Text

Part 4 of 10, North Anna Power Station, Units 1 & 2, Proposed Improved Technical Specifications Comments on Draft Safety Evaluation, Certified Improved Technical Specifications (ITS) & Bases & Proposed License Conditions, B.3.3 Instrumentat
	ML020700330
Person / Time
Site:	North Anna
Issue date:	02/22/2002
From:	Hartz L; Virginia Electric & Power Co (VEPCO)
To:	; Document Control Desk, Office of Nuclear Reactor Regulation
References
	02-053, CM/RAB R0, TAC MB0799, TAC MB0800
	Download: ML020700330 (170)
	v • d • e

ESFAS Instrumentation B 3.3.2 B 3.3 INSTRUMENTATION B 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation BASES BACKGROUND The ESFAS initiates necessary safety systems, based on the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary, and to mitigate accidents.

The ESFAS instrumentation is segmented into three distinct but interconnected modules as identified below:

"*Field transmitters or process sensors and instrumentation:

provide a measurable electronic signal based on the physical characteristics of the parameter being measured;

"*Signal processing equipment including analog protection system, field contacts, and protection channel sets:

provide signal conditioning, bistable setpoint comparison, process algorithm actuation, compatible electrical signal output to protection system devices, and control board/control room/miscellaneous indications; and

"*Solid State Protection System (SSPS) including input, logic, and output bays: initiates the proper unit shutdown or engineered safety feature (ESF) actuation in accordance with the defined logic and based on the bistable outputs from the signal process control and protection system.

The Allowable Value in conjunction with the trip setpoint and LCO establishes the threshold for ESFAS action to prevent exceeding acceptable limits such that the consequences of Design Basis Accidents (DBAs) will be acceptable. The Allowable Value is considered a limiting value such that a channel is OPERABLE if the setpoint is found not to exceed the Allowable Value during the CHANNEL OPERATIONAL TEST (COT). Note that, although a channel is "OPERABLE" under these circumstances, the ESFAS setpoint must be left adjusted to within the established calibration tolerance band of the ESFAS setpoint in accordance with the uncertainty assumptions stated in the referenced setpoint methodology, (as-left criteria) and confirmed to be operating within the statistical allowances of the uncertainty terms assigned.

North Anna Units 1 and 2 B 3.3.2-1 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES BACKGROUND Field Transmitters or Sensors (continued)

To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. In many cases, field transmitters or sensors that input to the ESFAS are shared with the Reactor Trip System (RTS). In some cases, the same channels also provide control system inputs. To account for calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowances are provided in the Allowable Values. The OPERABILITY of each transmitter or sensor is determined by either "as-found" calibration data evaluated during the CHANNEL CALIBRATION or by qualitative assessment of field transmitter or sensor, as related to the channel behavior observed during performance of the CHANNEL CHECK.

Signal Processing Equipment Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with setpoints established by safety analyses. These setpoints are defined in UFSAR, Chapter 6 (Ref. 1), Chapter 7 (Ref. 2), and Chapter 15 (Ref. 3). If the measured value of a unit parameter exceeds the predetermined setpoint, an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input bays. However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.

These requirements are described in IEEE-279-1971 (Ref. 4).

The actual number of channels required for each unit parameter is specified in Reference 2.

North Anna Units 1 and 2 B 3.3.2-2 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES BACKGROUND Allowable Values and ESFAS Setpoints (continued)

The trip setpoints used in the bistables are summarized in Reference 6. The selection of these trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 5), the Allowable Values specified in Table 3.3.2-1 in the accompanying LCO are conservative with respect to the analytical limits. A detailed description of the methodology used to calculate the Allowable Value and ESFAS setpoints including their explicit uncertainties, is provided in the unit specific setpoint methodology study (Ref. 6) which incorporates all of the known uncertainties applicable to each channel. The magnitudes of these uncertainties are factored into the determination of each ESFAS setpoint and corresponding Allowable Value. The nominal ESFAS setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for measurement errors detectable by the COT. The Allowable Value serves as the Technical Specification OPERABILITY limit for the purpose of the COT.

One example of such a change in measurement error is drift during the surveillance interval. If the measured setpoint does not exceed the Allowable Value, the bistable is considered OPERABLE.

The ESFAS setpoints are the values at which the bistables are set and is the expected value to be achieved during calibration. The ESFAS setpoint value ensures the safety analysis limits are met for the surveillance interval selected when a channel is adjusted based on stated channel uncertainties. Any bistable is considered to be properly adjusted when the "as-left" setpoint value is within the band for CHANNEL CALIBRATION uncertainty allowance (i.e.,

calibration tolerance uncertainties). The ESFAS setpoint value is therefore considered a "nominal" value (i.e.,

expressed as a value without inequalities) for the purposes of the COT and CHANNEL CALIBRATION.

Setpoints adjusted consistent with the requirements of the Allowable Value ensure that the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the unit is operated from within the LCOs at the onset of the DBA and the equipment functions as designed.

(continued)

North Anna Units 1 and 2 B 3.3.2-3 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES BACKGROUND Allowable Values and ESFAS Setpoints (continued)

Each channel can be tested on line to verify that the signal processing equipment and setpoint accuracy is within the specified allowance requirements of Table 3.3.2-1. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SR section.

Solid State Protection System The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables.

To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result. Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements.

The SSPS performs the decision logic for most ESF equipment actuation; generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to the main control room of the unit.

The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various transients. If a required logic matrix combination is completed, the system will send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.

Each SSPS train has a built in testing device that can automatically test the decision logic matrix functions and the actuation devices while the unit is at power. When any one train is taken out of service for testing, the other (continued)

North Anna Units 1 and 2 B 3.3.2-4 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES BACKGROUND Solid State Protection System (continued) train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.

The actuation of ESF components is accomplished through master and slave relays. The SSPS energizes the master relays appropriate for the condition of the unit. Each master relay then energizes one or more slave relays, which then cause actuation of the end devices. The master and slave relays are routinely tested to ensure operation. The test of the master relays energizes the relay, which then operates the contacts and applies a low voltage to the associated slave relays. The low voltage is not sufficient to actuate the slave relays but only demonstrates signal path continuity. The SLAVE RELAY TEST actuates the devices if their operation will not interfere with continued unit operation. For the latter case, actual component operation is prevented by the SLAVE RELAY TEST circuit, and slave relay contact operation is verified by a continuity check of the circuit containing the slave relay.

APPLICABLE Each of the analyzed accidents can be detected by one or more SAFETY ESFAS Functions. One of the ESFAS Functions is the primary ANALYSES, LCO, actuation signal for that accident. An ESFAS Function may be AND the primary actuation signal for more than one type of APPLICABILITY accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other accidents.

For example, Pressurizer Pressure-Low Low is a primary actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment. Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).

The LCO requires all instrumentation performing an ESFAS Function to be OPERABLE. A channel is OPERABLE with a trip setpoint value outside its calibration tolerance band provided the trip setpoint "as-found" value does not exceed (continued)

North Anna Units 1 and 2 B 3.3.2-5 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE its associated Allowable Value and provided the trip SAFETY setpoint "as-left" value is adjusted to a value within the ANALYSES, LCO, calibration tolerance band of the nominal trip setpoint. A AND trip setpoint may be set more conservative than the nominal APPLICABILITY trip setpoint as necessary in response to unit conditions.

(continued) Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.

The LCO generally requires OPERABILITY of four or three channels in each instrumentation function and two channels in each logic and manual initiation function. The two-out-of-three and the two-out-of-four configurations allow one channel to be tripped or bypassed during maintenance or testing without causing an ESFAS initiation.

Two logic or manual initiation channels are required to ensure no single random failure disables the ESFAS.

The required channels of ESFAS instrumentation provide unit protection in the event of any of the analyzed accidents.

ESFAS protection functions are as follows:

1. Safety Injection Safety Injection (SI) provides two primary functions:

1. Primary side water addition to ensure maintenance or recovery of reactor vessel water level (coverage of the active fuel for heat removal, clad integrity, and for limiting peak clad temperature to < 22000 F); and

2. Boration to ensure recovery and maintenance of SDM.

These functions are necessary to mitigate the effects of high energy line breaks (HELBs) both inside and outside of containment. The SI signal is also used to initiate other Functions such as:

"*Phase A Isolation;

"*Reactor Trip;

"*Turbine Trip;

"*Feedwater Isolation;

"*Start of all auxiliary feedwater (AFW) pumps; North Anna Units 1 and 2 B 3.3.2-6 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 1. Safety Injection (continued)

SAFETY ANALYSES, LCO,

Control room ventilation isolation; and AND APPLICABILITY

Enabling automatic switchover of Emergency Core Cooling Systems (ECCS) suction to containment sump.

These other functions ensure:

"* Isolation of nonessential systems through containment penetrations;

"*Trip of the turbine and reactor to limit power generation;

"*Isolation of main feedwater (MFW) to limit secondary side mass losses;

"*Start of AFW to ensure secondary side cooling capability;

"* Isolation of the control room to ensure habitability; and

"*Enabling ECCS suction from the refueling water storage tank (RWST) switchover on low low RWST level to ensure continued cooling via use of the containment sump.

a. Safety Injection-Manual Initiation The LCO requires one channel per train to be OPERABLE. The operator can initiate SI at any time by using either of two switches in the control room.

This action will cause actuation of all components in the same manner as any of the automatic actuation signals.

The LCO for the Manual Initiation Function ensures the proper amount of redundancy is maintained in the manual ESFAS actuation circuitry to ensure the operator has manual ESFAS initiation capability.

Each channel consists of one switch and the interconnecting wiring to the actuation logic cabinet. Each switch actuates both trains. This configuration does not allow testing at power.

North Anna Units 1 and 2 B 3.3.2-7 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 1. Safety Injection (continued)

SAFETY ANALYSES, LCO, b. Safety Injection-Automatic Actuation Logic and AND Actuation Relays APPLICABILITY This LCO requires two trains to be OPERABLE.

Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment.

Manual and automatic initiation of SI must be OPERABLE in MODES 1, 2, and 3. In these MODES, there is sufficient energy in the primary and secondary systems to warrant automatic initiation of ESF systems. Manual Initiation is also required in MODE 4 even though automatic actuation is not required.

Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system manual initiation. In this MODE, adequate time is available to manually actuate required components in the event of a DBA, but because of the large number of components actuated on a SI, actuation is simplified by the use of the manual actuation switches.

These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. Unit pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

c. Safety Injection-Containment Pressure-High This signal provides protection against the following accidents:

"*SLB inside containment;

"*LOCA; and

"*Feed line break inside containment.

(continued)

North Anna Units 1 and 2 B 3.3.2-8 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 1. Safety Injection (continued)

SAFETY ANALYSES, LCO, c. Safety Injection-Containment Pressure-High AND (continued)

APPLICABILITY Containment Pressure-High provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with a two-out-of-three logic. The transmitters (d/p cells) and electronics are located outside of containment with the sensing line (high pressure side of the transmitter) located inside containment.

Thus, the high pressure Function will not experience any adverse environmental conditions and the trip setpoint reflects only steady state instrument uncertainties.

Containment Pressure-High must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary systems to pressurize the containment following a pipe break. In MODES 4, 5, and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment.

d. Safety Injection-Pressurizer Pressure-Low Low This signal provides protection against the following accidents:

"*Inadvertent opening of a steam generator (SG) relief or safety valve;

"* SLB;

"* A spectrum of rod cluster control assembly ejection accidents (rod ejection);

"*Inadvertent opening of a pressurizer relief or safety valve;

"*LOCAs; and

"*SG Tube Rupture.

(continued)

North Anna Units 1 and 2 B 3.3.2-9 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 1. Safety Injection (continued)

SAFETY ANALYSES, LCO, d. Safety Injection-Pressurizer Pressure-Low Low AND (continued)

APPLICABILITY Three channels are required to satisfy the requirements with a two-out-of-three logic. North Anna design utilizes dedicated protection and control channels, and only three protection channels are necessary to satisfy the protective requirements.

The transmitters are located inside containment, with the taps in the vapor space region of the pressurizer, and thus possibly experiencing adverse environmental conditions (LOCA, SLB inside containment, rod ejection). Therefore, the trip setpoint reflects the inclusion of both steady state and adverse environmental instrument uncertainties.

This Function must be OPERABLE in MODES 1, 2, and 3 (above P-lI) to mitigate the consequences of an HELB inside containment. This signal may be manually blocked by the operator below the P-11 setpoint.

Automatic SI actuation below this pressure setpoint is then performed by the Containment Pressure-High signal.

This Function is not required to be OPERABLE in MODE 3 below the P-I1 setpoint. Other ESF functions are used to detect accident conditions and actuate the ESF systems in this MODE. In MODES 4, 5, and 6, this Function is not needed for accident detection and mitigation.

e. Steam Line Pressure-High Differential Pressure Between Steam Lines Steam Line Pressure-High Differential Pressure Between Steam Lines provides protection against the following accidents:

"*SLB;

"*Feed line break; and

"*Inadvertent opening of an SG relief or an SG safety valve.

(continued)

North Anna Units 1 and 2 B 3.3.2-10 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 1. Safety Injection (continued)

SAFETY ANALYSES, LCO, e. Steam Line Pressure-High Differential Pressure AND Between Steam Lines (continued)

APPLICABILITY Steam Line Pressure-High Differential Pressure Between Steam Lines provides no input to any control functions. Thus, three OPERABLE channels on each steam line are sufficient to satisfy the requirements, with a two-out-of-three logic on each steam line.

With the transmitters located away from the steam lines, it is not possible for them to experience adverse environmental conditions during an SLB event.

The trip setpoint reflects only steady state instrument uncertainties. Steam line high differential pressure must be OPERABLE in MODES 1, 2, and 3 when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). This Function is not required to be OPERABLE in MODE 4, 5, or 6 because there is not sufficient energy in the secondary side of the unit to cause an accident.

f. g. Safety Injection-High Steam Flow in Two Steam Lines Coincident With Tavg-Low Low or Coincident With Steam Line Pressure-Low These Functions (l.f and 1.g) provide protection against the following accidents:

"*SLB; and

"*the inadvertent opening of an SG relief or an SG safety valve.

Two steam line flow channels per steam line are required OPERABLE for these Functions. The steam line flow channels are combined in a one-out-of-two logic to indicate high steam flow in one steam line. The steam flow transmitters provide control inputs, but the control function cannot cause the events that the Function must protect against. Therefore, two channels are sufficient to satisfy redundancy requirements. The one-out-of-two configuration allows online testing because trip of one high steam flow (continued)

North Anna Units 1 and 2 B 3.3.2-11 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 1. Safety Injection (continued)

SAFETY ANALYSES, LCO, f. g. Safety Injection-High Steam Flow in Two Steam Lines AND Coincident With Tavw-Low Low or Coincident With Steam APPLICABILITY Line Pressure-Low Ccontinued) channel is not sufficient to cause initiation. High steam flow in two steam lines is acceptable in the case of a single steam line fault due to the fact that the remaining intact steam lines will pick up the full turbine load. The increased steam flow in the remaining intact lines will actuate the required second high steam flow trip. Additional protection is provided by Function i.e, High Differential Pressure Between Steam Lines.

One channel of Tavg per loop and one channel of low steam line pressure per steam line are required OPERABLE. For each parameter, the channels for all loops or steam lines are combined in a logic such that two channels tripped will cause a trip for the parameter. The low steam line pressure channels are combined in two-out-of-three logic. Thus, the Function trips on one-out-of-two high flow in any two-out-of-three steam lines if there is one-out-of-one low low Tavg trip in any two-out-of-three RCS loops, or if there is a one-out-of-one low pressure trip in any two-out-of-three steam lines. Since the accidents that this event protects against cause both low steam line pressure and low low Tavg, provision of one channel per loop or steam line ensures no single random failure can disable both of these Functions.

The steam line pressure channels provide no control inputs. The Tavg channels provide control inputs, but the control function cannot initiate events that the Function acts to mitigate.

The Allowable Value for high steam flow is a linear function that varies with power level. The function is a AP corresponding to 42% of full steam flow between 0% and 20% load to 111% of full steam flow at 100% load. The nominal trip setpoint is similarly calculated.

(continued)

North Anna Units 1 and 2 B 3.3.2-12 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 1. Safety Injection (continued)

SAFETY ANALYSES, LCO, f. g. Safety Injection-High Steam Flow in Two Steam Lines AND Coincident With Tavw-Low Low or Coincident With Steam APPLICABILITY Line Pressure-Low (continued)

With the transmitters located inside the containment (Tavg) or near the steam lines (High Steam Flow), it is possible for them to experience adverse steady state environmental conditions during an SLB event.

The trip setpoint reflects only steady state instrument uncertainties.

This Function must be OPERABLE in MODES 1, 2, and 3 (above P-12) when a secondary side break or stuck open valve could result in the rapid depressurization of the steam line(s). This signal may be manually blocked by the operator when below the P-12 setpoint.

Above P-12, this Function is automatically unblocked.

This Function is not required OPERABLE below P-12 because the reactor is not critical, so steam line break is not a concern. SLB may be addressed by Containment Pressure High (inside containment) or by High Steam Flow in Two Steam Lines coincident with Steam Line Pressure-Low, for Steam Line Isolation, followed by High Differential Pressure Between Two Steam Lines, for SI. This Function is not required to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to cause an accident.

2. Containment Spray Containment Spray provides three primary functions:

1. Lowers containment pressure and temperature after an HELB in containment;

2. Reduces the amount of radioactive iodine in the containment atmosphere; and

3. Adjusts the pH of the water in the containment sump after a large break LOCA.

North Anna Units 1 and 2 B 3.3.2-13 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 2. Containment Spray (continued)

SAFETY ANALYSES, LCO, These functions are necessary to:

AND APPLICABILITY

Ensure the pressure boundary integrity of the containment structure;

"*Limit the release of radioactive iodine to the environment in the event of a failure of the containment structure; and

" Minimize corrosion of the components and systems inside containment following a LOCA.

The containment spray actuation signal starts the quench spray pumps and aligns the discharge of the pumps to the containment spray nozzle headers in the upper levels of containment. Water is initially drawn from the RWST by the quench spray pumps and mixed with a sodium hydroxide solution from the chemical addition tank. When the RWST reaches the low low level setpoint, the Low Head Safety Injection pump suctions are shifted to the containment sump. Containment spray is actuated manually or by Containment Pressure-High High signal.

a. Containment Spray-Manual Initiation The operator can initiate containment spray at any time from the control room by simultaneously turning two containment spray actuation switches in the same train. Because an inadvertent actuation of containment spray could have such serious consequences, two switches must be turned simultaneously to initiate containment spray. There are two sets of two switches each in the control room.

Simultaneously turning the two switches in either set will actuate containment spray in both trains in the same manner as the automatic actuation signal. Two Manual Initiation switches in each train are required to be OPERABLE to ensure no single failure disables the Manual Initiation Function. Note that Manual Initiation of containment spray also actuates Phase B containment isolation.

North Anna Units 1 and 2 B 3.3.2-14 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 2. Containment Spray (continued)

SAFETY ANALYSES, LCO, b. Containment Spray-Automatic Actuation Logic and AND Actuation Relays APPLICABILITY Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

Manual and automatic initiation of containment spray must be OPERABLE in MODES 1, 2, and 3 when there is a potential for an accident to occur, and sufficient energy exists in the primary or secondary systems to pose a threat to containment integrity due to overpressure conditions. Manual initiation is also required in MODE 4, even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA. However, because of the large number of components actuated on a containment spray, actuation is simplified by the use of the manual actuation switches. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system manual initiation. In MODES 5 and 6, there is insufficient energy in the primary and secondary systems to result in containment overpressure. In MODES 5 and 6, there is also adequate time for the operators to evaluate unit conditions and respond, to mitigate the consequences of abnormal conditions by manually starting individual components.

c. Containment Spray-Containment Pressure This signal provides protection against a LOCA or an SLB inside containment. The transmitters (d/p cells) are located outside of containment with the sensing line (high pressure side of the transmitter) located inside containment. The transmitters and electronics are located outside of containment. Thus, they will not experience any adverse environmental conditions and the Allowable Value reflects only steady state instrument uncertainties.

This is one of few Functions that requires the bistable output to energize to perform its required action. It is not desirable to have a loss of power (continued)

North Anna Units 1 and 2 B 3.3.2-15 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 2. Containment Spray (continued)

SAFETY ANALYSES, LCO, c. Containment Spray-Containment Pressure (continued)

AND APPLICABILITY actuate containment spray, since the consequences of an inadvertent actuation of containment spray could be serious. Note that this Function also has the inoperable channel placed in bypass rather than trip to decrease the probability of an inadvertent actuation.

North Anna uses four channels in a two-out-of-four logic configuration and the Containment Pressure-High High Setpoint Actuates Containment Spray Systems.

Since containment pressure is not used for control, this arrangement exceeds the minimum redundancy requirements. Additional redundancy is warranted because this Function is energize to trip.

Containment Pressure-High High must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary sides to pressurize the containment following a pipe break. In MODES 4, 5, and 6, there is insufficient energy in the primary and secondary sides to pressurize the containment and reach the Containment Pressure-High High setpoints.

3. Containment Isolation Containment Isolation provides isolation of the containment atmosphere, and all process systems that penetrate containment, from the environment. This Function is necessary to prevent or limit the release of radioactivity to the environment in the event of a large break LOCA.

There are two separate Containment Isolation signals, Phase A and Phase B. Phase A isolation isolates all automatically isolable process lines, except component cooling water (CC) and instrument air (IA), at a relatively low containment pressure indicative of primary or secondary system leaks. A list of the process lines is provided in the Technical Requirements Manual (Ref. 9). For these types of events, forced circulation cooling using the reactor coolant pumps (RCPs) and SGs is the preferred (but not required) method of decay heat removal. Since CC is required to support RCP operation, not isolating CC on the low pressure Phase A signal (continued)

North Anna Units 1 and 2 B 3.3.2-16 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 3. Containment Isolation (continued)

SAFETY ANALYSES, LCO, enhances unit safety by allowing operators to use forced AND RCS circulation to cool the unit. Isolating CC on the low APPLICABILITY pressure signal may force the use of feed and bleed cooling, which could prove more difficult to control.

Phase A containment isolation is actuated automatically by SI, or manually via the automatic actuation logic.

All process lines penetrating containment, with the exception of CC and IA, are isolated. CC is not isolated at this time to permit continued operation of the RCPs with cooling water flow to the thermal barrier heat exchangers and air or oil coolers. All process lines not equipped with remote operated isolation valves are manually closed, or otherwise isolated, prior to reaching MODE 4.

Manual Phase A Containment Isolation is accomplished by either of two switches in the control room. Either switch actuates both trains.

The Phase B signal isolates CC and IA. This occurs at a relatively high containment pressure that is indicative of a large break LOCA or an SLB. For these events, forced circulation using the RCPs is no longer desirable.

Isolating the CC at the higher pressure does not pose a challenge to the containment boundary because the CC System is a closed loop inside containment. Although some system components do not meet all of the ASME Code requirements applied to the containment itself, the system is continuously pressurized to a pressure greater than the Phase B setpoint. Thus, routine operation demonstrates the integrity of the system pressure boundary for pressures exceeding the Phase B setpoint.

Furthermore, because system pressure exceeds the Phase B setpoint, any system leakage prior to initiation of Phase B isolation would be into containment. Therefore, the combination of CC and IA Systems design and Phase B isolation ensures the CC System is not a potential path for radioactive release from containment.

Phase B containment isolation is actuated by Containment Pressure-High High, or manually, via the automatic actuation logic, as previously discussed. For containment pressure to reach a value high enough to actuate Containment Pressure-High High, a large break (continued)

North Anna Units 1 and 2 B 3.3.2-17 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 3. Containment Isolation (continued)

SAFETY ANALYSES, LCO, LOCA or SLB must have occurred. RCP operation will no AND longer be required and CC to the RCPs is, therefore, no APPLICABILITY longer necessary. The RCPs can be operated with seal injection flow alone and without CC flow to the thermal barrier heat exchanger.

Manual Phase B Containment Isolation is accomplished by the same switches that actuate Containment Spray. When the two switches in either set are turned simultaneously, Phase B Containment Isolation and Containment Spray will be actuated in both trains.

a. Containment Isolation-Phase A Isolation (1) Phase A Isolation-Manual Initiation Manual Phase A Containment Isolation is actuated by either of two switches in the control room.

Either switch actuates both trains.

(2) Phase A Isolation-Automatic Actuation Logic and Actuation Relays Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

Manual and automatic initiation of Phase A Containment Isolation must be OPERABLE in MODES 1, 2, and 3, when there is a potential for an accident to occur. Manual initiation is also required in MODE 4 even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA, but because of the large number of components actuated on a Phase A Containment Isolation, actuation is simplified by the use of the manual actuation switches. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system manual initiation. In MODES 5 and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require Phase A Containment Isolation. There also is adequate time for the operator to evaluate unit (continued)

North Anna Units 1 and 2 B 3.3.2-18 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 3. Containment Isolation (continued)

SAFETY ANALYSES, LCO, a. Containment Isolation-Phase A Isolation (continued)

AND APPLICABILITY conditions and manually actuate individual isolation valves in response to abnormal or accident conditions.

(3) Phase A Isolation-Safety Injection Phase A Containment Isolation is also initiated by all Functions that initiate SI. The Phase A Containment Isolation requirements for these Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and requirements.

b. Containment Isolation-Phase B Isolation Phase B Containment Isolation is accomplished by Manual Initiation, Automatic Actuation Logic and Actuation Relays, and by Containment Pressure channels (the same channels that actuate Containment Spray, Function 2). The Containment Pressure trip of Phase B Containment Isolation is energized to trip in order to minimize the potential of spurious trips that may damage the RCPs.

(1) Phase B Isolation-Manual Initiation (2) Phase B Isolation-Automatic Actuation Logic and Actuation Relays Manual and automatic initiation of Phase B containment isolation must be OPERABLE in MODES 1, 2, and 3, when there is a potential for an accident to occur. Manual initiation is also required in MODE 4 even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA. However, because of the large number of components actuated on a Phase B containment isolation, actuation is simplified by the use of the Containment Spray manual actuation switches.

(continued)

North Anna Units 1 and 2 B 3.3.2-19 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 3. Containment Isolation (continued)

SAFETY ANALYSES, LCO, b. Containment Isolation-Phase B Isolation (continued)

AND APPLICABILITY (2) Phase B Isolation-Automatic Actuation Logic and Actuation Relays (continued)

Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system manual initiation. In MODES 5 and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require Phase B containment isolation. There also is adequate time for the operator to evaluate unit conditions and manually actuate individual isolation valves in response to abnormal or accident conditions.

(3) Phase B Isolation-Containment Pressure The basis for containment pressure MODE applicability is as discussed for ESFAS Function 2.c above.

4. Steam Line Isolation Isolation of the main steam lines provides protection in the event of an SLB inside or outside containment. Rapid isolation of the steam lines will limit the steam break accident to the blowdown from one SG, at most. For an SLB upstream of the main steam trip valves (MSTVs), inside or outside of containment, closure of the MSTVs limits the accident to the blowdown from only the affected SG.

For an SLB downstream of the MSTVs, closure of the MSTVs terminates the accident.

a. Steam Line Isolation-Manual Initiation Manual initiation of Steam Line Isolation can be accomplished from the control room. There are two switches for each MSTV in the control room and either switch can initiate action to immediately close that MSTV. The LCO requires two channels to be OPERABLE for each MSTV.

North Anna Units 1 and 2 B 3.3.2-20 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 4. Steam Line Isolation (continued)

SAFETY ANALYSES, LCO, b. Steam Line Isolation-Automatic Actuation Logic and AND Actuation Relays APPLICABILITY Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

Manual and automatic initiation of steam line isolation must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the RCS and SGs to have an SLB or other accident. This could result in the release of significant quantities of energy and cause a cooldown of the primary system. The Steam Line Isolation Function is required in MODES 2 and 3 unless all MSTVs are closed and de-activated. In MODES 4, 5, and 6, there is insufficient energy in the RCS and SGs to experience an SLB or other accident releasing significant quantities of energy.

c. Steam Line Isolation-Containment Pressure-Intermediate High High This Function actuates closure of the MSTVs in the event of a LOCA or an SLB inside containment to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. The transmitters (d/p cells) are located outside containment with the sensing line (high pressure side of the transmitter) located inside containment. Containment Pressure-Intermediate High High provides no input to any control functions.

Thus, two OPERABLE channels are sufficient to satisfy protective requirements with one-out-of-two logic.

However, for enhanced reliability, this Function was designed with three channels and a two-out-of-three logic. The transmitters and electronics are located outside of containment. Thus, they will not experience any adverse environmental conditions, and the trip setpoint reflects only steady state instrument uncertainties.

Containment Pressure-Intermediate High High must be OPERABLE in MODES 1, 2, and 3, when there is sufficient energy in the primary and secondary side to pressurize the containment following a pipe break.

(continued)

North Anna Units 1 and 2 B 3.3.2-21 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 4. Steam Line Isolation (continued)

SAFETY ANALYSES, LCO, c. Steam Line Isolation-Containment AND Pressure-Intermediate High High (continued)

APPLICABILITY This would cause a significant increase in the containment pressure, thus allowing detection and closure of the MSTVs. The Steam Line Isolation Function remains OPERABLE in MODES 2 and 3 unless all MSTVs are closed and de-activated. In MODES 4, 5, and 6, there is not enough energy in the primary and secondary sides to pressurize the containment to the Containment Pressure-Intermediate High High setpoint.

d. e. Steam Line Isolation-High Steam Flow in Two Steam Lines Coincident with Tavg-Low Low or Coincident With Steam Line Pressure-Low These Functions (4.d and 4.e) provide closure of the MSTVs during an SLB or inadvertent opening of an SG relief or a safety valve, to maintain at least one unfaulted SG as a heat sink for the reactor and to limit the mass and energy release to containment.

