Text

Part 1 of 3 - James A. FitzPatrick Nuclear Power Plant, Technical Specifications Bases (License Amendment) as Part of Conversion to Improved Standard Technical Specifications
	ML021750488
Person / Time
Site:	FitzPatrick
Issue date:	06/12/2002
From:	; Entergy Nuclear Operations
To:	; Document Control Desk, Office of Nuclear Reactor Regulation
References
	Download: ML021750488 (225)
	v • d • e

TABLE OF CONTENTS B 2.0 SAFETY LIMITS (SLs)

B 2.1 Reactor Core SLs .................. B 2.1.1-1 B 2.2 Reactor Coolant System (RCS) Pressure SL ..... B 2.1.2-1 B 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY B 3.0-1 B 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY ...... B 3.0-12 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.1 SHUTDOWN MARGIN (SDM) ....... B 3.1.1-1 B 3.1.2 Reactivity Anomalies ........... B 3.1.2-1 B 3.1.3 Control Rod OPERABILITY ...... B 3.1.3-1 B 3.1.4 Control Rod Scram Times ...... B 3.1.4-1 B 3.1.5 Control Rod Scram Accumulators . . . B 3.1.5-1 B 3.1.6 Rod Pattern Control .. . . . B 3.1.6-1 B 3.1.7 Standby Liquid Control (SLC) System B 3.1.7-1 B 3.1.8 Scram Discharge Volume (SDV) Vent an d Drain Valves .B 3.1.8-1 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.1 AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR) B 3.2.1-1 B 3.2.2 MINIMUM CRITICAL POWER RATIO (MCPR) ........ B 3.2.2-1 B 3.2.3 LINEAR HEAT GENERATION RATE (LHGR) ............. B 3.2.3-1 B 3.2.4 Average Power Range Monitor (APRM) Gain and Setpoint B 3.2.4-1 B 3.3 INSTRUMENTATION B 3.3.1.1 Reactor Protection System (RPS) Instrumentation B 3.3.1.1-1 B 3.3.1.2 Source Range Monitor (SRM) Instrumentation ....... B 3.3.1.2-1 B 3.3.2.1 Control Rod Block Instrumentation ..... ......... B 3.3.2.1-1 B 3.3.2.2 Feedwater and Main Turbine High Water Level Trip Instrumentation .... ... ............. B 3.3.2.2-1 B 3.3.3.1 Post Accident Monitoring (PAM) Instrumentation . B 3.3.3.1-1 B 3.3.3.2 Remote Shutdown System ...... ............... B 3.3.3.2-1 B 3.3.4.1 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT) Instrumentation ... ..... B 3.3.4.1-1 B 3.3.5.1 Emergency Core Cooling System (ECCS) Instrumentation B 3.3.5.1-1 B 3.3.5.2 Reactor Core Isolation Cooling (RCIC) System Instrumentation ........ ................ B 3.3.5.2-1 B 3.3.6.1 Primary Containment Isolation Instrumentation . . . B 3.3.6.1-1 B 3.3.6.2 Secondary Containment Isolation Instrumentation . . B 3.3.6.2-1 B 3.3.7.1 Control Room Emergency Ventilation Air Supply (CREVAS)

System Instrumentation ..................... B 3.3.7.1-1 B 3.3.7.2 Condenser Air Removal Pump Isolation Instrumentation B 3.3.7.2-1 B 3.3.7.3 Emergency Service Water (ESW) System Instrumentation B 3.3.7.3-1 B 3.3.8.1 Loss of Power (LOP) Instrumentation .... ........ B 3.3.8.1-1 B 3.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring ........... .................. B 3.3.8.2-1 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.1 Recirculation Loops Operating ..... B 3.4.1-1 B 3.4.2 Jet Pumps . . . . . . . . . . . . . . . S. . . .. . B 3.4.2-1 (continued)

JAFNPP i Revision 0

TABLE OF CONTENTS B 3.4 REACTOR COOLANT SYSTEM (RCS) (continued)

B 3.4.3 Safety/Relief Valves (S/RVs) ............. B 3.4.3-1 B 3.4.4 RCS Operational LEAKAGE ........... B 3.4.4-1 B 3.4.5 RCS Leakage Detection Instrumentation .... B 3.4.5-1 B 3.4.6 RCS Specific Activity ............ B 3.4.6-1 B 3.4.7 Residual Heat Removal (RHR) Shutdown Cooling System- Hot Shutdown .... ........... B 3.4.7-1 B 3.4.8 Residual Heat Removal (RHR) Shutdown Cooling System-Cold Shutdown .......... B 3.4.8-1 B 3.4.9 RCS Pressure and Temperature (P/T) Limits . . B 3.4.9-1 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM B 3.5.1 ECCS- Operating . .. . . . . . . . . . . . . . . SB 3.5.1-1 B 3.5.2 ECCS- Shutdown ...... .................. B 3.5.2-1 B 3.5.3 RCIC System . . . . . . . . . . . . . . . . . . . B 3.5.3-1 B 3.6 CONTAINMENT SYSTEMS B 3.6.1.1 Primary Containment ................ B 3.6.1.1-1 B 3.6.1.2 Primary Containment Air Locks .... B 3.6.1.2-1 B 3.6.1.3 Primary Containment Isolation Valves (PCIVs) . ... B 3.6.1.3-1 B 3.6.1.4 Drywell Pressure ...... .................. B 3.6.1.4-1 B 3.6.1.5 Drywell Air Temperature .............. B 3.6.1.5-1 B 3.6.1.6 Reactor Building-to-Suppression Chamber Vacuum Breakers . . . . . . . . . . . . . . . . B 3.6.1.6-1 B 3.6.1.7 Suppression Chamber-to-Drywell Vacuum Breakers . B 3.6.1.7-1 B 3.6.1.8 Main Steam Leakage Collection (MSLC) System . ... B 3.6.1.8-1 B 3.6.1.9 Residual Heat Removal (RHR) Containment Spray System B 3.6.1.9-1 B 3.6.2.1 Suppression Pool Average Temperature ........... B 3.6.2.1-1 B 3.6.2.2 Suppression Pool Water Level ..... ............ B 3.6.2.2-1 B 3.6.2.3 Residual Heat Removal (RHR) Suppression Pool Cooling B 3.6.2.3-1 B 3.6.2.4 Drywell-to-Suppression Chamber Differential Pressure B 3.6.2.4-1 B 3.6.3.1 Primary Containment Oxygen Concentration ........ B 3.6.3.1-1 B 3.6.3.2 Containment Atmosphere Dilution (CAD) System . ... B 3.6.3.2-1 B 3.6.4.1 Secondary Containment ............... B 3.6.4.1-1 B 3.6.4.2 Secondary Containment Isolation Valves (SCIVs) B 3.6.4.2-1 B 3.6.4.3 Standby Gas Treatment (SGT) System ............ B 3.6.4.3-1 B 3.7 PLANT SYSTEMS B 3.7.1 Residual Heat Removal Service Water (RHRSW) System B 3.7.1-1 B 3.7.2 Emergency Service Water (ESW) System and Ultimate Heat Sink (UHS) . . . . . . . . . . . . . . . . B 3.7.2-1 B 3.7.3 Control Room Emergency Ventilation Air Supply (CREVAS) System ..... . .... B 3.7.3-1 B 3.7.4 Control Room Air Conditioning (AC) System ..... B 3.7.4-1 B 3.7.5 Main Condenser Steam Jet Air Ejector (SJAE) Offgas . B 3.7.5-1 (continued)

JAFNPP ii Revision 0

TABLE OF CONTENTS B 3.7 PLANT SYSTEMS (continued)

B 3.7.6 Main Turbine Bypass System .... ............. ... B 3.7.6-1 B 3.7.7 Spent Fuel Storage Pool Water Level ........... ... B 3.7.7-1 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.1 AC Sources- Operating ........ ............... B 3.8.1-1 B 3.8.2 AC Sources- Shutdown .................. B 3.8.2-1 B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air ... B 3.8.3-1 B 3.8.4 DC Sources- Operating ..... ............... ... B 3.8.4-1 B 3.8.5 DC Sources- Shutdown ..... ................ ... B 3.8.5-1 B 3.8.6 Battery Cell Parameters ...... .............. B 3.8.6-1 B 3.8.7 Distribution Systems-Operating ..... .......... B 3.8.7-1 B 3.8.8 Distribution Systems-Shutdown .............. .. B 3.8.8-1 B 3.9 REFUELING OPERATIONS B 3.9.1 Refueling Equipment Interlocks .............. .. B 3.9.1-1 B 3.9.2 Refuel Position One-Rod-Out Interlock ......... ... B 3.9.2-1 B 3.9.3 Control Rod Position ..... ................ .. B 3.9.3-1 B 3.9.4 Control Rod Position Indication ..... .......... B 3.9.4-1 B 3.9.5 Control Rod OPERABILITY-Refueling .............. B 3.9.5-1 B 3.9.6 Reactor Pressure Vessel (RPV) Water Level . .... B 3.9.6-1 B 3.9.7 Residual Heat Removal (RHR)-High Water Level . B 3.9.7-1 B 3.9.8 Residual Heat Removal (RHR) -Low Water Level . . .. B 3.9.8-1 B 3.10 SPECIAL OPERATIONS B 3.10.1 Inservice Leak and Hydrostatic Testing Operation B 3.10.1-1 B 3.10.2 Reactor Mode Switch Interlock Testing ......... ... B 3.10.2-1 B 3.10.3 Single Control Rod Withdrawal -Hot Shutdown . .. B 3.10.3-1 B 3.10.4 Single Control Rod Withdrawal -Cold Shutdown . ... B 3.10.4-1 B 3.10.5 Single Control Rod Drive (CRD) Removal-Refueling B 3.10.5-1 B 3.10.6 Multiple Control Rod Withdrawal-Refueling ....... B 3.10.6-1 B 3.10.7 Control Rod Testing-Operating ........... B 3.10.7-1 B 3.10.8 SHUTDOWN MARGIN (SDM) Test-Refueling ....... B 3.10.8-1 JAFNPP iii Revision 0

Reactor Core SLs B 2.1.1 B 2.0 SAFETY LIMITS (SLs)

B 2.1.1 Reactor Core SLs BASES BACKGROUND JAFNPP design criteria (Ref. 1) requires, and SLs ensure, that specified acceptable fuel design limits are not exceeded during steady state operation, normal operational transients, and abnormal operational transients.

