equipped with a bypass breaker to allow testing of the RTB while the unit is at power. During normal operation the output from the SSPS is a voltage signal that energizes the undervoltage coils in the RTBs and bypass breakers, if in use. When the required logic matrix combination is completed, the SSPS output voltage signal is removed, the undervoltage coils are de-energized, the breaker trip lever is actuated by the de-energized undervoltage coil, and the RTBs and bypass breakers are tripped open. This allows the shutdown rods and control rods to fall into the core. In addition to the de-energization of the undervoltage coils, each RTB is also equipped with a shunt trip attachment device that is energized to trip the breaker open upon receipt of a reactor trip signal from the SSPS. Either the undervoltage coil or the shunt trip mechanism is sufficient by itself, thus providing a diverse trip mechanism.

The logic Functions are described in the functional diagrams included in Reference 2.

In addition to the reactor trip or ESF, these diagrams also describe the various "permissive interlocks" that are associated with unit conditions. Each train has a built in testing device that can automatically test the logic Functions and the actuation devices while the unit is at power. When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.

North Anna Units 1 and 2 B 3.3.1-8 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES APPLICABLE The RTS functions to maintain the SLs during all AOOs and SAFETY mitigates the consequences of DBAs in all MODES in which the

ANALYSES, LCO, Rod Control System is capable of rod withdrawal or one or and more rods are not fully inserted.

APPLICABILITY Each of the analyzed accidents and transients can be detected by one or more RTS Functions. The accident analysis described in Reference 3 takes credit for most RTS trip Functions. RTS trip Functions not specifically credited in the accident analysis are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These RTS trip Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. They may also serve as backups to RTS trip Functions that were credited in the accident analysis.

The LCO requires all instrumentation performing an RTS Function, listed in Table 3.3.1-1 in the accompanying LCO, to be OPERABLE. A channel is OPERABLE with a trip setpoint value outside its calibration tolerance band provided the trip setpoint "as-found" value does not exceed its associated Allowable Value and provided the trip setpoint "as-left" value is adjusted to a value within the "as-left" calibration tolerance band of the nominal trip setpoint. A trip setpoint may be set more conservative than the nominal trip setpoint as necessary in response to the unit conditions. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.

The LCO generally requires OPERABILITY of four or three channels in each instrumentation Function, two channels of Manual Reactor Trip in each logic Function, and two trains in each Automatic Trip Logic Function. Four OPERABLE instrumentation channels in a two-out-of-four configuration are required when one RTS channel is also used as a control system input. This configuration accounts for the possibility of the shared channel failing in such a manner that it creates a transient that requires RTS action. In this case, the RTS will still provide protection, even with random failure of one of the other three protection and channels. Three OPERABLE instrumentation channels in a two-out-of-three configuration are generally required when there is no potential for control system and protection system interaction that could simultaneously create a need for RTS trip and disable one RTS channel.

The (continued)

North Anna Units 1 and 2 B 3.3.1-9 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES APPLICABLE two-out-of-three and two-out-of-four configurations allow SAFETY one channel to be tripped during maintenance or testing

ANALYSES, LCO, without causing a reactor trip. Specific exceptions to the and above general philosophy exist and are discussed below.

APPLICABILITY (continued)

Reactor Trip System Functions The safety analyses and OPERABILITY requirements applicable to each RTS Function are discussed below:

1. Manual Reactor Trip The Manual Reactor Trip ensures that the control room operator can initiate a reactor trip at any time by using either of two reactor trip switches in the control room.

A Manual Reactor Trip accomplishes the same results as any one of the automatic trip Functions. It is used by the reactor operator to shut down the reactor whenever any parameter is rapidly trending toward its trip setpoint.

The LCO requires two Manual Reactor Trip channels to be OPERABLE. Each channel is controlled by a manual reactor trip switch. Each channel activates the reactor trip breaker in both trains. Two independent channels are required to be OPERABLE so that no single random failure will disable the Manual Reactor Trip Function.

In MODE I or 2, manual initiation of a reactor trip must be OPERABLE.

These are the MODES in which the shutdown rods and/or control rods are partially or fully withdrawn from the core. In MODE 3, 4, or 5, the manual initiation Function must also be OPERABLE if one or more shutdown rods or control rods are withdrawn or the Rod Control System is capable of withdrawing the shutdown rods or the control rods. In this condition, inadvertent control rod withdrawal is possible. In MODE 3, 4, or 5, manual initiation of a reactor trip does not have to be OPERABLE if the Rod Control System is not capable of withdrawing the shutdown rods or control rods and if all rods are fully inserted. If the rods cannot be withdrawn from the core, or all of the rods are inserted, there is no need to be able to trip the reactor. In MODE 6, neither the shutdown rods nor the control rods are permitted to be withdrawn and the CRDMs are disconnected from the control rods and shutdown rods. Therefore, the manual initiation Function is not required.

North Anna Units 1 and 2 B 3.3.1-10 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY

ANALYSES, LCO, and APPLICABILITY (continued)
2.

Power Range Neutron Flux The NIS power range detectors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS power range detectors provide input to the Rod Control System and the Steam Generator (SG)

Water Level Control System. Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Note that this Function also provides a signal to prevent automatic and manual rod withdrawal prior to initiating a reactor trip. Limiting further rod withdrawal may terminate the transient and eliminate the need to trip the reactor.

a.

Power Range Neutron Flux-High The Power Range Neutron Flux-High trip Function ensures that protection is provided, from all power levels, against a positive reactivity excursion leading to DNB during power operations. These can be caused by rod withdrawal or reductions in RCS temperature.

The LCO requires all four of the Power Range Neutron Flux-High channels to be OPERABLE.

In MODE I or 2, when a positive reactivity excursion could occur, the Power Range Neutron Flux-High trip must be OPERABLE.

This Function will terminate the reactivity excursion and shut down the reactor prior to reaching a power level that could damage the fuel.

In MODE 3, 4,

5, or 6, the NIS power range detectors cannot detect neutron levels in this range. In these MODES, the Power Range Neutron Flux-High does not have to be OPERABLE because the reactor is shut down and reactivity excursions into the power range are extremely unlikely. Other RTS Functions and administrative controls provide protection against reactivity additions when in MODE 3, 4, 5, or 6.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3.1-11

RTS Instrumentation B 3.3.1 BASES APPLICABLE

2.

Power Range Neutron Flux (continued)

SAFETY

ANALYSES, LCO,
b.

Power Range Neutron Flux-Low and APPLICABILITY The LCO requirement for the Power Range Neutron Flux-Low trip Function ensures that protection is provided against a positive reactivity excursion from low power conditions.

The LCO requires all four of the Power Range Neutron Flux-Low channels to be OPERABLE.

In MODE 1, below the Power Range Neutron Flux (P-10 setpoint), and in MODE 2, the Power Range Neutron Flux-Low trip must be OPERABLE.

This Function may be manually blocked by the operator when two out of four power range channels are greater than approximately 10% RTP (P-10 setpoint). This Function is automatically unblocked when three out of four power range channels are below the P-1O setpoint. Above the P-10 setpoint, positive reactivity additions are mitigated by the Power Range Neutron Flux-High trip Function.

In MODE 3, 4, 5, or 6, the Power Range Neutron Flux-Low trip Function does not have to be OPERABLE because the reactor is shut down and the NIS power range detectors cannot detect neutron levels in this range. Other RTS trip Functions and administrative controls provide protection against positive reactivity additions or power excursions in MODE 3, 4,

5, or 6.

3.

Power Range Neutron Flux Rate The Power Range Neutron Flux Rate trips use the same channels as discussed for Function 2 above.

a. Power Range Neutron Flux-High Positive Rate The Power Range Neutron Flux-High Positive Rate trip Function ensures that protection is provided against rapid increases in neutron flux that are characteristic of an RCCA drive rod housing rupture and the accompanying ejection of the RCCA.

This Function compliments the Power Range Neutron (continued)

North Anna Units 1 and 2 B 3.3. 1-12 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES APPLICABLE

3.

Power Range Neutron Flux Rate (continued)

SAFETY

ANALYSES, LCO,
a. Power Range Neutron Flux-High Positive Rate and (continued)

APPLICABILITY Flux-High and Low Setpoint trip Functions to ensure that the criteria are met for a rod ejection from the power range.

The LCO requires all four of the Power Range Neutron Flux-High Positive Rate channels to be OPERABLE.

In MODE I or 2, when there is a potential to add a large amount of positive reactivity from a rod ejection accident (REA),

the Power Range Neutron Flux-High Positive Rate trip must be OPERABLE.

In MODE 3, 4, 5, or 6, the Power Range Neutron Flux-High Positive Rate trip Function does not have to be OPERABLE because other RTS trip Functions and administrative controls will provide protection against positive reactivity additions. Also, since only the shutdown banks may be fully withdrawn in MODE 3, 4, or 5, the remaining complement of control bank (partial withdrawal allowed) worth ensures a sufficient degree of SDM in the event of an REA.

In MODE 6, no rods are withdrawn and the SDM is increased during refueling operations. The reactor vessel head is also removed or the closure bolts are detensioned preventing any pressure buildup. In addition, the NIS power range detectors cannot detect neutron levels present in this mode.

b. Power Range Neutron Flux-High Negative Rate The Power Range Neutron Flux-High Negative Rate trip Function ensures that protection is provided for multiple rod drop accidents. At high power levels, a multiple rod drop accident could cause local flux peaking that would result in an unconservative local DNBR.

DNBR is defined as the ratio of the heat flux required to cause a DNB at a particular location in the core to the local heat flux. The DNBR is indicative of the margin to DNB.

No credit is taken for the operation of this Function for those rod drop accidents in which the local DNBRs will be greater than the limit.

(continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3.1-13

RTS Instrumentation B 3.3.1 BASES APPLICABLE

3.

Power Range Neutron Flux Rate (continued)

SAFETY

ANALYSES, LCO,
b. Power Range Neutron Flux-High Negative Rate and (continued)

APPLICABILITY The LCO requires all four Power Range Neutron Flux-High Negative Rate channels to be OPERABLE.

In MODE 1 or 2, when there is potential for a multiple rod drop accident to occur, the Power Range Neutron Flux-High Negative Rate trip must be OPERABLE.