These Functions were discussed previously as Functions 1.f. and 1.g.

These Functions must be OPERABLE in MODES 1 and 2, and in MODE 3, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines unless all MSTVs are closed and de-activated. These Functions are not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the unit to have an accident.

5. Turbine Trip and Feedwater Isolation The primary functions of the Turbine Trip and Feedwater Isolation signals are to prevent damage to the turbine due to water in the steam lines, and to stop the excessive flow of feedwater into the SGs. These Functions are necessary to mitigate the effects of a high water level in the SGs, which could result in carryover of water into the steam lines and excessive cooldown of the primary system. The SG high water level is due to excessive feedwater flows.

(continued)

North Anna Units 1 and 2 B 3.3.2-22 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 5. Turbine Trip and Feedwater Isolation (continued)

SAFETY ANALYSES, LCO, The Function is actuated when the level in any SG exceeds AND the high high setpoint, and performs the following APPLICABILITY functions:

0 Trips the main turbine;

Trips the MFW pumps;

Initiates feedwater isolation by closing the Main Feedwater Isolation Valves (MFIVs); and

Shuts the MFW regulating valves and their associated bypass valves.

This Function is actuated by SG Water Level-High High, or by an SI signal. In the event of SI, the MFW System is automatically secured and isolated and the AFW System is automatically started. The SI signal was discussed previously.

a. Turbine Trip and Feedwater Isolation-Automatic Actuation Logic and Actuation Relays Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

b. Turbine Trip and Feedwater Isolation-Steam Generator Water Level-High High (P-14)

This signal provides protection against excessive feedwater flow. The ESFAS SG water level instruments provide input to the SG Water Level Control System.

The SG Water Level-High High trip is provided from the narrow range instrumentation span from each SG.

North Anna has only three channels that are shared between protection and control functions and justification is provided in NUREG-1218 (Ref. 7).

The transmitters (d/p cells) are located inside containment. However, the events that this Function protects against cannot cause a severe environment in containment. Therefore, the trip setpoint reflects only steady state instrument uncertainties.

North Anna Units 1 and 2 B 3.3.2-23 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 5. Turbine Trip and Feedwater Isolation (continued)

SAFETY ANALYSES, LCO, c. Turbine Trip and Feedwater Isolation-Safety Injection AND APPLICABILITY Turbine Trip and Feedwater Isolation is also initiated by all Functions that initiate SI. The Feedwater Isolation Function requirements for these Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead Function 1, SI, is referenced for all initiating functions and requirements.

Turbine Trip and Feedwater Isolation Functions must be OPERABLE in MODES 1, 2, and 3 when the MFW System is in operation and the turbine generator may be in operation.

These functions are not required to be OPERABLE in MODES 2 and 3 when all MFW pump discharge valves or all MFIVs, MFRVs, and associated bypass valves are closed and de-activated or isolated by a closed manual valve.

In MODES 4, 5, and 6, the MFW System and the turbine generator are not in service and this Function is not required to be OPERABLE.

6. Auxiliary Feedwater The AFW System is designed to provide a secondary side heat sink for the reactor in the event that the MFW System is not available. The system has two motor driven pumps and a turbine driven pump, making it available during normal unit operation, during a loss of AC power, a loss of MFW, and during a Feedwater System pipe break.

The normal source of water for the AFW System is the Emergency condensate storage tank (ECST). The AFW System is aligned so that upon a pump start, flow is initiated to the respective SG immediately.

a. Auxiliary Feedwater-Automatic Actuation Logic and Actuation Relays Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

North Anna Units 1 and 2 B 3.3.2-24 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 6. Auxiliary Feedwater (continued)

SAFETY ANALYSES, LCO, b. Auxiliary Feedwater-Steam Generator Water Level-Low AND Low APPLICABILITY SG Water Level-Low Low provides protection against a loss of heat sink. A feed line break, inside or outside of containment, or a loss of MFW, would result in a loss of SG water level. SG Water Level-Low Low provides input to the SG Level Control System.

Three protection channels are necessary to satisfy the protective requirements. These channels are shared between protection and control functions and justification is provided in Reference 7.

With the transmitters (d/p cells) located inside containment and thus possibly experiencing adverse environmental conditions (feed line break), the trip setpoint reflects the inclusion of both steady state and adverse environmental instrument uncertainties.

c. Auxiliary Feedwater-Safety Injection An SI signal starts the motor driven and turbine driven AFW pumps. The AFW initiation functions are the same as the requirements for their SI function.

Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.

d. Auxiliary Feedwater-Loss of Offsite Power A loss of offsite power to the transfer buses may be accompanied by a loss of reactor coolant pumping power and the subsequent need for some method of decay heat removal. The loss of offsite power is detected by a voltage drop on each transfer bus. Loss of power to the transfer bus will start all AFW pumps to ensure that at least one SG contains enough water to serve as the heat sink for reactor decay heat and sensible heat removal following the reactor trip.

Functions 6.a through 6.d must be OPERABLE in MODES 1, 2, and 3 to ensure that the SGs remain the heat sink for the reactor. SG Water Level-Low Low in any SG will cause all AFW pumps to start. The system is aligned so that upon a start of the pump, water immediately begins to (continued)

North Anna Units 1 and 2 B 3.3.2-25 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 6. Auxiliary Feedwater (continued)

SAFETY ANALYSES, LCO, flow to the SGs. These Functions do not have to be AND OPERABLE in MODES 5 and 6 because there is not enough APPLICABILITY heat being generated in the reactor to require the SGs as a heat sink. In MODE 4, AFW actuation does not need to be OPERABLE because either RCS Loop(s) or residual heat removal (RHR) will already be in operation to remove decay heat or sufficient time is available to manually place either system in operation.

e. Auxiliary Feedwater-Trip of All Main Feedwater Pumps A Trip of all MFW pumps is an indication of a loss of MFW and the subsequent need for some method of decay heat and sensible heat removal to bring the reactor back to no load temperature and pressure. Motor driven MFW pumps are equipped with a breaker position sensing device. An open supply breaker indicates that the pump is not running. Two OPERABLE channels per pump satisfy redundancy requirements with one-out-of-two taken twice logic. A trip of all MFW pumps starts the motor driven and turbine driven AFW pumps to ensure that at least one SG is available with water to act as the heat sink for the reactor.

Function 6.e must be OPERABLE in MODES 1 and 2. This ensures that at least one SG is provided with water to serve as the heat sink to remove reactor decay heat and sensible heat in the event of an accident. In MODES 3, 4, and 5, the RCPs and MFW pumps may be normally shut down, and thus neither pump trip is indicative of a condition requiring automatic AFW initiation.

7. Automatic Switchover to Containment Sump At the end of the injection phase of a LOCA, the RWST will be nearly empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment sump. The low head safety injection (LHSI) pumps and inside and outside recirculation spray pumps draw the water from the containment sump, the LHSI pumps pump the water back into the RCS. The Inside and Outside Recirculation Spray pumps circulate water through the heat exchangers to the spray rings and supplies water to the containment sump. Switchover from the RWST to the (continued)

North Anna Units 1 and 2 B 3.3.2-26 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 7. Automatic Switchover to Containment Sump (continued)

SAFETY ANALYSES, LCO, containment sump must occur before the RWST empties to AND prevent damage to the LHSI pumps and a loss of core APPLICABILITY cooling capability. For similar reasons, switchover must not occur before there is sufficient water in the containment sump to support ESF pump suction.

Furthermore, early switchover must not occur to ensure that sufficient borated water is injected from the RWST.

This ensures the reactor remains shut down in the recirculation mode.

a. Automatic Switchover to Containment Sump-Automatic Actuation Logic and Actuation Relays Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

b. Automatic Switchover to Containment Sump-Refueling Water Storage Tank (RWST) Level-Low Low Coincident With Safety Injection During the injection phase of a LOCA, the RWST is the source of water for all ECCS pumps. A low low level in the RWST coincident with an SI signal provides protection against a loss of water for the ECCS pumps and indicates the end of the injection phase of the LOCA. The RWST is equipped with four level transmitters. These transmitters provide no control functions. Therefore, a two-out-of-four logic is adequate to initiate the protection function actuation. Although only three channels would be sufficient, a fourth channel has been added for increased reliability.

The RWST-Low Low Allowable Value has both upper and lower limits. The lower limit is selected to ensure switchover occurs before the RWST empties, to prevent ECCS pump damage. The upper limit is selected to ensure enough borated water is injected to ensure the reactor remains shut down. The high limit also ensures adequate water inventory in the containment sump to provide ECCS pump suction.

(continued)

North Anna Units 1 and 2 B 3.3.2-27 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 7. Automatic Switchover to Containment Sump (continued)

SAFETY ANALYSES, LCO, b. Automatic Switchover to Containment Sump-Refueling AND Water Storage Tank (RWST) Level-Low Low Coincident APPLICABILITY With Safety Injection (continued)

The transmitters are located in an area not affected by HELBs or post accident high radiation. Thus, they will not experience any adverse environmental conditions and the Allowable Value reflects only steady state instrument uncertainties.

Automatic switchover occurs only if the RWST low low level signal is coincident with SI. This prevents accidental switchover during normal operation.

Accidental switchover could damage ECCS pumps if they are attempting to take suction from an empty sump.

The automatic switchover Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and requirements.

These Functions must be OPERABLE in MODES 1, 2, 3, and 4 when there is a potential for a LOCA to occur, to ensure a continued supply of water for the ECCS pumps. These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. System pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

8. Engineered Safety Feature Actuation System Interlocks To allow some flexibility in unit operations, several interlocks are included as part of the ESFAS. These interlocks permit the operator to block some signals, automatically enable other signals, prevent some actions from occurring, and cause other actions to occur. The (continued)

North Anna Units 1 and 2 B 3.3.2-28 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 8. Engineered Safety Feature Actuation System Interlocks SAFETY (continued)

ANALYSES, LCO, AND interlock Functions back up manual actions to ensure APPLICABILITY bypassable functions are in operation under the conditions assumed in the safety analyses.

a. Engineered Safety Feature Actuation System Interlocks-Reactor Trip, P-4 The P-4 interlock is enabled when a reactor trip breaker (RTB) and its associated bypass breaker are open. Once the P-4 interlock is enabled, automatic SI reinitiation is blocked after a 60 second time delay.

This Function allows operators to take manual control of SI systems after the initial phase of injection is complete. Once SI is blocked, automatic actuation of SI cannot occur until the RTBs have been manually closed, resetting the P-4 interlock. The functions of the P-4 interlock are:

"*Trip the main turbine;

"*Isolate MFW Regulating Valves with coincident low Tavg;

"*Prevent automatic reactuation of SI after a manual reset of SI;

"*Prevent opening of the MFW regulating valves if they were closed on SI or SG Water Level-High High; and

"*Reset the high steam line flow to the nominal setpoint.

Each of the above Functions is interlocked with P-4 to avert or reduce the continued cooldown of the RCS following a reactor trip. An excessive cooldown of the RCS following a reactor trip could cause an insertion of positive reactivity with a subsequent increase in generated power. To avoid such a situation, the noted Functions have been interlocked with P-4 as part of the design of the unit control and protection system.

(continued)

North Anna Units 1 and 2 R 3.3.2-29 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 8. Engineered Safety Feature Actuation System Interlocks SAFETY (continued)

ANALYSES, LCO, AND a. Engineered Safety Feature Actuation System APPLICABILITY Interlocks-Reactor Trip, P-4 (continued)

None of the noted Functions serves a mitigation function in the unit licensing basis safety analyses.

Only the turbine trip Function is explicitly assumed since it is an immediate consequence of the reactor trip Function. Neither turbine trip, nor any of the other Functions associated with the reactor trip signal, is required to show that the unit licensing basis safety analysis acceptance criteria are not exceeded.

The RTB position switches that provide input to the P-4 interlock only function to energize or de-energize or open or close contacts. Therefore, this Function has no adjustable trip setpoint with which to associate an Allowable Value.

This Function must be OPERABLE in MODES 1, 2, and 3 when the reactor may be critical or approaching criticality. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because the main turbine and the MFW System are not required to be in operation.

b. Engineered Safety Feature Actuation System Interlocks-Pressurizer Pressure, P-11 The P-11 interlock permits a normal unit cooldown and depressurization without actuation of SI. With two-out-of-three pressurizer pressure channels (discussed previously) less than the P-Il setpoint, the operator can manually block the Pressurizer Pressure-Low Low SI signal. Additionally, the P-Il signal blocks the automatic opening of the pressurizer power operated relief valves (PORVs).

With two-out-of-three pressurizer pressure channels above the P-11 setpoint, the Pressurizer Pressure-Low Low SI signal is automatically enabled. The operator can also enable this trip by use of the respective manual reset buttons. The automatic opening capability for the pressurizer PORVs is reinstated (continued)

North Anna Units 1 and 2 B 3.3.2-30 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 8. Engineered Safety Feature Actuation System Interlocks SAFETY (continued)

ANALYSES, LCO, AND b. Engineered Safety Feature Actuation System APPLICABILITY Interlocks-Pressurizer Pressure, P-lI (continued) above the P-Il setpoint. The ECCS accumulator isolation valves will receive an automatic open signal when pressurizer pressure exceeds the P-Il setpoint. The Allowable Value reflects only steady state instrument uncertainties.

This Function must be OPERABLE in MODES 1, 2, and 3 to allow an orderly cooldown and depressurization of the unit without the actuation of SI. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because system pressure must already be below the P-1I setpoint for the requirements of the heatup and cooldown curves to be met.

c. Engineered Safety Feature Actuation System Interlocks-Tavg-Low Low, P-12 On increasing reactor coolant temperature, the P-12 interlock reinstates SI on High Steam Flow Coincident With Steam Line Pressure-Low or Coincident With Tavg-Low Low. On decreasing reactor coolant temperature, the P-12 interlock allows the operator to manually block SI on High Steam Flow Coincident With Steam Line Pressure-Low or Coincident with Tavg-Low Low. On a decreasing temperature, the P-12 interlock also provides a blocking signal to the Steam Dump System to prevent an excessive cooldown of the RCS due to a malfunctioning Steam Dump System.

Since Tavg is used as an indication of bulk RCS temperature, this Function meets redundancy requirements with one OPERABLE channel in each loop.

These channels are used in two-out-of-three logic.

This Function must be OPERABLE in MODES 1, 2, and 3 when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to have an accident.

The ESFAS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c) (2)(ii).

North Anna Units 1 and 2 B 3.3.2-31 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES ACTIONS A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed on Table 3.3.2-1.

In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument Loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected. When the Required Channels in Table 3.3.2-1 are specified (e.g., on a per steam line, per loop, per SG, etc.,

basis), then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.

When the number of inoperable channels in a trip function exceed those specified in one or other related Conditions associated with a trip function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE of operation.

A.1 Condition A applies to all ESFAS protection functions.

Condition A addresses the situation where one or more channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

B.1, B.2.1, and B.2.2 Condition B applies to manual initiation of:

"*SI;

"*Containment Spray; and

"*Phase A Isolation.

This action addresses the train orientation of the SSPS for the functions listed above. If a channel or train is inoperable, 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months is allowed to return it to an OPERABLE status. Note that for containment spray isolation, failure (continued)

North Anna Units 1 and 2 B 3.3.2-32 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES ACTIONS B.1, B.2.1, and B.2.2 (continued) of one or both channels in one train renders the train inoperable. The manual initiation for Phase B Containment isolation is provided by the containment spray manual switches. Condition B, therefore, encompasses both situations. The specified Completion Time is reasonable considering that there are two automatic actuation trains and another manual initiation train OPERABLE for each Function, and the low probability of an event occurring during this interval. If the train cannot be restored to OPERABLE status, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE 3 within an additional 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months (54 hours6.25e-4 days 0.015 hours 8.928571e-5 weeks 2.0547e-5 months total time) and in MODE 5 within an additional 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months (84 hours9.722222e-4 days 0.0233 hours 1.388889e-4 weeks 3.1962e-5 months total time). The allowable Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

C.1, C.2.1, and C.2.2 Condition C applies to the automatic actuation logic and actuation relays for the following functions:

"*SI;

"*Containment Spray;

"*Phase A Isolation;

"*Phase B Isolation; and

"*Automatic Switchover to Containment Sump.

This action addresses the train orientation of the SSPS and the master and slave relays. If one train is inoperable, 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months are allowed to restore the train to OPERABLE status. The specified Completion Time is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval.

If the train cannot be restored to OPERABLE status, the unit must be placed in a MODE in which the LCO does not apply.

This is done by placing the unit in at least MODE 3 within an additional 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months (30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months total time) and in MODE 5 within an additional 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months (60 hours6.944444e-4 days 0.0167 hours 9.920635e-5 weeks 2.283e-5 months total time). The Completion Times are reasonable, based on operating (continued)

North Anna Units I and 2 B 3.3.2-33 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES ACTIONS C.1, C.2.1, and C.2.2 (continued) experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

The Required Actions are modified by a Note that allows one train to be bypassed for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for surveillance testing, provided the other train is OPERABLE. This allowance is based on the reliability analysis assumption of Reference 8 that 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is the average time required to perform channel surveillance.

D.1, D.2.1, and D.2.2 Condition D applies to:

"*Containment Pressure-High;

"*Pressurizer Pressure-Low Low;

"*Steam Line Differential Pressure-High;

"*High Steam Flow in Two Steam Lines Coincident With Tavg-Low Low or Coincident With Steam Line Pressure-Low;

"*Containment Pressure-Intermediate High High;

"*SG Water level-Low Low; and

"* SG Water level-High High (P-14).

If one channel is inoperable, 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months are allowed to restore the channel to OPERABLE status or to place it in the tripped condition. Generally this Condition applies to functions that operate on two-out-of-three logic. Therefore, failure of one channel places the Function in a two-out-of-two configuration. One channel must be tripped to place the Function in a one-out-of-two configuration that satisfies redundancy requirements.

Failure to restore the inoperable channel to OPERABLE status or place it in the tripped condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months requires the unit be placed in MODE 3 within the following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 4 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

(continued)

North Anna Units 1 and 2 B 3.3.2-34 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES ACTIONS D.1, D.2.1, and D.2.2 (continued)

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, these Functions are no longer required OPERABLE.

The Required Actions are modified by a Note that allows the inoperable channel to be bypassed for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing of other channels. The 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed to restore the channel to OPERABLE status or to place the inoperable channel in the tripped condition, and the 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed for testing, are justified in Reference 8.

E.1, E.2.1, and E.2.2 Condition E applies to:

"*Containment Spray Containment Pressure-High High; and

"*Containment Phase B Isolation Containment Pressure-High High.

None of these signals has input to a control function. Thus, two-out-of-three logic is necessary to meet acceptable protective requirements. However, a two-out-of-three design would require tripping a failed channel. This is undesirable because a single failure would then cause spurious containment spray initiation. Spurious spray actuation is undesirable because of the cleanup problems presented.

Therefore, these channels are designed with two-out-of-four logic so that a failed channel may be bypassed rather than tripped. Note that one channel may be bypassed and still satisfy the single failure criterion. Furthermore, with one channel bypassed, a single instrumentation channel failure will not spuriously initiate containment spray.

To avoid the inadvertent actuation of containment spray and Phase B containment isolation, the inoperable channel should not be placed in the tripped condition. Instead it is bypassed. Restoring the channel to OPERABLE status, or placing the inoperable channel in the bypass condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , is sufficient to assure that the Function remains OPERABLE and minimizes the time that the Function may be in a partial trip condition (assuming the inoperable channel has failed high). The Completion Time is further (continued)

North Anna Units 1 and 2 B 3.3.2-35 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES ACTIONS E.1, E.2.1, and E.2.2 (continued) justified based on the low probability of an event occurring during this interval. Failure to restore the inoperable channel to OPERABLE status, or place it in the bypassed condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , requires the unit be placed in MODE 3 within the following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 4 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, these Functions are no longer required OPERABLE.

The Required Actions are modified by a Note that allows one additional channel to be bypassed for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing. Placing a second channel in the bypass condition for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for testing purposes is acceptable based on the results of Reference 8.

F.1, F.2.1, and F.2.2 Condition F applies to:

"*Manual Initiation of Steam Line Isolation;

"*Loss of Offsite Power; and

"*P-4 Interlock.

For the Manual Initiation and the P-4 Interlock Functions, this action addresses the train orientation of the SSPS. For the Loss of Offsite Power Function, this action recognizes the lack of manual trip provision for a failed channel. If a train or channel is inoperable, 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months is allowed to return it to OPERABLE status. The specified Completion Time is reasonable considering the nature of these Functions, the available redundancy, and the low probability of an event occurring during this interval. If the Function cannot be returned to OPERABLE status, the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 4 within the following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power in an orderly manner and without challenging unit systems. In MODE 4, the unit does not have any analyzed transients or conditions that require the explicit use of the protection functions noted above.

North Anna Units 1 and 2 B 3.3.2-36 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES ACTIONS G.1, G.2.1, and G.2.2 (continued)

Condition G applies to the automatic actuation logic and actuation relays for the Steam Line Isolation, Turbine Trip and Feedwater Isolation, and AFW actuation Functions.

The action addresses the train orientation of the SSPS and the master and slave relays for these functions. If one train is inoperable, 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months are allowed to restore the train to OPERABLE status. The Completion Time for restoring a train to OPERABLE status is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. If the train cannot be returned to OPERABLE status, the unit must be brought to MODE 3 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 4 within the following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. Placing the unit in MODE 4 removes all requirements for OPERABILITY of the protection channels and actuation functions. In this MODE, the unit does not have analyzed transients or conditions that require the explicit use of the protection functions noted above.

The Required Actions are modified by a Note that allows one train to be bypassed for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for surveillance testing provided the other train is OPERABLE. This allowance is based on the reliability analysis (Ref. 8) assumption that 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is the average time required to perform channel surveillance.

H.1 and H.2 Condition H applies to the AFW pump start on trip of all MFW pumps.

This action addresses the train orientation of the SSPS for the auto start function of the AFW System on loss of all MFW pumps. The OPERABILITY of the AFW System must be assured by allowing automatic start of the AFW System pumps. If a channel is inoperable, 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months are allowed to return it to an OPERABLE status. If the function cannot be returned to an OPERABLE status, 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months are allowed to place the unit in MODE 3. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without (continued)

North Anna Units 1 and 2 B 3.3.2-37 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES ACTIONS H.1 and H.2 (continued) challenging unit systems. In MODE 3, the unit does not have any analyzed transients or conditions that require the explicit use of the protection function noted above. The allowance of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months to return the train to an OPERABLE status is justified in Reference 8.

1.1, 1.2.1, and 1.2.2 Condition I applies to:

e RWST Level-Low Low Coincident with Safety Injection.

RWST Level-Low Low Coincident With SI provides actuation of switchover to the containment sump. Note that this Function requires the bistables to energize to perform their required action. The failure of up to two channels will not prevent the operation of this Function. However, placing a failed channel in the tripped condition could result in a premature switchover to the sump, prior to the injection of the minimum volume from the RWST. Placing the inoperable channel in bypass results in a two-out-of-three logic configuration, which satisfies the requirement to allow another failure without disabling actuation of the switchover when required.

Restoring the channel to OPERABLE status or placing the inoperable channel in the bypass condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is sufficient to ensure that the Function remains OPERABLE, and minimizes the time that the Function may be in a partial trip condition (assuming the inoperable channel has failed high). The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is justified in a plant-specific risk assessment, consistent with Reference 8.

If the channel cannot be returned to OPERABLE status or placed in the bypass condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , the unit must be brought to MODE 3 within the following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 5 within the next 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 5, the unit does not have any analyzed transients or conditions that require the explicit use of the protection functions noted above.

The Required Actions are modified by a Note that allows placing a second channel in the bypass condition for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing. The total of 78 hours9.027778e-4 days 0.0217 hours 1.289683e-4 weeks 2.9679e-5 months to (continued)

North Anna Units 1 and 2 B 3.3.2-38 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES ACTIONS 1.1, 1.2.1, and 1.2.2 (continued) reach MODE 3 and 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for a second channel to be bypassed is acceptable based on the results of a plant-specific risk assessment, consistent with Reference 8.

J.1, J.2.1, and J.2.2 Condition J applies to the P-11 and P-12 interlocks.

With one or more channels inoperable, the operator must verify that the interlock is in the required state for the existing unit condition. The verification that the interlocks are in their proper state may be performed via the Control Room permissive status lights. This action manually accomplishes the function of the interlock. Determination must be made within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is equal to the time allowed by LCO 3.0.3 to initiate shutdown actions in the event of a complete loss of ESFAS function. If the interlock is not in the required state (or placed in the required state) for the existing unit condition, the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 4 within the following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. Placing the unit in MODE 4 removes all requirements for OPERABILITY of these interlocks.

SURVEILLANCE The SRs for each ESFAS Function are identified by the SRs REQUIREMENTS column of Table 3.3.2-1.

A Note has been added to the SR Table to clarify that Table 3.3.2-1 determines which SRs apply to which ESFAS Functions.

Note that each channel of process protection supplies both trains of the ESFAS. When testing channel I, train A and train B must be examined. Similarly, train A and train B must be examined when testing channel II, channel III, and channel IV (if applicable). The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies.

North Anna Units 1 and 2 B 3.3.2-39 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE SR 3.3.2.1 REQUIREMENTS (continued) Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and reliability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.

SR 3.3.2.2 SR 3.3.2.2 is the performance of an ACTUATION LOGIC TEST.

The SSPS is tested every 31 days on a STAGGERED TEST BASIS, using the semiautomatic tester. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function. This verifies that the logic modules are OPERABLE. The Frequency of every 31 days on a STAGGERED TEST BASIS is adequate. It is based on industry operating experience, considering instrument reliability and operating history data.

North Anna Units 1 and 2 B 3.3.2-40 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE SR 3.3.2.3 REQUIREMENTS (continued) SR 3.3.2.3 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay coil. Upon master relay contact operation, a low voltage is injected to the slave relay coil.

This voltage is insufficient to pick up the slave relay, but large enough to demonstrate signal path continuity. This test is performed every 31 days on a STAGGERED TEST BASIS.

The time allowed for the surveillance interval is justified in Reference 8.

SR 3.3.2.4 SR 3.3.2.4 is the performance of a COT.

A COT is performed on each required channel to ensure the entire channel will perform the intended Function. Setpoints must be found within the Allowable Values specified in Table 3.3.2-1. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least one per refueling interval with applicable extensions.

The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology. The setpoint shall be left set consistent with the assumptions of the current unit specific setpoint methodology.

The COT for the Containment Pressure Channel includes exercising the transmitter by applying either a vacuum or pressure to the appropriate side of the transmitter.

The Frequency of 92 days is justified in Reference 8.

SR 3.3.2.5 SR 3.3.2.5 is the performance of a SLAVE RELAY TEST. The SLAVE RELAY TEST is the energizing of the slave relays.

Contact operation is verified in one of two ways. Actuation equipment that may be operated in the design mitigation MODE (continued)

North Anna Units 1 and 2 B 3.3.2-41 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE SR 3.3.2.5 (continued)

REQUIREMENTS is either allowed to function, or is placed in a condition where the relay contact operation can be verified without operation of the equipment. Actuation equipment that may not be operated in the design mitigation MODE is prevented from operation by the SLAVE RELAY TEST circuit. For this latter case, contact operation is verified by a continuity check of the circuit containing the slave relay. This test is performed every 92 days. The Frequency is adequate, based on industry operating experience, considering instrument reliability and operating history data.

This SR is modified by a Note that allows an exception for testing of relays which could induce a unit transient, an inadvertent reactor trip or ESF actuation, or cause the inoperability of two or more ESF components.

SR 3.3.2.6 SR 3.3.2.6 is the performance of a TADOT every 92 days. This test is a check of the Loss of Offsite Power Function. The Function is tested up to, and including, the master relay coils. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least one per refueling interval with applicable extensions.

The SR is modified by a Note that excludes verification of setpoints for relays. Relay setpoints require elaborate bench calibration and are verified during CHANNEL CALIBRATION. The Frequency is adequate. It is based on industry operating experience, considering instrument reliability and operating history data.

SR 3.3.2.7 SR 3.3.2.7 is the performance of a TADOT. This test is a check of the Manual Actuation Functions and AFW pump start on trip of all MFW pumps. It is performed every 18 months. Each Manual Actuation Function is tested up to, and including, the master relay coils. A successful test of the required contact(s) of a channel relay may be performed by the (continued)

North Anna Units 1 and 2 B 3.3.2-42 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE SR 3.3.2.7 (continued)

REQUIREMENTS verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least one per refueling interval with applicable extensions.

In some instances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.). The Frequency is adequate, based on industry operating experience and is consistent with the typical refueling cycle. The SR is modified by a Note that excludes verification of setpoints during the TADOT for manual initiation Functions. The manual initiation Functions have no associated setpoints.

SR 3.3.2.8 SR 3.3.2.8 is the performance of a CHANNEL CALIBRATION.

A CHANNEL CALIBRATION is performed every 18 months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor.

The test verifies that the channel responds to measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the unit specific setpoint methodology. The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology.