The fuel cladding integrity SL is set such that no significant fuel damage is calculated to occur if the limit is not violated. Because fuel damage is not directly observable, a stepback approach is used to establish an SL, such that the MCPR is not less than the limit specified in Specification 2.1.1.2. MCPR greater than the specified limit represents a conservative margin relative to the conditions required to maintain fuel cladding integrity.

The fuel cladding is one of the physical barriers that separate the radioactive materials from the environs. The integrity of this cladding barrier is related to its relative freedom from perforations or cracking. Although some corrosion or use related cracking may occur during the life of the cladding, fission product migration from this source is incrementally cumulative and continuously measurable. Fuel cladding perforations, however, can result from thermal stresses, which occur from reactor operation significantly above design conditions.

While fission product migration from cladding perforation is just as measurable as that from use related cracking, the thermally caused cladding perforations signal a threshold beyond which still greater thermal stresses may cause gross, rather than incremental, cladding deterioration. Therefore, the fuel cladding SL is defined with a margin to the conditions that would produce onset of transition boiling (i.e., MCPR = 1.00). These conditions represent a significant departure from the condition intended by design for planned operation. The MCPR fuel cladding integrity SL ensures that during normal operation and during abnormal operational transients, at least 99.9% of the fuel rods in the core do not experience transition boiling.

Operation above the boundary of the nucleate boiling regime could result in excessive cladding temperature because of the onset of transition boiling and the resultant sharp reduction in heat transfer coefficient. Inside the steam film, high cladding temperatures are reached, and a (continued)

JAFNPP B 2.1.1-1 Revision 0

Reactor Core SLs B 2.1.1 BASES BACKGROUND cladding water (zirconium water) reaction may take place.

(continued) This chemical reaction results in oxidation of the fuel cladding to a structurally weaker form. This weaker form may lose its integrity, resulting in an uncontrolled release of fission products to the reactor coolant.

The reactor vessel water level SL ensures that adequate core cooling capability is maintained during all MODES of reactor operation. Establishment of Emergency Core Cooling System initiation setpoints higher than this safety limit provides margin such that the safety limit will not be reached or exceeded.

APPLICABLE The fuel cladding must not sustain damage as a result of SAFETY ANALYSES normal operation and abnormal operational transients. The reactor core SLs are established to preclude violation of the fuel design criterion that a MCPR limit is to be established, such that at least 99.9% of the fuel rods in the core would not be expected to experience the onset of transition boiling.

The Reactor Protection System setpoints (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation"), in combination with the other LCOs, are designed to prevent any anticipated combination of transient conditions for Reactor Coolant System water level, pressure, and THERMAL POWER level that would result in reaching the MCPR limit.

2.1.1.1 Fuel Cladding Integrity GE critical power correlations are applicable for all critical power calculations at pressures Ž 785 psig and core flows Ž 10% of rated flow. For operation at low pressures or low flows, another basis is used, as follows:

Since the pressure drop in the bypass region is essentially all elevation head, the core pressure drop at low power and flows will always be

> 4.5 psi. Analyses (Ref. 2) show that with a bundle flow of 28 x 10' lb/hr, bundle pressure drop is nearly independent of bundle power and has a value of 3.5 psi. Thus, the bundle flow with a 4.5 psi driving head will be

> 28 x 103 lb/hr. Full scale ATLAS test data taken at pressures from 14.7 psia to 800 psia (continued)

JAFNPP B 2.1.1-2 Revision 0

Reactor Core SLs B 2.1.1 BASES APPLICABLE 2.1.1.1 Fuel Cladding Integrity (continued)

SAFETY ANALYSES indicate that the fuel assembly critical power at this flow is approximately 3.35 MWt. With the design peaking factors, this corresponds to a THERMAL POWER > 50% RTP. Thus, a THERMAL POWER limit of 25% RTP for reactor pressure < 785 psig is conservative.

2.1.1.2 MCPR The fuel cladding integrity SL is set such that no significant fuel damage is calculated to occur if the limit is not violated. Since the parameters that result in fuel damage are not directly observable during reactor operation, the thermal and hydraulic conditions that result in the onset of transition boiling have been used to mark the beginning of the region in which fuel damage could occur.

Although it is recognized that the onset of transition boiling would not result in damage to BWR fuel rods, the critical power at which boiling transition is calculated to occur has been adopted as a convenient limit. However, the uncertainties in monitoring the core operating state and in the procedures used to calculate the critical power result in an uncertainty in the value of the critical power.

Therefore, the fuel cladding integrity SL is defined as the critical power ratio in the limiting fuel assembly for which more than 99.9% of the fuel rods in the core are expected to avoid boiling transition, considering the power distribution within the core and all uncertainties.

The MCPR SL is determined using a statistical model that combines all the uncertainties in operating parameters and the procedures used to calculate critical power. The probability of the occurrence of boiling transition is determined using the approved General Electric Critical Power correlations. Details of the fuel cladding integrity SL calculation are given in Reference 2. Reference 2 also includes a tabulation of the uncertainties used in the determination of the MCPR SL and of the nominal values of the parameters used in the MCPR SL statistical analysis.

2.1.1.3 Reactor Vessel Water Level The reactor vessel water level is required to be above the top of the active irradiated fuel. The top of the active irradiated fuel is the top of a 150 inch fuel column which (continued)

JAFNPP B 2.1.1-3 Revision 0

Reactor Core SLs B 2.1.1 BASES APPLICABLE 2.1.1.3 Reactor Vessel Water Level (continued)

SAFETY ANALYSES includes both the enriched and the natural uranium. During MODES 1 and 2 the reactor vessel water level is required to be above the top of the active irradiated fuel to provide core cooling capability. With fuel in the reactor vessel during periods when the reactor is shut down, consideration must be given to water level requirements due to the effect of decay heat. If the water level should drop below the top of the active irradiated fuel during this period, the ability to remove decay heat is reduced. This reduction in cooling capability could lead to elevated cladding temperatures and clad perforation in the event that the water level becomes < 2/3 of the core height (Ref. 3). The reactor vessel water level SL has been established at the top of the active irradiated fuel to provide a point that can be monitored and to also provide adequate margin for effective action.

SAFETY LIMITS The reactor core SLs are established to protect the integrity of the fuel clad barrier to prevent the release of radioactive materials to the environs. SL 2.1.1.1 and SL 2.1.1.2 ensure that the core operates within the fuel design criteria. SL 2.1.1.3 ensures that the reactor vessel water level is greater than the top of the active irradiated fuel in order to prevent elevated clad temperatures and resultant clad perforations.

APPLICABILITY SLs 2.1.1.1, 2.1.1.2, and 2.1.1.3 are applicable in all MODES.

SAFETY LIMIT Exceeding a SL may cause fuel damage and create a potential VIOLATIONS for radioactive releases in excess of 10 CFR 100, "Reactor Site Criteria," limits (Ref. 4). Therefore, it is required to insert all insertable control rods and restore compliance with the SLs within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months . The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time ensures that the operators take prompt remedial action and also ensures that the probability of an accident occurring during this period is minimal.

(continued)

JAFNPP B 2.1.1-4 Revision 0

Reactor Core SLs B 2.1.1 BASES (continued)

REFERENCES 1. UFSAR, Section 16.6.

2. NEDE-24011-P-A, General Electric Standard Application for Reactor Fuel, (Revision specified in the COLR).

3. NEDC-31317P, Revision 2, James A. FitzPatrick Nuclear Power Plant SAFER/GESTR-LOCA, Loss-of-Coolant Accident Analysis, April 1993.

4. 10 CFR 100.

JAFNPP B 2.1.1-5 Revision 0

RCS Pressure SL B 2.1.2 B 2.0 SAFETY LIMITS (SLs)

B 2.1.2 Reactor Coolant System (RCS) Pressure SL BASES BACKGROUND The SL on reactor steam dome pressure protects the RCS against overpressurization. In the event of fuel cladding failure, fission products are released into the reactor coolant. The RCS then serves as the primary barrier in preventing the release of fission products into the atmosphere. Establishing an upper limit on reactor steam dome pressure ensures continued RCS integrity. According to JAFNPP design criteria (Ref. 1), the reactor coolant pressure boundary (RCPB) shall be designed with sufficient margin to ensure that the design conditions are not exceeded during normal operation and abnormal operational transients.

During normal operation and abnormal operational transients, RCS pressure is limited from exceeding the design pressure by more than 10%, in accordance with Section III of the ASME Code (Ref. 2). To ensure system integrity, all RCS components are hydrostatically tested at 125% of design pressure, in accordance with ASME Code requirements, prior to initial operation when there is no fuel in the core. Any further hydrostatic testing with fuel in the core may be done under LCO 3.10.1, "Inservice Leak and Hydrostatic Testing Operation." Following inception of unit operation, RCS components shall be pressure tested in accordance with the requirements of ASME Code,Section XI (Ref. 3).