In MODE 3, 4, 5, or 6, the Power Range Neutron Flux-High Negative Rate trip Function does not have to be OPERABLE because the core is not critical and DNB is not a concern. Also, since only the shutdown banks may be fully withdrawn in MODE 3, 4, or 5, the remaining complement of control bank (partial withdrawal allowed) worth ensures a sufficient degree of SDM in the event of an REA.

In MODE 6, no rods are withdrawn and the required SDM is increased during refueling operations. In addition, the NIS power range detectors cannot detect neutron levels present in this MODE.

4.

Intermediate Range Neutron Flux The Intermediate Range Neutron Flux trip Function ensures that protection is provided against an uncontrolled RCCA bank rod withdrawal accident from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux-Low Setpoint trip Function. The NIS intermediate range detectors are located external to the reactor vessel and measure neutrons leaking from the core. Note that this Function also provides a signal to prevent automatic and manual rod withdrawal prior to initiating a reactor trip. Limiting further rod withdrawal may terminate the transient and eliminate the need to trip the reactor.

The LCO requires two channels of Intermediate Range Neutron Flux to be OPERABLE.

Two OPERABLE channels are sufficient to ensure no single random failure will disable this trip Function.

(continued)

North Anna Units 1 and 2 B 3-3.1-14 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES APPLICABLE

4.

Intermediate Range Neutron Flux (continued)

SAFETY

ANALYSES, LCO, Because this trip Function is important only during and startup, there is generally no need to disable channels APPLICABILITY for testing while the Function is required to be OPERABLE. Therefore, a third channel is unnecessary.

In MODE 1 below the P-10 setpoint, and in MODE 2 above the P-6 setpoint, when there is a potential for an uncontrolled RCCA bank rod withdrawal accident during reactor startup, the Intermediate Range Neutron Flux trip must be OPERABLE.

Above the P-1O setpoint, the Power Range Neutron Flux-High Setpoint trip and the Power Range Neutron Flux-High Positive Rate trip provide core protection for a rod withdrawal accident. In MODE 2 below the P-6 setpoint, the Source Range Neutron Flux Trip provides the core protection for reactivity accidents. In MODE 3, 4, or 5, the Intermediate Range Neutron Flux trip does not have to be OPERABLE because Source Range Instrumentation channels provide the required reactor trip protection. The core also has the required SDM to mitigate the consequences of a positive reactivity addition accident. In MODE 6, all rods are fully inserted and the core has a required increased SDM. Also, the NIS intermediate range detectors cannot detect neutron levels present in this MODE.

5.

Source Range Neutron Flux The LCO requirement for the Source Range Neutron Flux trip Function ensures that protection is provided against an uncontrolled RCCA bank rod withdrawal accident from a subcritical condition during startup.

This trip Function provides redundant protection to the Power Range Neutron Flux-Low trip Function. In MODES 3, 4, and 5, administrative controls also prevent the uncontrolled withdrawal of rods. The NIS source range detectors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS source range detectors do not provide any inputs to control systems. The source range trip is the only RTS automatic protection function required in MODES 3, 4, and 5 when rods are capable of withdrawal or one or more rods are not fully inserted. Therefore, the functional capability at the trip setpoint is assumed to be available.

(continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3.1-15

RTS Instrumentation B 3.3.1 BASES APPLICABLE

5.

Source Range Neutron Flux (continued)

SAFETY

ANALYSES, LCO, The Source Range Neutron Flux Function provides and protection for control rod withdrawal from subcritical, APPLICABILITY boron dilution and control rod ejection events.

In MODE 2 when below the P-6 setpoint and in MODES 3, 4, and 5 when there is a potential for an uncontrolled RCCA bank rod withdrawal accident, the Source Range Neutron Flux trip must be OPERABLE.

Two OPERABLE channels are sufficient to ensure no single random failure will disable this trip Function. Above the P-6 setpoint, the Intermediate Range Neutron Flux trip and the Power Range Neutron Flux-Low Setpoint trip will provide core protection for reactivity accidents. Above the P-6 setpoint, the NIS source range detectors are de-energized and inoperable.

In MODES 3, 4, and 5 with all rods fully inserted and the Rod Control System not capable of rod withdrawal, and in MODE 6, the outputs of the Function to RTS logic are not required OPERABLE.

The requirements for the NIS source range detectors to monitor core neutron levels and provide indication of reactivity changes that may occur as a result of events like a boron dilution are addressed in LCO 3.9.3, "Nuclear Instrumentation," for MODE 6.

6.

Overtemperature AT The Overtemperature AT trip Function is provided to ensure that the design limit DNBR is met. This trip Function also limits the range over which the Overpower AT trip Function must provide protection. The inputs to the Overtemperature AT trip include pressurizer pressure, coolant temperature, axial power distribution, and reactor power as indicated by loop AT assuming full reactor coolant flow. Protection from violating the DNBR limit is assured for those transients that are slow with respect to delays from the core to the measurement system. The Function monitors both variation in power and flow since a decrease in flow has the same effect on AT as a power increase. The Overtemperature AT trip (continued)

North Anna Units 1 and 2 B 3.3.1-16 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES APPLICABLE

6.

Overtemperature AT (continued)

SAFETY

ANALYSES, LCO, Function uses each loop's AT as a measure of reactor and power and is compared with a setpoint that is APPLICABILITY automatically varied with the following parameters:

"* reactor coolant average temperature-the trip setpoint is varied to correct for changes in coolant density and specific heat capacity with changes in coolant temperature;

"* pressurizer pressure-the trip setpoint is varied to correct for changes in system pressure; and

"* axial power distribution-f(AI), the trip setpoint is varied to account for imbalances in the axial power distribution as detected by the NIS upper and lower power range detectors. If axial peaks are greater than the design limit, as indicated by the difference between the upper and lower NIS power range detectors, the trip setpoint is reduced in accordance with Note 1 of Table 3.3.1-1.

Dynamic compensation is included for system piping delays from the core to the temperature measurement system.

The Overtemperature AT trip Function is calculated for each loop as described in Note 1 of Table 3.3.1-1. Trip occurs if Overtemperature AT is indicated in two loops.

The pressure and temperature signals are used for other control functions. The actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Note that this Function also provides a signal to generate a turbine runback prior to reaching the trip setpoint. A turbine runback will reduce turbine power and reactor power.

Additionally, the turbine runback setpoint blocks automatic and manual rod withdrawal.

A reduction in power will normally alleviate the Overtemperature AT condition and may prevent a reactor trip.

The LCO requires all three channels of the Overtemperature AT trip Function to be OPERABLE.

Note that the Overtemperature AT Function receives input from (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3.1-17

RTS Instrumentation B 3.3.1 BASES APPLICABLE

6.

Overtemperature AT (continued)

SAFETY

ANALYSES, LCO, channels shared with other RTS Functions. Failures that and affect multiple Functions require entry into the APPLICABILITY Conditions applicable to all affected Functions.

In MODE 1 or 2, the Overtemperature AT trip must be OPERABLE to prevent DNB.

In MODE 3, 4, 5, or 6, this trip Function does not have to be OPERABLE because the reactor is not operating and there is insufficient heat production to be concerned about DNB.

7.

Overpower AT The Overpower AT trip Function ensures that protection is provided to ensure the integrity of the fuel (i.e., no fuel pellet melting and less than 1% cladding strain) under all possible overpower conditions. This trip Function also limits the required range of the Overtemperature AT trip Function and provides a backup to the Power Range Neutron Flux-High Setpoint trip. The Overpower AT trip Function ensures that the allowable heat generation rate (kW/ft) of the fuel is not exceeded.

It uses the AT of each loop as a measure of reactor power with a setpoint that is automatically varied with the following parameters:

"* reactor coolant average temperature-the trip setpoint is varied to correct for changes in coolant density and specific heat capacity with changes in coolant temperature; and

"* rate of change of reactor coolant average temperature-including dynamic compensation for the delays between the core and the temperature measurement system. The function generated by the rate lag controller for Tavg dynamic compensation is represented by the expression: T3s/1+T3s. The time constant utilized in the rate lag controller for Tavg is T3 The Overpower AT trip Function is calculated for each loop as per Note 2 of Table 3.3.1-1. Trip occurs if Overpower AT is indicated in two loops. Note that this Function also provides a signal to generate a turbine runback prior to reaching the Allowable Value. A turbine runback will reduce turbine power and reactor power.

(continued)

North Anna Units 1 and 2 B 3.3.1-18 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES APPLICABLE

7.

Overpower AT (continued)

SAFETY

ANALYSES, LCO, Additionally, the turbine runback setpoint blocks and automatic and manual rod withdrawal.

A reduction in APPLICABILITY power will normally alleviate the Overpower AT condition and may prevent a reactor trip.

The LCO requires three channels of the Overpower AT trip Function to be OPERABLE. Note that the Overpower AT trip Function receives input from channels shared with other RTS Functions. Failures that affect multiple Functions require entry into the Conditions applicable to all affected Functions.

In MODE 1 or 2, the Overpower AT trip Function must be OPERABLE.

These are the only times that enough heat is generated in the fuel to be concerned about the heat generation rates and overheating of the fuel.

In MODE 3, 4,

5, or 6, this trip Function does not have to be OPERABLE because the reactor is not operating and there is insufficient heat production to be concerned about fuel overheating and fuel damage.

8.

Pressurizer Pressure The same sensors provide input to the Pressurizer Pressure-High and -Low trips and the Overtemperature AT trip.

a. Pressurizer Pressure-Low The Pressurizer Pressure-Low trip Function ensures that protection is provided against violating the DNBR limit due to low pressure.

The LCO requires three channels of Pressurizer Pressure-Low to be OPERABLE.

In MODE 1, when DNB is a major concern, the Pressurizer Pressure-Low trip must be OPERABLE.

This trip Function is automatically enabled on increasing power by the P-7 interlock (NIS power range P-1O or turbine impulse pressure greater than approximately 10% of full power equivalent (P-13)).

On decreasing power, this trip Function is automatically blocked below P-7. Below the P-7 setpoint, no conceivable power distributions can occur that would cause DNB concerns.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3. 1-19

RTS Instrumentation B 3.3.1 BASES APPLICABLE

8.