The Frequency of 18 months is based on the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint methodology.

This SR is modified by a Note stating that this test should include verification that the time constants are adjusted to the prescribed values where applicable.

SR 3.3.2.9 This SR ensures the individual channel ESF RESPONSE TIMES are less than or equal to the maximum values assumed in the accident analysis. Response Time testing acceptance criteria are included in the Technical Requirements Manual (Ref. 9).

(continued)

North Anna Units 1 and 2 B 3.3.2-43 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE SR 3.3.2.9 (continued)

REQUIREMENTS Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor, to the point at which the equipment in both trains reaches the required functional state (e.g., pumps at rated discharge pressure, valves in full open or closed position).

For channels that include dynamic transfer functions (e.g.,

lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer functions set to one with the resulting measured response time compared to the appropriate UFSAR response time. Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.

Response time may be verified by actual response time test in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel.

ESF RESPONSE TIME tests are conducted on an 18 month STAGGERED TEST BASIS. Testing of the final actuation devices, which make up the bulk of the response time, is included in the testing of each channel. The final actuation device in one train is tested with each channel. Therefore, staggered testing results in response time verification of these devices every 18 months. The 18 month Frequency is consistent with the typical refueling cycle and is based on unit operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

This SR is modified by a Note that clarifies that the turbine driven AFW pump is tested within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after reaching 1005 psig in the SGs.

North Anna Units 1 and 2 B 3.3.2-44 Revision 0, 04/02/02

ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE SR 3.3.2.10 REQUIREMENTS (continued) SR 3.3.2.10 is the performance of a TADOT as described in SR 3.3.2.7, except that it is performed for the P-4 Reactor Trip Interlock, and the Frequency is once per RTB train cycle (RTB and associated bypass breaker must be opened at the same time). A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least one per refueling interval with applicable extensions.

This Frequency is based on operating experience demonstrating that undetected failure of the P-4 interlock sometimes occurs when the RTB is cycled.

The SR is modified by a Note that excludes verification of setpoints during the TADOT. The Function tested has no associated setpoint.

REFERENCES 1. UFSAR, Chapter 6.

2. UFSAR, Chapter 7.

3. UFSAR, Chapter 15.

4. IEEE-279-1971.

5. 10 CFR 50.49.

6. RTS/ESFAS Setpoint Methodology Study (Technical Report EE-0116).

7. NUREG-1218, April 1988.

8. WCAP-10271-P-A, Supplement 2, Rev. 1, June 1990 and WCAP-14333-P-A, Rev. 1, October 1998.

9. Technical Requirements Manual.

North Anna Units 1 and 2 B 3.3.2-45 Revision 0, 04/02/02

Intentionally Blank PAM Instrumentation B 3.3.3 B 3.3 INSTRUMENTATION B 3.3.3 Post Accident Monitoring (PAM) Instrumentation BASES BACKGROUND The primary purpose of the PAM instrumentation is to display unit variables that provide information required by the control room operators during accident situations. This information provides the necessary support for the operator to take the manual actions for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for Design Basis Accidents (DBAs).

The OPERABILITY of the accident monitoring instrumentation ensures that there is sufficient information available on selected unit parameters to monitor and to assess unit status and behavior following an accident.

The availability of accident monitoring instrumentation is important so that responses to corrective actions can be observed and the need for, and magnitude of, further actions can be determined. These essential instruments are identified by Reference 1 addressing the recommendations of Regulatory Guide 1.97 (Ref. 2) as required by Supplement 1 to NUREG-0737 (Ref. 3).

The instrument channels required to be OPERABLE by this LCO include two classes of parameters identified during unit specific implementation of Regulatory Guide 1.97 as Type A and Category I variables.

Type A variables are included in this LCO because they provide the primary information required for the control room operator to take specific manually controlled actions for which no automatic control is provided, and that are required for safety systems to accomplish their safety functions for DBAs. Primary information is defined as information that is essential for the direct accomplishment of the specific safety functions; it does not include those variables that are associated with contingency actions that may also be identified in written procedures.

(continued)

North Anna Units 1 and 2 B 3.3.3-1 Revision 0, 04/02/02

PAM Instrumentation B 3.3.3 BASES BACKGROUND Category I variables are the key variables deemed risk (continued) significant because they are needed to:

"*Determine whether other systems important to safety are performing their intended functions;

"* Provide information to the operators that will enable them to determine the likelihood of a gross breach of the barriers to radioactivity release; and

"*Provide information regarding the release of radioactive materials to allow for early indication of the need to initiate action necessary to protect the public, and to estimate the magnitude of any impending threat.

These key variables are identified by the plant specific Regulatory Guide 1.97 analyses (Ref. 1). This report identifies the plant specific Type A and Category I variables and provides justification for deviating from the NRC proposed list of Category I variables.

The specific instrument Functions listed in Table 3.3.3-1 are discussed in the LCO section.

APPLICABLE The PAM instrumentation ensures the operability of SAFETY ANALYSES Regulatory Guide 1.97 Type A and Category I variables so that the control room operating staff can:

"* Perform the diagnosis specified in the emergency operating procedures (these variables are restricted to pre-planned actions for the primary success path of DBAs), e.g., loss of coolant accident (LOCA);

"*Take the specified, pre-planned, manually controlled actions, for which no automatic control is provided, and that are required for safety systems to accomplish their safety function;

"*Determine whether systems important to safety are performing their intended functions;

"* Determine the likelihood of a gross breach of the barriers to radioactivity release;

"* Determine if a gross breach of a barrier has occurred; and (continued)

North Anna Units 1 and 2 B 3.3.3-2 Revision 0, 04/02/02

PAM Instrumentation B 3.3.3 BASES APPLICABLE

Initiate action necessary to protect the public and to SAFETY ANALYSES estimate the magnitude of any impending threat.

(continued)

PAM instrumentation that meets the definition of Type A in Regulatory Guide 1.97 satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii). Category I, non-Type A, instrumentation must be retained in TS because it is intended to assist operators in minimizing the consequences of accidents.

Therefore, Category I, non-Type A, variables are important for reducing public risk.

LCO The PAM instrumentation LCO provides OPERABILITY requirements for Regulatory Guide 1.97 Type A monitors, which provide information required by the control room operators to perform certain manual actions specified in the plant Emergency Operating Procedures. These manual actions ensure that a system can accomplish its safety function, and are credited in the safety analyses. Additionally, this LCO addresses Regulatory Guide 1.97 instruments that have been designated Category I, non-Type A.

The OPERABILITY of the PAM instrumentation ensures there is sufficient information available on selected unit parameters to monitor and assess unit status following an accident.

This capability is consistent with Reference 1.

LCO 3.3.3 requires two OPERABLE channels for most Functions.

Two OPERABLE channels ensure no single failure prevents operators from getting the information necessary for them to determine the safety status of the unit, and to bring the unit to and maintain it in a safe condition following an accident.

Furthermore, OPERABILITY of two channels allows a CHANNEL CHECK during the post accident phase to confirm the validity of displayed information.

The exception to the two channel requirement is Containment Isolation Valve (CIV) Position. In this case, the important information is the status of the containment penetrations.

The LCO requires one position indicator for each active CIV.

This is sufficient to redundantly verify the isolation status of each isolable penetration either via indicated status of the active valve and prior knowledge of a passive valve, or via system boundary status. If a normally active CIV is known to be closed and deactivated, position (continued)

North Anna Units 1 and 2 B 3.3.3-3 Revision 0, 04/02/02

PAM Instrumentation B 3.3.3 BASES LCO indication is not needed to determine status. Therefore, the (continued) position indication for valves in this state is not required to be OPERABLE.

Table 3.3.3-1 lists all Type A and Category I variables identified by the plant specific Regulatory Guide 1.97 analyses (Ref. 1).

Type A and Category I variables are required to meet Regulatory Guide 1.97 Category I (Ref. 2) design and qualification requirements for seismic and environmental qualification, single failure criterion, utilization of emergency standby power, immediately accessible display, continuous readout, and recording of display.

Listed below are discussions of the specified instrument Functions listed in Table 3.3.3-1.

1, 2. Power Ranqe and Source Ranqe Neutron Flux Power Range and Source Range Neutron Flux indication is provided to verify reactor shutdown. This indication is provided by the Gammametric channels. The two ranges are necessary to cover the full range of flux that may occur post accident.

Neutron flux is used for accident diagnosis, verification of subcriticality, and diagnosis of positive reactivity insertion.

3, 4. Reactor Coolant System (RCS) Hot and Cold Leg Temperatures (Wide Ranges)

RCS Hot and Cold Leg Temperature wide range indications are Category I variables provided for verification of core cooling and long term surveillance.

The RCS cold leg temperature is used in conjunction with RCS hot leg temperature to verify the unit conditions necessary to establish natural circulation in the RCS.

The channels provide indication over a range of O°F to 700 0 F.

North Anna Units 1 and 2 B 3.3.3-4 Revision 0, 04/02/02

PAM Instrumentation B 3.3.3 BASES LCO 5. Reactor Coolant System Pressure (Wide Range)

(continued)

RCS wide range pressure is a Category I variable provided for verification of core cooling and RCS integrity long term surveillance.

RCS pressure is used to verify closure of spray line valves and pressurizer power operated relief valves (PORVs).

In addition to these verifications, RCS pressure is used for determining RCS subcooling margin. RCS subcooling margin will allow termination of safety injection (SI),

if still in progress, or reinitiation of SI if it has been stopped. RCS pressure can also be used:

"*to determine whether to terminate actuated SI or to reinitiate stopped SI;

"* to determine when to reset SI and shut off low head SI;

"* to manually restart low head SI;

"*to make a decision on operation of reactor coolant pumps (RCPs); and

"*to make a determination on the nature of the accident in progress and where to go next in the procedure.

RCS subcooling margin is also used for unit stabilization and cooldown control.

RCS pressure is also related to three decisions about depressurization. They are:

"*to determine whether to proceed with primary system depressurization;

"* to verify termination of depressurization; and

"*to determine whether to close accumulator isolation valves during a controlled cooldown/depressurization.

Another use of RCS pressure is to determine whether to operate the pressurizer heaters.

(continued)

North Anna Units 1 and 2 B 3.3.3-5 Revision 0, 04/02/02

PAM Instrumentation B 3.3.3 BASES LCO 5. Reactor Coolant System Pressure (Wide Range) (continued)

RCS pressure is a Type A variable because the operator uses this indication to monitor subcooling margin during the cooldown of the RCS following a steam generator tube rupture (SGTR) or small break LOCA. Operator actions to maintain a controlled cooldown, such as adjusting steam generator (SG) pressure or level, would use this indication.

6. Inadequate Core Cooling Monitoring (ICCM) System The ICCM consists of three functional subsystems. Each subsystem is composed of two instrumentation trains. The three subsystems of ICCM are: the Reactor Vessel Level Instrumentation System (RVLIS); Core Exit Temperature Monitoring (CETM); and Subcooling Margin Monitor (SMM).

The functions provided by the subsystems are discussed below.

6.a Reactor Vessel Level Instrumentation System RVLIS is provided for verification and long term surveillance of core cooling. It is also used to determine reactor coolant inventory adequacy.

The RVLIS provides a measurement of the collapsed liquid level above the upper core plate. The collapsed level represents the amount of liquid mass that is in the reactor vessel above the core. Measurement of the collapsed water level is selected because it is an indication of the water inventory.

6.b Reactor Coolant System Subcooling Margin Monitor The RCS SMM is a Category I variable provided for verification of core cooling. The SMM subsystem calculates the margin to saturation for the RCS from inputs of wide range RCS pressure transmitters and the average of the five highest temperature core exit thermocouples. The two trains of SMM receive inputs from separate trains of pressure transmitters and core exit thermocouples (CETs).

(continued)

North Anna Units 1 and 2 B 3.3.3-6 Revision 0, 04/02/02

PAM Instrumentation B 3.3.3 BASES LCO 6.b Reactor Coolant System Subcooling Margin Monitor (continued)

The SMM indicators are redundant to the information provided by the RCS hot and cold leg temperature and RCS wide range pressure indicators. RCS subcooling margin will allow termination of SI, if still in progress, or reinitiating of SI if it has been secured. RCS subcooling margin is also used for unit stabilization, cooldown control, and RCP trip criteria. The SMM indicates the degree of subcooling from -350F (superheated) to +200'F (subcooled).

6.c Core Exit Temperature Monitoring CETM is provided for verification and long term surveillance of core cooling. Two OPERABLE CETs per channel are required in each core quadrant to provide indication of radial distribution of the coolant temperature rise across representative regions of the core. Two sets of two thermocouples ensure a single failure will not disable the ability to determine the radial temperature gradient. Monitoring of the CETs is available through the Inadequate Core Cooling Monitor.

Different CETs are connected to their respective channel, so a single CET failure does not affect both channels. The following CET indication is provided in the control room:

"*Five hottest thermocouples (ranked from highest to lowest);

"*Maximum, Average, and Minimum temperatures for each quadrant; and

"*Average of the five high thermocouples.

7. Containment Sump Water Level (Wide Range)

Containment Sump Water Level is provided for verification and long term surveillance of RCS integrity.

Containment Sump Water Level is used for accident diagnosis.

North Anna Units 1 and 2 B 3.3.3-7 Revision 0, 04/02/02

PAM Instrumentation B 3.3.3 BASES LCO 8, 9. Containment Pressure and Containment Pressure Wide Range (continued)

Containment Pressure and Containment Pressure Wide Range are provided for verification of RCS and containment OPERABILITY.

Containment Pressure channels are used to verify Safety Injection (SI) initiation and Phase A isolation on a Containment Pressure-High signal. These channels are also used to verify closure of the Main Steam Trip Valves on a Containment Pressure-Intermediate High High signal.

The Containment Pressure channels are also used to verify initiation of Containment Spray and Phase B isolation on a Containment Pressure-High High signal.

10. Penetration Flow Path Containment Isolation Valve Position CIV Position is provided for verification of Containment OPERABILITY, and Phase A and Phase B isolation.

When used to verify Phase A and Phase B isolation, the important information is the isolation status of the containment penetrations. The LCO requires one channel of valve position indication in the control room to be OPERABLE for each active CIV in a containment penetration flow path, i.e., two total channels of CIV position indication for a penetration flow path with two active valves. For containment penetrations with only one active CIV having control room indication, Note (b) requires a single channel of valve position indication to be OPERABLE. This is sufficient to redundantly verify the isolation status of each isolable penetration either via indicated status of the active valve, as applicable, and prior knowledge of a passive valve, or via system boundary status. If a normally active CIV is known to be closed and deactivated, position indication is not needed to determine status. Therefore, the position indication for valves in this state is not required to be OPERABLE. Note (a) to the Required Channels states that the Function is not required for isolation valves whose associated penetration is isolated by at least one closed and deactivated automatic valve, closed manual valve, blind flange, or check valve with flow through the valve secured. Each penetration is treated separately and each penetration flow path is considered a separate function. Therefore, separate Condition entry is allowed for each inoperable penetration flow path.

North Anna Units 1 and 2 B 3.3.3-8 Revision 0, 04/02/02

PAM Instrumentation B 3.3.3 BASES LCO 11. Containment Area Radiation (High Range)

(continued)

Containment Area Radiation is provided to monitor for the potential of significant radiation releases and to provide release assessment for use by operators in determining the need to invoke site emergency plans.

Containment radiation level is used to determine if adverse containment conditions exist.

12. Containment Hydrogen Analyzers Containment hydrogen analyzers are provided to detect high hydrogen concentration conditions that represent a potential for containment breach from a hydrogen explosion. This variable is also important in verifying the adequacy of mitigating actions. The containment hydrogen analyzers are shared between units.

13. Pressurizer Level Pressurizer Level is used to determine whether to terminate SI, if still in progress, or to reinitiate SI if it has been stopped. Knowledge of pressurizer water level is also used to verify the unit conditions necessary to establish natural circulation in the RCS and to verify that the unit is maintained in a safe shutdown condition.

14, 15. Steam Generator Water Level (Wide and Narrow Ranges)

SG Water Level is provided to monitor operation of decay heat removal via the SGs. Both wide and narrow ranges are Category I indications of SG level. The wide range level covers a span of +7 to -41 feet from nominal full load water level. The narrow range instrument covers from +7 to -5 feet of nominal full load water level.

The level signals are inputs to the unit computer, control room indicators, and the Auxiliary Feedwater System.

SG Water Level is used to:

"*identify the affected SG following a tube rupture;

"*verify that the intact SGs are an adequate heat sink for the reactor; (continued)

North Anna Units 1 and 2 B 3.3.3-9 Revision 0, 04/02/02

PAM Instrumentation B 3.3.3 BASES LCO 14, 15. Steam Generator Water Level (Wide and Narrow Ranges)

(continued)

"*determine the nature of the accident in progress (e.g., verify a SGTR); and

"*verify unit conditions for termination of SI during secondary unit High Energy Line Breaks (HELBs) outside containment.

Operator action is based on the control room indication of SG level. The RCS response during a design basis small break LOCA depends on the break size. For a certain range of break sizes, a secondary heat sink is necessary to remove decay heat. Narrow range level is a Type A variable because the operator must manually raise and control SG level.

16. Emergency Condensate Storage Tank (ECST) Level ECST Level is provided to ensure water supply for auxiliary feedwater (AFW). The ECST provides the ensured safety grade water supply for the AFW System. Inventory is monitored by a 0% to 100% level indication and ECST Level is displayed on a control room indicator.

The DBAs that require AFW are the loss of offsite electric power, loss of normal feedwater, SGTR, steam line break (SLB), and small break LOCA.

The ECST is the initial source of water for the AFW System. However, as the ECST is depleted, manual operator action is necessary to replenish the ECST.

17. Steam Generator Pressure SG pressure is a Category I variable and provides an indication of the integrity of a steam generator. This indication can provide important information in the event of a faulted or ruptured steam generator.

18. High Head Safety Injection (HHSI) Flow Total HHSI flow to the RCS cold legs is a Type A variable and provides an indication of the total borated water supplied to the RCS. For the small break LOCA, HHSI flow may be the only source of borated water that is injected (continued)

North Anna Units 1 and 2 B 3.3.3-10 Revision 0, 04/02/02

PAM Instrumentation B 3.3.3 BASES LCO 18. High Head Safety Injection (HHSI) Flow (continued) into the RCS. Total HHSI flow is a Type A variable because it provides an indication to the operator for the RCP trip criteria.

APPLICABILITY The PAM instrumentation LCO is applicable in MODES 1, 2, and 3. These variables are related to the diagnosis and pre-planned actions required to mitigate DBAs. The applicable DBAs are assumed to occur in MODES 1, 2, and 3. In MODES 4, 5, and 6, unit conditions are such that the likelihood of an event that would require PAM instrumentation is low; therefore, the PAM instrumentation is not required to be OPERABLE in these MODES.

ACTIONS A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed on Table 3.3.3-1. The Completion Time(s) of the inoperable channel(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

A.1 Condition A applies when one or more Functions have one required channel that is inoperable. Required Action A.1 requires restoring the inoperable channel to OPERABLE status within 30 days. The 30 day Completion Time is based on operating experience and takes into account the remaining OPERABLE channel (or in the case of a Function that has only one required channel, other non-Regulatory Guide 1.97 instrument channels to monitor the Function), the passive nature of the instrument (no critical automatic action is assumed to occur from these instruments), and the low probability of an event requiring PAM instrumentation during this interval.

B.1 Condition B applies when the Required Action and associated Completion Time for Condition A are not met. This Required Action specifies initiation of actions in Specification 5.6.6, which requires a written report to be submitted to the NRC immediately. This report discusses the results of the (continued)

North Anna Units 1 and 2 B 3.3.3-11 Revision 0, 04/02/02

PAM Instrumentation B 3.3.3 BASES ACTIONS B.1 (continued) root cause evaluation of the inoperability and identifies proposed restorative actions. This action is appropriate in lieu of a shutdown requirement since alternative actions are identified before loss of functional capability, and given the likelihood of unit conditions that would require information provided by this instrumentation.

C.1 Condition C applies when one or more Functions have two inoperable required channels (i.e., two channels inoperable in the same Function). Required Action C.1 requires restoring one channel in the Function(s) to OPERABLE status within 7 days. The Completion Time of 7 days is based on the relatively low probability of an event requiring PAM instrument operation and the availability of alternate means to obtain the required information. Continuous operation with two required channels inoperable in a Function is not acceptable because the alternate indications may not fully meet all performance qualification requirements applied to the PAM instrumentation. Therefore, requiring restoration of one inoperable channel of the Function limits the risk that the PAM Function will be in a degraded condition should an accident occur.

D.1 and D.2 If the Required Action and associated Completion Time of Condition D is not met the unit must be brought to a MODE where the requirements of this LCO do not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power in an orderly manner and without challenging unit systems.

SURVEILLANCE A Note has been added to the SR Table to clarify that REQUIREMENTS SR 3.3.3.1 and SR 3.3.3.3 apply to each PAM instrumentation Function in Table 3.3.3-1 with the exception that SR 3.3.3.3 is not required to be performed on the containment hydrogen analyzers or the containment isolation valve position (continued)

North Anna Units 1 and 2 B 3.3.3-12 Revision 0, 04/02/02

PAM Instrumentation B 3.3.3 BASES SURVEILLANCE indication. SR 3.3.3.2 is required to be performed on the REQUIREMENTS containment hydrogen analyzers. SR 3.3.3.4 is required for (continued) the containment isolation valve position indication.

SR 3.3.3.1 Performance of the CHANNEL CHECK once every 31 days ensures that a gross instrumentation failure has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. The high radiation instrumentation should be compared to similar unit instruments located throughout the unit.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE.

As specified in the SR, a CHANNEL CHECK is only required for those channels that are normally energized.

The Frequency of 31 days is based on operating experience that demonstrates that channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.

SR 3.3.3.2 A CHANNEL CALIBRATION is performed on the containment hydrogen analyzers every 92 days and uses a gas solution containing a one volume percent (+/- 0.25%) of hydrogen and a sample of four volume percent (+/- 0.25%) of hydrogen with the balance of each gas sample being nitrogen. The containment hydrogen analyzer heat trace system is verified OPERABLE as a part of this surveillance.

North Anna Units 1 and 2 B 3.3.3-13 Revision 0, 04/02/02

PAM Instrumentation B 3.3.3 BASES SURVEILLANCE SR 3.3.3.3 REQUIREMENTS (continued) A CHANNEL CALIBRATION is performed every 18 months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor.

The test verifies that the channel responds to measured parameter with the necessary range and accuracy. This SR is modified by a Note that excludes neutron detectors. Whenever a sensing element is replaced, the next required CHANNEL CALIBRATION of the CET sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element. The Frequency is based on operating experience and consistency with the typical industry refueling cycle.

SR 3.3.3.4 SR 3.3.3.4 is the performance of a TADOT of containment isolation valve position indication. This TADOT is performed every 18 months. The test shall independently verify the OPERABILITY of containment isolation valve position indication against the actual position of the valves.

The Frequency is based on the known reliability of the Functions, and has been shown to be acceptable through operating experience.

REFERENCES 1. Technical Report PE-0013.

2. Regulatory Guide 1.97, May 1983.

3. NUREG-0737, Supplement 1, "TMI Action Items."

North Anna Units 1 and 2 B 3.3.3-14 Revision 0, 04/02/02

Remote Shutdown System B 3.3.4 B 3.3 INSTRUMENTATION B 3.3.4 Remote Shutdown System BASES BACKGROUND The Remote Shutdown System provides the control room operator with sufficient instrumentation and controls to maintain the unit in a safe shutdown condition from a location other than the control room. This capability is necessary to protect against the possibility that the control room becomes inaccessible. A safe shutdown condition is defined as MODE 3. With the unit in MODE 3, the Auxiliary Feedwater (AFW) System and the steam generator (SG) power operated relief valves (PORVs) can be used to remove core decay heat and meet all safety requirements. The long term supply of water for the AFW System and the ability to borate the Reactor Coolant System (RCS) from outside the control room allows extended operation in MODE 3.

If the control room becomes inaccessible, the operators can establish control at the auxiliary shutdown panel, and maintain the unit in MODE 3. Not all controls and necessary transfer switches are located at the auxiliary shutdown panel. Some controls and transfer switches will have to be operated locally at the switchgear, motor control panels, or other local stations. The unit automatically reaches MODE 3 following a unit shutdown and can be maintained safely in MODE 3 for an extended period of time.

The OPERABILITY of the remote shutdown control and instrumentation functions ensures there is sufficient information available on selected unit parameters to maintain the unit in MODE 3 should the control room become inaccessible.

APPLICABLE The Remote Shutdown System is required to provide equipment SAFETY ANALYSES at appropriate locations outside the control room with a capability to maintain the unit in a safe condition in MODE 3.

The criteria governing the design and specific system requirements of the Remote Shutdown System are located in Reference 1.

The Remote Shutdown System satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).

North Anna Units 1 and 2 B 3.3.4-1 Revision 0, 04/02/02

Remote Shutdown System B 3.3.4 BASES LCO The Remote Shutdown System LCO provides the OPERABILITY requirements of the instrumentation and controls necessary to maintain the unit in MODE 3 from a location other than the control room. The instrumentation and controls required are listed in Table B 3.3.4-1.

The controls, instrumentation, and transfer switches are required for:

Core reactivity control (long term);

RCS pressure control; Decay heat removal via the AFW System and the SG PORVs; and RCS inventory control via charging flow.

A Function of a Remote Shutdown System is OPERABLE if all instrument and control channels needed to support the Remote Shutdown System Function are OPERABLE. In some cases, Table B 3.3.4-1 may indicate that the required information or control capability is available from several alternate sources. In these cases, the Function is OPERABLE as long as one channel of any of the alternate information or control sources is OPERABLE.

The remote shutdown instrument and control circuits covered by this LCO do not need to be energized to be considered OPERABLE. This LCO is intended to ensure the instruments and control circuits will be OPERABLE if unit conditions require that the Remote Shutdown System be placed in operation.

APPLICABILITY The Remote Shutdown System LCO is applicable in MODES 1, 2, and 3. This is required so that the unit can be maintained in MODE 3 for an extended period of time from a location other than the control room.

This LCO is not applicable in MODE 4, 5, or 6. In these MODES, the facility is already subcritical and in a condition of reduced RCS energy. Under these conditions, considerable time is available to restore necessary instrument control functions if control room instruments or controls become unavailable.

North Anna Units 1 and 2 B 3.3.4-2 Revision 0, 04/02/02

Remote Shutdown System B 3.3.4 BASES ACTIONS A Remote Shutdown System function is inoperable when the function is not accomplished by at least one designed Remote Shutdown System channel that satisfies the OPERABILITY criteria for the channel's Function. These criteria are outlined in the LCO section of the Bases.

A Note has been added to the ACTIONS to clarify the application of Completion Time rules. Separate Condition entry is allowed for each Function. The Completion Time(s) of the inoperable channel(s)/train(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

A.1 Condition A addresses the situation where one or more required Functions of the Remote Shutdown System are inoperable. This includes the control and transfer switches for any required function.

The Required Action is to restore the required Function to OPERABLE status within 30 days. The Completion Time is based on operating experience and the low probability of an event that would require evacuation of the control room.

B.1 and B.2 If the Required Action and associated Completion Time of Condition A is not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.3.4.1 REQUIREMENTS Performance of the CHANNEL CHECK once every 31 days ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of (continued)

North Anna Units 1 and 2 B 3.3.4-3 Revision 0, 04/02/02

Remote Shutdown System B 3.3.4 BASES SURVEILLANCE SR 3.3.4.1 (continued)

REQUIREMENTS excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and readability. If the channels are within the criteria, it is an indication that the channels are OPERABLE. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

As specified in the Surveillance, a CHANNEL CHECK is only required for those channels which are normally energized.

The Frequency of 31 days is based upon operating experience which demonstrates that channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.

SR 3.3.4.2 SR 3.3.4.2 verifies each required Remote Shutdown System control circuit and transfer switch performs the intended function. This verification is performed from the remote shutdown panel and locally, as appropriate. Operation of the equipment from the remote shutdown panel is not necessary.

The Surveillance can be satisfied by performance of a continuity check. This will ensure that if the control room becomes inaccessible, the unit can be maintained in MODE 3 from the remote shutdown panel and the local control stations. The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a unit outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. (However, this Surveillance is not required to be performed only during a unit outage.)

Operating experience demonstrates that remote shutdown control channels usually pass the Surveillance test when performed at the 18 month Frequency.

North Anna Units 1 and 2 B 3.3.4-4 Revision 0, 04/02/02

Remote Shutdown System B 3.3.4 BASES SURVEILLANCE SR 3.3.4.3 REQUIREMENTS (continued) CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

Whenever a sensing element is replaced, the next required CHANNEL CALIBRATION of the resistance temperature detector (RTD) sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.

The Frequency of 18 months is based upon operating experience and consistency with the refueling cycle.

REFERENCES 1. UFSAR, Chapter 3.