Overpressurization of the RCS could result in a breach of the RCPB, reducing the number of protective barriers designed to prevent radioactive releases from exceeding the limits specified in 10 CFR 100, "Reactor Site Criteria" (Ref. 4). If this occurred in conjunction with a fuel cladding failure, fission products could enter the containment atmosphere.

APPLICABLE The RCS safety/relief valves and the Reactor Protection SAFETY ANALYSES System Reactor Vessel Steam Dome Pressure-High Function have settings established to ensure that the RCS pressure SL will not be exceeded.

The RCS pressure SL has been selected such that it is at a pressure below which it can be shown that the integrity of the system is not endangered. The reactor pressure vessel is designed to Section III of the ASME, Boiler and Pressure Vessel Code, 1965 Edition including Addenda through the (continued)

JAFNPP B 2.1.2-1 Revision 0

RCS Pressure SL B 2.1.2 BASES APPLICABLE winter of 1966 (Ref. 5), which permits a maximum pressure SAFETY ANALYSES transient of 110%, 1375 psig, of design pressure 1250 psig.

(continued) The SL of 1325 psig, as measured in the reactor steam dome, is equivalent to 1375 psig at the lowest elevation of the RCS. The RCS is designed to the USAS Nuclear Power Piping Code, Section B31.1.0, 1967 Edition, including Addendum A through 1969 (Ref. 6), for the reactor recirculation piping, which permits a maximum pressure transient of 120% of design pressures of 1148 psig for suction piping and 1274 psig for discharge piping. The RCS pressure SL is selected to be the lowest transient overpressure allowed by the applicable codes.

SAFETY LIMITS The maximum transient pressure allowable in the RCS pressure vessel under the ASME Code,Section III, is 110% of design pressure. The maximum transient pressure allowable in the RCS piping, valves, and fittings is 120% of design pressures of 1148 psig for suction piping and 1274 psig for discharge piping. The most limiting of these allowances is the 110%

of the reactor pressure vessel design pressure; therefore, the SL on maximum allowable RCS pressure is established at 1325 psig as measured at the reactor steam dome.

APPLICABILITY SL 2.1.2 applies in all MODES.

SAFETY LIMIT Exceeding the RCS pressure SL may cause immediate RCS VIOLATIONS failure and create a potential for radioactive releases in excess of 10 CFR 100, "Reactor Site Criteria," limits (Ref. 4). Therefore, it is required to insert all insertable control rods and restore compliance with the SL within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months . The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time ensures that the operators take prompt remedial action and also assures that the probability of an accident occurring during this period is minimal.

REFERENCES 1. UFSAR, Section 16.6.

2. ASME, Boiler and Pressure Vessel Code,Section III, Article NB-7000.

3. ASME, Boiler and Pressure Vessel Code,Section XI, Article IWA-5000.

4. 10 CFR 100.

(continued)

JAFNPP B 2.1.2-2 Revision 0

RCS Pressure SL B 2.1.2 BASES REFERENCES 5. ASME, Boiler and Pressure Vessel Code,Section III, (continued) 1965 Edition, Addenda winter of 1966.

6. ASME, USAS, Nuclear Power Piping Code, Section B31.1.0, 1967 Edition, with Addendum A, 1969.

JAFNPP B 2.1.2-3 Revision 0

LCO Applicability B 3.0 B 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY BASES LCOs LCO 3.0.1 through LCO 3.0.7 establish the general requirements applicable to all Specifications in Sections 3.1 through 3.10 and apply at all times, unless otherwise stated.

LCO 3.0.1 LCO 3.0.1 establishes the Applicability statement within each individual Specification as the requirement for when the LCO is required to be met (i.e., when the plant is in the MODES or other specified conditions of the Applicability statement of each Specification).

LCO 3.0.2 LCO 3.0.2 establishes that upon discovery of a failure to meet an LCO, the associated ACTIONS shall be met. The Completion Time of each Required Action for an ACTIONS Condition is applicable from the point in time that an ACTIONS Condition is entered. The Required Actions establish those remedial measures that must be taken within specified Completion Times when the requirements of an LCO are not met. This Specification establishes that:

a. Completion of the Required Actions within the specified Completion Times constitutes compliance with a Specification; and

b. Completion of the Required Actions is not required when an LCO is met within the specified Completion Time, unless otherwise specified.

There are two basic types of Required Actions. The first type of Required Action specifies a time limit in which the LCO must be met. This time limit is the Completion Time to restore an inoperable system or component to OPERABLE status or to restore variables to within specified limits. If this type of Required Action is not completed within the specified Completion Time, a shutdown may be required to place the plant in a MODE or condition in which the Specification is not applicable. (Whether stated as a Required Action or not, correction of the entered Condition is an action that may always be considered upon entering ACTIONS.) The second type of Required Action specifies the remedial measures that permit continued operation of the plant that is not further restricted by the Completion Time.

In this case, compliance with the Required Actions provides an acceptable level of safety for continued operation.

(continued)

JAFNPP B 3.0-1 Revision 0

LCO Applicability B 3.0 BASES LCO 3.0.2 Completing the Required Actions is not required when an LCO (continued) is met or is no longer applicable, unless otherwise stated in the individual Specifications.

The nature of some Required Actions of some Conditions necessitates that, once the Condition is entered, the Required Actions must be completed even though the associated Condition no longer exists. The individual LCO's ACTIONS specify the Required Actions where this is the case.

An example of this is in LCO 3.4.9, "RCS Pressure and Temperature (P/T) Limits."

The Completion Times of the Required Actions are also applicable when a system or component is removed from service intentionally. The reasons for intentionally relying on the ACTIONS include, but are not limited to, performance of Surveillances, preventive maintenance, corrective maintenance, or investigation of operational problems. Entering ACTIONS for these reasons must be done in a manner that does not compromise safety. Intentional entry into ACTIONS should not be made for operational convenience. Additionally, if intentional entry into ACTIONS would result in redundant equipment being inoperable, alternatives should be used instead. Doing so limits the time both subsystems/divisions of a safety function are inoperable and limits the time conditions exist which may result in LCO 3.0.3 being entered. Individual Specifications may specify a time limit for performing an SR when equipment is removed from service or bypassed for testing. In this case, the Completion Times of the Required Actions are applicable when this time limit expires, if the equipment remains removed from service or bypassed.

When a change in MODE or other specified condition is required to comply with Required Actions, the plant may enter a MODE or other specified condition in which another Specification becomes applicable. In this case, the Completion Times of the associated Required Actions would apply from the point in time that the new Specification becomes applicable and the ACTIONS Condition(s) are entered.

LCO 3.0.3 LCO 3.0.3 establishes the actions that must be implemented when an LCO is not met and:

a. An associated Required Action and Completion Time is not met and no other Condition applies; or (continued)

JAFNPP B 3.0-2 Revision 0

LCO Applicability B 3.0 BASES LCO 3.0.3 b. The condition of the plant is not specifically (continued) addressed by the associated ACTIONS. This means that no combination of Conditions stated in the ACTIONS can be made that exactly corresponds to the actual condition of the plant. Sometimes, possible combinations of Conditions are such that entering LCO 3.0.3 is warranted; in such cases, the ACTIONS specifically state a Condition corresponding to such combinations and also that LCO 3.0.3 be entered immediately.

This Specification delineates the time limits for placing the plant in a safe MODE or other specified condition when operation cannot be maintained within the limits for safe operation as defined by the LCO and its ACTIONS. It is not intended to be used as an operational convenience that permits routine voluntary removal of redundant systems or components from service in lieu of other alternatives that would not result in redundant systems or components being inoperable.

Upon entering LCO 3.0.3, 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is allowed to prepare for an orderly shutdown before initiating a change in plant operation. This includes time to permit the operator to coordinate the reduction in electrical generation with the load dispatcher to ensure the stability and availability of the electrical grid. The time limits specified to reach lower MODES of operation permit the shutdown to proceed in a controlled and orderly manner that is well within the specified maximum cooldown rate and within the capabilities of the plant, assuming that only the minimum required equipment is OPERABLE. This reduces thermal stresses on components of the Reactor Coolant System and the potential for a plant upset that could challenge safety systems under conditions to which this Specification applies. The use and interpretation of specified times to complete the actions of LCO 3.0.3 are consistent with the discussion of Section 1.3, Completion Times. A plant shutdown required in accordance with LCO 3.0.3 may be terminated and LCO 3.0.3 exited if any of the following occurs:

a. The LCO is now met.

b. A Condition exists for which the Required Actions have now been performed.

(continued)

JAFNPP B 3.0-3 Revision 0

LCO Applicability B 3.0 BASES LCO 3.0.3 C. ACTIONS exist that do not have expired Completion (continued) Times. These Completion Times are applicable from the point in time that the Condition is initially entered and not from the time LCO 3.0.3 is exited.

The time limits of LCO 3.0.3 allow 37 hours4.282407e-4 days 0.0103 hours 6.117725e-5 weeks 1.40785e-5 months for the plant to be in MODE 4 when a shutdown is required during MODE 1 operation. If the plant is in a lower MODE of operation when a shutdown is required, the time limit for reaching the next lower MODE applies. If a lower MODE is reached in less time than allowed, however, the total allowable time to reach MODE 4, or other applicable MODE, is not reduced. For example, if MODE 2 is reached in 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , then the time allowed for reaching MODE 3 is the next 11 hours1.273148e-4 days 0.00306 hours 1.818783e-5 weeks 4.1855e-6 months , because the total time for reaching MODE 3 is not reduced from the allowable limit of 13 hours1.50463e-4 days 0.00361 hours 2.149471e-5 weeks 4.9465e-6 months . Therefore, if remedial measures are completed that would permit a return to MODE 1, a penalty is not incurred by having to reach a lower MODE of operation in less than the total time allowed.