Pressurizer Pressure (continued)

SAFETY

ANALYSES, LCO,
b. Pressurizer Pressure-High and APPLICABILITY The Pressurizer Pressure-High trip Function ensures that protection is provided against overpressurizing the RCS. This trip Function operates in conjunction with the pressurizer relief and safety valves to prevent RCS overpressure conditions.

The LCO requires three channels of the Pressurizer Pressure-High to be OPERABLE.

The Pressurizer Pressure-High LSSS is selected to be below the pressurizer safety valve actuation pressure and above the power operated relief valve (PORV) setting. This setting minimizes challenges to safety valves while avoiding unnecessary reactor trip for those pressure increases that can be controlled by the PORVs.

In MODE I or 2, the Pressurizer Pressure-High trip must be OPERABLE to help prevent RCS overpressurization and minimize challenges to the relief and safety valves. In MODE 3, 4, 5, or 6, the Pressurizer Pressure-High trip Function does not have to be OPERABLE because transients that could cause an overpressure condition will be slow to occur.

Therefore, the operator will have sufficient time to evaluate unit conditions and take corrective actions.

Additionally, low temperature overpressure protection systems provide overpressure protection when below MODE 4.

9.

Pressurizer Water Level-High The Pressurizer Water Level-High trip Function provides a backup signal for the Pressurizer Pressure-High trip and also provides protection against water relief through the pressurizer safety valves. These valves are designed to pass steam in order to achieve their design energy removal rate. A reactor trip is actuated prior to the pressurizer becoming water solid. The LCO requires three channels of Pressurizer Water Level-High to be OPERABLE.

The pressurizer level channels are used as input to the Pressurizer Level Control System. A fourth channel is not required to address control/protection (continued)

North Anna Units 1 and 2 B 3.3. 1-20 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES APPLICABLE

9.

Pressurizer Water Level-High (continued)

SAFETY

ANALYSES, LCO, interaction concerns. The level channels do not actuate and the safety valves, and the high pressure reactor trip is APPLICABILITY set below the safety valve setting. Therefore, with the slow rate of charging available, pressure overshoot due to level channel failure cannot cause the safety valve to lift before reactor high pressure trip.

In MODE 1, when there is a potential for overfilling the pressurizer, the Pressurizer Water Level-High trip must be OPERABLE. This trip Function is automatically enabled on increasing power by the P-7 interlock. On decreasing power, this trip Function is automatically blocked below P-7. Below the P-7 setpoint, transients that could raise the pressurizer water level will be slow and the operator will have sufficient time to evaluate unit conditions and take corrective actions.

10. Reactor Coolant Flow-Low The Reactor Coolant Flow-Low trip Function ensures that protection is provided against violating the DNBR limit due to low flow in one or more RCS loops, while avoiding reactor trips due to normal variations in loop flow.

Above the P-7 setpoint, the reactor trip on low flow in two or more RCS loops is automatically enabled. Above the P-8 setpoint, which is approximately 30% RTP, a loss of flow in any RCS loop will actuate a reactor trip. Each RCS loop has three flow detectors to monitor flow. The flow signals are not used for any control system input.

The LCO requires three Reactor Coolant Flow-Low channels per loop to be OPERABLE in MODE 1 above P-7.

In MODE 1 above the P-8 setpoint, a loss of flow in one RCS loop could result in DNB conditions in the core because of the higher power level.

In MODE 1 below the P-8 setpoint and above the P-7 setpoint, a loss of flow in two or more loops is required to actuate a reactor trip because of the lower power level and the greater margin to the design limit DNBR.

Below the P-7 setpoint, all reactor trips on low flow are automatically blocked since there is insufficient heat production to generate DNB conditions.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3.1-21

RTS Instrumentation B 3.3.1 BASES APPLICABLE

11. Reactor Coolant Pump (RCP)

Breaker Position SAFETY

ANALYSES, LCO, Both RCP Breaker Position trip Functions operate from and three pairs of auxiliary contacts, with one pair on each APPLICABILITY RCP breaker with one contact supplying each train. These (continued)

Functions anticipate the Reactor Coolant Flow-Low trips to avoid RCS heatup that would occur before the low flow trip actuates.

The RCP Breaker Position (Single Loop) trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in one RCS loop. The position of each RCP breaker is monitored. If one RCP breaker is open above the P-8 setpoint, a reactor trip is initiated. This trip Function will generate a reactor trip before the Reactor Coolant Flow-Low (Single Loop) trip setpoint is reached.

The LCO requires one RCP Breaker Position channel per RCP to be OPERABLE.

One OPERABLE channel is sufficient for this trip Function because the RCS Flow-Low trip alone provides sufficient protection of unit SLs for loss of flow events. The RCP Breaker Position trip serves only to anticipate the low flow trip, minimizing the thermal transient associated with loss of a pump.

This Function measures only the discrete position (open or closed) of the RCP breaker. Therefore, the Function has no adjustable trip setpoint with which to associate an LSSS.

In MODE 1 above the P-8 setpoint, when a loss of flow in any RCS loop could result in DNB conditions in the core, the RCP Breaker Position (Single Loop) trip must be OPERABLE.

In MODE 1 below the P-8 setpoint, a loss of flow in two or more loops is required to actuate a reactor trip because of the lower power level and the greater margin to the design limit DNBR.

The RCP Breaker Position (Two Loops) trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops. The position of each RCP breaker is monitored.

Above the P-7 setpoint and below the P-8 setpoint, a loss of flow in two or more loops will initiate a reactor (continued)

North Anna Units 1 and 2 B 3.3.1-22 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES APPLICABLE

11. Reactor Coolant Pump (RCP)

Breaker Position (continued)

SAFETY

ANALYSES, LCO, trip. This trip Function will generate a reactor trip and before the Reactor Coolant Flow-Low (Two Loops) trip APPLICABILITY setpoint is reached.

The LCO requires one RCP Breaker Position channel per RCP to be OPERABLE.

One OPERABLE channel is sufficient for this Function because the RCS Flow-Low trip alone provides sufficient protection of unit SLs for loss of flow events. The RCP Breaker Position trip serves only to anticipate the low flow trip, minimizing the thermal transient associated with loss of an RCP.

This Function measures only the discrete position (open or closed) of the RCP breaker. Therefore, the Function has no adjustable trip setpoint with which to associate an LSSS.

In MODE 1 above the P-7 setpoint and below the P-8 setpoint, the RCP Breaker Position (Two Loops) trip must be OPERABLE.

Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since no conceivable power distributions could occur that would cause a DNB concern at this low power level. Above the P-7 setpoint, the reactor trip on loss of flow in two RCS loops is automatically enabled. Above the P-8 setpoint, a loss of flow in any one loop will actuate a reactor trip because of the higher power level and the reduced margin to the design limit DNBR.

12. Undervoltage Reactor Coolant Pumps The Undervoltage RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops. The voltage to each RCP bus is monitored. Above the P-7 setpoint, a loss of voltage detected on two or more RCP buses will initiate a reactor trip. This trip Function will generate a reactor trip before the Reactor Coolant Flow-Low (Two Loops) trip setpoint is reached. Time delays are incorporated into the Undervoltage RCPs channels to prevent reactor trips due to momentary electrical power transients.

(continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3. 1-23

RTS Instrumentation B 3.3.1 BASES APPLICABLE

12. Undervoltage Reactor Coolant Pumps (continued)

SAFETY

ANALYSES, LCO, The LCO requires three Undervoltage RCPs channels to be and OPERABLE.

Each channel monitors one RCP bus voltage with APPLICABILITY two sensors. One sensor monitors from A to B phases, while the other sensor senses from the B to C phases.

In MODE 1 above the P-7 setpoint, the Undervoltage RCP trip must be OPERABLE.

Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since no conceivable power distributions could occur that would cause a DNB concern at this low power level.

Above the P-7 setpoint, the reactor trip on loss of flow in two or more RCS loops is automatically enabled.

13. Underfrequency Reactor Coolant Pumps The Underfrequency RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops from a major network frequency disturbance. An underfrequency condition will slow down the pumps, thereby reducing their coastdown time following a pump trip. The proper coastdown time is required so that reactor heat can be removed immediately after reactor trip. The frequency of each RCP bus is monitored. Above the P-7 setpoint, a loss of frequency detected on two or more RCP buses will initiate a reactor trip. This trip Function will generate a reactor trip before the Reactor Coolant Flow-Low (Two Loops) trip setpoint is reached. Time delays are incorporated into the Underfrequency RCPs channels to prevent reactor trips due to momentary electrical power transients.

The LCO requires three Underfrequency RCPs channels to be OPERABLE with each channel monitoring one bus.

In MODE 1 above the P-7 setpoint, the Underfrequency RCPs trip must be OPERABLE.

Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since no conceivable power distributions could occur that would cause a DNB concern at this low power level.

Above the P-7 setpoint, the reactor trip on loss of flow in two or more RCS loops is automatically enabled.

North Anna Units 1 and 2 R 3-3.1-24 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY

ANALYSES, LCO, and APPLICABILITY (continued)
14. Steam Generator Water Level-Low Low The SG Water Level-Low Low trip Function ensures that protection is provided against a loss of heat sink and actuates the Auxiliary Feedwater (AFW)

System prior to uncovering the SG tubes. The SGs are the heat sink for the reactor. In order to act as a heat sink, the SGs must contain a minimum amount of water. A narrow range low low level in any SG is indicative of a loss of heat sink for the reactor. The level transmitters provide input to the SG Level Control System. Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. This Function also performs the ESFAS function of starting the AFW pumps on low low SG level.

The LCO Low per measure requires three channels of SG Water Level-Low SG to be OPERABLE. These channels for the SGs level with a narrow range span.

In MODE 1 or 2, when the reactor requires a heat sink, the SG Water Level-Low Low trip must be OPERABLE.

The normal source of water for the SGs is the Main Feedwater (MFW)

System (not safety related). The AFW System is the safety related backup source of water to ensure that the SGs remain the heat sink for the reactor. In MODE 3, 4, 5, or 6, the SG Water Level-Low Low Function does not have to be OPERABLE because the reactor is not operating or even critical. Decay heat removal is normally accomplished by Main Feedwater System or AFW System in MODE 3 and by the Residual Heat Removal (RHR)

System in MODE 4, 5, or 6.