North Anna Units 1 and 2 B 3.3.4-5 Revision 0, 04/02/02

Remote Shutdown System B 3.3.4 Table B 3.3.4-1 (page 1 of 1)

Remote Shutdown System Instrumentation and Controls FUNCTION/INSTRUMENT REQUIRED OR CONTROL PARAMETER NUMBER OF FUNCTIONS

1. Reactivity Control

a. Boric Acid Pump controls 1

2. Reactor Coolant System (RCS) Pressure Control

a. Pressurizer Pressure indications I

b. Pressurizer Heater controls 1

3. Decay Heat Removal via Steam Generators (SGs)

a. RCS Tavg Temperature indication 1 loop

b. AFW Pump and Valve controls 1

c. SG Pressure indication 1

d. SG Level (Wide Range) indication 1

e. SG Power Operated Relief Valve controls 1

f. AFW Discharge Header Pressure indication 1

g. Emergency Condensate Storage Tank Level indication 1

4. RCS Inventory Control

a. Pressurizer Level indication I

b. Charging Pump controls i

c. Charging Flow control i North Anna Units 1 and 2 B 3.3.4-6 Revision 0, 04/02/02

LOP EDG Start Instrumentation B 3.3.5 B 3.3 INSTRUMENTATION B 3.3.5 Loss of Power (LOP) Emergency Diesel Generator (EDG) Start Instrumentation BASES BACKGROUND The EDGs provide a source of emergency power when offsite power is either unavailable or is insufficiently stable to allow safe unit operation. Undervoltage protection will generate an LOP start if a loss of voltage or degraded voltage condition occurs on the emergency buses. There are two required LOP start signals for each 4.16 kV emergency bus.

Undervoltage relays are provided on each 4160 V Class 1E bus for detecting a loss of bus voltage or a sustained degraded voltage condition. The relays are combined in a two-out-of-three logic to generate a LOP signal. A loss of voltage start of the EDG is initiated when the voltage is less than 74% of rated voltage and lasts for approximately 2 seconds. A degraded voltage start of the EDG is produced when the voltage is less than 90% of rated voltage sustained for approximately 56 seconds. The time delay for the degraded voltage start signal is reduced to approximately 7.5 seconds with the presence of a Safety Injection signal for the H and J bus on this unit.

One 4160 VAC bus from the other unit is needed to support operation of each required Service Water (SW) pump, Main Control Room/Emergency Switchgear Room (MCR/ESGR) Emergency Ventilation System (EVS) fan, and Auxiliary Building central exhaust fan. SW, MCR/ESGR EVS, and Auxiliary Building central exhaust systems are shared systems.

The Allowable Value in conjunction with the trip setpoint and LCO establishes the threshold for Engineered Safety Features Actuation System (ESFAS) action to prevent exceeding acceptable limits such that the consequences of Design Basis Accidents (DBAs) will be acceptable. The Allowable Value is considered a limiting value such that a channel is OPERABLE if the setpoint is found not to exceed the Allowable Value during the CHANNEL CALIBRATION. Note that, although a channel is OPERABLE under these circumstances, the setpoint must be left adjusted to within the established calibration tolerance band of the setpoint in accordance with uncertainty assumptions stated in the (continued)

North Anna Units 1 and 2 B 3.3.5-1 Revision 0, 04/02/02

LOP EDG Start Instrumentation B 3.3.5 BASES BACKGROUND referenced setpoint methodology, (as-left-criteria) and (continued) confirmed to be operating with the statistical allowances of the uncertainty terms assigned.

Allowable Values and LOP EDG Start Instrumentation Setpoints The trip setpoints are summarized in Reference 3. The selection of the Allowable Values is such that adequate protection is provided when all sensor and processing time delays are taken into account.

Setpoints adjusted consistent with the requirement of the Allowable Value ensure that the consequences of accidents will be acceptable, providing the unit is operated from within the LCOs at the onset of the accident and that the equipment functions as designed.

Allowable Values are specified for each Function in SR 3.3.5.2. Nominal trip setpoints are also specified in the unit specific setpoint calculations and listed in the Technical Requirements Manual (TRM) (Ref. 2). The trip setpoints are selected to ensure that the setpoint measured by the surveillance procedure does not exceed the Allowable Value if the relay is performing as required. If the measured setpoint does not exceed the Allowable Value, the relay is considered OPERABLE. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within the Allowable Value, is acceptable provided that operation and testing is consistent with the assumptions of the unit specific setpoint calculation (Ref. 3).

APPLICABLE The LOP EDG start instrumentation is required for the SAFETY ANALYSES Engineered Safety Features (ESF) Systems to function in any accident with a loss of offsite power. Its design basis is that of the ESFAS.

Accident analyses credit the loading of the EDG based on the loss of offsite power during a loss of coolant accident (LOCA). The actual EDG start has historically been associated with the ESFAS actuation. The EDG loading has been included in the delay time associated with each safety system component requiring EDG supplied power following a loss of offsite power. The analyses assume a non-mechanistic EDG loading, which does not explicitly account for each individual component of loss of power detection and subsequent actions.

(continued)

North Anna Units 1 and 2 B 3.3.5-2 Revision 0, 04/02/02

LOP EDG Start Instrumentation B 3.3.5 BASES APPLICABLE The required channels of LOP EDG start instrumentation, in SAFETY ANALYSES conjunction with the ESF systems powered from the EDGs, (continued) provide unit protection in the event of any of the analyzed accidents discussed in Reference 5, in which a loss of offsite power is assumed.

The delay times assumed in the safety analysis for the ESF equipment include the 10 second EDG start delay, and the appropriate sequencing delay, if applicable. The response times for ESFAS actuated equipment in LCO 3.3.2, "Engineered Safety Feature Actuation System (ESFAS) Instrumentation,"

include the appropriate EDG loading and sequencing delay if applicable.

The LOP EDG start instrumentation channels satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO The LCO for LOP EDG start instrumentation requires that three channels per bus of both the loss of voltage and degraded voltage Functions shall be OPERABLE in MODES 1, 2, 3, and 4 when the LOP EDG start instrumentation supports safety systems associated with the ESFAS. This is associated with the requirement of LCO 3.3.5.a for this unit's H and J buses. LCO 3.3.5.b specifies that for a required H and/or J bus on the other unit that is needed to support a required shared component for this unit, the LOP EDG start instrumentation for the required bus must be OPERABLE. The other unit's required H and/or J bus are required to be OPERABLE to support the SW, MCR/ESGR EVS, and Auxiliary Building Central Exhaust functions needed for this unit.

These Functions share components, pumps, or fans, which are electrically powered from both units. A channel is OPERABLE with a trip setpoint value outside its calibration tolerance band provided the trip setpoint "as-found" value does not exceed its associated Allowable Value and provided the trip setpoint "as-left" value is adjusted to a value within the "as-left" calibration tolerance band of the trip setpoint. A trip setpoint may be set more conservative than the trip setpoint specified in the TRM (Ref. 2) as necessary in response to unit conditions. In MODES 5 or 6, the three channels must be OPERABLE whenever the associated EDG is required to be OPERABLE to ensure that the automatic start of the EDG is available when needed. Loss of the LOP EDG Start Instrumentation Function could result in the delay of safety systems initiation when required. This could lead to unacceptable consequences during accidents. During the loss (continued)

North Anna Units 1 and 2 B 3.3.5-3 Revision 0, 04/02/02

LOP EDG Start Instrumentation B 3.3.5 BASES LCO of offsite power the EDG powers the motor driven auxiliary (continued) feedwater pumps. Failure of these pumps to start would leave only one turbine driven pump, as well as an increased potential for a loss of decay heat removal through the secondary system.

APPLICABILITY The LOP EDG Start Instrumentation Functions are required in MODES 1, 2, 3, and 4 because ESF Functions are designed to provide protection in these MODES. Actuation in MODE 5 or 6 is required whenever the required EDG must be OPERABLE so that it can perform its function on a LOP or degraded power to the vital bus.

ACTIONS In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the channel is found inoperable, then the function that channel provides must be declared inoperable and the LCO Condition entered for the particular protection function affected.

Because the required channels are specified on a per bus basis, the Condition may be entered separately for each bus as appropriate.

A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in the LCO and for each emergency bus. The Completion Time(s) of the inoperable channel(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function for the associated emergency bus.

A.1 Condition A applies to the LOP EDG start Function with one loss of voltage or degraded voltage channel per bus inoperable.

If one channel is inoperable, Required Action A.1 requires that channel to be placed in trip within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . A plant-specific risk assessment, consistent with Reference 4, was performed to justify the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time. With a channel in trip, the LOP EDG start instrumentation channels are configured to provide a one-out-of-two logic to initiate a trip of the incoming offsite power.

(continued)

North Anna Units 1 and 2 B 3.3.5-4 Revision 0, 04/02/02

LOP EDG Start Instrumentation B 3.3.5 BASES ACTIONS A.1 (continued)

A Note is added to allow bypassing an inoperable channel for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing of other channels. A plant-specific risk assessment, consistent with Reference 4, was performed to justify the 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months time limit. This allowance is made where bypassing the channel does not cause an actuation and where normally, excluding required testing, two other channels are monitoring that parameter.

The specified Completion Time and time allowed for bypassing one channel are reasonable considering the Function remains fully OPERABLE on every bus and the low probability of an event occurring during these intervals.

B.1 Condition B applies when more than one loss of voltage or more than one degraded voltage channel on an emergency bus is inoperable.

Required Action B.1 requires restoring all but one channel to OPERABLE status. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time should allow ample time to repair most failures and takes into account the low probability of an event requiring an LOP start occurring during this interval.

C.1 Condition C applies to each of the LOP EDG start Functions when the Required Action and associated Completion Time for Condition A or B are not met.

In these circumstances the Conditions specified in LCO 3.8.1, "AC Sources-Operating," or LCO 3.8.2, "AC Sources-Shutdown," for the EDG made inoperable by failure of the LOP EDG start instrumentation are required to be entered immediately. The actions of those LCOs provide for adequate compensatory actions to assure unit safety.

SURVEILLANCE SR 3.3.5.1 REQUIREMENTS SR 3.3.5.1 is the performance of a TADOT for channels required by LCO 3.3.5.a and LCO 3.3.5.b. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a (continued)

North Anna Units 1 and 2 B 3.3.5-5 Revision 0, 04/02/02

LOP EDG Start Instrumentation B 3.3.5 BASES SURVEILLANCE SR 3.3.5.1 (continued)

REQUIREMENTS single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at an 18 month frequency with applicable extensions. This test is performed every 92 days.

The test checks trip devices that provide actuation signals directly, bypassing the analog process control equipment.

The SR is modified by a Note that excludes verification of setpoints from the TADOT. Since this SR applies to the loss of voltage and degraded voltage relays for the 4160 VAC emergency buses, setpoint verification requires elaborate bench calibration and is accomplished during the CHANNEL CALIBRATION. Each train or logic channel shall be functionally tested up to and including input coil continuity testing of the ESF slave relay. The Frequency is based on the known reliability of the relays and controls and the multichannel redundancy available, and has been shown to be acceptable through operating experience.

SR 3.3.5.2 SR 3.3.5.2 is the performance of a CHANNEL CALIBRATION for channels required by LCO 3.3.5.a and LCO 3.3.5.b.

The setpoints, as well as the response to a loss of voltage and a degraded voltage test, shall include a single point verification that the trip occurs within the required time delay, as shown in Reference 1.

A CHANNEL CALIBRATION is performed every 18 months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor.

The test verifies that the channel responds to a measured parameter within the necessary range and accuracy. The verification of degraded voltage with a SI signal is not required by LCO 3.3.5.b.

The Frequency of 18 months is based on operating experience and consistency with the typical industry refueling cycle and is justified by the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

North Anna Units 1 and 2 B 3.3.5-6 Revision 0, 04/02/02

LOP EDG Start Instrumentation B 3.3.5 BASES SURVEILLANCE SR 3.3.5.3 REQUIREMENTS (continued) This SR ensures the individual channel ESF RESPONSE TIMES are less than or equal to the maximum values assumed in the accident analysis for channels required by LCO 3.3.5.a and LCO 3.3.5.b. Response Time testing acceptance criteria are included in the TRM (Ref. 2).

Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor, to the point at which the equipment in both trains reaches the required functional state (e.g., pumps at rated discharge pressure, valves in full open or closed position).

For channels that include dynamic transfer functions (e.g.,

lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer functions set to one with the resulting measured response time compared to the appropriate TRM response time. Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.

Response time may be verified by actual response time test in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel.

ESF RESPONSE TIME tests are conducted on an 18 month STAGGERED TEST BASIS. Testing of the final actuation devices, which make up the bulk of the response time, is included in the testing of each channel. The final actuation device in one train is tested with each channel. Therefore, staggered testing results in response time verification of these devices every 18 months. The 18 month Frequency is consistent with the typical refueling cycle and is based on unit operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

North Anna Units 1 and 2 B 3.3.5-7 Revision 0, 04/02/02

LOP EDG Start Instrumentation B 3.3.5 BASES REFERENCES 1. UFSAR, Section 8.3.

2. Technical Requirements Manual.

3. RTS/ESFAS Setpoint Methodology Study (Technical Report EE-O116).

4. WCAP 14333-P-A, Rev. 1, October 1998.

5. UFSAR, Chapter 15.

North Anna Units 1 and 2 B 3.3.5-8 Revision 0, 04/02/02

RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.1 RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB) Limits BASES BACKGROUND These Bases address requirements for maintaining RCS pressure, temperature, and flow rate within limits assumed in the safety analyses. The safety analyses (Ref. 1) of normal operating conditions and anticipated operational occurrences assume initial conditions within the normal steady state envelope. The limits placed on RCS pressure, temperature, and flow rate ensure that the minimum departure from nucleate boiling ratio (DNBR) will be met for each of the transients analyzed.

The RCS pressure limit is consistent with operation within the nominal operational envelope. Pressurizer pressure indications are compared to the limit. A lower pressure will cause the reactor core to approach DNB limits.

The RCS coolant average temperature limit is consistent with full power operation within the nominal operational envelope. RCS loop average temperature is compared to the limit. A higher average temperature will cause the core to approach DNB limits.

The RCS flow rate normally remains constant during an operational fuel cycle with all pumps running. The minimum RCS flow limit corresponds to that assumed for DNB analyses.

Flow rate indications are averaged to come up with a value for comparison to the limit. A lower RCS flow will cause the core to approach DNB limits.

Operation for significant periods of time outside these DNB limits increases the likelihood of a fuel cladding failure in a DNB limited event.

APPLICABLE The requirements of this LCO represent the initial SAFETY ANALYSES conditions for DNB limited transients analyzed in the unit safety analyses (Ref. 1). The safety analyses have shown that transients initiated from the limits of this LCO will result in meeting the DNBR criterion. The limits on the DNB related parameters assure that each of the parameters are maintained within the normal steady state envelope of (continued)

North Anna Units 1 and 2 B 3.4.1-1 Revision 0, 04/02/02

RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 BASES APPLICABLE operation assumed in the transient and accident analysis.

SAFETY ANALYSES The limits have been analytically demonstrated to be (continued) adequate to maintain a minimum DNBR greater than the design limit throughout each analyzed transient including allowances for measurement uncertainties. Changes to the unit that could impact these parameters must be assessed for their impact on the DNBR criteria. The transients analyzed for include loss of coolant flow events and dropped or stuck rod events. A key assumption for the analysis of these events is that the core power distribution is within the limits of LCO 3.1.6, "Control Bank Insertion Limits"; LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)"; and LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)."

The pressurizer pressure limit and RCS average temperature limit specified in the COLR equal the analytical limits because of the application of statistical combination of uncertainty.

The RCS DNB parameters satisfy Criterion 2 of 10 CFR 50.36(c) (2) (ii).

LCO This LCO specifies limits on the monitored process variables-pressurizer pressure, RCS average temperature, and RCS total flow rate-to ensure the core operates within the limits assumed in the safety analyses. These variables are contained in the COLR to provide operating and analysis flexibility from cycle to cycle. However, the minimum RCS flow, usually based on the maximum analyzed steam generator tube plugging, is retained in the LCO. Operating within these limits will result in meeting the DNBR criterion in the event of a DNB limited transient.

The numerical values for pressure, temperature, and flow rate specified in the COLR are given for the measurement location have been adjusted for instrument error.

APPLICABILITY In MODE 1, the limits on pressurizer pressure, RCS coolant average temperature, and RCS flow rate must be maintained during steady state operation in order to ensure DNBR criteria will be met in the event of an unplanned loss of forced coolant flow or other DNB limited transient. The (continued)

North Anna Units 1 and 2 B 3.4.1-2 Revision 0, 04/02/02

RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 BASES APPLICABILITY design basis events that are sensitive to DNB in other MODES (continued) (MODE 2 through 5) have sufficient margin to DNB, and therefore, there is no reason to restrict DNB in these MODES.

A Note has been added to indicate the limit on pressurizer pressure is not applicable during short term operational transients such as a THERMAL POWER ramp increase > 5% RTP per minute or a THERMAL POWER step increase > 10% RTP. These conditions represent short term perturbations where actions to control pressure variations might be counterproductive.

Also, since they represent transients initiated from power levels < 100% RTP, an increased DNBR margin exists to offset the temporary pressure variations.

The DNBR limit is provided in SL 2.1.1, "Reactor Core SLs."

The conditions which define the DNBR limit are less restrictive than the limits of this LCO, but violation of a Safety Limit (SL) merits a stricter, more severe Required Action. Should a violation of this LCO occur, the operator must check whether or not an SL may have been exceeded.

ACTIONS A.1 RCS pressure and RCS average temperature are controllable and measurable parameters. With one or both of these parameters not within LCO limits, action must be taken to restore parameter(s).

RCS total flow rate is not a controllable parameter and is not expected to vary during steady state operation. If the indicated RCS total flow rate is below the LCO limit, power must be reduced, as required by Required Action B.1, to restore DNB margin and eliminate the potential for violation of the accident analysis bounds.

The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time for restoration of the parameters provides sufficient time to adjust unit parameters, to determine the cause for the off normal condition, and to restore the readings within limits, and is based on unit operating experience.

North Anna Units 1 and 2 B 3.4.1-3 Revision 0, 04/02/02

RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 BASES ACTIONS B.1 (continued)

If Required Action A.1 is not met within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . In MODE 2, the reduced power condition eliminates the potential for violation of the accident analysis bounds. The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable to reach the required unit conditions in an orderly manner.

SURVEILLANCE SR 3.4.1.1 REQUIREMENTS Since Required Action A.1 allows a Completion Time of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months to restore parameters that are not within limits, the 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Surveillance Frequency for pressurizer pressure is sufficient to ensure the pressure can be restored to a normal operation, steady state condition following load changes and other expected transient operations. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months interval has been shown by operating practice to be sufficient to regularly assess for potential degradation and to verify operation is within safety analysis assumptions.

SR 3.4.1.2 Since Required Action A.1 allows a Completion Time of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months to restore parameters that are not within limits, the 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Surveillance Frequency for RCS average temperature is sufficient to ensure the temperature can be restored to a normal operation, steady state condition following load changes and other expected transient operations. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months interval has been shown by operating practice to be sufficient to regularly assess for potential degradation and to verify operation is within safety analysis assumptions.

SR 3.4.1.3 The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Surveillance Frequency for RCS total flow rate is performed using the installed flow instrumentation. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months interval has been shown by operating practice to be sufficient to regularly assess potential degradation and to verify operation within safety analysis assumptions.

North Anna Units 1 and 2 B 3.4. 1-4 Revision 0, 04/02/02

RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 BASES SURVEILLANCE SR 3.4.1.4 REQUIREMENTS (continued) Measurement of RCS total flow rate by performance of a precision calorimetric heat balance once every 18 months allows the installed RCS flow instrumentation to be calibrated and verifies the actual RCS flow rate is greater than or equal to the minimum required RCS flow rate.

The Frequency of 18 months reflects the importance of verifying flow after a refueling outage when the core has been altered, which may have caused an alteration of flow resistance.

This SR is modified by a Note that allows entry into MODE 1, without having performed the SR, and placement of the unit in the best condition for performing the SR. The Note states that the SR is not required to be performed until 30 days after _>90% RTP. The 30 day period after reaching 90% RTP is reasonable to establish stable operating conditions, install the test equipment, perform the test, and analyze the results. The Surveillance shall be performed within 30 days after reaching 90% RTP.

REFERENCES 1. UFSAR, Chapter 15.

North Anna Units 1 and 2 B 3.4. 1-5 Revision 0, 04/02/02

Intentionally Blank RCS Minimum Temperature for Criticality B 3.4.2 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.2 RCS Minimum Temperature for Criticality BASES BACKGROUND This LCO is based upon meeting several major considerations before the reactor can be made critical and while the reactor is critical.

The first consideration is moderator temperature coefficient (MTC), LCO 3.1.3, "Moderator Temperature Coefficient (MTC)."

In the transient and accident analyses, the MTC is assumed to be in a range from slightly positive to negative and the operating temperature is assumed to be within the nominal operating envelope while the reactor is critical. The LCO on minimum temperature for criticality helps ensure the unit is operated consistent with these assumptions.

The second consideration is the protective instrumentation.

Because certain protective instrumentation (e.g., excore neutron detectors) can be affected by moderator temperature, a temperature value within the nominal operating envelope is chosen to ensure proper indication and response while the reactor is critical.

The third consideration is the pressurizer operating characteristics. The transient and accident analyses assume that the pressurizer is within its normal startup and operating range (i.e., saturated conditions and steam bubble present). It is also assumed that the RCS temperature is within its normal expected range for startup and power operation. Since the density of the water, and hence the response of the pressurizer to transients, depends upon the initial temperature of the moderator, a minimum value for moderator temperature within the nominal operating envelope is chosen.

The fourth consideration is that the reactor vessel is above its minimum nil ductility reference temperature when the reactor is critical.

APPLICABLE Although the RCS minimum temperature for criticality is not SAFETY ANALYSES itself an initial condition assumed in Design Basis Accidents (DBAs), the closely aligned temperature for hot zero power (HZP) is a process variable that is an initial (continued)

North Anna Units 1 and 2 B 3.4.2-1 Revision 0, 04/02/02

RCS Minimum Temperature for Criticality B 3.4.2 BASES APPLICABLE condition of DBAs, such as the rod cluster control assembly SAFETY ANALYSES (RCCA) withdrawal from subcritical, RCCA ejection, boron (continued) dilution at startup, feedwater malfunction, main steam system depressurization, and main steam line break accidents performed at zero power that either assumes the failure of, or presents a challenge to, the integrity of a fission product barrier.

All low power safety analyses assume initial RCS loop temperatures Ž the HZP temperature of 547 0 F. The minimum temperature for criticality limitation provides a small band, 60 F, for critical operation below HZP. This band allows critical operation below HZP during unit startup and does not adversely affect any safety analyses since the MTC is not significantly affected by the small temperature difference between HZP and the minimum temperature for criticality.

The RCS minimum temperature for criticality satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO Compliance with the LCO ensures that the reactor will not be made or maintained critical (keff Ž 1.0) at a temperature less than a small band below the HZP temperature, which is assumed in the safety analysis. Failure to meet the requirements of this LCO may produce initial conditions inconsistent with the initial conditions assumed in the safety analysis.

APPLICABILITY In MODE 1 and MODE 2 with keff Ž 1.0, LCO 3.4.2 is applicable since the reactor can only be critical (keff Ž 1.0) in these MODES.

The special test exception of LCO 3.1.9, "MODE 2 PHYSICS TESTS Exceptions," permits PHYSICS TESTS to be performed at

5% RTP with RCS loop average temperatures slightly lower than normally allowed so that fundamental nuclear characteristics of the core can be verified. In order for nuclear characteristics to be accurately measured, it may be necessary to operate outside the normal restrictions of this LCO. For example, to measure the MTC at beginning of cycle, it is necessary to allow RCS loop average temperatures to fall below Tno load, which may cause RCS loop average temperatures to fall below the temperature limit of this LCO.

North Anna Units 1 and 2 B 3.4.2-2 Revision 0, 04/02/02

RCS Minimum Temperature for Criticality B 3.4.2 BASES ACTIONS A.1 If the parameters that are outside the limit cannot be restored, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE 2 with keff < 1.0 within 30 minutes. Rapid reactor shutdown can be readily and practically achieved within a 30 minute period. The allowed time is reasonable, based on operating experience, to reach MODE 2 with keff

< 1.0 in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.4.2.1 REQUIREMENTS RCS loop average temperature is required to be verified at or above 541'F every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The SR to verify RCS loop average temperatures every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months takes into account indications and alarms that are continuously available to the operator in the control room and is consistent with other routine Surveillances which are typically performed once per shift.

In addition, operators are trained to be sensitive to RCS temperature during approach to criticality and will ensure that the minimum temperature for criticality is met as criticality is approached.

REFERENCES None.

North Anna Units 1 and 2 B 3.4.2-3 Revision 0, 04/02/02

Intentionally Blank RCS P/T Limits B 3.4.3 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.3 RCS Pressure and Temperature (P/T) Limits BASES BACKGROUND All components of the RCS are designed to withstand effects of cyclic loads due to system pressure and temperature changes. These loads are introduced by startup (heatup) and shutdown (cooldown) operations, power transients, and reactor trips. This LCO limits the pressure and temperature changes during RCS heatup and cooldown, within the design assumptions and the stress limits for cyclic operation.

This LCO contains P/T limit curves for heatup, cooldown, inservice leak and hydrostatic (ISLH) testing, and data for the maximum rate of change of reactor coolant temperature.

Each P/T limit curve defines an acceptable region for normal operation. The usual use of the curves is operational guidance during heatup or cooldown maneuvering, when pressure and temperature indications are monitored and compared to the applicable curve to determine that operation is within the allowable region.

The LCO establishes operating limits that provide a margin to brittle failure of the reactor vessel and piping of the reactor coolant pressure boundary (RCPB). The vessel is the component most subject to brittle failure, and the LCO limits apply mainly to the vessel. The limits do not apply to the pressurizer, which has different design characteristics and operating functions.

10 CFR 50, Appendix G (Ref. 1), requires the establishment of P/T limits for specific material fracture toughness requirements of the RCPB materials. Reference 1 requires an adequate margin to brittle failure during normal operation, anticipated operational occurrences, and system hydrostatic tests. It mandates the use of the American Society of Mechanical Engineers (ASME) Code,Section III, Appendix G (Ref. 2).

The neutron embrittlement effect on the material toughness is reflected by increasing the nil ductility reference temperature (RTNDT) as exposure to neutron fluence increases.

(continued)

North Anna Units 1 and 2 B 3.4.3-1 Revision 0, 04/02/02

RCS P/T Limits B 3.4.3 BASES BACKGROUND The actual shift in the RTNDT of the vessel material is (continued) established periodically by removing and evaluating the irradiated reactor vessel material specimens, in accordance with ASTM E 185 (Ref. 3) and Appendix H of 10 CFR 50 (Ref. 4). The operating P/T limit curves are adjusted, as necessary, based on the evaluation findings and the recommendations of Regulatory Guide 1.99 (Ref. 5).

The P/T limit curves are calculated using the most limiting value of RTNDT corresponding to the limiting beltline region material for the reactor vessel.

The heatup curve represents a different set of restrictions than the cooldown curve because the directions of the thermal gradients through the vessel wall are reversed. The thermal gradient reversal alters the location of the tensile stress between the outer and inner walls.

The consequence of violating the LCO limits is that the RCS has been operated under conditions that can result in brittle failure of the RCPB, possibly leading to a nonisolable leak or loss of coolant accident. In the event these limits are exceeded, an evaluation must be performed to determine the effect on the structural integrity of the RCPB components. The ASME Code,Section XI, Appendix E (Ref. 6), provides a recommended methodology for evaluating an operating event that causes an excursion outside the limits.

APPLICABLE The P/T limits are not derived from Design Basis Accident SAFETY ANALYSES (DBA) analyses. They are prescribed during normal operation to avoid encountering pressure, temperature, and temperature rate of change conditions that might cause undetected flaws to propagate and cause nonductile failure of the RCPB, an unanalyzed condition. Although the P/T limits are not derived from any DBA, the P/T limits are acceptance limits since they preclude operation in an unanalyzed condition.

RCS P/T limits satisfy Criterion 2 of 10 CFR 50.36 (c) (2) (i i).

North Anna Units 1 and 2 B 3.4.3-2 Revision 0, 04/02/02

RCS P/T Limits B 3.4.3 BASES LCO The two elements of this LCO are:

a. The limit curves for heatup, cooldown, and ISLH testing; and

b. Limits on the rate of change of temperature.

The LCO limits apply to all components of the RCS, except the pressurizer. These limits define allowable operating regions and permit a large number of operating cycles while providing a wide margin to nonductile failure.

The limits for the rate of change of temperature control the thermal gradient through the vessel wall and are used as inputs for calculating the heatup, cooldown, and ISLH testing P/T limit curves. Thus, the LCO for the rate of change of temperature restricts stresses caused by thermal gradients and also ensures the validity of the P/T limit curves.

The reactor vessel beltline is the most limiting region of the reactor vessel for the determination of P/T limit curves. The P/T curves include a correction for the difference between the pressure at the point of measurement (hot leg or pressurizer) and the reactor vessel beltline.

The P/T limits do not include instrument uncertainties since these uncertainties are insignificant when compared to the margin included in the Reference 1 methods.

Violating the LCO limits places the reactor vessel outside of the bounds of the stress analyses and can increase stresses in other RCPB components. The consequences depend on several factors, as follow:

a. The severity of the departure from the allowable operating P/T regime or the severity of the rate of change of temperature;

b. The length of time the limits were violated (longer violations allow the temperature gradient in the thick vessel walls to become more pronounced); and

c. The existences, sizes, and orientations of flaws in the vessel material.