In MODES 1, 2, and 3, LCO 3.0.3 provides actions for Conditions not covered in other Specifications. The requirements of LCO 3.0.3 do not apply in MODES 4 and 5 because the plant is already in the most restrictive Condition required by LCO 3.0.3. The requirements of LCO 3.0.3 do not apply in other specified conditions of the Applicability (unless in MODE 1, 2, or 3) because the ACTIONS of individual Specifications sufficiently define the remedial measures to be taken.

Exceptions to LCO 3.0.3 are provided in instances where requiring a plant shutdown, in accordance with LCO 3.0.3, would not provide appropriate remedial measures for the associated condition of the plant. An example of this is in LCO 3.7.7, "Spent Fuel Storage Pool Water Level." LCO 3.7.7 has an Applicability of "During movement of irradiated fuel assemblies in the spent fuel storage pool." Therefore, this LCO can be applicable in any or all MODES. If the LCO and the Required Actions of LCO 3.7.7 are not met while in MODE 1, 2, or 3, there is no safety benefit to be gained by placing the plant in a shutdown condition. The Required Action of LCO 3.7.7 to "Suspend movement of irradiated fuel assemblies in the spent fuel storage pool" is the appropriate Required Action to complete in lieu of the actions of LCO 3.0.3. These exceptions are addressed in the individual Specifications.

(continued)

JAFNPP B 3.0-4 Revision 0

LCO Applicability B 3.0 BASES (continued)

LCO 3.0.4 LCO 3.0.4 establishes limitations on changes in MODES or other specified conditions in the Applicability when an LCO is not met. It precludes placing the plant in a MODE or other specified condition stated in that Applicability (e.g., Applicability desired to be entered) when the following exist:

a. Plant conditions are such that the requirements of the LCO would not be met in the Applicability desired to be entered; and

b. Continued noncompliance with the LCO requirements, if the Applicability were entered, would result in the plant being required to exit the Applicability desired to be entered to comply with the Required Actions.

Compliance with Required Actions that permit continued operation of the plant for an unlimited period of time in a MODE or other specified condition provides an acceptable level of safety for continued operation. This is without regard to the status of the plant before or after the MODE change. Therefore, in such cases, entry into a MODE or other specified condition in the Applicability may be made in accordance with the provisions of the Required Actions.

The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.

The provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any plant shutdown.

Exceptions to LCO 3.0.4 are stated in the individual Specifications. The exceptions allow entry into MODES or other specified conditions in the Applicability when the associated ACTIONS to be entered do not provide for continued operation for an unlimited period of time.

Exceptions may apply to all the ACTIONS or to a specific Required Action of a Specification.

(continued)

JAFNPP B 3.0-5 Revision 0

LCO Applicability B 3.0 BASES LCO 3.0.4 Surveillances do not have to be performed on the associated (continued) inoperable equipment (or on variables outside the specified limits), as permitted by SR 3.0.1. Therefore, changing MODES or other specified conditions while in an ACTIONS Condition, either in compliance with LCO 3.0.4 or where an exception to LCO 3.0.4 is stated, is not a violation of SR 3.0.1 or SR 3.0.4 for those Surveillances that do not have to be performed due to the associated inoperable equipment. However, SRs must be met to ensure OPERABILITY prior to declaring the associated equipment OPERABLE (or variable within limits) and restoring compliance with the affected LCO.

LCO 3.0.4 is only applicable when entering MODE 3 from MODE 4, MODE 2 from MODE 3, 4, or 5, or MODE 1 from MODE 2.

Furthermore, LCO 3.0.4 is applicable when entering any other specified condition in the Applicability only while operating in MODE 1, 2, or 3. The requirements of LCO 3.0.4 do not apply in MODES 4 and 5, or in other specified conditions of the Applicability (unless in MODE 1, 2, or 3) because the ACTIONS of individual specifications sufficiently define the remedial measures to be taken.

LCO 3.0.5 LCO 3.0.5 establishes the allowance for restoring equipment to service under administrative controls when it has been removed from service or declared inoperable to comply with ACTIONS. The sole purpose of this Specification is to provide an exception to LCO 3.0.2 (e.g., to not comply with the applicable Required Action(s)) to allow the performance of required testing to demonstrate:

a. The OPERABILITY of the equipment being returned to service; or

b. The OPERABILITY of other equipment.

The administrative controls ensure the time the equipment is returned to service in conflict with the requirements of the ACTIONS is limited to the time absolutely necessary to perform the required testing to demonstrate OPERABILITY.

This Specification does not provide time to perform any other preventive or corrective maintenance.

(continued)

JAFNPP B 3.0-6 Revision 0

LCO Applicability B 3.0 BASES LCO 3.0.5 An example of demonstrating the OPERABILITY of the equipment (continued) being returned to service is reopening a containment isolation valve that has been closed to comply with Required Actions and must be reopened to perform the required testing.

An example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to prevent the trip function from occurring during the performance of required testing on another channel in the other trip system. A similar example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to permit the logic to function and indicate the appropriate response during the performance of required testing on another channel in the same trip system.

LCO 3.0.6 LCO 3.0.6 establishes an exception to LCO 3.0.2 for support systems that have an LCO specified in the Technical Specifications (TS). This exception is provided because LCO 3.0.2 would require that the Conditions and Required Actions of the associated inoperable supported system's LCO be entered solely due to the inoperability of the support system. This exception is justified because the actions that are required to ensure the plant is maintained in a safe condition are specified in the support systems' LCO's Required Actions. These Required Actions may include entering the supported system's Conditions and Required Actions or may specify other Required Actions.

When a support system is inoperable and there is an LCO specified for it in the TS, the supported system(s) are required to be declared inoperable if determined to be inoperable as a result of the support system inoperability.

However, it is not necessary to enter into the supported systems' Conditions and Required Actions unless directed to do so by the support system's Required Actions. The potential confusion and inconsistency of requirements related to the entry into multiple support and supported systems' LCO's Conditions and Required Actions are eliminated by providing all the actions that are necessary to ensure the plant is maintained in a safe condition in the support system's Required Actions.

(continued)

JAFNPP B 3.0-7 Revision 0

LCO Applicability B 3.0 BASES LCO 3.0.6 However, there are instances where a support system's (continued) Required Action may either direct a supported system to be declared inoperable or direct entry into Conditions and Required Actions for the supported system. This may occur immediately or after some specified delay to perform some other Required Action. Regardless of whether it is immediate or after some delay, when a support system's Required Action directs a supported system to be declared inoperable or directs entry into Conditions and Required Actions for a supported system, the applicable Conditions and Required Actions shall be entered in accordance with LCO 3.0.2.

Specification 5.5.12, "Safety Function Determination Program (SFDP)," ensures loss of safety function is detected and appropriate actions are taken. Upon entry into LCO 3.0.6, an evaluation shall be made to determine if loss of safety function exists. Additionally, other limitations, remedial actions, or compensatory actions may be identified as a result of the support system inoperability and corresponding exception to entering supported system Conditions and Required Actions. The SFDP implements the requirements of LCO 3.0.6.

Cross division checks to identify a loss of safety function for those support systems that support safety systems are required. The cross division check verifies that the supported systems of the redundant OPERABLE support system are OPERABLE, thereby ensuring safety function is retained.

A loss of safety function may exist when a support system is inoperable, and:

a. A required system redundant to system(s) supported by the inoperable support system is also inoperable (EXAMPLE B3.0.6-1); or

b. A required system redundant to system(s) in turn supported by the inoperable supported system is also inoperable (EXAMPLE B3.0.6-2); or

c. A required system redundant to support system(s) for the supported systems (a) and (b) above is also inoperable (EXAMPLE B3.0.6-3).

(continued)

JAFNPP B 3.0-8 Revision 0

LCO Applicability B 3.0 BASES LCO 3.0.6 EXAMPLE B3.0.6-1 (continued)

If System 2 of Division A is inoperable, and System 5 of Division B is inoperable, a loss of safety function exists in supported System 5.

EXAMPLE B3.0.6-2 If System 2 of Division A is inoperable, and System 11 of Division B is inoperable, a loss of safety function exists in System 11 which in turn is supported by System 5.

EXAMPLE B3.0.6-3 If System 2 of Division A is inoperable, and System 1 of Division B is inoperable, a loss of safety function exists in Systems 2, 4, 5, 8, 9, 10 and 11.

If this evaluation determines that a loss of safety function exists, the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists are required to be entered.

EXAMPLES DIVISION A DIVISION B SYSTEM 8 .SYSTEM4 -f SYSTEM 8 SYSTEM 4 { SYSTEM 4 SYSTEM 9 SYSTEM 9 SYSTEM 2 1 SYSTEM 5 2SYST 5 SYSTEM 10 SYSTEM 10 SYSTEM 511 SYSTEM 1] 3 K SSYSTE

r SYSTEM 11 SYSTEM 12 SYSTEM 3 If SYSTEM 12

[ SYSTEM 6 { SYSTEM 13 SYSTEM SYSTEM 6 SYSTEM 13 K SYSTEM 7 SYSTEM 14 SYSTEM 15 SYSTEM 7 S SYSTEM 15 14 (continued)

JAFNPP B 3.0-9 Revision 0

LCO Applicability B 3.0 BASES LCO 3.0.6 This loss of safety function does not require the assumption (continued) of additional single failures or loss of offsite power.