15. Steam Generator Water Level-Low, Coincident With Steam Flow/Feedwater Flow Mismatch SG Water Level-Low, in conjunction with the Steam Flow/Feedwater Flow Mismatch, ensures that protection is provided against a loss of heat sink. In addition to a decreasing water level in the SG, the difference between feedwater flow and steam flow is evaluated to determine if feedwater flow is significantly less than steam flow.

With less feedwater flow than steam flow, SG level will decrease at a rate dependent upon the magnitude of the difference in flow rates. There are two SG level (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3.1-25

RTS Instrumentation B 3.3.1 BASES APPLICABLE

15.

Steam Generator Water Level-Low, Coincident With Steam SAFETY Flow/Feedwater Flow Mismatch (continued)

ANALYSES, LCO, and channels and two Steam Flow/Feedwater Flow Mismatch APPLICABILITY channels per SG.

One narrow range level channel sensing a low level coincident with one Steam Flow/Feedwater Flow Mismatch channel sensing flow mismatch (steam flow greater than feed flow) will actuate a reactor trip.

The LCO requires two channels of SG Water Level-Low coincident with Steam Flow/Feedwater Flow Mismatch.

In MODE 1 or 2, when the reactor requires a heat sink, the SG Water Level-Low coincident with Steam Flow/Feedwater Flow Mismatch trip must be OPERABLE.

The normal source of water for the SGs is the MFW System (not safety related).

The AFW System is the safety related backup source of water to ensure that the SGs remain the heat sink for the reactor. In MODE 3, 4, 5, or 6, the SG Water Level-Low coincident with Steam Flow/Feedwater Flow Mismatch Function does not have to be OPERABLE because the reactor is not operating or even critical.

Decay heat removal is normally accomplished by Main Feedwater System or AFW System in MODE 3 and by the RHR System in MODE 4, 5, or 6.

16. Turbine Trip
a. Turbine Trip-Low Auto Stop Oil Pressure The Turbine Trip-Low Auto Stop Oil Pressure trip Function anticipates the loss of heat removal capabilities of the secondary system following a turbine trip. This trip Function acts to minimize the pressure/temperature transient on the reactor. Any turbine trip from a power level below the P-8 setpoint, approximately 30% power, will not actuate a reactor trip. Three pressure switches monitor the Auto Stop oil pressure which interfaces with the Turbine Electrohydraulic Control System. A low pressure condition sensed by two-out-of-three pressure switches will actuate a reactor trip. These pressure switches do not provide any input to the turbine control system. The unit is designed to withstand a complete loss of load and not sustain core damage or challenge the RCS pressure limitations. Core protection is provided by the (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3.1-26

RTS Instrumentation B 3.3.1 BASES APPLICABLE

16. Turbine Trip (continued)

SAFETY

ANALYSES, LCO,
a. Turbine Trip-Low Auto Stop Oil Pressure (continued) and APPLICABILITY Pressurizer Pressure-High trip Function and RCS integrity is ensured by the pressurizer safety valves.

The LCO requires three channels of Turbine Trip-Low Auto Stop Oil Pressure to be OPERABLE in MODE 1 above P-8.

Below the P-8 setpoint, a turbine trip does not actuate a reactor trip. In MODE 2, 3,

4, 5, or 6, there is no potential for a turbine trip, and the Turbine Trip-Low Auto Stop Oil Pressure trip Function does not need to be OPERABLE.

b. Turbine Trip-Turbine Stop Valve Closure The Turbine Trip-Turbine Stop Valve Closure trip Function anticipates the loss of heat removal capabilities of the secondary system following a turbine trip. Any turbine trip from a power level below the P-8 setpoint, approximately 30% power, will not actuate a reactor trip. The trip Function anticipates the loss of secondary heat removal capability that occurs when the stop valves close.

Tripping the reactor in anticipation of loss of secondary heat removal acts to minimize the pressure and temperature transient on the reactor. This trip Function will not and is not required to operate in the presence of a single channel failure. The unit is designed to withstand a complete loss of load and not sustain core damage or challenge the RCS pressure limitations. Core protection is provided by the Pressurizer Pressure-High trip Function, and RCS integrity is ensured by the pressurizer safety valves. This trip Function is diverse to the Turbine Trip-Low Auto Stop Oil Pressure trip Function. Each turbine stop valve is equipped with one limit switch that inputs to the RTS.

If all four limit switches indicate that the stop valves are all closed, a reactor trip is initiated.

(continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3.1-27

RTS Instrumentation B 3.3.1 BASES APPLICABLE

16. Turbine Trip (continued)

SAFETY

ANALYSES, LCO,
b. Turbine Trip-Turbine Stop Valve Closure (continued) and APPLICABILITY The LSSS for this Function is set to assure channel trip occurs when the associated stop valve is completely closed.

The LCO requires four Turbine Trip-Turbine Stop Valve Closure channels, one per valve, to be OPERABLE in MODE 1 above P-8. All four channels must trip to cause reactor trip.

Below the P-8 setpoint, a load rejection can be accommodated by the Steam Dump System. In MODE 2, 3,

4, 5, or 6, there is no potential for a load rejection, and the Turbine Trip-Stop Valve Closure trip Function does not need to be OPERABLE.

17. Safety Injection Input from Engineered Safety Feature Actuation System The SI Input from ESFAS ensures that if a reactor trip has not already been generated by the RTS, the ESFAS automatic actuation logic will initiate a reactor trip upon any signal that initiates SI. This is a condition of acceptability for the LOCA.

However, other transients and accidents take credit for varying levels of ESF performance and rely upon rod insertion, except for the most reactive rod that is assumed to be fully withdrawn, to ensure reactor shutdown. Therefore, a reactor trip is initiated every time an SI signal is present.

Allowable Values are not applicable to this Function.

The SI input is provided by logic in the ESFAS.

Therefore, there is no measurement signal with which to associate an LSSS.

The LCO requires two trains of SI Input from ESFAS to be OPERABLE in MODE 1 or 2.

A reactor trip is initiated every time an SI signal is present. Therefore, this trip Function must be OPERABLE in MODE 1 or 2, when the reactor is critical, and must be shut down in the event of an accident. In MODE 3, 4,

5, or 6, the reactor is not critical, and this trip Function does not need to be OPERABLE.

North Anna Units 1 and 2 B 3.3.1-28 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY

ANALYSES, LCO, and APPLICABILITY (continued)
18. Reactor Trio System Interlocks Reactor protection interlocks are provided to ensure reactor trips are in the correct configuration for the current unit status. They back up operator actions to ensure protection system Functions are not bypassed during unit conditions under which the safety analysis assumes the Functions are not bypassed. Therefore, the interlock Functions do not need to be OPERABLE when the associated reactor trip functions are outside the applicable MODES.

These are:

a. Intermediate Range Neutron Flux, P-6 The Intermediate Range Neutron Flux, P-6 interlock is actuated when any NIS intermediate range channel goes approximately one decade above the minimum channel reading.

If both channels drop below the setpoint, the permissive will automatically be defeated. The LCO requirement for the P-6 interlock ensures that the following Functions are performed:

" on increasing power, the P-6 interlock allows the manual block of the NIS Source Range, Neutron Flux reactor trip. This prevents a premature block of the source range trip and allows the operator to ensure that the intermediate range is OPERABLE prior to leaving the source range. When the source range trip is blocked, the high voltage to the detectors is also removed; and

"* on decreasing power, the P-6 interlock automatically energizes the NIS source range detectors and enables the NIS Source Range Neutron Flux reactor trip.

The LCO requires two channels of Intermediate Range Neutron Flux, P-6 interlock to be OPERABLE in MODE 2 when below the P-6 interlock setpoint.

Above the P-6 Range Neutron this Function interlock setpoint, the NIS Source Flux reactor trip will be blocked, and will no longer be necessary.

In MODE 3, 4, 5, or 6, the P-6 interlock does not have to be OPERABLE because the NIS Source Range is providing core protection.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3.1-29

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY

ANALYSES, LCO, and APPLICABILITY
18. Reactor Trip System Interlocks (continued)
b.

Low Power Reactor Trios Block. P-7 The Low Power Reactor Trips Block, P-7 interlock is actuated by input from either the Power Range Neutron Flux, P-10, or the Turbine Impulse Pressure, P-13 interlock. The LCO requirement for the P-7 interlock ensures that the following Functions are performed:

(1) on increasing power, the P-7 interlock automatically enables reactor trips on the following Functions:

"* Pressurizer Pressure-Low;

"* Pressurizer Water Level-High;

flow in two or

"* RCPs Breaker Open (Two Loops);

"* Undervoltage RCPs; and

"* Underfrequency RCPs.

These reactor trips are only required when operating above the P-7 setpoint (approximately 10% power).

The reactor trips provide protection against violating the DNBR limit. Below the P-7 setpoint, the RCS is capable of providing sufficient natural circulation without any RCP running.

(2) on decreasing power, the P-7 interlock automatically blocks reactor trips on the following Functions:

"* Pressurizer Pressure-Low;

"* Pressurizer Water Level-High;

"* Reactor Coolant Flow-Low (low flow more RCS loops);

"* RCP Breaker Position (Two Loops);

in two or (continued)

North Anna Units 1 and 2 B 3.3.1-30 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES APPLICABLE

18. Reactor Trip System Interlocks (continued)

SAFETY

ANALYSES, LCO,
b.

Low Power Reactor Trips Block, P-7 (continued) and APPLICABILITY (2)

(continued)

"* Undervoltage RCPs; and

"* Underfrequency RCPs.

Allowable Value is not applicable to the P-7 interlock because it is a logic Function and thus has no parameter with which to associate an LSSS.

The P-7 interlock is a logic Function with train and not channel identity. Therefore, the LCO requires one channel per train of Low Power Reactor Trips Block, P-7 interlock to be OPERABLE in MODE 1.