North Anna Units 1 and 2 B 3.4.3-3 Revision 0, 04/02/02

RCS P/T Limits B 3.4.3 BASES APPLICABILITY The RCS P/T limits LCO provides a definition of acceptable operation for prevention of nonductile failure in accordance with 10 CFR 50, Appendix G (Ref. 1). Although the P/T limits were developed to provide guidance for operation during heatup or cooldown (MODES 3, 4, and 5) or ISLH testing, their Applicability is at all times in keeping with the concern for nonductile failure. The limits do not apply to the pressurizer.

During MODES 1 and 2, other Technical Specifications provide limits for operation that can be more restrictive than or can supplement these P/T limits. LCO 3.4.1, "RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB)

Limits"; LCO 3.4.2, "RCS Minimum Temperature for Criticality"; and Safety Limit 2.1, "Safety Limits," also provide operational restrictions for pressure and temperature and maximum pressure. Furthermore, MODES 1 and 2 are above the temperature range of concern for nonductile failure, and stress analyses have been performed for normal maneuvering profiles, such as power ascension or descent.

ACTIONS A.1 and A.2 Operation outside the P/T limits during MODE 1, 2, 3, or 4 must be corrected so that the RCPB is returned to a condition that has been verified by stress analyses.

The 30 minute Completion Time reflects the urgency of restoring the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in this time in a controlled manner.

Besides restoring operation within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify the RCPB integrity remains acceptable and must be completed before continuing operation. Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, new analyses, or inspection of the components.

ASME Code,Section XI, Appendix E (Ref. 6), may be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline.

(continued)

North Anna Units 1 and 2 B 3.4.3-4 Revision 0, 04/02/02

RCS P/T Limits B 3.4.3 BASES ACTIONS A.1 and A.2 (continued)

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is reasonable to accomplish the evaluation. The evaluation for a mild violation is possible within this time, but more severe violations may require special, event specific stress analyses or inspections. A favorable evaluation must be completed before continuing to operate.

Condition A is modified by a Note requiring Required Action A.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required Action A.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.

B.1 and B.2 If a Required Action and associated Completion Time of Condition A are not met, the unit must be placed in a lower MODE because either the RCS remained in an unacceptable P/T region for an extended period of increased stress or a sufficiently severe event caused entry into an unacceptable region. Either possibility indicates a need for more careful examination of the event, best accomplished with the RCS at reduced pressure and temperature. In reduced pressure and temperature conditions, the possibility of propagation with undetected flaws is decreased.

If the required restoration activity cannot be accomplished within 30 minutes, Required Action B.1 and Required Action B.2 must be implemented to reduce pressure and temperature.

If the required evaluation for continued operation cannot be accomplished within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months or the results are indeterminate or unfavorable, action must proceed to reduce pressure and temperature as specified in Required Action B.1 and Required Action B.2. A favorable evaluation must be completed and documented before returning to operating pressure and temperature conditions.

Pressure and temperature are reduced by bringing the unit to MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 with RCS pressure

< 500 psig within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months .

(continued)

North Anna Units 1 and 2 B 3.4.3-5 Revision 0, 04/02/02

RCS P/T Limits B 3.4.3 BASES ACTIONS B.1 and B.2 (continued)

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

C.1 and C.2 Actions must be initiated immediately to correct operation outside of the P/T limits at times other than when in MODE 1, 2, 3, or 4, so that the RCPB is returned to a condition that has been verified by stress analysis.

The immediate Completion Time reflects the urgency of initiating action to restore the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in this time in a controlled manner.

Besides restoring operation within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify that the RCPB integrity remains acceptable and must be completed prior to entry into MODE 4.

Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, or inspection of the components.

ASME Code,Section XI, Appendix E (Ref. 6), may be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline.

Condition C is modified by a Note requiring Required Action C.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required Action C.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.

North Anna Units 1 and 2 B 3.4.3-6 Revision 0, 04/02/02

RCS P/T Limits B 3.4.3 BASES SURVEILLANCE SR 3.4.3.1 REQUIREMENTS Verification that operation is within limits is required every 30 minutes when RCS pressure and temperature conditions are undergoing planned changes. This Frequency is considered reasonable in view of the control room indication available to monitor RCS status. Also, since temperature rate of change limits are specified in hourly increments, 30 minutes permits assessment and correction for minor deviations within a reasonable time.

Surveillance for heatup, cooldown, or ISLH testing may be discontinued when the definition given in the relevant unit procedure for ending the activity is satisfied.

This SR is modified by a Note that only requires this SR to be performed during system heatup, cooldown, and ISLH testing. No SR is given for criticality operations because LCO 3.4.2 contains a more restrictive requirement.

REFERENCES 1. 10 CFR 50, Appendix G.

2. ASME, Boiler and Pressure Vessel Code, Section III, Appendix G.

3. ASTM E 185.

4. 10 CFR 50, Appendix H.

5. Regulatory Guide 1.99, Revision 2, May 1988.

6. ASME, Boiler and Pressure Vessel Code,Section XI, Appendix E.

North Anna Units 1 and 2 B 3.4.3-7 Revision 0, 04/02/02

Intentionally Blank RCS Loops-MODES 1 and 2 B 3.4.4 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.4 RCS Loops-MODES 1 and 2 BASES BACKGROUND The primary function of the RCS is removal of the heat generated in the fuel due to the fission process, and transfer of this heat, via the steam generators (SGs), to the secondary plant.

The secondary functions of the RCS include:

a. Moderating the neutron energy level to the thermal state, to increase the probability of fission;

b. Improving the neutron economy by acting as a reflector;

c. Carrying the soluble neutron poison, boric acid;

d. Providing a second barrier against fission product release to the environment; and

e. Removing the heat generated in the fuel due to fission product decay following a unit shutdown.

The reactor coolant is circulated through three loops connected in parallel to the reactor vessel, each containing an SG, a reactor coolant pump (RCP), and appropriate flow and temperature instrumentation for both control and protection.

The reactor vessel contains the clad fuel. The SGs provide the heat sink to the isolated secondary coolant. The RCPs circulate the coolant through the reactor vessel and SGs at a sufficient rate to ensure proper heat transfer and prevent fuel damage. This forced circulation of the reactor coolant ensures mixing of the coolant for proper boration and chemistry control.

APPLICABLE Safety analyses contain various assumptions for the design SAFETY ANALYSES bases accident initial conditions including RCS pressure, RCS temperature, reactor power level, core parameters, and safety system setpoints. The important aspect for this LCO is the reactor coolant forced flow rate, which is represented by the number of RCS loops in service.

(continued)

North Anna Units 1 and 2 B 3.4.4-1 Revision 0, 04/02/02

RCS Loops-MODES 1 and 2 B 3.4.4 BASES APPLICABLE Both transient and steady state analyses have been performed SAFETY ANALYSES to establish the effect of flow on the departure from (continued) nucleate boiling (DNB). The transient and accident analyses for the unit have been performed assuming three RCS loops are in operation. The majority of the unit safety analyses are based on initial conditions at high core power or zero power.

The accident analyses that are most important to RCP operation are the complete loss of forced reactor flow, single reactor coolant pump locked rotor, partial loss of forced reactor flow, and rod withdrawal events (Ref. 1).

The DNB analyses assume normal three loop operation.

Uncertainties in key unit operating parameters, nuclear and thermal parameters, and fuel fabrication parameters are considered statistically such that there is at least a 95 percent probability that DNB will not occur for the limiting power rod. Key unit parameter uncertainties are used to determine the unit departure from nucleate boiling ratio (DNBR) uncertainty. This DNBR uncertainty, combined with the DNBR limit, establishes a design DNBR value which must be met in unit safety analyses and is used to determine the pressure and temperature Safety Limit (SL). Since the parameter uncertainties are considered in determining the design DNBR value, the unit safety analyses are performed using values of input parameters without uncertainties. Therefore, nominal operating values for reactor coolant flow are used in the accident analyses.

The unit is designed to operate with all RCS loops in operation to maintain DNBR above the limit during all normal operations and anticipated transients. By ensuring heat transfer in the nucleate boiling region, adequate heat transfer is provided between the fuel cladding and the reactor coolant.

RCS Loops-MODES 1 and 2 satisfy Criterion 2 of 10 CFR 50.36(c) (2) (ii).

LCO The purpose of this LCO is to require an adequate forced flow rate for core heat removal. Flow is represented by the number of RCPs in operation for removal of heat by the SGs. To meet safety analysis acceptance criteria for DNBR, three pumps are required at rated power.

An OPERABLE RCS loop consists of an OPERABLE RCP in operation providing forced flow for heat transport and an OPERABLE SG in accordance with the Steam Generator Surveillance Program.

North Anna Units 1 and 2 B 3.4.4-2 Revision 0, 04/02/02

RCS Loops-MODES 1 and 2 B 3.4.4 BASES APPLICABILITY In MODES 1 and 2, the reactor is critical and thus has the potential to produce maximum THERMAL POWER. Thus, to ensure that the assumptions of the accident analyses remain valid, all RCS loops are required to be OPERABLE and in operation in these MODES to prevent DNB and core damage.

The decay heat production rate is much lower than the full power heat rate. As such, the forced circulation flow and heat sink requirements are reduced for lower, noncritical MODES as indicated by the LCOs for MODES 3, 4, and 5.

Operation in other MODES is covered by:

LCO 3.4.5, "RCS Loops-MODE 3";

LCO 3.4.6, "RCS Loops-MODE 4";

LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled";

LCO 3.4.8, "RCS Loops-MODE 5, Loops Not Filled";

LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level" (MODE 6); and LCO 3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level" (MODE 6).

ACTIONS A.1 If the requirements of the LCO are not met, the Required Action is to reduce power and bring the unit to MODE 3. This lowers power level and thus reduces the core heat removal needs and minimizes the possibility of violating DNBR limits.

The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging safety systems.

SURVEILLANCE SR 3.4.4.1 REQUIREMENTS This SR requires verification every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months that each RCS loop is in operation. Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal while maintaining the margin to the DNBR limit. The Frequency of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is sufficient considering other indications and alarms available to the operator in the control room to monitor RCS loop performance.

North Anna Units 1 and 2 B 3.4.4-3 Revision 0, 04/02/02

RCS Loops-MODES 1 and 2 B 3.4.4 BASES REFERENCES 1. UFSAR, Chapter 15.

North Anna Units 1 and 2 B 3.4.4-4 Revision 0, 04/02/02

RCS Loops-MODE 3 B 3.4.5 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.5 RCS Loops-MODE 3 BASES BACKGROUND In MODE 3, the primary function of the reactor coolant is removal of decay heat and transfer of this heat, via the steam generator (SG), to the secondary plant fluid. The secondary function of the reactor coolant is to act as a carrier for soluble neutron poison, boric acid.

The reactor coolant is circulated through three RCS loops, connected in parallel to the reactor vessel, each containing an SG, a reactor coolant pump (RCP), and appropriate flow, pressure, level, and temperature instrumentation for control, protection, and indication. The reactor vessel contains the clad fuel. The SGs provide the heat sink. The RCPs circulate the water through the reactor vessel and SGs at a sufficient rate to ensure proper heat transfer and prevent fuel damage.

In MODE 3, RCPs are used to provide forced circulation for heat removal during heatup and cooldown. The MODE 3 decay heat removal requirements are low enough that a single RCS loop with one RCP running is sufficient to remove core decay heat. However, two RCS loops are required to be OPERABLE to ensure redundant capability for decay heat removal.

APPLICABLE Whenever the reactor trip breakers (RTBs) are in the closed SAFETY ANALYSES position and the control rod drive mechanisms (CRDMs) are energized, an inadvertent rod withdrawal from subcritical, resulting in a power excursion, is possible. Such a transient could be caused by a malfunction of the rod control system.

Therefore, in MODE 3 with RTBs in the closed position and Rod Control System capable of rod withdrawal, accidental control rod withdrawal from subcritical is postulated and requires at least one RCS loop to be OPERABLE and in operation to ensure that the accident analyses limits are met.

Failure to provide decay heat removal may result in challenges to a fission product barrier. The RCS loops are part of the primary success path that functions or actuates (continued)

North Anna Units 1 and 2 B 3.4.5-1 Revision 0, 04/02/02

RCS Loops-MODE 3 B 3.4.5 BASES APPLICABLE to prevent or mitigate a Design Basis Accident or transient SAFETY ANALYSES that either assumes the failure of, or presents a challenge (continued) to, the integrity of a fission product barrier.

RCS Loops-MODE 3 satisfy Criterion 3 of 10 CFR 50.36(c) (2) (ii).

LCO The purpose of this LCO is to require that at least two RCS loops be OPERABLE and one of those loops be in operation. One RCS loop in operation is necessary to ensure removal of decay heat from the core and homogenous boron concentration throughout the RCS. An additional RCS loop is required to be OPERABLE to ensure redundant capability for decay heat removal.

The Note permits all RCPs to be removed from operation for

1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months per 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months period. The purpose of the Note is to permit pump swap operations and tests that are designed to validate various accident analyses values. One of these tests is validation of the pump coastdown curve used as input to a number of accident analyses including a loss of flow accident. This test is generally performed in MODE 3 during the initial startup testing program, and as such should only be performed once. If, however, changes are made to the RCS that would cause a change to the flow characteristics of the RCS, the input values of the coastdown curve may be revalidated by conducting the test again. Another test that may be performed during the startup testing program is the validation of rod drop times during cold conditions, both with and without flow.

The no flow test may be performed in MODE 3, 4, or 5 and requires that the pumps be stopped for a short period of time. The Note permits the stopping of the pumps in order to perform this test and validate the assumed analysis values.

As with the validation of the pump coastdown curve, this test should be performed only once unless the flow characteristics of the RCS are changed. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months time period specified is adequate to perform the pump swap or the desired tests, and operating experience has shown that boron stratification is not a problem during this short period with no forced flow.

(continued)

North Anna Units 1 and 2 B 3.4.5-2 Revision 0, 04/02/02

RCS Loops-MODE 3 B 3.4.5 BASES LCO Utilization of the Note is permitted provided the following (continued) conditions are met, along with any other conditions imposed by initial startup test procedures:

a. No operations are permitted that would dilute the RCS boron concentration with coolant at boron concentrations less than required to ensure the SDM of LCO 3.1.1, thereby maintaining the margin to criticality. Boron reduction with coolant at boron concentrations less than required to assure the SDM is maintained is prohibited because a uniform concentration distribution throughout the RCS cannot be ensured when in natural circulation; and

b. Core outlet temperature is maintained at least 100 F below saturation temperature, so that no vapor bubble may form and possibly cause a natural circulation flow obstruction.

An OPERABLE RCS loop consists of one OPERABLE RCP and one OPERABLE SG in accordance with the Steam Generator Tube Surveillance Program, which has the minimum water level specified in SR 3.4.5.2. An RCP is OPERABLE if it is capable of being powered and is able to provide forced flow if required.

APPLICABILITY In MODE 3, this LCO ensures forced circulation of the reactor coolant to remove decay heat from the core and to provide proper boron mixing.

Operation in other MODES is covered by:

LCO 3.4.4, "RCS Loops-MODES 1 and 2";

LCO 3.4.6, "RCS Loops-MODE 4";

LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled";

LCO 3.4.8, "RCS Loops-MODE 5, Loops Not Filled";

LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level" (MODE 6); and LCO 3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level" (MODE 6).

North Anna Units 1 and 2 B 3.4.5-3 Revision 0, 04/02/02

RCS Loops-MODE 3 B 3.4.5 BASES ACTIONS A.1 If one required RCS loop is inoperable, redundancy for heat removal is lost. The Required Action is restoration of the required RCS loop to OPERABLE status within the Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . This time allowance is a justified period to be without the redundant, nonoperating loop because a single loop in operation has a heat transfer capability greater than that needed to remove the decay heat produced in the reactor core and because of the low probability of a failure in the remaining loop occurring during this period.

B.1 If restoration is not possible within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , the unit must be brought to MODE 4. In MODE 4, the unit may be placed on the Residual Heat Removal System. The additional Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is compatible with required operations to achieve cooldown and depressurization from the existing unit conditions in an orderly manner and without challenging unit systems.

C.1, C.2, and C.3 If two required RCS loops are inoperable or a required RCS loop is not in operation, except as during conditions permitted by the Note in the LCO section, place the Rod Control System in a condition incapable of rod withdrawal (e.g., all CRDMs must be de-energized by opening the RTBs or de-energizing the MG sets). All operations involving introduction of coolant into the RCS with boron concentration less than required to meet the minimum SDM of LCO 3.1.1 must be suspended, and action to restore one of the RCS loops to OPERABLE status and operation must be initiated. Boron dilution requires forced circulation for proper mixing, and opening the RTBs or de-energizing the MG sets removes the possibility of an inadvertent rod withdrawal. Suspending the introduction of coolant into the RCS of coolant with boron concentration less than required to meet the minimum SDM of LCO 3.1.1 is required to assure continued safe operation. With coolant added without forced circulation, unmixed coolant could be introduced to the core, however coolant added with boron concentration meeting the minimum SDM maintains acceptable margin to subcritical operations. The immediate Completion Time reflects the importance of maintaining operation for heat removal. The action to restore must be continued until one loop is restored to OPERABLE status and operation.

North Anna Units 1 and 2 B 3.4.5-4 Revision 0, 04/02/02

RCS Loops-MODE 3 B 3.4.5 BASES SURVEILLANCE SR 3.4.5.1 REQUIREMENTS This SR requires verification every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months that the required loops are in operation. Verification includes flow rate, temperature, and pump status monitoring, which help ensure that forced flow is providing heat removal. The Frequency of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is sufficient considering other indications and alarms available to the operator in the control room to monitor RCS loop performance.

SR 3.4.5.2 SR 3.4.5.2 requires verification of SG OPERABILITY. SG OPERABILITY is verified by ensuring that the secondary side narrow range water level is Ž 17% for required RCS loops. If the SG secondary side narrow range water level is < 17%, the tubes may become uncovered and the associated loop may not be capable of providing the heat sink for removal of the decay heat. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Frequency is considered adequate in view of other indications available in the control room to alert the operator to a loss of SG level.

SR 3.4.5.3 Verification that the required RCP is OPERABLE ensures that safety analyses limits are met. The requirement also ensures that an additional RCP can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power availability to the required RCP.

This SR is modified by a Note that states the SR is not required to be performed until 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after a required pump is not in operation.

REFERENCES None.

North Anna Units 1 and 2 B 3.4.5-5 Revision 0, 04/02/02

Intentionally Blank RCS Loops-MODE 4 B 3.4.6 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.6 RCS Loops-MODE 4 BASES BACKGROUND In MODE 4, the primary function of the reactor coolant is the removal of decay heat and the transfer of this heat to either the steam generator (SG) secondary side coolant or the component cooling water via the residual heat removal (RHR) heat exchangers. The secondary function of the reactor coolant is to act as a carrier for soluble neutron poison, boric acid.

The reactor coolant is circulated through three RCS loops connected in parallel to the reactor vessel, each loop containing an SG, a reactor coolant pump (RCP), and appropriate flow, pressure, level, and temperature instrumentation for control, protection, and indication. The RCPs circulate the coolant through the reactor vessel and SGs at a sufficient rate to ensure proper heat transfer and to prevent boric acid stratification.

In MODE 4, either RCPs or RHR loops can be used to provide forced circulation. The intent of this LCO is to provide forced flow from at least one RCP or one RHR loop for decay heat removal and transport. The flow provided by one RCP loop or RHR loop is adequate for decay heat removal. The other intent of this LCO is to require that two paths be OPERABLE to provide redundancy for decay heat removal.

APPLICABLE In MODE 4, RCS circulation is considered in the SAFETY ANALYSES determination of the time available for mitigation of the accidental boron dilution event. The RCS and RHR loops provide this circulation.

RCS Loops-MODE 4 satisfies Criterion 4 of 10 CFR 50.36(c) (2) (ii).

LCO The purpose of this LCO is to require that at least two loops be OPERABLE in MODE 4 and that one of these loops be in operation. The LCO allows the two loops that are required to be OPERABLE to consist of any combination of RCS loops and RHR loops. Any one loop in operation provides enough flow to (continued)

North Anna Units 1 and 2 B 3.4.6-1 Revision 0, 04/02/02

RCS Loops-MODE 4 B 3.4.6 BASES LCO remove the decay heat from the core with forced circulation.

(continued) An additional loop is required to be OPERABLE to provide redundancy for heat removal.

Note I permits all RCPs or RHR pumps to be removed from operation for

1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months per 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months period. The purpose of the Note is to permit pump swap operations and tests that are designed to validate various accident analyses values. One of the tests which may be performed during the startup testing program is the validation of rod drop times during cold conditions, both with and without flow. The no flow test may be performed in MODE 3, 4, or 5 and requires that the pumps be stopped for a short period of time. The Note permits the stopping of the pumps in order to perform this test and validate the assumed analysis values. If changes are made to the RCS that would cause a change to the flow characteristics of the RCS, the input values may be revalidated by conducting the test again. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months time period is adequate to perform the pump swap or test, and operating experience has shown that boron stratification is not a problem during this short period with no forced flow.

Utilization of Note 1 is permitted provided the following conditions are met along with any other conditions imposed by initial startup test procedures:

a. No operations are permitted that would dilute the RCS boron concentration with coolant at boron concentrations less than required to meet the SDM of LCO 3.1.1, therefore maintaining the margin to criticality. Boron reduction with coolant at boron concentrations less than required to assure the SDM is maintained is prohibited because a uniform concentration distribution throughout the RCS cannot be ensured when in natural circulation; and

b. Core outlet temperature is maintained at least 10OF below saturation temperature, so that no vapor bubble may form and possibly cause a natural circulation flow obstruction.

Note 2 requires that the secondary side water temperature of each SG be

50°F above each of the RCS cold leg temperatures before the start of an RCP with any RCS cold leg temperature (continued)

North Anna Units 1 and 2 B 3.4.6-2 Revision 0, 04/02/02

RCS Loops-MODE 4 B 3.4.6 BASES LCO

235°F (Unit 1), 270°F (Unit 2). This restraint is to (continued) prevent a low temperature overpressure event due to a thermal transient when an RCP is started.

An OPERABLE RCS loop is comprised of an OPERABLE RCP and an OPERABLE SG in accordance with the Steam Generator Tube Surveillance Program, which has the minimum water level specified in SR 3.4.6.2.

Similarly for the RHR System, an OPERABLE RHR loop is comprised of an OPERABLE RHR pump capable of providing forced flow to an OPERABLE RHR heat exchanger. RCPs and RHR pumps are OPERABLE if they are capable of being powered and are able to provide forced flow if required.

APPLICABILITY In MODE 4, this LCO ensures forced circulation of the reactor coolant to remove decay heat from the core and to provide proper boron mixing. One loop of either RCS or RHR provides sufficient circulation for these purposes. However, two loops consisting of any combination of RCS and RHR loops are required to be OPERABLE to provide redundancy for heat removal.

Operation in other MODES is covered by:

LCO 3.4.4, "RCS Loops-MODES 1 and 2";

LCO 3.4.5, "RCS Loops-MODE 3";

LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled";

LCO 3.4.8, "RCS Loops-MODE 5, Loops Not Filled";

LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level" (MODE 6); and LCO 3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level" (MODE 6).

ACTIONS A.1 If one required loop is inoperable, redundancy for heat removal is lost. Action must be initiated to restore a second RCS or RHR loop to OPERABLE status. The immediate Completion Time reflects the importance of maintaining the availability of two paths for heat removal.

North Anna Units 1 and 2 B 3.4.6-3 Revision 0, 04/02/02

RCS Loops-MODE 4 B 3.4.6 BASES ACTIONS A.2 (continued)

If restoration is not accomplished and an RHR loop is OPERABLE, the unit must be brought to MODE 5 within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . Bringing the unit to MODE 5 is a conservative action with regard to decay heat removal. With only one RHR loop OPERABLE, redundancy for decay heat removal is lost and, in the event of a loss of the remaining RHR loop, it would be safer to initiate that loss from MODE 5 rather than MODE 4. The Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is a reasonable time, based on operating experience, to reach MODE 5 from MODE 4 in an orderly manner and without challenging unit systems.

This Required Action is modified by a Note which indicates that the unit must be placed in MODE 5 only if an RHR loop is OPERABLE. With no RHR loop OPERABLE, the unit is in a condition with only limited cooldown capabilities.

Therefore, the actions are to be concentrated on the restoration of an RHR loop, rather than a cooldown of extended duration.

B.1 and B.2 If two required loops are inoperable or a required loop is not in operation, except during conditions permitted by Note 1 in the LCO section, all operations involving introduction of coolant into the RCS with boron concentration less than required to meet the minimum SDM of LCO 3.1.1 must be suspended and action to restore one RCS or RHR loop to OPERABLE status and operation must be initiated.

The required margin to criticality must not be reduced in this type of operation. Suspending the introduction of coolant into the RCS of coolant with boron concentration less than required to meet the minimum SDM of LCO 3.1.1 is required to assure continued safe operation. With coolant added without forced circulation, unmixed coolant could be introduced to the core, however coolant added with boron concentration meeting the minimum SDM maintains acceptable margin to subcritical operations. The immediate Completion Times reflect the importance of maintaining operation for decay heat removal. The action to restore must be continued until one loop is restored to OPERABLE status and operation.

North Anna Units 1 and 2 B 3.4.6-4 Revision 0, 04/02/02

RCS Loops-MODE 4 B 3.4.6 BASES SURVEILLANCE SR 3.4.6.1 REQUIREMENTS This SR requires verification every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months that the required RCS or RHR loop is in operation. Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal. The Frequency of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is sufficient considering other indications and alarms available to the operator in the control room to monitor RCS and RHR loop performance.

SR 3.4.6.2 SR 3.4.6.2 requires verification of SG OPERABILITY. SG OPERABILITY is verified by ensuring that the secondary side narrow range water level is Ž 17%. If the SG secondary side narrow range water level is < 17%, the tubes may become uncovered and the associated loop may not be capable of providing the heat sink necessary for removal of decay heat.

The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Frequency is considered adequate in view of other indications available in the control room to alert the operator to the loss of SG level.

SR 3.4.6.3 Verification that the required pump is OPERABLE ensures that an additional RCS or RHR pump can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power available to the required pump.

The Frequency of 7 days is considered reasonable in view of other administrative controls available and has been shown to be acceptable by operating experience.

This SR is modified by a Note that states the SR is not required to be performed until 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after a required pump is not in operation.

REFERENCES None.

North Anna Units 1 and 2 B 3.4.6-5 Revision 0, 04/02/02

Intentionally Blank RCS Loops-MODE 5, Loops Filled B 3.4.7 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.7 RCS Loops-MODE 5, Loops Filled BASES BACKGROUND In MODE 5 with the RCS loops filled, the primary function of the reactor coolant is the removal of decay heat and transfer this heat either to the steam generator (SG) secondary side coolant via natural circulation (Ref. 1) or the component cooling water via the residual heat removal (RHR) heat exchangers. While the principal means for decay heat removal is via the RHR System, the SGs via natural circulation (Ref. 1) are specified as a backup means for redundancy.

Even though the SGs cannot produce steam in this MODE, they are capable of being a heat sink due to their large contained volume of secondary water. As long as the SG secondary side water is at a lower temperature than the reactor coolant, heat transfer will occur. The rate of heat transfer is directly proportional to the temperature difference. The secondary function of the reactor coolant is to act as a carrier for soluble neutron poison, boric acid.

In MODE 5 with RCS loops filled, the reactor coolant is circulated by means of two RHR loops connected to the RCS, each loop containing an RHR heat exchanger, an RHR pump, and appropriate flow and temperature instrumentation for control, protection, and indication. One RHR pump circulates the water through the RCS at a sufficient rate to prevent boric acid stratification.

The number of loops in operation can vary to suit the operational needs. The intent of this LCO is to provide forced flow from at least one RHR loop for decay heat removal and transport. The flow provided by one RHR loop is adequate for decay heat removal. The other intent of this LCO is to require that a second path be available to provide redundancy for heat removal.

The LCO provides for redundant paths of decay heat removal capability. The first path can be an RHR loop that must be OPERABLE and in operation. The second path can be another OPERABLE RHR loop or maintaining a SG with secondary side water level of at least 17% using narrow range instrumentation to provide an alternate method for decay heat removal via natural circulation (Ref. 1).

North Anna Units 1 and 2 B 3.4.7-1 "I Revision 0, 04/02/02

RCS Loops-MODE 5, Loops Filled B 3.4.7 BASES APPLICABLE In MODE 5, RCS circulation is considered in the SAFETY ANALYSES determination of the time available for mitigation of the accidental boron dilution event. The RHR loops provide this circulation.

RCS Loops-MODE 5 (Loops Filled) satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).

LCO The purpose of this LCO is to require that at least one of the RHR loops be OPERABLE and in operation with an additional RHR loop OPERABLE or a SG with secondary side water level

Ž 17% using narrow range instrumentation and the associated loop isolation valves open. One RHR loop provides sufficient forced circulation to perform the safety functions of the reactor coolant under these conditions. An additional RHR loop is required to be OPERABLE to provide redundancy for heat removal. However, if the standby RHR loop is not OPERABLE, an acceptable alternate method is a SG with its secondary side water level Ž 17% using narrow range instrumentation. Should the operating RHR loop fail, the SG could be used to remove the decay heat via natural circulation.

Note 1 permits all RHR pumps to be removed from operation

1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months per 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months period. The purpose of the Note is to permit pump swap operations and tests designed to validate various accident analyses values. One of the tests performed during the startup testing program is the validation of rod drop times during cold conditions, both with and without flow. The no flow test may be performed in MODE 3, 4, or 5 and requires that the pumps be stopped for a short period of time. The Note permits stopping of the pumps in order to perform this test and validate the assumed analysis values.