Since operation is being restricted in accordance with the ACTIONS of the support system, any resulting temporary loss of redundancy or single failure protection is taken into account. Similarly, the ACTIONS for inoperable offsite circuit(s) and inoperable emergency diesel generator(s) provide the necessary restriction for cross train inoperabilities. This explicit cross train verification for inoperable AC electrical power sources also acknowledges that supported system(s) are not declared inoperable solely as a result of inoperability of a normal or emergency electrical power source (refer to the definition of OPERABILITY).

When loss of safety function is determined to exist, and the SFDP requires entry into the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists, consideration must be given to the specific type of function affected. Where a loss of function is solely due to a single Technical Specification support system (e.g., loss of automatic start due to inoperable instrumentation, or loss of pump suction source due to low tank level) the appropriate LCO is the LCO for the support system. The ACTIONS for a support system LCO adequately addresses the inoperabilities of that system without reliance on entering its supported system LCO. When the loss of function is the result of multiple support systems, the appropriate LCO is the LCO for the supported system.

LCO 3.0.7 There are certain special tests and operations required to be performed at various times over the life of the plant.

These special tests and operations are necessary to demonstrate select plant performance characteristics, to perform special maintenance activities, and to perform special evolutions. Special Operations LCOs in Section 3.10 allow specified TS requirements to be changed to permit performances of these special tests and operations, which otherwise could not be performed if required to comply with the requirements of these TS. Unless otherwise specified, all the other TS requirements remain unchanged. This will ensure all appropriate requirements of the MODE or other specified condition not directly associated with or required to be changed to perform the special test or operation will remain in effect.

(continued)

JAFNPP B 3.0-10 Revision 0

LCO Applicability B 3.0 BASES LCO 3.0.7 The Applicability of a Special Operations LCO represents a (continued) condition not necessarily in compliance with the normal requirements of the TS. Compliance with Special Operations LCOs is optional. A special operation may be performed either under the provisions of the appropriate Special Operations LCO or under the other applicable TS requirements. If it is desired to perform the special operation under the provisions of the Special Operations LCO, the requirements of the Special Operations LCO shall be followed. When a Special Operations LCO requires another LCO to be met, only the requirements of the LCO statement are required to be met regardless of that LCO's Applicability (i.e., should the requirements of this other LCO not be met, the ACTIONS of the Special Operations LCO apply, not the ACTIONS of the other LCO). However, there are instances where the Special Operations LCO's ACTIONS may direct the other LCO's ACTIONS be met. The Surveillances of the other LCO are not required to be met, unless specified in the Special Operations LCO. If conditions exist such that the Applicability of any other LCO is met, all the other LCO's requirements (ACTIONS and SRs) are required to be met concurrent with the requirements of the Special Operations LCO.

JAFNPP B 3.0-11 Revision 0

SR Applicability B 3.0 B 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY BASES SRs SR 3.0.1 through SR 3.0.4 establish the general requirements applicable to all Specifications in Sections 3.1 through 3.10 and apply at all times, unless otherwise stated.

SR 3.0.1 SR 3.0.1 establishes the requirement that SRs must be met during the MODES or other specified conditions in the Applicability for which the requirements of the LCO apply, unless otherwise specified in the individual SRs. This Specification is to ensure that Surveillances are performed to verify the OPERABILITY of systems and components, and that variables are within specified limits. Failure to meet a Surveillance within the specified Frequency, in accordance with SR 3.0.2, constitutes a failure to meet an LCO.

Systems and components are assumed to be OPERABLE when the associated SRs have been met. Nothing in this Specification, however, is to be construed as implying that systems or components are OPERABLE when:

a. The systems or components are known to be inoperable, although still meeting the SRs; or

b. The requirements of the Surveillance(s) are known to be not met between required Surveillance performances.

Surveillances do not have to be performed when the plant is in a MODE or other specified condition for which the requirements of the associated LCO are not applicable, unless otherwise specified. The SRs associated with a Special Operations LCO are only applicable when the Special Operations LCO is used as an allowable exception to the requirements of a Specification.

Unplanned events may satisfy the requirements (including applicable acceptance criteria) for a given SR. In this case, the unplanned event may be credited as fulfilling the performance of the SR.

Surveillances, including Surveillances invoked by Required Actions, do not have to be performed on inoperable equipment because the ACTIONS define the remedial measures that apply.

Surveillances have to be met and performed in accordance with SR 3.0.2, prior to returning equipment to OPERABLE status.

(continued)

JAFNPP B 3.0-12 Revision 0

SR Applicability B 3.0 BASES SR 3.0.1 Upon completion of maintenance, appropriate post-work (continued) testing is required to declare equipment OPERABLE. This includes ensuring applicable Surveillances are not failed and their most recent performance is in accordance with SR 3.0.2. Post-work testing may not be possible in the current MODE or other specified conditions in the Applicability due to the necessary plant parameters not having been established. In these situations, the equipment may be considered OPERABLE provided testing has been satisfactorily completed to the extent possible and the equipment is not otherwise believed to be incapable of performing its function. This will allow operation to proceed to a MODE or other specified condition where other necessary post maintenance tests can be completed. Some examples of this process are:

a. Control Rod Drive maintenance during refueling that requires scram testing at 2 800 psig. However, if other appropriate testing is satisfactorily completed and the scram time testing of SR 3.1.4.3 is satisfied, the control rod can be considered OPERABLE. This allows startup to proceed to reach 800 psig to perform other necessary testing.

b. High pressure coolant injection (HPCI) maintenance during shutdown that requires system functional tests at a specified pressure. Provided other appropriate testing is satisfactorily completed, startup can proceed with HPCI considered OPERABLE. This allows operation to reach the specified pressure to complete the necessary post-work testing.

SR 3.0.2 SR 3.0.2 establishes the requirements for meeting the specified Frequency for Surveillances and any Required Action with a Completion Time that requires the periodic performance of the Required Action on a "once per..."

interval.

SR 3.0.2 permits a 25% extension of the interval specified in the Frequency. This extension facilitates Surveillance scheduling and considers plant operating conditions that may not be suitable for conducting the Surveillance (e.g.,transient conditions or other ongoing Surveillance or maintenance activities).

(continued)

JAFNPP B 3.0-13 Revision 0

SR Applicability B 3.0 BASES SR 3.0.2 The 25% extension does not significantly degrade the (continued) reliability that results from performing the Surveillance at its specified Frequency. This is based on the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the SRs. The exceptions to SR 3.0.2 are those Surveillances for which the 25% extension of the interval specified in the Frequency does not apply. These exceptions are stated in the individual Specifications. The requirements of regulations take precedence over the TS. An example of where SR 3.0.2 does not apply is the Primary Containment Leakage Rate Testing Program. This program establishes testing requirements and Frequencies in accordance with the requirements of regulations. The TS cannot in and of themselves extend a test interval specified in the regulations.

As stated in SR 3.0.2, the 25% extension also does not apply to the initial portion of a periodic Completion Time that requires performance on a "once per..." basis. The 25%

extension applies to each performance after the initial performance. The initial performance of the Required Action, whether it is a particular Surveillance or some other remedial action, is considered a single action with a single Completion Time. One reason for not allowing the 25%

extension to this Completion Time is that such an action usually verifies that no loss of function has occurred by checking the status of redundant or diverse components or accomplishes the function of the inoperable equipment in an alternative manner.

The provisions of SR 3.0.2 are not intended to be used repeatedly merely as an operational convenience to extend Surveillance intervals (other than those consistent with refueling intervals) or periodic Completion Time intervals beyond those specified.

SR 3.0.3 SR 3.0.3 establishes the flexibility to defer declaring affected equipment inoperable or an affected variable outside the specified limits when a Surveillance has not been completed within the specified Frequency. A delay period of up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months or up to the limit of the specified Frequency, whichever is greater, applies from the point in time that it is discovered that the Surveillance has not been performed in accordance with SR 3.0.2, and not at the (continued)

JAFNPP B 3.0-14 Revision 0

SR Applicability B 3.0 BASES SR 3.0.3 time that the specified Frequency was not met. This delay (continued) period provides adequate time to complete Surveillances that have been missed. This delay period permits the completion of a Surveillance before complying with Required Actions or other remedial measures that might preclude completion of the Surveillance.

The basis for this delay period includes consideration of plant conditions, adequate planning, availability of personnel, the time required to perform the Surveillance, the safety significance of the delay in completing the required Surveillance, and the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the requirements.

When a Surveillance with a Frequency based not on time intervals, but upon specified plant conditions, operating conditions, or requirements of regulations (e.g., prior to entering MODE 1 after each fuel loading, or in accordance with 10 CFR 50, Appendix J, as modified by approved exemptions, etc.) is discovered to not have been performed when specified, SR 3.0.3 allows for the full delay period of up to the specified Frequency to perform the Surveillance.

However, since there is not a time interval specified, the missed Surveillance should be performed at the first reasonable opportunity.

SR 3.0.3 provides a time limit for, and allowances for the performance of, Surveillances that become applicable as a consequence of MODE changes imposed by Required Actions.

Failure to comply with specified Frequencies for SRs is expected to be an infrequent occurrence. Use of the delay period established by SR 3.0.3 is a flexibility which is not intended to be used as an operational convenience to extend Surveillance intervals. While up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months or the limit of the specified Frequency is provided to perform the missed Surveillance, it is expected that the missed Surveillance will be performed at the first reasonable opportunity. The determination of the first reasonable opportunity should include consideration of the impact on plant risk (from delaying the Surveillance as well as any plant configuration changes required or shutting the plant down to perform the Surveillance) and impact on any analysis assumptions, in addition to plant conditions, planning, availability of personnel, and the time required to perform the Surveillance. This risk impact should be managed through (continued)

JAFNPP B 3.0-15 Revision 0

SR Applicability B 3.0 BASES SR 3.0.3 the program in place to implement 10 CFR 50.65(a)(4) and its (continued) implementation guidance, Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." This Regulatory Guide addresses consideration of temporary and aggregate risk impacts, determination of risk management action thresholds, and risk management action up to and including plant shutdown. The missed Surveillance should be treated as an emergent condition as discussed in the Regulatory Guide. The risk evaluation may use quantitative, qualitative, or blended methods. The degree of depth and rigor of the evaluation should be commensurate with the importance of the component.