The low power trips are blocked below the P-7 setpoint and unblocked above the P-7 setpoint. In MODE 2, 3, 4, 5, or 6, this Function does not have to be OPERABLE because the interlock performs its Function when power level increases above 10% power, which is in MODE 1.

c. Power Range Neutron Flux, P-8 The Power Range Neutron Flux, P-8 interlock is actuated at approximately 30% power as determined by two-out-of-four NIS power range detectors. The P-8 interlock automatically enables the Reactor Coolant Flow-Low and RCP Breaker Position (Single Loop) reactor trips on low flow in one or more RCS loops on increasing power. The LCO requirement for this Function ensures that the Turbine Trip-Low Auto Stop Oil Pressure and Turbine Trip-Turbine Stop Valve Closure reactor trips are enabled above the P-8 setpoint. Above the P-8 setpoint, a turbine trip will cause a load rejection beyond the capacity of the Steam Dump System. A reactor trip is automatically initiated on a turbine trip when it is above the P-8 setpoint, to minimize the transient on the reactor.

The LCO requirement for this trip Function ensures that protection is provided against a loss of flow in any RCS loop that could result in DNB conditions in (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3. 1-31

RTS Instrumentation B 3.3.1 BASES APPLICABLE

18. Reactor Trip System Interlocks (continued)

SAFETY

ANALYSES, LCO,
c. Power Range Neutron Flux, P-8 (continued) and APPLICABILITY the core when greater than approximately 30% power.

On decreasing power, the reactor trip on low flow in any one loop is automatically blocked.

The LCO requires four channels of Power Range Neutron Flux, P-8 interlock to be OPERABLE in MODE 1.

In MODE 1, a loss of flow in one RCS loop could result in DNB conditions, so the Power Range Neutron Flux, P-8 interlock must be OPERABLE.

In MODE 2, 3,

4, 5,

or 6, this Function does not have to be OPERABLE because the core is not producing sufficient power to be concerned about DNB conditions.

d.

Power Range Neutron Flux, P-10 The Power Range Neutron Flux, P-10 interlock is actuated at approximately 10% power, as determined by two-out-of-four NIS power range detectors. If power level falls below approximately 10% RTP on 3 of 4 channels, the nuclear instrument low power trips will be automatically unblocked. The LCO requirement for the P-10 interlock ensures that the following Functions are performed:

"* on increasing power, the P-10 interlock allows the operator to manually block the Intermediate Range Neutron Flux reactor trip. Note that blocking the reactor trip also blocks the signal to prevent automatic and manual rod withdrawal;

"* on increasing power, the P-10 interlock allows the operator to manually block the Power Range Neutron Flux-Low reactor trip;

"* on increasing power, the P-1O interlock automatically provides a backup signal to block the Source Range Neutron Flux reactor trip, and also to de-energize the NIS source range detectors;

"* the P-10 interlock provides one of the two inputs to the P-7 interlock; and (continued)

North Anna Units 1 and 2 B 3.3.1-32 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES APPLICABLE

18. Reactor Trip System Interlocks (continued)

SAFETY

ANALYSES, LCO,
d. Power Range Neutron Flux, P-10 (continued) and APPLICABILITY
  • on decreasing power, the P-10 interlock automatically enables the Power Range Neutron Flux-Low reactor trip and the Intermediate Range Neutron Flux reactor trip (and rod stop).

The LCO requires four channels of Power Range Neutron Flux, P-10 interlock to be OPERABLE in MODE 1 or 2.

OPERABILITY in MODE 1 ensures the Function is available to perform its decreasing power Functions in the event of a reactor shutdown. This Function must be OPERABLE in MODE 2 to ensure that core protection is provided during a startup or shutdown by the Power Range Neutron Flux-Low and Intermediate Range Neutron Flux reactor trips. In MODE 3, 4, 5,

or 6, this Function does not have to be OPERABLE because the reactor is not at power and the Source Range Neutron Flux reactor trip provides core protection.

e. Turbine Impulse Pressure, P-13 The Turbine Impulse Pressure, P-13 interlock is actuated when the pressure in the first stage of the high pressure turbine is greater than approximately 10% of the rated full power pressure. This is determined by one-out-of-two pressure detectors. The LCO requirement for this Function ensures that one of the inputs to the P-7 interlock is available.

The LCO requires two channels of Turbine Impulse Pressure, P-13 interlock to be OPERABLE in MODE 1.

The Turbine Impulse Chamber Pressure, P-13 interlock must be OPERABLE when the turbine generator is operating. The interlock Function is not required to be OPERABLE in MODE 2, 3,

4, 5, or 6 because the turbine generator is not operating.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3.1-33

RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY

ANALYSES, LCO, and APPLICABILITY (continued)
19. Reactor Trip Breakers This trip Function applies to the RTBs exclusive of individual trip mechanisms. The LCO requires two OPERABLE trains of trip breakers. A trip breaker train consists of all trip breakers associated with a single RTS logic train that are racked in, closed, and capable of supplying power to the Rod Control System. Thus, the train may consist of the main breaker, bypass breaker, or main breaker and bypass breaker, depending upon the system configuration. Two OPERABLE trains ensure no single random failure can disable the RTS trip capability.

These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical.

In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted.

20. Reactor Trip Breaker Undervoltage and Shunt Trip Mechanisms The LCO requires both the Undervoltage and Shunt Trip Mechanisms to be OPERABLE for each RTB that is in service. The trip mechanisms are not required to be OPERABLE for trip breakers that are open, racked out, incapable of supplying power to the Rod Control System, or declared inoperable under Function 19 above.

OPERABILITY of both trip mechanisms on each breaker ensures that no single trip mechanism failure will prevent opening any breaker on a valid signal.

These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted.

21. Automatic Trip Loqic The LCO requirement for the RTBs (Functions 19 and 20) and Automatic Trip Logic (Function 21) ensures that means are provided to interrupt the power to allow the rods to fall into the reactor core. Each RTB is equipped with an undervoltage coil and a shunt trip coil to trip the breaker open when needed. Each RTB is equipped with a (continued)

North Anna Units 1 and 2 B 3.3.1-34 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES APPLICABLE

21. Automatic Trip Logic (continued)

SAFETY

ANALYSES, LCO, bypass breaker to allow testing of the trip breaker and while the unit is at power. The reactor trip signals APPLICABILITY generated by the RTS Automatic Trip Logic cause the RTBs and associated bypass breakers to open and shut down the reactor.

The LCO requires two trains of RTS Automatic Trip Logic to be OPERABLE.

Having two OPERABLE channels ensures that random failure of a single logic channel will not prevent reactor trip.

These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted.

The RTS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c) (2)(ii).

ACTIONS A Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.1-1. When the Required Channels in Table 3.3.1-1 are specified (e.g., on a per loop, per RCP, per SG, per train, etc., basis), then the Condition may be entered separately for each loop, RCP, SG, train, etc., as appropriate.

In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected.

When the number of inoperable channels in a trip Function exceed those specified in one or other related Conditions associated with a trip Function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 must be immediately entered if applicable in the current MODE of operation.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3. 1-35

RTS Instrumentation B 3.3.1 BASES ACTIONS A.1 (continued)

Condition A applies to all RTS protection Functions.

Condition A addresses the situation where one or more required channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.1-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

B.1 and B.2 Condition B applies to the Manual Reactor Trip in MODE 1 or 2. This action addresses the train orientation of the SSPS for this Function. With one channel inoperable, the inoperable channel must be restored to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />. In this Condition, the remaining OPERABLE channel is adequate to perform the safety function.

The Completion Time of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is reasonable considering that there are two automatic actuation trains and another manual initiation channel OPERABLE, and the low probability of an event occurring during this interval.

If the Manual Reactor Trip Function cannot be restored to OPERABLE status within the allowed 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> Completion Time, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 additional hours (54 hours6.25e-4 days <br />0.015 hours <br />8.928571e-5 weeks <br />2.0547e-5 months <br /> total time). The 6 additional hours to reach MODE 3 is reasonable, based on operating experience, to reach MODE 3 from full power operation in an orderly manner and without challenging unit systems. With the unit in MODE 3, Action C would apply to any inoperable Manual Reactor Trip Function if the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted.

C.1 and C.2 Condition C applies to the following reactor trip Functions in MODE 3, 4, or 5 with the Rod Control System capable of rod withdrawal or one or more rods not fully inserted:

"* Manual Reactor Trip;

"* RTBs; (continued)

North Anna Units 1 and 2 B 3.3. 1-36 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES ACTIONS C.1 and C.2 (continued)

"* RTB Undervoltage and Shunt Trip Mechanisms; and

"* Automatic Trip Logic.

This action addresses the train orientation of the SSPS for these Functions. With one channel or train inoperable, the inoperable channel or train must be restored to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />. If the affected Function(s) cannot be restored to OPERABLE status within the allowed 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> Completion Time, the unit must be placed in a MODE in which the requirement does not apply. To achieve this status, action must be initiated within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> to ensure that all rods are fully inserted, and the Rod Control System must be placed in a condition incapable of rod withdrawal within the next hour. The additional hour provides sufficient time to accomplish the action in an orderly manner. With rods fully inserted and the Rod Control System incapable of rod withdrawal, these Functions are no longer required.

The Completion Time is reasonable considering that in this Condition, the remaining OPERABLE train is adequate to perform the safety function, and given the low probability of an event occurring during this interval.

D.1.1, D.1.2, D.2.1, D.2.2, and D.3 Condition D applies to the Power Range Neutron Flux-High Function.

The NIS power range detectors provide input to the Rod Control System and the SG Water Level Control System and, therefore, have a two-out-of-four trip logic. A known inoperable channel must be placed in the tripped condition.

This results in a partial trip condition requiring only one-out-of-three logic for actuation. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition is justified in Reference 7.

In addition to placing the inoperable channel in the tripped condition, THERMAL POWER must be reduced to

  • 75% RTP within 78 hours9.027778e-4 days <br />0.0217 hours <br />1.289683e-4 weeks <br />2.9679e-5 months <br />. Reducing the power level prevents operation of the core with radial power distributions beyond the design limits. With one of the NIS power range detectors inoperable, 1/4 of the radial power distribution monitoring capability is lost.

(continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3.1-37

RTS Instrumentation B 3.3.1 BASES ACTIONS D.1.1, D.1.2, D.2.1, D.2.2, and D.3 (continued)

As an alternative to the above actions, the inoperable channel can be placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> and the QPTR monitored once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> as per SR 3.2.4.2, QPTR verification. Calculating QPTR every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> compensates for the lost monitoring capability due to the inoperable NIS power range channel and allows continued unit operation at power levels Ž 75% RTP.

The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time and the 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency are consistent with LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)"

for the long term monitoring requirement.

As an alternative to the above Actions, the unit may be placed in a MODE where this Function is no longer required OPERABLE.

Seventy-eight hours are allowed to place the unit in MODE 3. This is a reasonable time, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems.

If Required Actions cannot be completed within their allowed Completion

Times, LCO 3.0.3 must be entered.

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypass condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of other channels. The Note also allows placing the inoperable channel in the bypass condition to allow setpoint adjustments of other channels when required to reduce the setpoint in accordance with other Technical Specifications.

The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 7.

Required Action D.2.2 has been modified by a Note which only requires SR 3.2.4.2 to be performed if the Power Range Neutron Flux input to QPTR becomes inoperable. Failure of a component in the Power Range Neutron Flux Channel which renders the High Flux Trip Function inoperable may not affect the capability to monitor QPTR.

As such, determining QPTR using the movable incore detectors once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> may not be necessary.

E.1 and E.2 Condition E applies to the following reactor trip Functions:

"* Power Range Neutron Flux-Low;

"* Overtemperature AT; (continued)

North Anna Units 1 and 2 B 3.3.1-38 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES ACTIONS E.1 and E.2 (continued)

"* Overpower AT;

"* Power Range Neutron Flux-High Positive Rate;

"* Power Range Neutron Flux-High Negative Rate;

"* Pressurizer Pressure-High;

"* SG Water Level-Low Low; and

"* SG Water Level-Low coincident with Steam Flow/Feedwater Flow Mismatch.

A known inoperable channel must be placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Placing the channel in the tripped condition results in a partial trip condition requiring only one-out-of-two logic for actuation of the two-out-of-three trips and one-out-of-three logic for actuation of the two-out-of-four trips. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition is justified in Reference 7.

If the inoperable channel cannot be placed in the trip condition within the specified Completion Time, the unit must be placed in a MODE where these Functions are not required OPERABLE.

An additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is allowed to place the unit in MODE 3. Six hours is a reasonable time, based on operating experience, to place the unit in MODE 3 from full power in an orderly manner and without challenging unit systems.

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of the other channels. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 7.

F.1 and F.2 Condition F applies to the Intermediate Range Neutron Flux trip when THERMAL POWER is above the P-6 setpoint and below the P-10 setpoint and one channel is inoperable. Above the P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detector performs both monitoring and protection Functions. If THERMAL POWER is greater than the (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3. 1-39

RTS Instrumentation B 3.3.1 BASES ACTIONS F.1 and F.2 (continued)

P-6 setpoint but less than the P-10 setpoint, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is allowed to reduce THERMAL POWER below the P-6 setpoint or increase to THERMAL POWER above the P-1O setpoint. The NIS Intermediate Range Neutron Flux channels must be OPERABLE when the power level is above the capability of the source range, P-6, and below the capability of the power range, P-10. If THERMAL POWER is greater than the P-10 setpoint, the NIS power range detectors perform the monitoring and protection functions and the intermediate range protection function is not required. The Completion Times allow for a slow and controlled power adjustment above P-10 or below P-6 and take into account the redundant capability afforded by the redundant OPERABLE channel, and the low probability of its failure during this period. This action does not require the inoperable channel to be tripped because the Function uses one-out-of-two logic. Tripping one channel would trip the reactor. Thus, the Required Actions specified in this Condition are only applicable when channel failure does not result in reactor trip.

G.1 and G.2 Condition G applies to two inoperable Intermediate Range Neutron Flux trip channels in MODE 2 when THERMAL POWER is above the P-6 setpoint and below the P-10 setpoint. Required Actions specified in this Condition are only applicable when channel failures do not result in reactor trip. Above the P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detector performs both monitoring and protection Functions. With no intermediate range channels OPERABLE, suspending the introduction into the RCS of reactivity more positive than required to meet the SDM is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than what would be required in the RCS for minimum SDM. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Introduction of temperature changes, including temperature increases when operating with a positive MTC, must also be evaluated to not result in reducing core reactivity below the required SDM. This will preclude any power level increase since there are no OPERABLE Intermediate Range Neutron Flux channels. The operator must also reduce THERMAL POWER below the P-6 setpoint within two hours. Below P-6, the Source Range (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3.1-40

RTS Instrumentation B 3.3.1 BASES ACTIONS G.1 and G.2 (continued)

Neutron Flux channels will be able to monitor the core power level and provides a protection function. The Completion Time of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> will allow a slow and controlled power reduction to less than the P-6 setpoint and takes into account the low probability of occurrence of an event during this period that may require the protection afforded by the NIS Intermediate Range Neutron Flux trip.

Required Action G is modified by a Note to indicate that normal plant control operations that individually add limited positive reactivity (e.g., temperature or boron fluctuations associated with RCS inventory management or temperature control) are not precluded by this Action, provided they are accounted for in the calculated SDM.

H.1 Condition H applies to one inoperable Source Range Neutron Flux trip channel when in MODE 2, below the P-6 setpoint, and performing a reactor startup. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. With one of the two channels inoperable, operations involving positive reactivity additions shall be suspended immediately.

This will preclude any power escalation. With only one source range channel OPERABLE, core protection is severely reduced and any actions that add positive reactivity to the core must be suspended immediately.

Required Action H is modified by a Note to indicate that normal plant control operations that individually add limited positive reactivity (e.g., temperature or boron fluctuations associated with RCS inventory management or temperature control) are not precluded by this Action, provided they are accounted for in the calculated SDM.

1.1 Condition I applies to two inoperable Source Range Neutron Flux trip channels when in MODE 2, below the P-6 setpoint, and in MODE 3, 4, or 5 with the Rod Control System capable of rod withdrawal or one or more rod not fully inserted. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. With both (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3.1-41

RTS Instrumentation B 3.3.1 BASES ACTIONS 1.1 (continued) source range channels inoperable, the RTBs must be opened immediately. With the RTBs open, the core is in a more stable condition.

J.1 and J.2 Condition J applies to one inoperable source range channel in MODE 3, 4, or 5 with the Rod Control System capable of rod withdrawal or one or more rods not fully inserted. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. With one of the source range channels inoperable, 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is allowed to restore it to an OPERABLE status. If the channel cannot be returned to an OPERABLE status, action must be initiated within the same 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> to ensure that all rods are fully inserted, and the Rod Control System must be placed in a condition incapable of rod withdrawal within the next hour.

The allowance of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> to restore the channel to OPERABLE status, and the additional hour, are justified in Reference 7.

K.1 and K.2 Condition K applies when the required number of OPERABLE Source Range Neutron Flux channels is not met in MODES 3, 4,

or 5 with the Rod Control System is not capable of rod withdrawal.

With the unit in this Condition, the NIS source range performs the monitoring function only. With less than the required number of source range channels OPERABLE, operations involving positive reactivity additions shall be suspended immediately.

The SDM must be verified within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> thereafter as per SR 3.1.1.1, SDM verification.

With no source range channels OPERABLE, the ability to monitor the core is severely reduced. Verifying the SDM within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> allows sufficient time to perform the calculations and determine that the SDM requirements are met. The SDM must also be verified once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> thereafter to ensure that the core reactivity has not changed. Required Action K.1 precludes any positive reactivity additions; therefore, core reactivity should not be increasing, and a 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency is adequate. The Completion Time of within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> are (continued)

North Anna Units 1 and 2 B 3.3.1-42 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES ACTIONS K.1 and K.2 (continued) based on operating experience in performing the Required Actions and the knowledge that unit conditions will change slowly.

Required Action K is modified by a Note which permits unit temperature changes provided the temperature change is accounted for in the calculated SDM.

Introduction of temperature changes, including temperature increases when a positive MTC exists, must be evaluated to ensure they do not result in a loss of required SDM.

L.1 and L.2 Condition L applies to the following reactor trip Functions:

"* Pressurizer Pressure-Low;

"* Pressurizer Water Level-High;

"* Reactor Coolant Flow-Low;

"* Undervoltage RCPs; and

"* Underfrequency RCPs.

With one channel inoperable, the inoperable channel must be placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. For the Pressurizer Pressure-Low, Pressurizer Water Level-High, Undervoltage RCPs, and Underfrequency RCPs trip Functions, placing the channel in the tripped condition when above the P-7 setpoint results in a partial trip condition requiring only one additional channel to initiate a reactor trip. For the Reactor Coolant Flow-Low and RCP Breaker Position (Two Loops) trip Functions, placing the channel in the tripped condition results in a partial trip condition requiring only one additional channel in the same loop to initiate a reactor trip. For the latter two trip Functions, two tripped channels in two RCS loops are required to initiate a reactor trip when below the P-8 setpoint and above the P-7 setpoint.

These Functions do not have to be OPERABLE below the P-7 setpoint because there are no loss of flow trips below the P-7 setpoint. There is insufficient heat production to generate DNB conditions below the P-7 setpoint. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the channel in the tripped condition is justified in Reference 7. An additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is allowed (continued)

North Anna Units 1 and 2 B 3.3.1-43 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES ACTIONS L.1 and L.2 (continued) to reduce THERMAL POWER to below P-7 if the inoperable channel cannot be restored to OPERABLE status or placed in trip within the specified Completion Time.

Allowance of this time interval takes into consideration the redundant capability provided by the remaining redundant OPERABLE channel, and the low probability of occurrence of an event during this period that may require the protection afforded by the Functions associated with Condition K.

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of the other channels. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 7.

M.1 and M.2 Condition M applies to the RCP Breaker Position reactor trip Function. There is one breaker position device per RCP breaker. With one channel inoperable, the inoperable channel must be restored to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

If the channel cannot be restored to OPERABLE status within the 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, then THERMAL POWER must be reduced below the P-7 setpoint within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

This places the unit in a MODE where the LCO is no longer applicable. This Function does not have to be OPERABLE below the P-7 setpoint because other RTS Functions provide core protection below the P-8 setpoint. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to restore the channel to OPERABLE status and the 6 additional hours allowed to reduce THERMAL POWER to below the P-7 setpoint are justified by a plant-specific risk assessment consistent with Reference 7.