If changes are made to the RCS that would cause a change to the flow characteristics of the RCS, the input values must be revalidated by conducting the test again. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months time period is adequate to perform the pump swap or test, and operating experience has shown that boron stratification is not likely during this short period with no forced flow.

(continued)

North Anna Units 1 and 2 B 3.4.7-2 Revision 0, 04/02/02

RCS Loops-MODE 5, Loops Filled B 3.4.7 BASES LCO Utilization of Note 1 is permitted provided the following (continued) conditions are met, along with any other conditions imposed by initial startup test procedures:

a. No operations are permitted that would dilute the RCS boron concentration with coolant at boron concentrations less than required to meet the SDM of LCO 3.1.1, therefore maintaining the margin to criticality. Boron reduction with coolant at boron concentrations less than required to assure the SDM is maintained is prohibited because a uniform concentration distribution throughout the RCS cannot be ensured when in natural circulation; and

b. Core outlet temperature is maintained at least lOF below saturation temperature, so that no vapor bubble may form and possibly cause a natural circulation flow obstruction.

Note 2 allows one RHR loop to be inoperable for a period of up to 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , provided that the other RHR loop is OPERABLE and in operation. This permits periodic surveillance tests to be performed on the inoperable loop during the only time when such testing is safe and possible.

Note 3 requires that the secondary side water temperature of each SG be

50°F above each of the RCS cold leg temperatures before the start of a reactor coolant pump (RCP) with an RCS cold leg temperature

235 0 F (Unit 1), 2707F (Unit 2). This restriction is to prevent a low temperature overpressure event due to a thermal transient when an RCP is started.

Note 4 provides for an orderly transition from MODE 5 to MODE 4 during a planned heatup by permitting removal of RHR loops from operation when at least one RCS loop is in operation. This Note provides for the transition to MODE 4 where an RCS loop is permitted to be in operation and replaces the RCS circulation function provided by the RHR loops with circulation provided by an RCP.

RHR pumps are OPERABLE if they are capable of being powered and are able to provide flow if required. An OPERABLE SG can perform as a heat sink via natural circulation when it has an adequate water level and is OPERABLE in accordance with the Steam Generator Tube Surveillance Program.

North Anna Units 1 and 2 B 3.4.7-3 Revision 0, 04/02/02

RCS Loops-MODE 5, Loops Filled B 3.4.7 BASES APPLICABILITY In MODE 5 with the unisolated portion of the RCS loops filled, this LCO requires forced circulation of the reactor coolant to remove decay heat from the core and to provide proper boron mixing. One loop of RHR provides sufficient circulation for these purposes. However, one additional RHR loop is required to be OPERABLE, or the secondary side water level of at least one SG is required to be Ž 17% with the associated loop isolation valves open.

Operation in other MODES is covered by:

LCO 3.4.4, "RCS Loops-MODES 1 and 2";

LCO 3.4.5, "RCS Loops-MODE 3";

LCO 3.4.6, "RCS Loops-MODE 4";

LCO 3.4.8, "RCS Loops-MODE 5, Loops Not Filled";

LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level" (MODE 6); and LCO 3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level" (MODE 6).

If all RCS loops are isolated, an SG cannot be used for decay heat removal and RCS water inventory is substantially reduced. In this circumstance, LCO 3.4.8 applies.

ACTIONS A.1, A.2, B.1, and B.2 If one RHR loop is OPERABLE and the required SG has secondary side water level < 17%, redundancy for heat removal is lost.

Action must be initiated immediately to restore a second RHR loop to OPERABLE status or to restore the required SG secondary side water level. Either Required Action will restore redundant heat removal paths. The immediate Completion Time reflects the importance of maintaining the availability of two paths for heat removal.

C.1 and C.2 If a required RHR loop is not in operation, except during conditions permitted by Note I and Note 4, or if no required RHR loop is OPERABLE, all operations involving introduction of coolant into the RCS with boron concentration less than required to meet the minimum SDM of LCO 3.1.1 must be suspended and action to restore one RHR loop to OPERABLE status and operation must be initiated. Suspending the introduction of coolant into the RCS of coolant with boron concentration less than required to meet the minimum SDM of (continued)

North Anna Units 1 and 2 B 3.4.7-4 Revision 0, 04/02/02

RCS Loops-MODE 5, Loops Filled B 3.4.7 BASES ACTIONS C.1 and C.2 (continued)

LCO 3.1.1 is required to assure continued safe operation.

With coolant added without forced circulation, unmixed coolant could be introduced to the core, however coolant added with boron concentration meeting the minimum SDM maintains acceptable margin to subcritical operations. The immediate Completion Times reflect the importance of maintaining operation for heat removal.

SURVEILLANCE SR 3.4.7.1 REQUIREMENTS This SR requires verification every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months that the required loop is in operation. Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal. The Frequency of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is sufficient considering other indications and alarms available to the operator in the control room to monitor RHR loop performance.

SR 3.4.7.2 Verifying that at least one SG is OPERABLE by ensuring its secondary side narrow range water level is Ž 17% ensures an alternate decay heat removal method via natural circulation in the event that the second RHR loop is not OPERABLE. If both RHR loops are OPERABLE, this Surveillance is not needed. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Frequency is considered adequate in view of other indications available in the control room to alert the operator to the loss of SG level.

SR 3.4.7.3 Verification that the required RHR pump is OPERABLE ensures that an additional pump can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power available to the required RHR pump. If secondary side water level is Ž 17% in at least one SG, this Surveillance is not needed. The Frequency of 7 days is considered reasonable in view of other administrative controls available and has been shown to be acceptable by operating experience.

This SR is modified by a Note that states the SR is not required to be performed until 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after a required pump is not in operation.

North Anna Units 1 and 2 B 3.4.7-5 Revision 0, 04/02/02

RCS Loops-MODE 5, Loops Filled B 3.4.7 BASES REFERENCES 1. NRC Information Notice 95-35, Degraded Ability of Steam Generators to Remove Decay Heat by Natural Circulation.

North Anna Units 1 and 2 B 3.4.7-6 Revision 0, 04/02/02

RCS Loops-MODE 5, Loops Not Filled B 3.4.8 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.8 RCS Loops-MODE 5, Loops Not Filled BASES BACKGROUND In MODE 5 with the RCS loops not filled, the primary function of the reactor coolant is the removal of decay heat generated in the fuel, and the transfer of this heat to the component cooling water via the residual heat removal (RHR) heat exchangers. The steam generators (SGs) are not available as a heat sink when the loops are not filled. The secondary function of the reactor coolant is to act as a carrier for the soluble neutron poison, boric acid.

In MODE 5 with loops not filled, only RHR pumps can be used for coolant circulation. The number of pumps in operation can vary to suit the operational needs. The intent of this LCO is to provide forced flow from at least one RHR pump for decay heat removal and transport and to require that two paths be available to provide redundancy for heat removal.

APPLICABLE In MODE 5, RCS circulation is considered in the SAFETY ANALYSES determination of the time available for mitigation of the accidental boron dilution event. The RHR loops provide this circulation. The flow provided by one RHR loop is adequate for heat removal and for boron mixing.

RCS loops in MODE 5 (loops not filled) satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).

LCO The purpose of this LCO is to require that at least two RHR loops be OPERABLE and one of these loops be in operation. An OPERABLE loop is one that has the capability of transferring heat from the reactor coolant at a controlled rate. Heat cannot be removed via the RHR System unless forced flow is used. A minimum of one running RHR pump meets the LCO requirement for one loop in operation. An additional RHR loop is required to be OPERABLE to provide redundancy for heat removal.

Note 1 permits all RHR pumps to be removed from operation for

15 minutes when switching from one loop to another. The circumstances for stopping both RHR pumps are to be limited to situations when the outage time is short and core outlet (continued)

North Anna Units 1 and 2 B 3.4.8-1 Revision 0, 04/02/02

RCS Loops-MODE 5, Loops Not Filled B 3.4.8 BASES LCO temperature is maintained > 10OF below saturation (continued) temperature. The Note prohibits boron dilution with coolant at boron concentrations less than required to assure the SDM of LCO 3.1.1 is maintained or draining operations when RHR forced flow is stopped.

Note 2 allows one RHR loop to be inoperable for a period of

2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , provided that the other loop is OPERABLE and in operation. This permits periodic surveillance tests to be performed on the inoperable loop during the only time when these tests are safe and possible.

An OPERABLE RHR loop is comprised of an OPERABLE RHR pump capable of providing forced flow to an OPERABLE RHR heat exchanger. RHR pumps are OPERABLE if they are capable of being powered and are able to provide flow if required.

APPLICABILITY In MODE 5 with the unisolated portion of the loops not filled, this LCO requires core heat removal and coolant circulation by the RHR System.

Operation in other MODES is covered by:

LCO 3.4.4, "RCS Loops-MODES 1 and 2";

LCO 3.4.5, "RCS Loops-MODE 3";

LCO 3.4.6, "RCS Loops-MODE 4";

LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled";

LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level" (MODE 6); and LCO 3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level" (MODE 6).

If all RCS loops are isolated, the RCS water inventory is substantially reduced. In this circumstance, LCO 3.4.8 applies whether or not the isolated loops are filled.

ACTIONS A.1 If one required RHR loop is inoperable, redundancy for RHR is lost. Action must be initiated to restore a second loop to OPERABLE status. The immediate Completion Time reflects the importance of maintaining the availability of two paths for heat removal.

North Anna Units 1 and 2 B 3.4.8-2 Revision 0, 04/02/02

RCS Loops-MODE 5, Loops Not Filled B 3.4.8 BASES ACTIONS B.1 and B.2 (continued)

If no required loop is OPERABLE or the required loop is not in operation, except during conditions permitted by Note 1, all operations involving introduction of coolant into the RCS with boron concentration less than required to meet the minimum SDM of LCO 3.1.1 must be suspended and action must be initiated immediately to restore an RHR loop to OPERABLE status and operation. The required margin to criticality must not be reduced in this type of operation. Suspending the introduction of coolant into the RCS of coolant with boron concentration less than required to meet the minimum SDM of LCO 3.1.1 is required to assure continued safe operation.

With coolant added without forced circulation, unmixed coolant could be introduced to the core, however coolant added with boron concentration meeting the minimum SDM maintains acceptable margin to subcritical operations. The immediate Completion Time reflects the importance of maintaining operation for heat removal. The action to restore must continue until one loop is restored to OPERABLE status and operation.

SURVEILLANCE SR 3.4.8.1 REQUIREMENTS This SR requires verification every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months that the required loop is in operation. Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal. The Frequency of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is sufficient considering other indications and alarms available to the operator in the control room to monitor RHR loop performance.

SR 3.4.8.2 Verification that the required pump is OPERABLE ensures that an additional pump can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation.

Verification is performed by verifying proper breaker alignment and power available to the required pump. The Frequency of 7 days is considered reasonable in view of other administrative controls available and has been shown to be acceptable by operating experience.

This SR is modified by a Note that states the SR is not required to be performed until 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after a required pump is not in operation.

North Anna Units 1 and 2 B 3.4.8-3 Revision 0, 04/02/02

RCS Loops-MODE 5, Loops Not Filled B 3.4.8 BASES REFERENCES None.

North Anna Units 1 and 2 B 3.4.8-4 Revision 0, 04/02/02

Pressurizer B 3.4.9 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.9 Pressurizer BASES BACKGROUND The pressurizer provides a point in the RCS where liquid and vapor are maintained in equilibrium under saturated conditions for pressure control purposes to prevent bulk boiling in the remainder of the RCS. Key functions include maintaining required primary system pressure during steady state operation, and limiting the pressure changes caused by reactor coolant thermal expansion and contraction during normal load transients.

The pressure control components addressed by this LCO include the pressurizer water level, the required heaters, and their controls and emergency power supplies. Pressurizer safety valves and pressurizer power operated relief valves are addressed by LCO 3.4.10, "Pressurizer Safety Valves,"

and LCO 3.4.11, "Pressurizer Power Operated Relief Valves (PORVs)," respectively.

The intent of the LCO is to ensure that a steam bubble exists in the pressurizer prior to power operation to minimize the consequences of potential overpressure transients. The presence of a steam bubble is consistent with analytical assumptions. Relatively small amounts of noncondensible gases can inhibit the condensation heat transfer between the pressurizer spray and the steam, and diminish the spray effectiveness for pressure control.

Electrical immersion heaters, located in the lower section of the pressurizer vessel, keep the water in the pressurizer at saturation temperature and maintain a constant operating pressure. There are 5 groups of pressurizer heaters. Groups 1, 2, 4, and 5 are backup heaters. Group 3 consists of proportional heaters. Groups 1 and 4 are powered from the emergency busses and are governed by this Specification. A minimum required available capacity of pressurizer heaters ensures that the RCS pressure can be maintained. The capability to maintain and control system pressure is important for maintaining subcooled conditions in the RCS and ensuring the capability to remove core decay heat by either forced or natural circulation of reactor coolant.

Unless adequate heater capacity is available, the hot, high pressure condition cannot be maintained indefinitely and (continued)

North Anna Units 1 and 2 B 3.4.9-1 Revision 0, 04/02/02

Pressurizer B 3.4.9 BASES BACKGROUND still provide the required subcooling margin in the primary (continued) system. Inability to control the system pressure and maintain subcooling under conditions of natural circulation flow in the primary system could lead to a loss of single phase natural circulation and decreased capability to remove core decay heat.

APPLICABLE In MODES 1, 2, and 3, the LCO requirement for a steam bubble SAFETY ANALYSES is reflected implicitly in the accident analyses. Safety analyses performed for lower MODES are not limiting. All analyses performed from a critical reactor condition assume the existence of a steam bubble and saturated conditions in the pressurizer. In making this assumption, the analyses neglect the small fraction of noncondensible gases normally present.

Safety analyses presented in the UFSAR (Ref. 1) do not take credit for pressurizer heater operation unless their operation would increase the severity of the event; however, an implicit initial condition assumption of the safety analyses is that the pressure control system is maintaining RCS pressure in the normal operating range.

The maximum pressurizer water level limit, which ensures that a steam bubble exists in the pressurizer, satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii). Although the heaters are not specifically used in accident analysis, the need to maintain subcooling in the long term during loss of offsite power, as indicated in NUREG-0737 (Ref. 2), is the reason for providing an LCO.

LCO The LCO requirement for the pressurizer to be OPERABLE with a water volume

1240 cubic feet, which is equivalent to

93%, ensures that a steam bubble exists. Limiting the LCO maximum operating water level preserves the steam space for pressure control. The LCO has been established to ensure the capability to establish and maintain pressure control for steady state operation and to minimize the consequences of potential overpressure transients. Requiring the presence of a steam bubble is also consistent with analytical assumptions.

The LCO requires two groups of OPERABLE pressurizer heaters, each with a capacity Ž 125 kW, capable of being powered from an emergency bus. The two heater groups are designated as (continued)

North Anna Units 1 and 2 B 3.4.9-2 Revision 0, 04/02/02

Pressurizer B 3.4.9 BASES LCO Group 1 and Group 4. The minimum heater capacity required is (continued) sufficient to maintain the RCS near normal operating pressure when accounting for heat losses through the pressurizer insulation. By maintaining the pressure near the operating conditions, a wide margin to subcooling can be obtained in the loops. The exact design value of 125 kW is derived from the use of seven heaters rated at 17.9 kW each.

The amount needed to maintain pressure is dependent on the heat losses.

APPLICABILITY The need for pressure control is most pertinent when core heat can cause the greatest effect on RCS temperature, resulting in the greatest effect on pressurizer level and RCS pressure control. Thus, applicability has been designated for MODES 1 and 2. The applicability is also provided for MODE 3. The purpose is to prevent solid water RCS operation during heatup and cooldown to avoid rapid pressure rises caused by normal operational perturbation, such as reactor coolant pump startup.

In MODES 1, 2, and 3, there is need to maintain the availability of pressurizer heaters, capable of being powered from an emergency bus. In the event of a loss of offsite power, the initial conditions of these MODES give the greatest demand for maintaining the RCS in a hot pressurized condition with loop subcooling for an extended period. For MODE 4, 5, or 6, the need for pressurizer heaters supplied from an emergency bus to maintain pressure control is reduced because core heat is reduced, and has a correspondingly lower effect on pressurizer level and RCS pressure control. In addition, other mechanisms, such as the Residual Heat Removal (RHR) System and the Power Operated Relief Valves (PORVs) are available to control RCS temperature and pressure should normal offsite power be lost.

ACTIONS A.1, A.2, A.3 and A.4 Pressurizer water level control malfunctions or other unit evolutions may result in a pressurizer water level above the nominal upper limit, even with the unit at steady state conditions. Normally the unit will trip in this event since the upper limit of this LCO is the same as the Pressurizer Water Level-High Trip.

(continued)

North Anna Units 1 and 2 B 3.4.9-3 Revision 0, 04/02/02

Pressuri zer B 3.4.9 BASES ACTIONS A.1, A.2, A.3 and A.4 (continued)

If the pressurizer water level is not within the limit, action must be taken to bring the unit to a MODE in which the LCO does not apply. To achieve this status, within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months the unit must be brought to MODE 3, with all rods fully inserted and incapable of withdrawal. Additionally, the unit must be brought to MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . This takes the unit out of the applicable MODES.

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

B.1 If one required group of pressurizer heaters is inoperable, restoration is required within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . The Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is reasonable considering the anticipation that a demand caused by loss of offsite power would be unlikely in this period. Pressure control may be maintained during this time using the remaining heaters.

C.1 and C.2 If one group of pressurizer heaters are inoperable and cannot be restored in the allowed Completion Time of Required Action B.1, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.4.9.1 REQUIREMENTS This SR requires that during steady state operation, pressurizer level is maintained below the nominal upper limit to provide a minimum space for a steam bubble. The Surveillance is performed by observing the indicated level.

The Frequency of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months corresponds to verifying the parameter each shift. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months interval has been shown by operating practice to be sufficient to regularly assess level for any deviation and verify that operation is within (continued)

North Anna Units 1 and 2 B 3.4.9-4 Revision 0, 04/02/02

Pressurizer B 3.4.9 BASES SURVEILLANCE SR 3.4.9.1 (continued)

REQUIREMENTS the safety analyses assumption of ensuring that a steam bubble exists in the pressurizer. Alarms are also available for early detection of abnormal level indications.

SR 3.4.9.2 The SR is satisfied when the power supplies are demonstrated to be capable of producing the minimum power and the associated pressurizer heaters are verified to be at their required rating. This may be done by testing the power supply output and by performing an electrical check on heater element continuity and resistance. The Frequency of 18 months is considered adequate to detect heater degradation and has been shown by operating experience to be acceptable.

REFERENCES 1. UFSAR, Chapter 15.

2. NUREG-0737, November 1980.

North Anna Units 1 and 2 B 3.4.9-5 Revision 0, 04/02/02

Intentionally Blank Pressurizer Safety Valves B 3.4.10 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.10 Pressurizer Safety Valves BASES BACKGROUND The pressurizer safety valves provide, in conjunction with the Reactor Protection System, overpressure protection for the RCS. The pressurizer safety valves are totally enclosed pop type, spring loaded, self actuated valves with backpressure compensation. The safety valves are designed to prevent the system pressure from exceeding the system Safety Limit (SL), 2735 psig, which is 110% of the design pressure.

Because the safety valves are totally enclosed and self actuating, they are considered independent components. The relief capacity for each valve, 380,000 lb/hr, is based on postulated overpressure transient conditions resulting from a complete loss of steam flow to the turbine, a locked reactor coolant pump rotor, and reactivity insertion due to control rod withdrawal. The complete loss of steam flow is typically the limiting event. The limiting event results in the maximum surge rate into the pressurizer, which specifies the minimum relief capacity for the safety valves. The discharge flow from the pressurizer safety valves is directed to the pressurizer relief tank. This discharge flow is indicated by an increase in temperature downstream of the pressurizer safety valves, increase in the pressurizer relief tank temperature or level, or by the acoustic monitors located on the relief line.

Overpressure protection is required in MODES 1, 2, 3, 4, and 5; however, in MODE 4, with one or more RCS cold leg temperatures

235 0 F (Unit 1), 270°F (Unit 2), and MODE 5 and MODE 6 with the reactor vessel head on, overpressure protection is provided by operating procedures and by meeting the requirements of LCO 3.4.12, "Low Temperature Overpressure Protection (LTOP) System."

The safety valve pressure tolerance limit is expressed as an average value. The as-found error, expressed as a positive or negative percentage of each tested safety valve, is summed and divided by the number of valves tested. This average as-found value is compared to the acceptable range of +2% to -3%. In addition, no single valve is allowed to be outside of +/-3%. The lift setting is for the ambient conditions associated with MODES 1, 2, and 3. This requires (continued)

North Anna Units 1 and 2 B 3.4. 10-1 Revision 0, 04/02/02

Pressurizer Safety Valves B 3.4.10 BASES BACKGROUND either that the valves be set hot or that a correlation (continued) between hot and cold settings be established.

The pressurizer safety valves are part of the primary success path and mitigate the effects of postulated accidents. OPERABILITY of the safety valves ensures that the RCS pressure will be limited to 110% of design pressure. The consequences of exceeding the American Society of Mechanical Engineers (ASME) pressure limit (Ref. 1) could include damage to RCS components, increased leakage, or a requirement to perform additional stress analyses prior to resumption of reactor operation.

APPLICABLE All accident and safety analyses in the UFSAR (Ref. 2) that SAFETY ANALYSES require safety valve actuation assume operation of three pressurizer safety valves to limit increases in RCS pressure. The overpressure protection analysis (Ref. 3) is also based on operation of three safety valves. Accidents that could result in overpressurization if not properly terminated include:

a. Uncontrolled rod withdrawal from full power;

b. Loss of reactor coolant flow;

c. Loss of external electrical load;

d. Loss of normal feedwater;

e. Loss of all AC power to station auxiliaries;

f. Locked rotor; and

g. Uncontrolled rod withdrawal from subcritical.

Description of the analyses of the above transients are contained in Reference 2. Safety valve actuation is required in events a, c, f and g (above) to limit the pressure increase. Compliance with this LCO is consistent with the design bases and accident analyses assumptions.

Pressurizer safety valves satisfy Criterion 3 of 10 CFR

50. 36(c) (2) (ii).

North Anna Units 1 and 2 B 3.4.10-2 Revision 0, 04/02/02

Pressurizer Safety Valves B 3.4.10 BASES LCO The three pressurizer safety valves are set to open at the RCS design pressure (2485 psig), and within the ASME specified tolerance, to avoid exceeding the maximum design pressure SL, to maintain accident analyses assumptions, and to comply with ASME requirements. The safety valve pressure tolerance limit is expressed as an average value. The as found error, expressed as a positive or negative percentage of each tested safety valve, is summed and divided by the number of valves tested. This average as-found value is compared to the acceptable range of +2% to -3%. In addition, no single valve is allowed to be outside of +/-3%. The limit protected by this Specification is the reactor coolant pressure boundary (RCPB) SL of 110% of design pressure.

Inoperability of one or more valves could result in exceeding the SL if a transient were to occur. The consequences of exceeding the ASME pressure limit could include damage to one or more RCS components, increased leakage, or additional stress analysis being required prior to resumption of reactor operation.

APPLICABILITY In MODES 1, 2, and 3, and portions of MODE 4 above the LTOP arming temperature, OPERABILITY of three valves is required because the combined capacity is required to keep reactor coolant pressure below 110% of its design value during certain accidents. MODE 3 and portions of MODE 4 are conservatively included, although the listed accidents may not require the safety valves for protection.

The LCO is not applicable in MODE 4 when any RCS cold leg temperatures are

235 0 F (Unit 1), 270°F (Unit 2) or in MODE 5 because LTOP is provided. Overpressure protection is not required in MODE 6 with reactor vessel head detensioned.

The Note allows entry into MODES 3 and 4 with the lift settings outside the LCO limits. This permits testing and examination of the safety valves at high pressure and temperature near their normal operating range, but only after the valves have had a preliminary cold setting. The cold setting gives assurance that the valves are OPERABLE near their design condition. This method of testing is not currently used at North Anna, but it is an accepted method.

Only one valve at a time may be removed from service for testing. The 54 hour6.25e-4 days 0.015 hours 8.928571e-5 weeks 2.0547e-5 months exception is based on 18 hour2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months outage time for each of the three valves. The 18 hour2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months period is derived from industry experience that hot testing can be performed in this timeframe.

North Anna Units 1 and 2 B 3.4.10-3 Revision 0, 04/02/02

Pressurizer Safety Valves B 3.4.10 BASES ACTIONS A.1 With one pressurizer safety valve inoperable, restoration must take place within 15 minutes. The Completion Time of 15 minutes reflects the importance of maintaining the RCS Overpressure Protection System. An inoperable safety valve coincident with an RCS overpressure event could challenge the integrity of the pressure boundary.

B.1 and B.2 If the Required Action of A.1 cannot be met within the required Completion Time or if two or more pressurizer safety valves are inoperable, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 4 with any RCS cold leg temperatures

235-F (Unit 1), 270°F (Unit 2) within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. With any RCS cold leg temperatures at or below 235 0 F (Unit 1), 270°F (Unit 2), overpressure protection is provided by the LTOP System. The change from MODE 1, 2, or 3 to MODE 4 reduces the RCS energy (core power and pressure), lowers the potential for large pressurizer insurges, and thereby removes the need for overpressure protection by three pressurizer safety valves.

SURVEILLANCE SR 3.4.10.1 REQUIREMENTS SRs are specified in the Inservice Testing Program.

Pressurizer safety valves are to be tested in accordance with the requirements of the ASME Code (Ref. 4), which provides the activities and Frequencies necessary to satisfy the SRs. No additional requirements are specified.

The pressurizer safety valve setpoint given in the LCO is for OPERABILITY; however, the valves are reset to +/-1% during the Surveillance to allow for drift.

REFERENCES 1. ASME, Boiler and Pressure Vessel Code, Section III.

2. UFSAR, Chapter 15.

3. WCAP-7769, Rev. 1, June 1972.

North Anna Units 1 and 2 B 3.4. 10-4 Revision 0, 04/02/02

Pressurizer Safety Valves B 3.4.10 BASES REFERENCES 4. ASME Code for Operation and Maintenance of Nuclear Power (continued) Plants.

North Anna Units 1 and 2 B 3.4.10-5 Revision 0, 04/02/02

Intentionally Blank Pressurizer PORVs B 3.4.11 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.11 Pressurizer Power Operated Relief Valves (PORVs)

BASES BACKGROUND The pressurizer is equipped with two types of devices for pressure relief: pressurizer safety valves and PORVs. The PORVs are air or nitrogen operated valves that are controlled to open at a set pressure when the pressurizer pressure increases and close when the pressurizer pressure decreases. The PORVs may also be manually operated from the control room.

Block valves, which are normally open, are located between the pressurizer and the PORVs. The block valves are used to isolate the PORVs in case of excessive leakage or a stuck open PORV. Block valve closure is accomplished manually using controls in the control room. A stuck open PORV is, in effect, a small break loss of coolant accident (LOCA). As such, block valve closure terminates the RCS depressurization and coolant inventory loss.

The PORVs and their associated block valves may be used by unit operators to depressurize the RCS to recover from certain transients if normal pressurizer spray is not available. Additionally, the series arrangement of the PORVs and their block valves permit performance of surveillances on the valves during power operation.

The PORVs may also be used for feed and bleed core cooling in the case of multiple equipment failure events that are not within the design basis, such as a total loss of feedwater.

The PORVs, their block valves, and their controls are powered from the emergency buses that normally receive power from offsite power sources, but are also capable of being powered from emergency power sources in the event of a loss of offsite power. The PORVs are air operated valves and normally are provided motive force by the Instrument Air System. A backup, nitrogen supply for the PORVs is also available. Two PORVs and their associated block valves are powered from two separate safety trains (Ref. 1).

The unit has two PORVs, each having a relief capacity of 210,000 lb/hr at 2335 psig. The functional design of the PORVs is based on maintaining pressure below the Pressurizer (continued)

North Anna Units 1 and 2 B 3.4.11-1 Revision 0, 04/02/02

Pressurizer PORVs B 3.4.11 BASES BACKGROUND Pressure-High reactor trip setpoint following a step (continued) reduction of 50% of full load with steam dump. In addition, the PORVs minimize challenges to the pressurizer safety valves and also may be used for low temperature overpressure protection (LTOP). See LCO 3.4.12, "Low Temperature Overpressure Protection (LTOP) System."

APPLICABLE Unit operators employ the PORVs to depressurize the RCS in SAFETY ANALYSES response to certain unit transients if normal pressurizer spray is not available. For the Steam Generator Tube Rupture (SGTR) event, the safety analysis assumes that manual operator actions are required to mitigate the event. A loss of offsite power is assumed to accompany the event, and thus, normal pressurizer spray is unavailable to reduce RCS pressure. The PORVs are assumed to be used for RCS depressurization, which is one of the steps performed to equalize the primary and secondary pressures in order to terminate the primary to secondary break flow and the radioactive releases from the affected steam generator.

The PORVs are also modeled in safety analyses for events that result in increasing RCS pressure for which departure from nucleate boiling ratio (DNBR) criteria are critical (Ref. 2). By assuming PORV actuation, the primary pressure remains below the high pressurizer pressure trip setpoint; thus, the DNBR calculation is more conservative. As such, this actuation is not required to mitigate these events, and PORV automatic operation is, therefore, not an assumed safety function.