Missed Surveillances for important components should be analyzed quantitatively. If the results of the risk evaluation determine the risk increase is significant, this evaluation should be used to determine the safest course of action. All missed Surveillances will be placed in the licensee's Corrective Action Program.

If a Surveillance is not completed within the allowed delay period, then the equipment is considered inoperable or the variable is considered outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon expiration of the delay period. If a Surveillance is failed within the delay period, then the equipment is inoperable, or the variable is outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon the failure of the Surveillance.

Completion of the Surveillance within the delay period allowed by this Specification, or within the Completion Time of the ACTIONS, restores compliance with SR 3.0.1.

SR 3.0.4 SR 3.0.4 establishes the requirement that all applicable SRs must be met before entry into a MODE or other specified condition in the Applicability.

This Specification ensures that system and component OPERABILITY requirements and variable limits are met before entry into MODES or other specified conditions in the Applicability for which these systems and components ensure safe operation of the plant.

The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.

(continued)

JAFNPP B 3.0-16 Revision 0

SR Applicability B 3.0 BASES SR 3.0.4 However, in certain circumstances, failing to meet an SR (continued) will not result in SR 3.0.4 restricting a MODE change or other specified condition change. When a system, subsystem, division, component, device, or variable is inoperable or outside its specified limits, the associated SR(s) are not required to be performed per SR 3.0.1, which states that Surveillances do not have to be performed on inoperable equipment. When equipment is inoperable, SR 3.0.4 does not apply to the associated SR(s) since the requirement for the SR(s) to be performed is removed. Therefore, failing to perform the Surveillance(s) within the specified Frequency, on equipment that is inoperable, does not result in an SR 3.0.4 restriction to changing MODES or other specified conditions of the Applicability. However, since the LCO is not met in this instance, LCO 3.0.4 will govern any restrictions that may (or may not) apply to MODE or other specified condition changes.

The provisions of SR 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of SR 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any plant shutdown.

The precise requirements for performance of SRs are specified such that exceptions to SR 3.0.4 are not necessary. The specific time frames and conditions necessary for meeting the SRs are specified in the Frequency, in the Surveillance, or both. This allows performance of Surveillances when the prerequisite condition(s) specified in a Surveillance procedure require entry into the MODE or other specified condition in the Applicability of the associated LCO prior to the performance or completion of a Surveillance. A Surveillance that could not be performed until after entering the LCO Applicability would have its Frequency specified such that it is not "due" until the specific conditions needed are met. Alternately, the Surveillance may be stated in the form of a Note as not required (to be met or performed) until a particular event, condition, or time has been reached. Further discussion of the specific formats of SRs' annotation is found in Section 1.4, Frequency.

SR 3.0.4 is only applicable when entering MODE 3 from MODE 4, MODE 2 from MODE 3, 4, or 5, or MODE 1 from MODE 2.

Furthermore, SR 3.0.4 is applicable when entering any other specified condition in the Applicability only while (continued)

JAFNPP B 3.0-17 Revision 0

SR Applicability B 3.0 BASES SR 3.0.4 operating in MODE 1, 2, or 3. The requirements of SR 3.0.4 (continued) do not apply in MODES 4 and 5, or in other specified conditions of the Applicability (unless in MODE 1, 2, or 3) because the ACTIONS of individual Specifications sufficiently define the remedial measures to be taken.

JAFNPP B 3.0-18 Revision 0

SDM B 3.1.1 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.1 SHUTDOWN MARGIN (SDM)

BASES BACKGROUND SDM requirements are specified to ensure:

a. The reactor can be made subcritical from all operating conditions and transients and Design Basis Events;

b. The reactivity transients associated with postulated accident conditions are controllable within acceptable limits; and

c. The reactor will be maintained sufficiently subcritical to preclude inadvertent criticality in the shutdown condition.

These requirements are satisfied by the control rods, as described in the Updated Final Safety Analysis Report (UFSAR) Section 16.6 (Ref. 1), which can compensate for the reactivity effects of the fuel and water temperature changes experienced during all operating conditions.

APPLICABLE The control rod drop accident (CRDA) analysis (Refs. 2 and SAFETY ANALYSES 3) assumes the core is subcritical with the highest worth control rod withdrawn. Typically, the first control rod withdrawn has a very high reactivity worth and, should the core SDM be substantially less than 0.38% Ak/k during the withdrawal of the first control rod, the consequences of a CRDA could exceed the fuel damage limits for a CRDA (see Bases for LCO 3.1.6, "Rod Pattern Control"). Also, SDM is assumed as an initial condition for the control rod removal error during refueling (Ref. 4) and fuel assembly insertion error during refueling (Ref. 5) accidents. The analysis of these reactivity insertion events assumes the refueling interlocks are OPERABLE when the reactor is in the refueling mode of operation. These interlocks prevent the withdrawal of more than one control rod from the core during refueling.

(Special consideration and requirements for multiple control rod withdrawal during refueling are covered in Special Operations LCO 3.10.6, "Multiple Control Rod Withdrawal -Refueling.") The analysis assumes this condition is acceptable since the core will be shut down with the highest worth control rod withdrawn, if adequate SDM has been demonstrated.

(continued)

JAFNPP B 3.1.1-1 Revision 0

SDM B 3.1.1 BASES APPLICABLE Prevention or mitigation of reactivity insertion events is SAFETY ANALYSES necessary to limit energy deposition in the fuel to prevent (continued) significant fuel damage, which could result in undue release of radioactivity. Adequate SDM ensures inadvertent criticalities and potential CRDAs involving high worth control rods (namely the first control rod withdrawn) will not cause significant fuel damage.

SDM satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii)

(Ref. 5).

LCO The specified SDM limit accounts for the uncertainty in the demonstration of the SDM by analysis or by a combination of test and analysis. A SDM limit is provided where the highest worth control rod is determined analytically. SDM is demonstrated by analysis or by a combination of test and analysis. During refueling it is demonstrated by analysis and during a startup it is demonstrated by a combination of test and analysis. To ensure adequate SDM during the design process, a design margin is included to account for uncertainties in the design calculations (Ref. 6).

APPLICABILITY In MODES 1 and 2, SDM must be provided because subcriticality with the highest worth control rod withdrawn is assumed in the CRDA analysis (Ref. 2). In MODES 3 and 4, SDM is required to ensure the reactor will be held subcritical with margin for a single withdrawn control rod.

SDM is required in MODE 5 to prevent an open vessel, inadvertent criticality during the withdrawal of a single control rod from a core cell containing one or more fuel assemblies or a fuel assembly insertion error (Ref. 7).

ACTIONS A.1 With SDM not within the limits of the LCO in MODE 1 or 2, SDM must be restored within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . Failure to meet the specified SDM may be caused by a control rod that cannot be inserted. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is acceptable, considering that the reactor can still be shut down, assuming no failures of additional control rods to insert, and the low probability of an event occurring during this interval.

(continued)

JAFNPP B 3.1.1-2 Revision 0

SDM B 3.1.1 BASES ACTIONS B.1 (continued)

If the SDM cannot be restored, the plant must be brought to MODE 3 in 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months , to prevent the potential for further reductions in available SDM (e.g., additional stuck control rods). The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

C.1 With SDM not within limits in MODE 3, the operator must immediately initiate action to fully insert all insertable control rods. Action must continue until all insertable control rods are fully inserted. This action results in the least reactive condition for the core.

D.1, D.2, D.3, and D.4 With SDM not within limits in MODE 4, the operator must immediately initiate action to fully insert all insertable control rods. Action must continue until all insertable control rods are fully inserted. This action results in the least reactive condition for the core. Action must also be initiated within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to provide means for control of potential radioactive releases. This includes ensuring secondary containment is OPERABLE; at least one Standby Gas Treatment (SGT) subsystem is OPERABLE; and secondary containment isolation capability is available in each associated secondary containment penetration flow path not isolated that is assumed to isolate to mitigate radioactivity releases (i.e., at least one secondary containment isolation valve and associated instrumentation are OPERABLE, or acceptable administrative controls assure isolation capability. These administrative controls consist of stationing a dedicated operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated). This may be performed as an administrative check, by examining logs or other information, to determine if the components are out of service for maintenance or other reasons. It is not (continued)

JAFNPP B 3.1.1-3 Revision 0

SDM B 3.1.1 BASES ACTIONS D.1, D.2, D.3, and D.4 (continued) necessary to perform the surveillances needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, SRs may need to be performed to restore the component to OPERABLE status.

Actions must continue until all required components are OPERABLE.

E.1, E.2, E.3, E.4, and E.5 With SDM not within limits in MODE 5, the operator must immediately suspend CORE ALTERATIONS that could reduce SDM (e.g., insertion of fuel in the core or the withdrawal of control rods). Suspension of these activities shall not preclude completion of movement of a component to a safe condition. Inserting control rods or removing fuel from the core will reduce the total reactivity and are therefore excluded from the suspended actions.

Action must also be immediately initiated to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Action must continue until all insertable control rods in core cells containing one or more fuel assemblies have been fully inserted. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and therefore do not have to be inserted.