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of the other channels. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified by a plant-specific risk assessment consistent with Reference 7.

North Anna Units 1 and 2 B 3.3.1-44 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES ACTIONS N.1 and N.2 (continued)

Condition N applies to Turbine Trip on Low Auto Stop Oil Pressure or on Turbine Stop Valve Closure. With one channel inoperable, the inoperable channel must be placed in the trip condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. If placed in the tripped condition, this results in a partial trip condition requiring only one additional channel to initiate a reactor trip. If the channel cannot be restored to OPERABLE status or placed in the trip condition, then power must be reduced below the P-8 setpoint within the next 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition and the 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> allowed for reducing power are justified in Reference 7.

The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of the other channels. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 7.

0.1 and 0.2 Condition 0 applies to the SI Input from ESFAS reactor trip and the RTS Automatic Trip Logic in MODES I and 2. These actions address the train orientation of the RTS for these Functions. With one train inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed to restore the train to OPERABLE status (Required Action 0.1) or the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> (Required Action 0.1) is reasonable considering that in this Condition, the remaining OPERABLE train is adequate to perform the safety function and given the low probability of an event during this interval.

The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (Required Action 0.2) is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems.

The Required Actions have been modified by a Note that allows bypassing one train up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing, provided the other train is OPERABLE.

P.1 and P.2 Condition P applies to the RTBs in MODES 1 and 2. These actions address the train orientation of the RTS for the RTBs. With one train inoperable, 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is allowed to (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3. 1-45

RTS Instrumentation B 3.3.1 BASES ACTIONS P.1 and P.2 (continued) restore the train to OPERABLE status or the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Times are equal to the time allowed by LCO 3.0.3 for shutdown actions in the event of a complete loss of RTS Function. Placing the unit in MODE 3 results in Action C entry while RTB(s) are inoperable.

The Required Actions have been modified by three Notes.

Note 1 allows one channel to be bypassed for up to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for surveillance testing, provided the other channel is OPERABLE.

Note 1 applies to RTB testing that is performed independently from the corresponding logic train testing.

For simultaneous testing of logic and RTBs, the 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> test time limit of Condition 0 applies. Note 2 allows one RTB to be bypassed for up to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for maintenance on undervoltage or shunt trip mechanisms if the other RTB train is OPERABLE.

The 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> time limit is justified in Reference 7. Note 3 applies to RTB testing that is performed concurrently with the corresponding logic train testing. For concurrent testing of the logic and RTB, the 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> test time limit of Condition 0 applies. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> time limit is justified in Reference 7.

Q.1 and Q.2 Condition Q applies to the P-6 and P-10 interlocks. With one or more channels inoperable for one-out-of-two or two-out-of-four coincidence logic, the associated interlock must be verified to be in its required state for the existing unit condition within I hour or the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. Verifying the interlock status manually accomplishes the interlock's Function. The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is based on operating experience and the minimum amount of time allowed for manual operator actions. The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems.

The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Times are equal to the time allowed by LCO 3.0.3 for shutdown actions in the event of a complete loss of RTS Function.

North Anna Units 1 and 2 B 3.3. 1-46 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES ACTIONS R.1 and R.2 (continued)

Condition R applies to the P-7, P-8, and P-13 interlocks.

With one or more channels inoperable for one-out-of-two or two-out-of-four coincidence logic, the associated interlock must be verified to be in its required state for the existing unit condition within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or the unit must be placed in MODE 2 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. These actions are conservative for the case where power level is being raised.

Verifying the interlock status manually accomplishes the interlock's Function. The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is based on operating experience and the minimum amount of time allowed for manual operator actions. The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 2 from full power in an orderly manner and without challenging unit systems.

S.1 and S.2 Condition S applies to the RTB Undervoltage and Shunt Trip Mechanisms, or diverse trip features, in MODES 1 and 2. With one of the diverse trip features inoperable, it must be restored to an OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> or the unit must be placed in a MODE where the requirement does not apply. This is accomplished by placing the unit in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (54 hours6.25e-4 days <br />0.015 hours <br />8.928571e-5 weeks <br />2.0547e-5 months <br /> total time). The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is a reasonable time, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems.

With the unit in MODE 3, Action C would apply to any inoperable RTB trip mechanism. The affected RTB shall not be bypassed while one of the diverse features is inoperable except for the time required to perform maintenance to one of the diverse features. The allowable time for performing maintenance of the diverse features is 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for the reasons stated under Condition P.

The Completion Time of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> for Required Action S.1 is reasonable considering that in this Condition there is one remaining diverse feature for the affected RTB, and one OPERABLE RTB capable of performing the safety function and given the low probability of an event occurring during this interval.

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3.1-47

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE The SRs for each RTS Function are identified by the SRs REQUIREMENTS column of Table 3.3.1-1 for that Function.

A Note has been added to the SR Table stating that Table 3.3.1-1 determines which SRs apply to which RTS Functions.

Note that each channel of process protection supplies both trains of the RTS.

When testing Channel I, Train A and Train B must be examined. Similarly, Train A and Train B must be examined when testing Channel II, Channel III, and Channel IV. The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies.

SR 3.3.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels.

It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.

North Anna Units 1 and 2 B 3.3.1-48 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.2 SR 3.3.1.2 compares the calorimetric heat balance calculation to the power range channel output every 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. If the calorimetric heat balance calculation results exceeds the power range channel output by more than

+2% RTP, the power range channel is not declared inoperable, but must be adjusted. The power range channel output shall be adjusted consistent with the calorimetric heat balance calculation results if the calorimetric calculation exceeds the power range channel output by more than +2% RTP.

If the power range channel output cannot be properly adjusted, the channel is declared inoperable.

If the calorimetric is performed at part power (< 85% RTP),

adjusting the power range channel indication in the increasing power direction will assure a reactor trip below the safety analysis limit (< 118% RTP).

Making no adjustment to the power range channel in the decreasing power direction due to a part power calorimetric assures a reactor trip consistent with the safety analyses.

This allowance does not preclude making indicated power adjustments, if desired, when the calorimetric heat balance calculation power is less than the power range channel output. To provide close agreement between indicated power and to preserve operating margin, the power range channels are normally adjusted when operating at or near full power during steady-state conditions. However, discretion must be exercised if the power range channel output is adjusted in the decreasing power direction due to a part power calorimetric (< 85% RTP).

This action may introduce a non-conservative bias at higher power levels which may result in an NIS reactor trip above the safety analysis limit

(> 118% RTP).

The cause of the non-conservative bias is the decreased accuracy of the calorimetric at reduced power conditions. The primary error contributor to the instrument uncertainty for a secondary side power calorimetric measurement is the feedwater flow measurement, which is typically a AP measurement across a feedwater venturi. While the measurement uncertainty remains constant in AP as power decreases, when translated into flow, the uncertainty increases as a square term. Thus a 1% flow error at 100%

power can approach a 10% flow error at 30% RTP even though the AP error has not changed.

An evaluation of extended operation at part power conditions would conclude that it is prudent to administratively adjust the setpoint of the Power (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3. 1-49

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.2 (continued)

REQUIREMENTS Range Neutron Flux-High bistables when: (1) the power range channel output is adjusted in the decreasing power direction due to a part power calorimetric below 85% RTP; or (2) for a post refueling startup. The evaluation of extended operation at part power conditions would also conclude that the potential need to adjust the indication of the Power Range Neutron Flux in the decreasing power direction is quite small, primarily to address operation in the intermediate range about P-1O (nominally 10% RTP) to allow the enabling of the Power Range Neutron Flux-Low Setpoint and the Intermediate Range Neutron Flux reactor trips. Before the Power Range Neutron Flux-High bistables are reset to

  • 109%

RTP, the power range channel output must be confirmed based on a calorimetric performed at Ž 85% RTP.

The Note clarifies that this Surveillance is required only if reactor power is Ž 15% RTP and that 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> are allowed for performing the first Surveillance after reaching 15% RTP. A power level of 15% RTP is chosen based on plant stability, i.e., automatic rod control capability and turbine generator synchronized to the grid.

The Frequency of every 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is adequate.

It is based on unit operating experience, considering instrument reliability and operating history data for instrument drift.

Together these factors demonstrate that a difference between calorimetric heat balance calculation and the power range channel output of more than +2% RTP is not expected in any 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> period.

In addition, control room operators periodically monitor redundant indications and alarms to detect deviations in channel outputs.

SR 3.3.1.3 SR 3.3.1.3 compares the incore system to the NIS channel output every 31 EFPD.

If the absolute difference is ý 3%,

the NIS channel is still OPERABLE, but it must be readjusted.

The excore NIS channel shall be adjusted if the absolute difference between the incore and excore AFD is Ž 3%. The adjustment is a recalibration of the upper and lower Power Range detectors to incorporate the results of the flux map.

(continued)

North Anna Units 1 and 2 B 3.3. 1-50 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.3 (continued)

REQUIREMENTS If the NIS channel cannot be properly readjusted, the channel is declared inoperable. This Surveillance is performed to verify the f(AI) input to the overtemperature AT Function.

A Note clarifies that the Surveillance is required only if reactor power is Ž 15% RTP and that 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is allowed for performing the first Surveillance after reaching 15% RTP.

The Frequency of every 31 EFPD is adequate. It is based on unit operating experience, considering instrument reliability and operating history data for instrument drift.

Also, the slow changes in neutron flux during the fuel cycle can be detected during this interval.

SR 3.3.1.4 SR 3.3.1.4 is the performance of a TADOT every 31 days on a STAGGERED TEST BASIS. This test shall verify OPERABILITY by actuation of the end devices. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

The RTB test shall include separate verification of the undervoltage and shunt trip mechanisms.

Independent verification of RTB undervoltage and shunt trip Function is not required for the bypass breakers. No capability is provided for performing such a test at power. The independent test for bypass breakers is included in SR 3.3.1.14. The test of the bypass breaker is a local shunt trip actuation. A Note has been added to indicate that this test must be performed on the bypass breaker. The local manual shunt trip of the RTB bypass shall be conducted immediately after placing the bypass breaker into service.