Pressurizer PORVs satisfy Criterion 3 of 10 CFR 50.36 (c) (2) (ii).

LCO The LCO requires the PORVs and their associated block valves to be OPERABLE for manual operation to mitigate the effects associated with an SGTR.

By maintaining two PORVs and their associated block valves OPERABLE, the single failure criterion is satisfied. An OPERABLE block valve may be either open and energized with the capability to be closed, or closed and energized with the capability to be opened, since the required safety function is accomplished by manual operation. Although typically open to allow PORV operation, the block valves may be OPERABLE when closed to isolate the flow path of an inoperable PORV (continued)

North Anna Units 1 and 2 B 3.4. 11-2 Revision 0, 04/02/02

Pressurizer PORVs B 3.4.11 BASES LCO that is capable of being manually cycled (e.g., as in the (continued) case of excessive PORV leakage). Similarly, isolation of an OPERABLE PORV does not render that PORV or block valve inoperable provided the relief function remains available with manual action.

An OPERABLE PORV is required to be capable of manually opening and closing, and not experiencing excessive seat leakage. Excessive seat leakage, although not associated with a specific acceptance criteria, exists when conditions dictate closure of the block valve to limit leakage to within LCO 3.4.13, "RCS Operational Leakage."

Satisfying the LCO helps minimize challenges to fission product barriers.

APPLICABILITY In MODES 1, 2, and 3, the PORVs and their associated block valves are required to be OPERABLE to limit the potential for a small break LOCA through the flow path and for manual operation to mitigate the effects associated with an SGTR.

The PORVs are also required to be OPERABLE in MODES 1, 2, and 3 for manual actuation to mitigate an SGTR event.

Imbalances in the energy output of the core and heat removal by the secondary system can cause the RCS pressure to increase to the PORV opening setpoint. The most rapid increases will occur at the higher operating power and pressure conditions of MODES 1 and 2.

Pressure increases are less prominent in MODE 3 because the core input energy is reduced, but the RCS pressure is high.

Therefore, the LCO is applicable in MODES 1, 2, and 3. The LCO is not applicable in MODES 4, 5, and 6 with the reactor vessel head in place when both pressure and core energy are decreased and the pressure surges become much less significant. LCO 3.4.12 addresses the PORV requirements in these MODES.

ACTIONS Note 1 has been added to clarify that all pressurizer PORVs are treated as separate entities, each with separate Completion Times (i.e., the Completion Time is on a component basis).

North Anna Units 1 and 2 B 3.4.11-3 Revision 0, 04/02/02

Pressurizer PORVs B 3.4.11 BASES ACTIONS A.1 (continued)

The PORVs are provided normal motive force by the Instrument Air system and have a backup nitrogen supply. If the backup nitrogen supply is inoperable, the PORVs are still capable of being manually cycled provided the Instrument Air system is available. The Instrument Air system is highly reliable and the likelihood of its being unavailable during a demand for PORV actuation is low enough to justify a 14 day Completion Time for return of the backup nitrogen supply to OPERABLE status.

B.1 PORVs may be inoperable and capable of being manually cycled (e.g., excessive seat leakage). In this Condition, either the PORVs must be restored or the flow path isolated within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The associated block valve is required to be closed, but power must be maintained to the associated block valve, since removal of power would render the block valve inoperable. This permits operation of the unit until the next refueling outage (MODE 6) so that maintenance can be performed on the PORVs to eliminate the problem condition.

Quick access to the PORV for pressure control can be made when power remains on the closed block valve. The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is based on unit operating experience that has shown that minor problems can be corrected or closure accomplished in this time period.

C.1, C.2, and C.3 If one PORV is inoperable and not capable of being manually cycled, it must be either restored, or isolated by closing the associated block valve and removing the power to the associated block valve. The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is reasonable, based on challenges to the PORVs during this time period, and provides the operator adequate time to correct the situation. If the inoperable valve cannot be restored to being capable of being manually cycled (permitting entry into Condition B), or OPERABLE status, it must be isolated within the specified time. Because there is one PORV that remains OPERABLE, an additional 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is provided to restore the inoperable PORV to OPERABLE status.

If the PORV cannot be restored within this additional time, the unit must be brought to a MODE in which the LCO does not apply, as required by Condition E.

North Anna Units 1 and 2 B 3.4.11-4 Revision 0, 04/02/02

Pressurizer PORVs B 3.4.11 BASES ACTIONS D.1 and D.2 (continued)

If one block valve is inoperable, then it is necessary to either restore the block valve to OPERABLE status within the Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months or place the associated PORV in manual control. The prime importance for the capability to close the block valve is to isolate a stuck open PORV.

Therefore, if the block valve cannot be restored to OPERABLE status within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , the Required Action is to place the PORV in manual control to preclude its automatic opening for an overpressure event and to avoid the potential for a stuck open PORV at a time that the block valve is inoperable. The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is reasonable, based on the small potential for challenges to the system during this time period, and provides the operator time to correct the situation. Because at least one PORV remains OPERABLE, the operator is permitted a Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to restore the inoperable block valve to OPERABLE status. The time allowed to restore the block valve is based upon the Completion Time for restoring an inoperable PORV in Condition C, since the PORVs may not be capable of mitigating an event if the inoperable block valve is not full open. If the block valve is restored within the Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , the PORV may be restored to automatic operation. If it cannot be restored within this additional time, the unit must be brought to a MODE in which the LCO does not apply, as required by Condition E.

The Required Actions D.1 and D.2 are modified by a Note stating that the Required Actions do not apply if the sole reason for the block valve being declared inoperable is as a result of power being removed to comply with another Required Action. In this event, the Required Actions for inoperable PORV(s) (which require the block valve power to be removed once it is closed) are adequate to address the condition. While it may be desirable to also place the PORV(s) in manual control, this may not be possible for all causes of Condition C entry with PORV(s) inoperable and not capable of being manually cycled (e.g., as a result of failed control power fuse(s) or control switch malfunction(s).)

E.1 and E.2 If the Required Action of Condition A, B, C, or D is not met, then the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 4 within (continued)

North Anna Units 1 and 2 B 3.4. 11-5 Revision 0, 04/02/02

Pressurizer PORVs B 3.4.11 BASES ACTIONS E.1 and E.2 (continued) 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, automatic PORV OPERABILITY is required. See LCO 3.4.12.

F.1 and F.2 If more than one PORV is inoperable and not capable of being manually cycled, then the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, automatic PORV OPERABILITY is required. See LCO 3.4.12.

G.1 If two block valves are inoperable, it is necessary to restore at least one block valve within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months . The Completion Time is reasonable, based on the small potential for challenges to the system during this time and provide the operator time to correct the situation.

The Required Action G.1 is modified by a Note stating that the Required Action does not apply if the sole reason for the block valve being declared inoperable is as a result of power being removed to comply with another Required Action. In this event, the Required Action for inoperable PORV (which requires the block valve power to be removed once it is closed) is adequate to address the condition. While it may be desirable to also place the PORV in manual control, this may not be possible for all causes of Condition C entry with PORV inoperable and not capable of being manually cycled (e.g.,

as a result of failed control power fuse(s) or control switch malfunction(s)).

H.1 and H.2 If the Required Actions of Condition G are not met, then the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at (continued)

North Anna Units 1 and 2 B 3.4. 11-6 Revision 0, 04/02/02

Pressurizer PORVs B 3.4.11 BASES ACTIONS H.1 and H.2 (continued) least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, automatic PORV OPERABILITY is required. See LCO 3.4.12.

SURVEILLANCE SR 3.4.11.1 REQUIREMENTS SR 3.4.11.1 requires verification that the pressure in the PORV backup nitrogen system is sufficient to provide motive force for the PORVs to cope with a steam generator tube rupture coincident with loss of the containment Instrument Air system. The Frequency of 7 days is based on operating experience.

SR 3.4.11.2 Block valve cycling verifies that the valve(s) can be opened and closed if needed. The basis for the Frequency of 92 days is the ASME Code (Ref. 3).

This SR is modified by two Notes. Note 1 modifies this SR by stating that it is not required to be performed with the block valve closed, in accordance with the Required Actions of this LCO. Opening the block valve in this condition increases the risk of an unisolable leak from the RCS since the PORV is already inoperable.

Note 2 modifies this SR to allow entry into and operation in MODE 3 prior to performing the SR. This allows the test to be performed in MODE 3 under operating temperature and pressure conditions, prior to entering MODE 1 or 2.

SR 3.4.11.3 SR 3.4.11.3 requires a complete cycle of each PORV.

Operating a PORV through one complete cycle ensures that the PORV can be manually actuated for mitigation of an SGTR. This testing is performed in MODES 3 or 4 to prevent possible RCS pressure transients with the reactor critical. The Frequency of 18 months is based on a typical refueling cycle and industry accepted practice.

(continued)

North Anna Units 1 and 2 B 3.4. 11-7 Revision 0, 04/02/02

Pressurizer PORVs B 3.4.11 BASES SURVEILLANCE SR 3.4.11.3 (continued)

REQUIREMENTS The Note modifies this SR to allow entry into and operation in MODE 3 prior to performing the SR. This allows the test to be performed in MODE 3 under operating temperature and pressure conditions, prior to entering MODE 1 or 2.

SR 3.4.11.4 Operating the solenoid control valves and check valves on the accumulators ensures the PORV control system actuates properly when called upon. The Frequency of 18 months is based on a typical refueling cycle and the Frequency of the other Surveillances used to demonstrate PORV OPERABILITY.

REFERENCES 1. Regulatory Guide 1.32, February 1977.

2. UFSAR, Section 15.4.

3. ASME Code for Operation and Maintenance of Nuclear Power Plants.

North Anna Units 1 and 2 B 3.4. 11-8 Revision 0, 04/02/02

LTOP System B 3.4.12 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.12 Low Temperature Overpressure Protection (LTOP) System BASES BACKGROUND The LTOP System controls RCS pressure at low temperatures so the integrity of the reactor coolant pressure boundary (RCPB) is not compromised by violating the LTOP System design basis pressure and temperature (P/T) limit curve (i.e., 110% of the isothermal P/T limit curve determined to satisfy the requirements of 10 CFR 50, Appendix G, Ref. 1).

The reactor vessel is the limiting RCPB component for demonstrating such protection. This specification provides the maximum allowable actuation logic setpoints for the power operated relief valves (PORVs) and LCO 3.4.3, "RCS Pressure and Temperature (P/T) Limits," provides the maximum RCS pressure for the existing RCS cold leg temperature during cooldown, shutdown, and heatup to meet the Reference 1 requirements during the LTOP MODES.

The reactor vessel material is less tough at low temperatures than at normal operating temperature. As the vessel neutron exposure accumulates, the material toughness decreases and becomes less resistant to pressure stress at low temperatures (Ref. 2). RCS pressure, therefore, is maintained low at low temperatures and is increased only as temperature is increased.

The potential for vessel overpressurization is most acute when the RCS is water solid, occurring only while shutdown; a pressure fluctuation can occur more quickly than an operator can react to relieve the condition. Exceeding the RCS P/T limits by a significant amount could cause brittle cracking of the reactor vessel. LCO 3.4.3, "RCS Pressure and Temperature (P/T) Limits," requires administrative control of RCS pressure and temperature during heatup and cooldown to prevent exceeding the P/T limits.

This LCO provides RCS overpressure protection by limiting coolant input capability and having adequate pressure relief capacity. Limiting coolant input capability requires all but one low head safety injection (LHSI) pump and one charging pump incapable of injection into the RCS and isolating the accumulators when accumulator pressure is greater than the PORV lift setting. The pressure relief capacity requires either two redundant RCS PORVs or a depressurized RCS and an (continued)

North Anna Units 1 and 2 B 3.4.12-1 Revision 0, 04/02/02

LTOP System B 3.4.12 BASES BACKGROUND RCS vent of sufficient size. One RCS PORV or the open RCS (continued) vent is the overpressure protection device that acts to terminate an increasing pressure event.

With limited coolant input capability, the ability to provide core coolant addition is restricted. The LCO does not require the makeup control system deactivated or the safety injection (SI) actuation circuits blocked. Due to the lower pressures in the LTOP MODES and the expected core decay heat levels, the makeup system can provide adequate flow via the makeup control valve. If conditions require the use of more than one LHSI and charging pump for makeup in the event of loss of inventory, then pumps can be made available through manual actions.

The LTOP System for pressure relief consists of two PORVs with reduced lift settings, or a depressurized RCS and an RCS vent of sufficient size. Two RCS PORVs are required for redundancy. One RCS PORV has adequate relieving capability to keep from overpressurization for the required coolant input capability.

PORV Requirements As designed for the LTOP System, each PORV is signaled to open if the RCS pressure exceeds a limit determined by the LTOP actuation logic. The LTOP actuation logic monitors both RCS temperature and RCS pressure and determines when a condition is not acceptable. The wide range RCS temperature indications are auctioneered to select the lowest temperature signal.

The lowest temperature signal is passed to a comparator circuit which determines the pressure limit for that temperature. The pressure limit is then compared with the indicated RCS pressure from a wide range pressure channel.

If the indicated pressure meets or exceeds the calculated value, the PORVs are signaled to open.

The PORV setpoints are staggered so only one valve opens to stop a low temperature overpressure transient. If the opening of the first valve does not prevent a further increase in pressure, a second valve will open at its higher pressure setpoint to stop the transient. Having the setpoints of both valves within the limits in the LCO ensures that the LTOP System design basis P/T limit curve will not be exceeded in any analyzed event.

(continued)

North Anna Units 1 and 2 B 3.4. 12-2 Revision 0, 04/02/02

LTOP System B 3.4.12 BASES BACKGROUND PORV Requirements (continued)

When a PORV is opened in an increasing pressure transient, the release of coolant will cause the pressure increase to slow and reverse. As the PORV releases coolant, the RCS pressure decreases until a reset pressure is reached and the valve is signaled to close. The pressure continues to decrease below the reset pressure as the valve closes.

RCS Vent Reauirements Once the RCS is depressurized, a vent exposed to the containment atmosphere will maintain the RCS within the LTOP design basis P/T limit curve in an RCS overpressure transient, if the relieving requirements of the transient do not exceed the capabilities of the vent. Thus, the vent path must be capable of relieving the flow resulting from the limiting LTOP mass or heat input transient, and maintaining pressure below the LTOP System design basis P/T limit curve.

The required vent capacity may be provided by one or more vent paths.

For an RCS vent to meet the flow capacity requirement, it requires removing a pressurizer safety valve, blocking open a PORV and its block valve, or similarly establishing a vent by opening an RCS vent valve. The vent path(s) must be above the level of reactor coolant, so as not to drain the RCS when open.

APPLICABLE Safety analyses (Ref. 3) demonstrate that the reactor vessel SAFETY ANALYSES is adequately protected against exceeding the LTOP System design basis P/T limit curve (i.e., 110% of the isothermal P/T limit curve determined to satisfy the requirements of 10 CFR 50, Appendix G, Ref. 1). In MODES 1, 2, and 3, and in MODE 4 with RCS cold leg temperature exceeding 2357F (Unit 1), 270°F (Unit 2), the pressurizer safety valves will prevent RCS pressure from exceeding the Reference 1 limits.

At 235 0 F (Unit 1), 270°F (Unit 2) and below, overpressure prevention falls to two OPERABLE RCS PORVs or to a depressurized RCS and a sufficient sized RCS vent. Each of these means has a limited overpressure relief capability.

The RCS cold leg temperature below which LTOP protection must be provided increases as the reactor vessel material toughness decreases due to neutron embrittlement. Each time the P/T curves are revised, the LTOP System must be (continued)

North Anna Units 1 and 2 B 3.4. 12-3 Revision 0, 04/02/02

LTOP System B 3.4.12 BASES APPLICABLE re-evaluated to ensure its functional requirements can still SAFETY ANALYSES be met using the PORV method or the depressurized and vented (continued) RCS condition.

The LCO contains the acceptance limits that define the LTOP requirements. Any change to the RCS must be evaluated against the Reference 3 analyses to determine the impact of the change on the LTOP acceptance limits.

Transients that are capable of overpressurizing the RCS are categorized as either mass or heat input transients, examples of which follow:

Mass Input Type Transients

a. Inadvertent safety injection; or

b. Charging/letdown flow mismatch.

Heat Input Type Transients

a. Reactor coolant pump (RCP) startup with temperature asymmetry between the RCS and steam generators.

The following are required during the LTOP MODES to ensure that mass and heat input transients do not occur, which either of the LTOP overpressure protection means cannot handle:

a. Rendering all but one LHSI pump and one charging pump incapable of injection;

b. Deactivating the accumulator discharge isolation valves in their closed positions when accumulator pressure is greater than the PORV lift setting; and

c. Disallowing start of an RCP if secondary temperature is more than 50°F above primary temperature in any one loop.

LCO 3.4.6, "RCS Loops-MODE 4," and LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled," provide this protection.

The Reference 3 analyses demonstrate that either one PORV or the depressurized RCS and RCS vent can maintain RCS pressure below limits when only one LHSI pump and one charging pump are actuated. Thus, the LCO allows only one LHSI pump and one charging pump OPERABLE during the LTOP MODES. The (continued)

North Anna Units 1 and 2 B 3.4.12-4 Revision 0, 04/02/02

LTOP System B 3.4.12 BASES APPLICABLE Heat Input Type Transients (continued)

SAFETY ANALYSES Reference 3 analyses do not explicitly model actuation of the LHSI pump, since the RCS pressurization resulting from inadvertent safety injection by a single charging pump against a water-solid RCS would not be made more severe by such actuation. Since the LTOP analyses assume that the accumulators do not cause a mass addition transient, when RCS temperature is low, the LCO also requires the accumulators to be isolated when accumulator pressure is greater than the PORV lift setting. The isolated accumulators must have their discharge valves closed and the valve power supply breakers fixed in their open positions.

Fracture mechanics analyses established the temperature of LTOP Applicability at 235°F (Unit 1), 27 0 °F (Unit 2).

The consequences of a small break loss of coolant accident (LOCA) in LTOP MODE 4 conform to 10 CFR 50.46 (Ref. 4),

requirements by having a maximum of one LHSI pump and one charging pump OPERABLE.

PORV Performance The fracture mechanics analyses show that the vessel is protected when the PORVs are set to open at or below the limits shown in the LCO. The setpoints are derived by analyses that model the performance of the LTOP System, assuming the limiting LTOP transient of one charging pump injecting into the RCS. These analyses consider pressure overshoot beyond the PORV opening and closing, resulting from signal processing and valve stroke times. The PORV setpoints at or below the derived limit ensure the RCS pressure at the reactor vessel beltline will not exceed the LTOP design P/T limit curve.

The PORV setpoints are evaluated when the P/T limits are modified. The P/T limits are periodically modified as the reactor vessel material toughness decreases due to neutron embrittlement caused by neutron irradiation. Revised limits are determined using neutron fluence projections and the results of examinations of the reactor vessel material irradiation surveillance specimens. The Bases for LCO 3.4.3 discuss these examinations.

The PORVs are considered active components. Thus, the failure of one PORV is assumed to represent the worst case, single active failure.

North Anna Units 1 and 2 B 3.4.12-5 Revision 0, 04/02/02

LTOP System B 3.4.12 BASES APPLICABLE RCS Vent Performance SAFETY ANALYSES (continued) With the RCS depressurized, analyses show a vent size of 2.07 square inches is capable of mitigating the allowed LTOP overpressure transient. (A vent size of 2.07 square inches is the equivalent relief capacity of one PORV.) The capacity of a vent this size is greater than the flow of the limiting transient for the LTOP configuration, one LHSI pump and one charging pump OPERABLE, maintaining RCS pressure less than the LTOP design basis P/T limit curve.

The RCS vent size is re-evaluated for compliance each time the P/T limit curves are revised based on the results of the vessel material surveillance.

The RCS vent is passive and is not subject to active failure.

The LTOP System satisfies Criterion 2 of 10 CFR 50.36(c) (2) (i i).

LCO This LCO requires that the LTOP System is OPERABLE. The LTOP System is OPERABLE when the minimum coolant input and pressure relief capabilities are OPERABLE. Violation of this LCO could lead to the loss of low temperature overpressure mitigation and violation of the LTOP System design basis P/T limit curve (i.e., 110% of the isothermal P/T limit curve determined to satisfy the requirements of 10 CFR 50, Appendix G, Ref. 1) as a result of an operational transient.

To limit the coolant input capability, the LCO requires a maximum of one LHSI pump and one charging pump capable of injecting into the RCS and all accumulator discharge isolation valves closed with power removed from the isolation valve operator, when accumulator pressure is greater than the PORV lift setting.

The LCO is modified by two Notes. Note 1 allows two charging pumps to be made capable of injection for

1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months during pump swap operations. One hour provides sufficient time to safely complete the actual transfer and to complete the administrative controls and Surveillance requirements associated with the swap. The intent is to minimize the actual time that more than one charging pump is physically capable of injection.

(continued)

North Anna Units 1 and 2 B 3.4. 12-6 Revision 0, 04/02/02

LTOP System B 3.4.12 BASES LCO Note 2 states that accumulator isolation is only required (continued) when the accumulator pressure is more than the PORV lift setting. This Note permits the accumulator discharge isolation valves to be open if the accumulator cannot challenge the LTOP limits.

The elements of the LCO that provide low temperature overpressure mitigation through pressure relief are:

a. Two OPERABLE PORVs; or A PORV is OPERABLE for LTOP when its block valve is open, its lift setpoint is set to the limits provided in the LCO and testing proves its ability to open at this setpoint, and backup nitrogen motive power is available to the PORVs and their control circuits.

b. A depressurized RCS and an RCS vent.

An RCS vent is OPERABLE when open with an area of

Ž 2.07 square inches.

Each of these methods of overpressure prevention is capable of mitigating the limiting LTOP transient.

APPLICABILITY This LCO is applicable in MODE 4 when any RCS cold leg temperature is

235 0 F (Unit 1), 270°F (Unit 2), in MODE 5, and in MODE 6 when the reactor vessel head is on. The pressurizer safety valves provide overpressure protection that meets the Reference 1 P/T limits above 235 0 F (Unit 1),

2707F (Unit 2). When the reactor vessel head is off, overpressurization cannot occur.

LCO 3.4.3 provides the operational P/T limits for all MODES.

LCO 3.4.10, "Pressurizer Safety Valves," requires the OPERABILITY of the pressurizer safety valves that provide overpressure protection during MODES 1, 2, and 3, and MODE 4 above 2357F (Unit 1), 270°F (Unit 2).

Low temperature overpressure prevention is most critical during shutdown when the RCS is water solid, and a mass or heat input transient can cause a very rapid increase in RCS pressure when little or no time allows operator action to mitigate the event.

North Anna Units 1 and 2 B 3.4. 12-7 Revision 0, 04/02/02

LTOP System B 3.4.12 BASES ACTIONS A.1 and B.1 With more than one LHSI pump and one charging pump capable of injecting into the RCS, RCS overpressurization is possible.

To immediately initiate action to restore restricted coolant input capability to the RCS reflects the urgency of removing the RCS from this condition.

C.1, C.2, D.1, and D.2 An unisolated accumulator requires isolation immediately.

Power available to an accumulator isolation valve operator must be removed in one hour. These ACTIONS are modified by a Note which states the Condition only applies if the accumulator pressure is more than the PORV lift setting.

If isolation is needed and cannot be accomplished, Required Action D.1 and Required Action D.2 provide two options, either of which must be performed in the next 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . By increasing the RCS temperature to > 235 0 F (Unit 1), 270°F (Unit 2), the LCO is no longer Applicable. Depressurizing the accumulators below the PORV lift setting also exits the Condition.

The Completion Times are based on operating experience that these activities can be accomplished in these time periods and on engineering judgement indicating that an event requiring LTOP is not likely in the allowed times.

E.1 In MODE 4 when any RCS cold leg temperature is

235°F (Unit 1), 270°F (Unit 2), with one RCS PORV inoperable, the RCS PORV must be restored to OPERABLE status within a Completion Time of 7 days. Two PORVs are required to provide low temperature overpressure mitigation while withstanding a single failure of an active component.

The Completion Time considers the facts that only one of the PORVs is required to mitigate an overpressure transient and that the likelihood of an active failure of the remaining valve path during this time period is very low.

North Anna Units 1 and 2 B 3.4.12-8 Revision 0, 04/02/02

LTOP System B 3.4.12 BASES ACTIONS F.1 (conti nued)

The consequences of operational events that will overpressurize the RCS are more severe at lower temperature (Ref. 5). Thus, with one of the two RCS PORVs inoperable in MODE 5 or in MODE 6 with the head on, the Completion Time to restore two valves to OPERABLE status is 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

The Completion Time represents a reasonable time to investigate and repair PORV failures without exposure to a lengthy period with only one OPERABLE RCS PORV to protect against overpressure events.

G.1 The RCS must be depressurized and a vent must be established within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months when:

a. Both required RCS PORVs are inoperable; or

b. A Required Action and associated Completion Time of Condition A, B, D, E, or F is not met; or

c. The LTOP System is inoperable for any reason other than Condition A, B, C, D, E, or F.

The vent must be sized Ž 2.07 square inches to ensure that the flow capacity is greater than that required for the worst case mass input transient reasonable during the applicable MODES. This action is needed to protect the RCPB from a low temperature overpressure event and a possible brittle failure of the reactor vessel.

The Completion Time considers the time required to place the unit in this Condition and the relatively low probability of an overpressure event during this time period due to increased operator awareness of administrative control requirements.

SURVEILLANCE SR 3.4.12.1. SR 3.4.12.2, and SR 3.4.12.3 REQUIREMENTS To minimize the potential for a low temperature overpressure event by limiting the mass input capability, a maximum of one LHSI pump and a maximum of one charging pump are verified (continued)

North Anna Units 1 and 2 B 3.4.12-9 Revision 0, 04/02/02

LTOP System B 3.4.12 BASES SURVEILLANCE SR 3.4.12.1, SR 3.4.12.2, and SR 3.4.12.3 (continued)

REQUIREMENTS incapable of injecting into the RCS and the accumulator discharge isolation valves are verified closed with power removed from the isolation valve operator.

SR 3.4.12.3 is modified by a Note stating that the verification is only required when accumulator pressure is greater than the PORV lift setting. With accumulator pressure less than the PORV lift setting, the accumulator cannot challenge the LTOP limits and the isolation valves are allowed to be open.

The LHSI pumps and charging pumps are rendered incapable of injecting into the RCS through removing the power from the pumps by racking the breakers out under administrative control. An alternate method of LTOP control may be employed using at least two independent means to prevent a pump start such that a single failure or single action will not result in an injection into the RCS. This may be accomplished through the pump control switch being placed in pull to lock and at least one valve in the discharge flow path being closed.

The Frequency of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is sufficient, considering other indications and alarms available to the operator in the control room, to verify the required status of the equipment.

SR 3.4.12.4 The RCS vent of Ž 2.07 square inches is proven OPERABLE by verifying its open condition either:

a. Once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for a valve that is not locked.

b. Once every 31 days for a valve that is locked, sealed, or secured in position. A removed pressurizer safety valve or blocked open PORV with its block valve disabled in the open position fits this category.

The passive vent arrangement must only be open to be OPERABLE. This Surveillance is required to be performed if the vent is being used to satisfy the pressure relief requirements of the LCO 3.4.12b.

North Anna Units 1 and 2 B 3.4.12-10 Revision 0, 04/02/02

LTOP System B 3.4.12 BASES SURVEILLANCE SR 3.4.12.5 REQUIREMENTS (continued) The PORV block valve must be verified open every 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to provide the flow path for each required PORV to perform its function when actuated. The valve may be remotely verified open in the main control room. In addition, the PORV keyswitch must be verified to be in the proper position to provide the appropriated trip setpoints to the PORV actuation logic. This Surveillance is performed if the PORV is used to satisfy the LCO.

The block valve is a remotely controlled, motor operated valve. The power to the valve operator is not required removed, and the manual operator is not required locked in the inactive position. Thus, the block valve can be closed in the event the PORV develops excessive leakage or does not close (sticks open) after relieving an overpressure situation.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Frequency is considered adequate in view of other administrative controls available to the operator in the control room, such as valve position indication and alarms, that verify that the PORV block valve remains open and the keyswitch in the proper position.

SR 3.4.12.6 SR 3.4.12.6 requires verification that the pressure in the PORV backup nitrogen system is sufficient to provide motive force for the PORVs to cope with an overpressure event. The Frequency of 7 days is based on operating experience.

SR 3.4.12.7 Performance of a COT is required within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after decreasing RCS temperature to

235 0 F (Unit 1), 270°F (Unit 2) and every 31 days on each required PORV to verify and, as necessary, adjust its lift setpoint. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL OPERATIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. The COT will (continued)

North Anna Units 1 and 2 B 3.4.12-11 Revision 0, 04/02/02

LTOP System B 3.4.12 BASES SURVEILLANCE SR 3.4.12.7 (continued)

REQUIREMENTS verify the setpoint is within the allowed maximum limits in this specification. PORV actuation could depressurize the RCS and is not required.

The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Frequency considers the unlikelihood of a low temperature overpressure event during this time.

A Note has been added indicating that this SR is required to be met 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after decreasing RCS cold leg temperature to

235 0 F (Unit 1), 270°F (Unit 2). The COT cannot be performed until in the LTOP MODES when the PORV lift setpoint can be reduced to the LTOP setting. The test must be performed within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after entering the LTOP MODES.