Action must also be initiated within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to provide means for control of potential radioactive releases. This includes ensuring secondary containment is OPERABLE: at least one SGT subsystem is OPERABLE; and secondary containment isolation capability is available in each associated secondary containment penetration flow path not isolated that is assumed to isolate to mitigate radioactivity releases (i.e., at least one secondary containment isolation valve and associated instrumentation are OPERABLE, or acceptable administrative controls assure isolation capability. These administrative controls consist of stationing a dedicated operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated). This may be performed as an (continued)

JAFNPP B 3.1.1-4 Revision 0

SDM B 3.1.1 BASES ACTIONS E.1, E.2, E.3, E.4, and E.5 (continued) administrative check, by examining logs or other information, to determine if the components are out of service for maintenance or other reasons. It is not necessary to perform the Surveillances as needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, SRs may need to be performed to restore the component to OPERABLE status.

Action must continue until all required components are OPERABLE.

SURVEILLANCE SR 3.1.1.1 REQUIREMENTS Adequate SDM must be verified to ensure that the reactor can be made subcritical from any initial operating condition with the highest reactivity worth control rod fully withdrawn and all other control rods fully inserted. This can be accomplished by a test (by withdrawing control rods),

an evaluation, or a combination of the two. Adequate SDM is demonstrated by testing before or during the first startup after fuel movement, shuffling within the reactor pressure vessel, or control rod replacement. Control rod replacement refers to the decoupling and removal of a control rod from a core location, and subsequent replacement with a new control rod or a control rod from another core location. Since core reactivity will vary during the cycle as a function of fuel depletion and poison burnup, the beginning of cycle (BOC) test must also account for changes in core reactivity during the cycle. Therefore, to obtain the SDM, the initial measured value must be increased by an adder, "R", which is the difference between the calculated value of maximum core reactivity during the operating cycle and the calculated BOC core reactivity. If the value of R is negative (that is, BOC is the most reactive point in the cycle), no correction to the BOC measured value is required (Ref. 6).

The SDM may be demonstrated during an in-sequence control rod withdrawal or during local criticals. In both cases, the highest worth control rod is analytically determined. Local critical tests require the withdrawal of out of sequence control rods. This testing would therefore require bypassing of the rod worth minimizer to allow the out of (continued)

JAFNPP B 3.1.1-5 Revision 0

SDM B 3.1.1 BASES SURVEILLANCE SR 3.1.1.1 (continued)

REQUIREMENTS sequence withdrawal, and therefore additional requirements must be met (see LCO 3.10.7, "Control Rod Testing Operating" and LCO 3.10.8, "SHUTDOWN MARGIN Test Refuel ing").

The Frequency of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months after reaching criticality is allowed to provide a reasonable amount of time to perform the required calculations and have appropriate verification.

During MODES 3 and 4, analytical calculation of SDM may be used to assure the requirements of SR 3.1.1.1 are met.

During MODE 5, adequate SDM is required to ensure that the reactor does not reach criticality during control rod withdrawals. An evaluation of each in-vessel fuel movement during fuel loading (including shuffling fuel within the core) is required to ensure adequate SDM is maintained during refueling. This evaluation ensures that the intermediate loading patterns are bounded by the safety analyses for the final core loading pattern. For example, bounding analyses that demonstrate adequate SDM for the most reactive configurations during the refueling may be performed to demonstrate acceptability of the entire fuel movement sequence. These bounding analyses include additional margins to the associated uncertainties. Spiral offload/reload sequences inherently satisfy the SR, provided the fuel assemblies are reloaded in the same configuration analyzed for the new cycle. Removing fuel from the core will always result in an increase in SDM.

REFERENCES 1. UFSAR, Section 16.6.

2. UFSAR, Section 14.6.1.2.

3. NEDE-24011-P-A, General Electric Standard Application for Reactor Fuel, Supplement for United States, Section S.2.2.3.1, (Revision specified in the COLR).

4. UFSAR, Section 14.5.4.3.

5. 10 CFR 50.36(c)(2)(ii).

6. NEDE-24011-P-A, General Electric Standard Application for Reactor Fuel, Section 3.2.4.1, (Revision specified in the COLR).

7. UFSAR, Section 14.5.4.4.

JAFNPP B 3.1.1-6 Revision 0

Reactivity Anomalies B 3.1.2 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.2 Reactivity Anomalies BASES BACKGROUND In accordance with the Updated Final Safety Evaluation Report (UFSAR) Section 16.6 (Ref. 1), reactivity shall be controllable such that subcriticality is maintained under cold conditions and acceptable fuel design limits are not exceeded during normal operation and abnormal operational transients. Therefore, Reactivity Anomalies are used as a measure of the predicted versus measured core reactivity during power operation. The continual confirmation of core reactivity is necessary to ensure that the Design Basis Accident (DBA) and transient safety analyses remain valid.

A large reactivity anomaly could be the result of unanticipated changes in fuel reactivity or control rod worth or operation at conditions not consistent with those assumed in the predictions of core reactivity, and could potentially result in a loss of SDM or violation of acceptable fuel design limits. Comparing predicted versus measured core reactivity validates the nuclear methods used in the safety analysis and supports the SDM requirements (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)") in assuring the reactor can be brought safely to cold, subcritical conditions.

When the reactor core is critical or in normal power operation, a reactivity balance exists and the net reactivity is zero. A comparison of predicted and measured reactivity is convenient under such a balance, since parameters are being maintained relatively stable under steady state power conditions. The positive reactivity inherent in the core design is balanced by the negative reactivity of the control components, thermal feedback, neutron leakage, and materials in the core that absorb neutrons, such as burnable absorbers, producing zero net reactivity.

In order to achieve the required fuel cycle energy output, the uranium enrichment in the new fuel loading and the fuel loaded in the previous cycles provide excess positive reactivity beyond that required to sustain steady state operation at the beginning of cycle (BOC). When the reactor is critical at RTP and operating moderator temperature, the excess positive reactivity is compensated by burnable absorbers (if any), control rods, and whatever neutron (continued)

JAFNPP B 3.1.2-1 Revision 0

Reactivity Anomalies B 3.1.2 BASES BACKGROUND poisons (mainly xenon and samarium) are present in the fuel.

(continued) The predicted core reactivity, as represented by control rod density, is calculated by the 3D Monicore System as a function of cycle exposure. This calculation is performed for projected operating states and conditions throughout the cycle. The core reactivity is determined from control rod densities for actual plant conditions and is then compared to the predicted value for the cycle exposure.

APPLICABLE Accurate prediction of core reactivity is either an explicit SAFETY ANALYSES or implicit assumption in the accident analysis evaluations (Ref. 2). In particular, SDM and reactivity transients, such as control rod withdrawal accidents or rod drop accidents, are very sensitive to accurate prediction of core reactivity. These accident analysis evaluations rely on computer codes that have been qualified against available test data, operating plant data, and analytical benchmarks.

Measuring reactivity anomaly provides additional assurance that the nuclear methods provide an accurate representation of the core reactivity.

The comparison between measured and predicted initial core reactivity provides a normalization for the calculational models used to predict core reactivity. If the measured and predicted rod density for identical core conditions at BOC do not reasonably agree, then the assumptions used in the reload cycle design analysis or the calculation models used to predict rod density may not be accurate. If reasonable agreement between measured and predicted core reactivity exists at BOC, then the prediction may be normalized to the measured value. Thereafter, any significant deviations in the measured rod density from the predicted rod density that develop during fuel depletion may be an indication that the assumptions of the DBA and transient analyses are no longer valid, or that an unexpected change in core conditions has occurred.

Reactivity Anomalies satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).

LCO The reactivity anomaly limit is established to ensure plant operation is maintained within the assumptions of the safety analyses. Large differences between measured and predicted core reactivity may indicate that the assumptions of the DBA and transient analyses are no longer valid, or that the (continued)

JAFNPP B 3.1.2-2 Revision 0

Reactivity Anomalies B 3.1.2 BASES LCO uncertainties in the "Nuclear Design Methodology" are larger (continued) than expected. A limit on the difference between the measured and the predicted rod density of +/- 1% Ak/k has been established based on engineering judgment. A > 1%deviation in reactivity from that predicted is larger than expected for normal operation and should therefore be evaluated.

APPLICABILITY In MODE 1, most of the control rods are withdrawn and steady state operation is typically achieved. Under these conditions, the comparison between predicted and measured core reactivity provides an effective measure of the reactivity anomaly. In MODE 2, control rods are typically being withdrawn during a startup. In MODES 3 and 4, all control rods are fully inserted and therefore the reactor is in the least reactive state, where measuring core reactivity is not necessary. In MODE 5, fuel loading results in a continually changing core reactivity. SDM requirements (LCO 3.1.1) ensure that fuel movements are performed within the bounds of the safety analysis, and an SDM demonstration is required during the first startup following operations that could have altered core reactivity (e.g., fuel movement, control rod replacement, shuffling). The SDM test, required by LCO 3.1.1, provides a direct comparison of the predicted and measured core reactivity at cold conditions; therefore, the Reactivity Anomalies Specification is not required during these conditions.

ACTIONS A.1 Should an anomaly develop between measured and predicted core reactivity, the core reactivity difference must be restored to within the limit to ensure continued operation is within the core design assumptions. Restoration to within the limit could be performed by an evaluation of the core design and safety analysis to determine the reason for the anomaly. This evaluation normally reviews the core conditions to determine their consistency with input to design calculations. Measured core and process parameters are also normally evaluated to determine that they are within the bounds of the safety analysis, and safety analysis calculational models may be reviewed to verify that they are adequate for representation of the core conditions.

The required Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is based on the low probability of a DBA occurring during this period, and allows sufficient time to assess the physical condition of the reactor and complete the evaluation of the core design and safety analysis.