This test must be conducted prior to the start of testing on the RTS or maintenance on a RTB. This checks the mechanical operation of the bypass breaker.

(continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3.1-51

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.4 (continued)

REQUIREMENTS The Frequency of every 31 days on a STAGGERED TEST BASIS is adequate. It is based on industry operating experience, considering instrument reliability and operating history data.

SR 3.3.1.5 SR 3.3.1.5 is the performance of an ACTUATION LOGIC TEST.

The SSPS is tested every 31 days on a STAGGERED TEST BASIS, using the semiautomatic tester. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function, including operation of the P-7 permissive which is a logic function only. The Frequency of every 31 days on a STAGGERED TEST BASIS is adequate.

It is based on industry operating experience, considering instrument reliability and operating history data.

SR 3.3.1.6 SR 3.3.1.6 is the performance of a TADOT and is performed every 92 days, as justified in Reference 7. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

The SR is modified by a Note that excludes verification of setpoints from the TADOT. Since this SR applies to RCP undervoltage and underfrequency relays, setpoint verification requires elaborate bench calibration and is accomplished during the CHANNEL CALIBRATION.

North Anna Units 1 and 2 B 3.3.1-52 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.7 REQUIREMENTS (continued)

SR 3.3.1.7 is the performance of a COT every 92 days.

A COT is performed on each required channel to ensure the entire channel will perform the intended Function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

The nominal trip setpoints must be within the Allowable Values specified in Table 3.3.1-1.

The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology.

The setpoint shall be left set consistent with the assumptions of the current unit specific setpoint methodology.

SR 3.3.1.7 is modified by a Note that provides a 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> delay in the requirement to perform this Surveillance for source range instrumentation when entering MODE 3 from MODE 2. This Note allows a normal shutdown to proceed without a delay for testing in MODE 2 and for a short time in MODE 3 until the RTBs are open and SR 3.3.1.7 is no longer required to be performed. If the unit is to be in MODE 3 with the RTBs closed for > 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> this Surveillance must be performed prior to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after entry into MODE 3.

The Frequency of 92 days is justified in Reference 7.

SR 3.3.1.8 SR 3.3.1.8 is the performance of a COT as described in SR 3.3.1.7, except it is modified by a Note that this test shall include verification that the P-6 and P-IO interlocks are in their required state for the existing unit condition.

A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the other required contacts of the (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3.1-53

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.8 (continued)

REQUIREMENTS relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. The Frequency is modified by a Note that allows this surveillance to be satisfied if it has been performed within 92 days of the Frequencies prior to reactor startup and four hours after reducing power below P-1O and P-6. The Frequency of "prior to startup" ensures this surveillance is performed prior to critical operations and applies to the source, intermediate and power range low instrument channels. The Frequency of "12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after reducing power below P-10" (applicable to intermediate and power range low channels) and "4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after reducing power below P-6" (applicable to source range channels) allows a normal shutdown to be completed and the unit removed from the MODE of Applicability for this surveillance without a delay to perform the testing required by this surveillance. The Frequency of every 92 days thereafter applies if the unit remains in the MODE of Applicability after the initial performances of prior to reactor startup and twelve and four hours after reducing power below P-10 or P-6, respectively. The MODE of Applicability for this surveillance is < P-1O for the power range low and intermediate range channels and < P-6 for the source range channels. Once the unit is in MODE 3, this surveillance is no longer required. If power is to be maintained < P-10 for more than 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> or < P-6 for more than 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, then the testing required by this surveillance must be performed prior to the expiration of the time limit.

Twelve hours and four hours are reasonable times to complete the required testing or place the unit in a MODE where this surveillance is no longer required. This test ensures that the NIS source, intermediate, and power range low channels are OPERABLE prior to taking the reactor critical and after reducing power into the applicable MODE (< P-10 or < P-6) for periods > 12 and 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, respectively. Verification of the surveillance is accomplished by observing the permissive annunciator windows on the Main Control board.

SR 3.3.1.9 SR 3.3.1.9 is a comparison of the excore channels to the incore channels. If the measurements do not agree, the excore channels are not declared inoperable but must be calibrated to agree with the incore detector measurements.

(continued)

North Anna Units 1 and 2 B 3.3.1-54 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.9 (continued)

REQUIREMENTS If the excore channels cannot be adjusted, the channels are declared inoperable. This Surveillance is performed to verify the f(AI) input to the overtemperature AT Function.

Two notes modify SR 3.3.1.9. Note 1 indicates that the excore NIS channels shall be adjusted if the absolute difference between the incore and excore is Ž 3%. Note 2 states that this Surveillance is required only if reactor power is Ž 50% RTP and that 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is allowed for performing the first surveillance after reaching 50% RTP.

The Frequency of 92 EFPD is adequate. It is based on industry operating experience, considering instrument reliability and operating history data for instrument drift.

SR 3.3.1.10 A CHANNEL CALIBRATION is performed every 18 months, or approximately at every refueling.

CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor.

The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the unit specific setpoint methodology. The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology.

The Frequency of 18 months is based on the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint methodology.

SR 3.3.1.10 is modified by a Note stating that this test shall include verification that the time constants are adjusted to the prescribed values where applicable.

SR 3.3.1.11 SR 3.3.1.11 is the performance of a CHANNEL CALIBRATION, as described in SR 3.3.1.10, every 18 months. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION.

The CHANNEL CALIBRATION for the power range neutron detectors consists of a normalization of the detectors based on a power (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3.1-55

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.11 (continued)

REQUIREMENTS calorimetric and flux map performed above 15% RTP.

The CHANNEL CALIBRATION for the source range and intermediate range neutron detectors consists of obtaining the detector plateau or preamp discriminator curves, evaluating those curves, and comparing those curves to the manufacturer's data. This Surveillance is not required for the NIS power range detectors for entry into MODE 2 or 1, and is not required for the NIS intermediate range detectors for entry into MODE 2, because the unit must be in at least MODE 2 to perform the test for the intermediate range detectors and MODE 1 for the power range detectors. The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a unit outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components usually pass the Surveillance when performed on the 18 month Frequency.

SR 3.3.1.12 SR 3.3.1.12 is the performance of a CHANNEL CALIBRATION, as described in SR 3.3.1.10, every 18 months. Whenever a sensing element is replaced, the next required CHANNEL CALIBRATION of the resistance temperature detector (RTD) sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.

This test will verify the dynamic compensation for flow from the core to the RTDs.

The OTAT function is lead/lag compensated and the OPAT function is rate/lag compensated.

The Frequency is justified by the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.1.13 SR 3.3.1.13 is the performance of a COT of RTS interlocks every 18 months. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by (continued)

North Anna Units 1 and 2 B 3.3.1-56 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.13 (continued)

REQUIREMENTS other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

The Frequency is based on the known reliability of the interlocks and the multichannel redundancy available, and has been shown to be acceptable through operating experience.

SR 3.3.1.14 SR 3.3.1.14 is the performance of a TADOT of the Manual Reactor Trip, RCP Breaker Position, and the SI Input from ESFAS. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. This TADOT is performed every 18 months. The test shall independently verify the OPERABILITY of the undervoltage and shunt trip mechanisms for the Manual Reactor Trip Function for the Reactor Trip Breakers and undervoltage trip mechanism for the Reactor Trip Bypass Breakers. The Reactor Trip Bypass Breaker test shall include testing of the automatic undervoltage trip.

The Frequency is based on the known reliability of the Functions and the multichannel redundancy available, and has been shown to be acceptable through operating experience.

The SR is modified by a Note that excludes verification of setpoints from the TADOT.

The Functions affected have no setpoints associated with them.

SR 3.3.1.15 SR 3.3.1.15 is the performance of a TADOT of Turbine Trip Functions. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the (continued)

North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3.1-57

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.15 (continued)

REQUIREMENTS relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. This TADOT is performed prior to exceeding the P-8 interlock whenever the unit has been in MODE 3. This Surveillance is not required if it has been performed within the previous 31 days.

Verification of the trip setpoint does not have to be performed for this Surveillance. Performance of this test will ensure that the turbine trip Function is OPERABLE prior to exceeding the P-8 interlock.

SR 3.3.1.16 SR 3.3.1.16 verifies that the individual channel/train actuation response times are less than or equal to the maximum values assumed in the accident analysis. Response time testing acceptance criteria are included in Technical Requirements Manual (Ref. 8). Individual component response times are not modeled in the analyses.

The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the equipment reaches the required functional state (i.e., control and shutdown rods fully inserted in the reactor core).

For channels that include dynamic transfer Functions (e.g.,

lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer Function set to one, with the resulting measured response time compared to the appropriate UFSAR response time as listed in the TRM. Alternately, the response time test can be performed with the time constants set to their nominal value, provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.

As appropriate, each channel's response must be verified every 18 months on a STAGGERED TEST BASIS. Testing of the final actuation devices is included in the testing. Response times cannot be determined during unit operation because equipment operation is required to measure response times.

(continued)

North Anna Units 1 and 2 B 3.3.1-58 Revision 0, 04/02/02

RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS SR 3.3.1.16 (continued)

Experience has shown that these components usually pass this surveillance when performed at the 18 month Frequency.

Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

SR 3.3.1.16 is modified by a Note stating that neutron detectors are excluded from RTS RESPONSE TIME testing. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Response of neutron flux signal portion of the channel time shall be measured from the detector or input of the first electronic component in the channel.

Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response.

REFERENCES

1. UFSAR, Chapter 7.
2.

UFSAR, Chapter 6.

3.

UFSAR, Chapter 15.

4. IEEE-279-1971.
5.

10 CFR 50.49.

6. RTS/ESFAS Setpoint Methodology Study Report EE-0116).

(Technical

7. WCAP-10271-P-A, Supplement 1, Rev.

1, June 1990 and WCAP-14333-P-A, Rev.

1, October 1998.

8. Technical Requirements Manual.
9. Regulatory Guide 1.105, Revision Related Instrumentation."

3, "Setpoints for Safety North Anna Units 1 and 2 Revision 0, 04/02/02 B 3.3.1-59

Intentionally Blank

Retrieved from "https://kanterella.com/w/index.php?title=ML020700311&oldid=5442545"