SR 3.4.12.8 Performance of a CHANNEL CALIBRATION on each required PORV actuation channel is required every 18 months to adjust the whole channel so that it responds and the valve opens within the required range and accuracy to known input.

REFERENCES 1. 10 CFR 50, Appendix G.

2. Generic Letter 88-11.

3. UFSAR, Section 5.2.2.2.

4. 10 CFR 50, Section 50.46.

5. Generic Letter 90-06.

North Anna Units 1 and 2 B 3.4. 12-12 Revision 0, 04/02/02

RCS Operational LEAKAGE B 3.4.13 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.13 RCS Operational LEAKAGE BASES BACKGROUND Components that contain or transport the coolant to or from the reactor core make up the RCS. Component joints are made by welding, bolting, rolling, or pressure loading, and valves isolate connecting systems from the RCS.

During plant life, the joint and valve interfaces can produce varying amounts of reactor coolant LEAKAGE, through either normal operational wear or mechanical deterioration.

The purpose of the RCS Operational LEAKAGE LCO is to limit system operation in the presence of LEAKAGE from these sources to amounts that do not compromise safety. This LCO specifies the types and amounts of LEAKAGE.

General Design Criteria 3 (Ref. 1), requires means for detecting and, to the extent practical, identifying the source of reactor coolant LEAKAGE. Regulatory Guide 1.45 (Ref. 2) describes acceptable methods for selecting leakage detection systems.

The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring reactor coolant LEAKAGE into the containment area is necessary. Quickly separating the identified LEAKAGE from the unidentified LEAKAGE is necessary to provide quantitative information to the operators, allowing them to take corrective action should a leak occur that is detrimental to the safety of the facility and the public.

A limited amount of leakage inside containment is expected from auxiliary systems that cannot be made 100% leaktight.

Leakage from these systems should be detected, located, and isolated from the containment atmosphere, if possible, to not interfere with RCS leakage detection.

This LCO deals with protection of the reactor coolant pressure boundary (RCPB) from degradation and the core from inadequate cooling, in addition to preventing the accident analyses radiation release assumptions from being exceeded.

The consequences of violating this LCO include the possibility of a loss of coolant accident (LOCA).

North Anna Units 1 and 2 B 3.4.13-1 Revision 0, 04/02/02

RCS Operational LEAKAGE B 3.4.13 BASES APPLICABLE Except for primary to secondary LEAKAGE, the safety analyses SAFETY ANALYSES do not address operational LEAKAGE. However, other operational LEAKAGE is related to the safety analyses for LOCA; the amount of leakage can affect the probability of such an event. The safety analysis for an event resulting in steam discharge to the atmosphere assumes a 1 gpm primary to secondary LEAKAGE as the initial condition.

Primary to secondary LEAKAGE is a factor in the dose releases outside containment resulting from a steam line break (SLB) accident. To a lesser extent, other accidents or transients involve secondary steam release to the atmosphere, such as a steam generator tube rupture (SGTR). The leakage contaminates the secondary fluid.

The UFSAR (Ref. 3) analysis for SGTR assumes the contaminated secondary fluid is only briefly released via safety valves and the majority is steamed to the condenser if offsite power is available. The 1 gpm primary to secondary LEAKAGE is relatively inconsequential in this case. If offsite power is not available, releases continue through the unaffected steam generators until the Residual Heat Removal System is placed in service. In this case, the 1 gpm primary to secondary LEAKAGE is more significant.

The SLB is more limiting for site radiation releases. The safety analysis for the SLB accident assumes primary to secondary LEAKAGE as an initial condition. The dose consequences resulting from the SLB accident are well within the limits defined in the staff approved licensing basis.

The RCS operational LEAKAGE satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO RCS operational LEAKAGE shall be limited to:

a. Pressure Boundary LEAKAGE No pressure boundary LEAKAGE is allowed, being indicative of material deterioration. LEAKAGE of this type is unacceptable as the leak itself could cause further deterioration, resulting in higher LEAKAGE. Violation of this LCO could result in continued degradation of the RCPB. LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE.

North Anna Units 1 and 2 B 3.4.13-2 Revision 0, 04/02/02

RCS Operational LEAKAGE B 3.4.13 BASES LCO b. Unidentified LEAKAGE (continued)

One gallon per minute (gpm) of unidentified LEAKAGE is allowed as a reasonable minimum detectable amount that the containment air monitoring and containment sump level monitoring equipment can detect within a reasonable time period. Violation of this LCO could result in continued degradation of the RCPB, if the LEAKAGE is from the pressure boundary.

c. Identified LEAKAGE Up to 10 gpm of identified LEAKAGE is considered allowable because LEAKAGE is from known sources that do not interfere with detection of unidentified LEAKAGE and is well within the capability of the RCS Makeup System.

Identified LEAKAGE includes LEAKAGE to the containment from specifically known and located sources, but does not include pressure boundary LEAKAGE or controlled reactor coolant pump (RCP) seal leakoff (a normal function not considered LEAKAGE). Violation of this LCO could result in continued degradation of a component or system.

d. Primary to Secondary LEAKAGE through All Steam Generators (SGs)

Total primary to secondary LEAKAGE amounting to 1 gpm through all SGs produces acceptable offsite doses in the SLB accident analysis. Violation of this LCO could exceed the offsite dose limits for this accident. Primary to secondary LEAKAGE must be included in the total allowable limit for identified LEAKAGE.

e. Primary to Secondary LEAKAGE through Any One SG The 500 gallons per day limit on one SG is based on the assumption that a single crack leaking this amount would not propagate to a SGTR under the stress conditions of a LOCA or a main steam line rupture. If leaked through many cracks, the cracks are very small, and the above assumption is conservative.

North Anna Units 1 and 2 B 3.4.13-3 Revision 0, 04/02/02

RCS Operational LEAKAGE B 3.4.13 BASES APPLICABILITY In MODES 1, 2, 3, and 4, the potential for RCPB LEAKAGE is greatest when the RCS is pressurized.

In MODES 5 and 6, LEAKAGE limits are not required because the reactor coolant pressure is far lower, resulting in lower stresses and reduced potentials for LEAKAGE.

LCO 3.4.14, "RCS Pressure Isolation Valve (PIV) Leakage,"

measures leakage through each individual PIV and can impact this LCO. Of the two PIVs in series in each isolated line, leakage measured through one PIV does not result in RCS LEAKAGE when the other is leak tight. If both valves leak and result in a loss of mass from the RCS, the loss must be included in the allowable identified LEAKAGE.

ACTIONS A.1 Unidentified LEAKAGE, identified LEAKAGE, or primary to secondary LEAKAGE in excess of the LCO limits must be reduced to within limits within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . This Completion Time allows time to verify leakage rates and either identify unidentified LEAKAGE or reduce LEAKAGE to within limits before the reactor must be shut down. This action is necessary to prevent further deterioration of the RCPB.

B.1 and B.2 If any pressure boundary LEAKAGE exists, or if unidentified LEAKAGE, identified LEAKAGE, or primary to secondary LEAKAGE cannot be reduced to within limits within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , the reactor must be brought to lower pressure conditions to reduce the severity of the LEAKAGE and its potential consequences. It should be noted that LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE. The reactor must be brought to MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . This action reduces the LEAKAGE and also reduces the factors that tend to degrade the pressure boundary.

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 5, the pressure stresses acting on the RCPB are much lower, and further deterioration is much less likely.

North Anna Units 1 and 2 B 3.4.13-4 Revision 0, 04/02/02

RCS Operational LEAKAGE B 3.4.13 BASES SURVEILLANCE SR 3.4.13.1 REQUIREMENTS Verifying RCS LEAKAGE to be within the LCO limits ensures the integrity of the RCPB is maintained. Pressure boundary LEAKAGE would at first appear as unidentified LEAKAGE and can only be positively identified by inspection. It should be noted that LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE. Unidentified LEAKAGE and identified LEAKAGE are determined by performance of an RCS water inventory balance. Primary to secondary LEAKAGE is also measured by performance of an RCS water inventory balance in conjunction with effluent monitoring within the secondary steam and feedwater systems.

The RCS water inventory balance must be met with the reactor at steady state operating conditions (stable temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flows).

Therefore, a Note is added allowing that this SR is not required to be performed until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after establishing steady state operation. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowance provides sufficient time to collect and process all necessary data after stable plant conditions are established.

Steady state operation is required to perform a proper inventory balance since calculations during maneuvering are not useful. For RCS operational LEAKAGE determination by water inventory balance, steady state is defined as stable RCS pressure, temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flows.

An early warning of pressure boundary LEAKAGE or unidentified LEAKAGE is provided by the automatic systems that monitor the containment atmosphere radioactivity and the containment sump level. It should be noted that LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE.

These leakage detection systems are specified in LCO 3.4.15, "RCS Leakage Detection Instrumentation."

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Frequency is a reasonable interval to trend LEAKAGE and recognizes the importance of early leakage detection in the prevention of accidents.

North Anna Units 1 and 2 B 3.4.13-5 Revision 0, 04/02/02

RCS Operational LEAKAGE B 3.4.13 BASES SURVEILLANCE SR 3.4.13.2 REQUIREMENTS (continued) This SR provides the means necessary to determine SG OPERABILITY in an operational MODE. The requirement to demonstrate SG tube integrity in accordance with the Steam Generator Tube Surveillance Program emphasizes the importance of SG tube integrity, even though this Surveillance cannot be performed at normal operating conditions.

REFERENCES 1. UFSAR, Section 3.1.26.

2. Regulatory Guide 1.45, May 1973.

3. UFSAR, Chapter 15.

North Anna Units 1 and 2 B 3.4.13-6 Revision 0, 04/02/02

RCS PIV Leakage B 3.4.14 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.14 RCS Pressure Isolation Valve (PIV) Leakage BASES BACKGROUND 10 CFR 50.2, 10 CFR 50.55a(c), and General Design Criteria 55 (Refs. 1, 2, and 3), define RCS PIVs as any two normally closed valves in series within the reactor coolant pressure boundary (RCPB), which separate the high pressure RCS from an attached low pressure system. The 1975 Reactor Safety Study, WASH-1400, (Ref. 4) identified intersystem LOCAs as a significant contributor to the risk of core melt.

The study considered designs containing two in-series check valves and two check valves in series with an MOV which isolate the high pressure RCS from the low pressure safety injection system. The scenario considered is a failure of the two check valves leading to overpressurization and rupture of the low pressure injection piping which results in a LOCA that bypasses containment. A letter was issued (Ref. 5) by the NRC requiring plants to describe the PIV configuration of the plant. On April 20, 1981, the NRC issued an Order modifying the North Anna Unit 1 Technical Specifications to include testing requirements on PIVs and to specify the PIVs to be tested. The original North Anna 2 Technical Specifications, dated August 21, 1980, included a list of PIVs required to be tested and described the required testing. The valves required to be leak tested by this Specification are listed in Tables B 3.4.14-1 (Unit 1) and B 3.4.14-2 (Unit 2).

During their lives, these valves can produce varying amounts of reactor coolant leakage through either normal operational wear or mechanical deterioration. The RCS PIV Leakage LCO allows RCS high pressure operation when leakage through these valves exists in amounts that do not compromise safety.

The PIV leakage limit applies to each individual valve to which the LCO applies. Leakage through both series PIVs in a line must be included as part of the identified LEAKAGE, governed by LCO 3.4.13, "RCS Operational LEAKAGE." This is true during operation only when the loss of RCS mass through two series valves is determined by a water inventory balance (SR 3.4.13.1). A known component of the identified LEAKAGE before operation begins is the least of the two individual leak rates determined for leaking series PIVs during the (continued)

North Anna Units 1 and 2 B 3.4.14-1 Revision 0, 04/02/02

RCS PIV Leakage B 3.4.14 BASES BACKGROUND required surveillance testing; leakage measured through one (continued) PIV in a line is not RCS operational LEAKAGE if the other is leaktight.

Although this specification provides a limit on allowable PIV leakage rate, its main purpose is to prevent overpressure failure of the low pressure portions of connecting systems. The leakage limit is an indication that the PIVs between the RCS and the connecting systems are degraded or degrading. PIV leakage could lead to overpressure of the low pressure piping or components.

Failure consequences could be a loss of coolant accident (LOCA) outside of containment, an unanalyzed accident, that could degrade the ability for low pressure injection.

Violation of this LCO could result in continued degradation of a PIV, which could lead to overpressurization of a low pressure system and the loss of the integrity of a fission product barrier.

APPLICABLE Reference 4 identified potential intersystem LOCAs as a SAFETY ANALYSES significant contributor to the risk of core melt. The dominant accident sequence in the intersystem LOCA category is the failure of the low pressure portion of the ECCS low pressure injection system outside of containment. The accident is the result of a postulated failure of the PIVs, which are part of the RCPB, and the subsequent pressurization of the ECCS low pressure injection system downstream of the PIVs from the RCS. Because the low pressure portion of the system is not designed for RCS pressure, overpressurization failure of the low pressure line would result in a LOCA outside containment and subsequent risk of core melt.

RCS PIV leakage satisfies Criterion 2 of 10 CFR 50.36(c) (2) (ii).

LCO The RCS PIVs required to be leak tested are listed in Tables B 3.4.14-1 (Unit 1) and B 3.4.14-2 (Unit 2).

RCS PIV leakage is identified LEAKAGE into closed systems connected to the RCS. Isolation valve leakage is usually on the order of drops per minute. Leakage that increases significantly suggests that something is operationally wrong and corrective action must be taken.

(continued)

North Anna Units 1 and 2 B 3.4.14-2 Revision 0, 04/02/02

RCS PIV Leakage B 3.4.14 BASES LCO The LCO PIV leakage limit is 0.5 gpm per nominal inch of (continued) valve size with a maximum limit of 5 gpm. The previous criterion of 1 gpm for all valve sizes imposed an unjustified penalty on the larger valves without providing information on potential valve degradation and resulted in higher personnel radiation exposures. A study concluded a leakage rate limit based on valve size was superior to a single allowable value.

Reference 6 permits leakage testing at a lower pressure differential than between the specified maximum RCS pressure and the normal pressure of the connected system during RCS operation (the maximum pressure differential) in those types of valves in which the higher service pressure will tend to diminish the overall leakage channel opening. In such cases, the observed rate may be adjusted to the maximum pressure differential by assuming leakage is directly proportional to the pressure differential to the one half power.

APPLICABILITY In MODES 1, 2, 3, and 4, this LCO applies because the PIV leakage potential is greatest when the RCS is pressurized.

In MODE 4, any valves in the RHR flow path that are required to be tested are not required to meet the requirements of this LCO when in, or during the transition to or from, the RHR mode of operation.

In MODES 5 and 6, leakage limits are not provided because the lower reactor coolant pressure results in a reduced potential for leakage and for a LOCA outside the containment.

ACTIONS The Actions are modified by two Notes. Note 1 provides clarification that each flow path allows separate entry into a Condition. This is allowed based upon the functional independence of the flow path. Note 2 requires an evaluation of affected systems if a PIV is inoperable. The leakage may have affected system operability, or isolation of a leaking flow path with an alternate valve may have degraded the ability of the interconnected system to perform its safety function.

North Anna Units 1 and 2 B 3.4.14-3 Revision 0, 04/02/02

RCS PIV Leakage B 3.4.14 BASES ACTIONS A.1 (continued)

Required Action A.1 requires that RCS PIV leakage be restored to within limit within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . Four hours provides time to reduce leakage in excess of the allowable limit. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time allows the actions and restricts the operation with leaking isolation valves.

B.1 and B.2 If leakage cannot be reduced the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . This Action may reduce the leakage and also reduces the potential for a LOCA outside the containment. The allowed Completion Times are reasonable based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.4.14.1 REQUIREMENTS Performance of leakage testing on the affected RCS PIV or isolation valve used to satisfy Required Action A.1 is required to verify that leakage is below the specified limit and to identify each leaking valve. The leakage limit of 0.5 gpm per inch of nominal valve diameter up to 5 gpm maximum applies to each valve. Leakage testing requires a stable pressure condition. Leakage may be measured indirectly (as from the performance of pressure indicators) to satisfy ALARA requirements if supported by calculations verifying that the method is capable of demonstrating valve compliance with the leakage criteria.

For the two PIVs in series, the leakage requirement applies to each valve individually and not to the combined leakage across both valves. If the PIVs are not individually leakage tested, one valve may have failed completely and not be detected if the other valve in series meets the leakage requirement. In this situation, the protection provided by redundant valves would be lost.

Testing is to be performed every 18 months, a typical refueling cycle, if the unit does not go into MODE 5 for at least 7 days. The 18 month Frequency is consistent with 10 CFR 50.55a(g) (Ref. 7) as contained in the Inservice (continued)

North Anna Units 1 and 2 B 3.4.14-4 Revision 0, 04/02/02

RCS PIV Leakage B 3.4.14 BASES SURVEILLANCE SR 3.4.14.1 (continued)

REQUIREMENTS Testing Program, is within frequency allowed by the American Society of Mechanical Engineers (ASME) Code (Ref. 6), and is based on the need to perform such surveillances under the conditions that apply during an outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

In addition, testing must be performed once after the valve has been opened by flow or exercised to ensure tight reseating. PIVs disturbed in the performance of this Surveillance should also be tested unless documentation shows that an infinite testing loop cannot practically be avoided. Testing must be performed within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after the valve has been reseated. Within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is a reasonable and practical time limit for performing this test after opening or reseating a valve.

The leakage limit is to be met at the RCS pressure associated with MODES 1 and 2. This permits leakage testing at high differential pressures with stable conditions not possible in the MODES with lower pressures. If testing cannot be performed at these pressures, testing can be performed at lower pressures and scaled to operating pressure.

Entry into MODES 3 and 4 is allowed if needed to establish the necessary differential pressures and stable conditions to allow for performance of this Surveillance. The Note that allows this provision is complementary to the Frequency of prior to entry into MODE 2 whenever the unit has been in MODE 5 for 7 days or more, if leakage testing has not been performed in the previous 9 months. In addition, this Surveillance is not required to be performed on any RCS PIVs in the RHR System flow path when the RHR System is aligned to the RCS in the shutdown cooling mode of operation. PIVs contained in the RHR shutdown cooling flow path that are required to be tested must be leakage rate tested after RHR is secured and stable unit conditions and the necessary differential pressures are established.

REFERENCES 1. 10 CFR 50.2.

2. 10 CFR 50.55a(c).

3. UFSAR, Section 3.1.48.1.

North Anna Units 1 and 2 B 3.4.14-5 Revision 0, 04/02/02

RCS PIV Leakage B 3.4.14 BASES REFERENCES 4. WASH-1400 (NUREG-75/014), Appendix V, October 1975.

(continued)

5. Letter from D. G. Eisenhut, NRC, to all LWR licensees, LWR Primary Coolant System Pressure Isolation Valves, February 23, 1980.

6. ASME Code for Operation and Maintenance of Nuclear Power Plants.

7. 10 CFR 50.55a(g).

North Anna Units 1 and 2 B 3.4.14-6 Revision 0, 04/02/02

RCS PIV Leakage B 3.4.14 Table B 3.4.14-1 (page 1 of 1)

Unit 1 RCS PIVS Required To Be Tested VALVE FUNCTION 1-SI-83 Low Head Safety Injection to Cold Legs-Loop 1 1-SI-195 Low Head Safety Injection to Cold Legs-Loop 1 1-SI-86 Low Head Safety Injection to Cold Legs-Loop 2 1-SI-197 Low Head Safety Injection to Cold Legs-Loop 2 1-SI-89 Low Head Safety Injection to Cold Legs-Loop 3 1-SI-199 Low Head Safety Injection to Cold Legs-Loop 3 North Anna Units 1 and 2 B 3.4. 14-7 Revision 0, 04/02/02

RCS PIV Leakage B 3.4.14 Table B 3.4.14-2 (page 1 of 1)

Unit 2 RCS PIVS Required To Be Tested Valve Function 2-SI-85 High head safety injection to cold legs and hot legs 2-SI-93 High head safety injection to cold legs and hot legs 2-SI-107 High head safety injection to cold legs and hot legs 2-SI-119 High head safety injection to cold legs and hot legs MOV-2836 High head safety injection off charging header MOV-2869A, B High head safety injection off charging header MOV-2867C, D Boron injection tank outlet valves 2-SI-91 Low head safety injection to cold legs 2-SI-99 Low head safety injection to cold legs 2-SI-105 Low head safety injection to cold legs 2-SI-126 Low head safety injection to hot legs 2-SI-128 Low head safety injection to hot legs 2-SI-151 Accumulator discharge check valves 2-SI-153 Accumulator discharge check valves 2-SI-168 Accumulator discharge check valves 2-SI-170 Accumulator discharge check valves 2-SI-185 Accumulator discharge check valves 2-SI-187 Accumulator discharge check valves MOV-2700 RHR system isolation valves MOV-2701 RHR system isolation valves MOV-2720A, B RHR system isolation valves MOV-2890A, B, C, & D Low head safety injection to cold legs and hot legs North Anna Units 1 and 2 B 3.4.14-8 Revision 0, 04/02/02

RCS Leakage Detection Instrumentation B 3.4.15 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.15 RCS Leakage Detection Instrumentation BASES BACKGROUND UFSAR, Chapter 3 (Ref. 1) requires compliance with Regulatory Guide 1.45. Regulatory Guide 1.45 (Ref. 2) describes acceptable methods for selecting RCS leakage detection systems.

Leakage detection systems must have the capability to detect significant reactor coolant pressure boundary (RCPB) degradation as soon after occurrence as practical to minimize the potential for propagation to a gross failure.

Thus, an early indication or warning signal is necessary to permit proper evaluation of all unidentified LEAKAGE.

Industry practice has shown that water flow changes of 0.5 to 1.0 gpm can be readily detected in contained volumes by monitoring changes in water level, in flow rate, or in the operating frequency of a pump. The containment sump used to collect unidentified LEAKAGE includes two sump level monitors that provide level indication and a discharge flow totalizer. The discharge flow totalizer can be either a mechanical flow totalizer or a calculated value. This is acceptable for detecting increases in unidentified LEAKAGE.

The reactor coolant contains radioactivity that, when released to the containment, can be detected by radiation monitoring instrumentation. Reactor coolant radioactivity levels will be low during initial reactor startup and for a few weeks thereafter, until activated corrosion products have been formed and fission products appear from fuel element cladding contamination or cladding defects.

Instrument sensitivities in accordance with Regulatory Guide 1.45 (Ref. 2) particulate and for gaseous monitoring are practical for these leakage detection systems.

Radioactivity detection systems are included for monitoring both particulate and gaseous activities because of their sensitivities and rapid responses to RCS LEAKAGE. One Containment Air Recirculation Fan (CARF) provides enough air flow for the operation of the radiation detectors.

Air temperature and pressure monitoring methods may also be used to infer unidentified LEAKAGE to the containment.

Containment temperature and pressure fluctuate slightly (continued)

North Anna Units 1 and 2 B 3.4.15-1 Revision 0, 04/02/02

RCS Leakage Detection Instrumentation B 3.4.15 BASES BACKGROUND during unit operation, but a rise above the normally (continued) indicated range of values may indicate RCS leakage into the containment. The relevance of temperature and pressure measurements are affected by containment free volume and, for temperature, detector location. Alarm signals from these instruments can be valuable in recognizing rapid and sizable leakage to the containment. Temperature and pressure monitors are not required by this LCO.

APPLICABLE The need to evaluate the severity of an alarm or an SAFETY ANALYSES indication is important to the operators, and the ability to compare and verify with indications from other systems is necessary. Multiple instrument locations are utilized, if needed, to ensure that the transport delay time of the leakage from its source to an instrument location yields an acceptable overall response time.

The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring RCS LEAKAGE into the containment area is necessary. Quickly separating the identified LEAKAGE from the unidentified LEAKAGE provides quantitative information to the operators, allowing them to take corrective action should a leakage occur detrimental to the safety of the unit and the public.

RCS leakage detection instrumentation satisfies Criterion 1 of 10 CFR 50.36(c)(2)(ii).

LCO One method of protecting against large RCS leakage derives from the ability of instruments to rapidly detect extremely small leaks. This LCO requires instruments of diverse monitoring principles to be OPERABLE to provide a high degree of confidence that extremely small leaks are detected in time to allow actions to place the unit in a safe condition, when RCS LEAKAGE indicates possible RCPB degradation.

The LCO is satisfied when monitors of diverse measurement means are available. Thus, the containment sump monitor, in combination with a gaseous or particulate radioactivity monitor, provides an acceptable minimum.

North Anna Units 1 and 2 B 3.4.15-2 Revision 0, 04/02/02

RCS Leakage Detection Instrumentation B 3.4.15 BASES APPLICABILITY Because of elevated RCS temperature and pressure in MODES 1, 2, 3, and 4, RCS leakage detection instrumentation is required to be OPERABLE.

In MODE 5 or 6, the temperature is to be

200°F and pressure is maintained low or at atmospheric pressure. Since the temperatures and pressures are far lower than those for MODES 1, 2, 3, and 4, the likelihood of leakage and crack propagation are much smaller. Therefore, the requirements of this LCO are not applicable in MODES 5 and 6.

ACTIONS A.1 and A.2 With the required containment sump monitor inoperable, no other form of sampling can provide the equivalent information; however, the containment atmosphere radioactivity monitor will provide indications of changes in leakage. Together with the atmosphere monitor, the periodic surveillance for RCS water inventory balance, SR 3.4.13.1, must be performed at an increased frequency of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to provide information that is adequate to detect leakage. A Note is added allowing that SR 3.4.13.1 is not required to be performed until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after establishing steady state operation (stable temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flow). The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowance provides sufficient time to collect and process all necessary data after stable unit conditions are established.

Restoration of the required sump monitor to OPERABLE status within a Completion Time of 30 days is required to regain the function after the monitor's failure. This time is acceptable, considering the Frequency and adequacy of the RCS water inventory balance required by Required Action A.1.

B.1.1, B.1.2, and B.2 With both gaseous and particulate containment atmosphere radioactivity monitoring instrumentation channels inoperable, alternative action is required. Either grab samples of the containment atmosphere must be taken and analyzed or water inventory balances, in accordance with SR 3.4.13.1, must be performed to provide alternate periodic information.

(continued)

North Anna Units 1 and 2 B 3.4.15-3 Revision 0, 04/02/02

RCS Leakage Detection Instrumentation B 3.4.15 BASES ACTIONS B.1.1, B.1.2, and B.2 (continued)

With a sample obtained and analyzed or water inventory balance performed every 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , the reactor may be operated for up to 30 days to allow restoration of the required containment atmosphere radioactivity monitors.

The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months interval provides periodic information that is adequate to detect leakage. A Note is added allowing that SR 3.4.13.1 is not required to be performed until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after establishing steady state operation (stable temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flow). The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowance provides sufficient time to collect and process all necessary data after stable unit conditions are established. The 30 day Completion Time recognizes at least one other form of leakage detection is available.

C.1 and C.2 If a Required Action of Condition A or B cannot be met, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

D.1 With all required monitors inoperable, no required automatic means of monitoring leakage are available, and immediate unit shutdown in accordance with LCO 3.0.3 is required.

SURVEILLANCE SR 3.4.15.1 REQUIREMENTS SR 3.4.15.1 requires the performance of a CHANNEL CHECK of the required containment atmosphere radioactivity monitor.

The check gives reasonable confidence that the channel is operating properly. The Frequency of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is based on instrument reliability and is reasonable for detecting off normal conditions.

North Anna Units 1 and 2 B 3.4.15-4 Revision 0, 04/02/02

RCS Leakage Detection Instrumentation B 3.4.15 BASES SURVEILLANCE SR 3.4.15.2 REQUIREMENTS SR 3.4.15.2 requires the performance of a COT every 92 days on the required containment atmosphere radioactivity monitor. The test ensures that the monitor can perform its function in the desired manner. The test verifies the alarm setpoint and relative accuracy of the instrument string. The Frequency is based on the staff recommendation for increasing the availability of radiation monitors according to NUREG-1366 (Ref. 3).

SR 3.4.15.3 and SR 3.4.15.4 These SRs require the performance of a CHANNEL CALIBRATION for each of the RCS leakage detection instrumentation channels. The calibration verifies the accuracy of the instrument string, including the instruments located inside containment. The containment sump level indication is provided by either of two level monitors, and discharge flow indication is provided by a discharge flow totalizer. The frequency of 18 months is a typical refueling cycle and considers channel reliability. Again, operating experience has proven that this Frequency is acceptable.

REFERENCES 1. UFSAR, Chapter 3.

2. Regulatory Guide 1.45, dated May, 1973.

3. NUREG-1366, dated December, 1992.

North Anna Units 1 and 2 B 3.4. 15-5 Revision 0, 04/02/02

Intentionally Blank

v t e Letter Sequence Draft Other
TAC:MB0799, Nis Power Range Channel Daily SR TS Change to Address LOW Power Decalibration, Revise Containment Requirements During Handling Irradiated Fuel and Core Alterations (Approved, Closed) TAC:MB0800, Nis Power Range Channel Daily SR TS Change to Address LOW Power Decalibration, Revise Containment Requirements During Handling Irradiated Fuel and Core Alterations (Approved, Closed)
Initiation Request, Request, Request Acceptance, Acceptance, Acceptance, Acceptance, Acceptance, Acceptance, Acceptance, Acceptance, Acceptance Administration Questions Answers Results Approval Other: ML020650715, ML020840253, ML021220061, ML021220088, ML021550518
MONTHYEAR2002-02-20 [Table View]

ML020700330

Text

Navigation menu

Search