(continued)

JAFNPP B 3.1.2-3 Revision 0

Reactivity Anomalies B 3.1.2 BASES ACTIONS B.1 (continued)

If the core reactivity cannot be restored to within the 1% Ak/k limit, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.1.2.1 REQUIREMENTS Verifying the reactivity difference between the measured and predicted rod density is within the limits of the LCO provides added assurance that plant operation is maintained within the assumptions of the DBA and transient analyses.

The 3D Monicore System calculates the rod density for the reactor conditions obtained from plant instrumentation. A comparison of the measured rod density to the predicted rod density at the same cycle exposure is used to calculate the reactivity difference. The comparison is required when the core reactivity has potentially changed by a significant amount. This may occur following a refueling in which new fuel assemblies are loaded, fuel assemblies are shuffled within the core, or control rods are replaced or shuffled.

Control rod replacement refers to the decoupling and removal of a control rod from a core location, and subsequent replacement with a new control rod or a control rod from another core location. Also, core reactivity changes during the cycle. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months interval after reaching equilibrium conditions following a startup is based on the need for equilibrium xenon concentrations in the core, such that an accurate comparison between the measured and predicted rod density can be made. For the purposes of this SR, the reactor is assumed to be at equilibrium conditions when steady state operations (no control rod movement or core flow changes) at t 75% RTP have been obtained. The 1000 MWD/T Frequency was developed, considering the relatively slow change in core reactivity with exposure and operating experience related to variations in core reactivity. This comparison requires the core to be operating at power levels which minimize the uncertainties and measurement errors, in order to obtain meaningful results. Therefore, the comparison is only done when in MODE 1. The tests performed at this Frequency also use base data obtained during the first test of the specific cycle.

(continued)

JAFNPP B 3.1.2-4 Revision 0

Reactivity Anomalies B 3.1.2 BASES (continued)

REFERENCES 1. UFSAR, Section 16.6.

2. UFSAR, Chapter 14.

3. 10 CFR 50.36(c)(2)(ii).

JAFNPP B 3.1.2-5 Revision 0

Control Rod OPERABILITY B 3.1.3 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.3 Control Rod OPERABILITY BASES BACKGROUND Control rods are components of the Control Rod Drive (CRD)

System, which is the primary reactivity control system for the reactor. In conjunction with the Reactor Protection System, the CRD System provides the means for the reliable control of reactivity changes to ensure under conditions of normal operation, including abnormal operational transients, that specified acceptable fuel design limits are not exceeded. In addition, the control rods provide the capability to hold the reactor core subcritical under all conditions and to limit the potential amount and rate of reactivity increase caused by a malfunction in the CRD System. The CRD System is designed to satisfy the requirements specified in Reference 1.

The CRD System consists of 137 locking piston CRDs and a hydraulic control unit for each CRD. The locking piston type CRD is a double acting hydraulic piston, which uses condensate water as the operating fluid. Accumulators provide additional energy for scram. An index tube and piston, coupled to the control rod, are locked at fixed increments by a collet mechanism. The collet fingers engage notches in the index tube to prevent unintentional withdrawal of the control rod, but without restricting insertion.

This Specification, along with LCO 3.1.4, "Control Rod Scram Times," and LCO 3.1.5, "Control Rod Scram Accumulators,"

ensure that the performance of the control rods in the event of a Design Basis Accident (DBA) or transient meets the assumptions used in the safety analyses of References 2 and 3.

APPLICABLE The control rods provide the primary means for rapid SAFETY ANALYSES reactivity control (reactor scram), for maintaining the reactor subcritical and for limiting the potential effects of reactivity insertion events caused by malfunctions in the CRD System.

The capability to insert the control rods provides assurance that the assumptions for scram reactivity in the DBA and transient analyses are not violated (Refs. 2 and 3). Since the SDM ensures the reactor will be subcritical with the (continued)

JAFNPP B 3.1.3-1 Revision 0

Control Rod OPERABILITY B 3.1.3 BASES APPLICABLE highest worth control rod withdrawn (assumed single SAFETY ANALYSES failure), the additional failure of a second control rod to (continued) insert, if required, could invalidate the demonstrated SDM and potentially limit the ability of the CRD System to hold the reactor subcritical. If the control rod is stuck at an inserted position and becomes decoupled from the CRD, a control rod drop accident (CRDA) can possibly occur.

Therefore, the requirement that all control rods be OPERABLE ensures the CRD System can perform its intended function.

The control rods also protect the fuel from damage which could result in release of radioactivity. The limits protected are the MCPR Safety Limit (SL) (see Bases for SL 2.1.1, "Reactor Core SLs," and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)"), the 1% cladding plastic strain fuel design limit (see Bases for LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)", and LCO 3.2.3, "LINEAR HEAT GENERATION RATE (LHGR)"), and the fuel damage limit (see Bases for LCO 3.1.6, "Rod Pattern Control")

during reactivity insertion events.

The negative reactivity insertion (scram) provided by the CRD System provides the analytical basis for determination of plant thermal limits and provides protection against fuel damage limits during a CRDA. The Bases for LCO 3.1.4, LCO 3.1.5, and LCO 3.1.6 discuss in more detail how the SLs are protected by the CRD System.

Control rod OPERABILITY satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 4).

LCO The OPERABILITY of an individual control rod is based on a combination of factors, primarily, the scram insertion times, the control rod coupling integrity, and the ability to determine the control rod position. Accumulator OPERABILITY is addressed by LCO 3.1.5. The associated scram accumulator status for a control rod only affects the scram insertion times; therefore, an inoperable accumulator does not immediately require declaring a control rod inoperable.

Although not all control rods are required to be OPERABLE to satisfy the intended reactivity control requirements, strict control over the number and distribution of inoperable control rods is required to satisfy the assumptions of the DBA and transient analyses.

(continued)

JAFNPP B 3.1.3-2 Revision 0

Control Rod OPERABILITY B 3.1.3 BASES (continued)

APPLICABILITY In MODES 1 and 2, the control rods are assumed to function during a DBA or transient and are therefore required to be OPERABLE in these MODES. In MODES 3 and 4, control rods are not able to be withdrawn since the reactor mode switch is in shutdown and a control rod block is applied. This provides adequate requirements for control rod OPERABILITY during these conditions. Control rod requirements in MODE 5 are located in LCO 3.9.5, "Control Rod OPERABILITY-Refueling."

ACTIONS The ACTIONS Table is modified by a Note indicating that a separate Condition entry is allowed for each control rod.

This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable control rod. Complying with the Required Actions may allow for continued operation, and subsequent inoperable control rods are governed by subsequent Condition entry and application of associated Required Actions.

A.1, A.2, A.3, and A.4 A control rod is considered stuck if it will not insert by either CRD drive water or scram pressure. With a fully inserted control rod stuck, no actions are required as long as the control rod remains fully inserted. The Required Actions are modified by a Note, which allows the rod worth minimizer (RWM) to be bypassed if required to allow continued operation. LCO 3.3.2.1, "Control Rod Block Instrumentation," provides additional requirements when the RWM is bypassed to ensure compliance with the CRDA analysis.

With one withdrawn control rod stuck, the local scram reactivity rate assumptions may not be met if the stuck control rod separation criteria are not met. Therefore, a verification that the separation criteria are met must be performed immediately. The separation criteria are not met if a) the stuck control rod occupies a location adjacent to two "slow" control rods, b) the stuck control rod occupies a location adjacent to one "slow" control rod, and the one "slow" control rod is also adjacent to another "slow" control rod, or c) if the stuck control rod occupies a location adjacent to one "slow" control rod when there is another pair of "slow" control rods adjacent to one another.

The description of "slow" control rods is provided in LCO 3.1.4, "Control Rod Scram Times." In addition, the (continued)

JAFNPP B 3.1.3-3 Revision 0

Control Rod OPERABILITY B 3.1.3 BASES ACTIONS A.1, A.2, A.3, and A.4 (continued) associated control rod drive must be disarmed (hydraulically) in 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months . The allowed Completion Time of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months is acceptable, considering the reactor can still be shut down, assuming no additional control rods fail to insert, and provides a reasonable time to perform the Required Action in an orderly manner. The control rod must be isolated from both scram and normal insert and withdraw pressure. Isolating the control rod in this manner prevents damage to the stuck CRD. In addition, the control rod should be isolated while maintaining cooling water to the CRD.

Demonstrating the insertion capability of each withdrawn control rod must also be performed within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months from discovery of Condition A concurrent with THERMAL POWER greater than the low power setpoint (LPSP) of the RWM.

SR 3.1.3.2 and SR 3.1.3.3 require periodic tests of the control rod insertion capability of withdrawn control rods.

Testing each withdrawn control rod ensures that a generic problem does not exist. This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." The Required Action A.3 Completion Time only begins upon discovery of Condition A concurrent with THERMAL POWER greater than the actual LPSP of the RWM since the notch insertions may not be compatible with the requirements of rod pattern control (LCO 3.1.6) and the RWM (LCO 3.3.2.1). The allowed Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months from discovery of Condition A concurrent with THERMAL POWER greater than the LPSP of the RWM provides a reasonable time to test the control rods, considering the potential for a need to reduce power to perform the tests.

To allow continued operation with a withdrawn control rod stuck, an evaluation of adequate SDM is also required within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . Should a DBA or transient require a shutdown, to preserve the single failure criterion, an additional control rod would have to be assumed to fail to insert when required. Therefore, the original SDM demonstration may not be valid. The SDM must therefore be evaluated (by measurement or analysis) with the stuck control rod at its stuck position and the highest worth OPERABLE control rod assumed to be fully withdrawn.

The allowed Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to verify SDM is adequate, considering that with a single control rod stuck in a withdrawn position, the remaining OPERABLE control rods are capable of providing the required scram and shutdown (continued)

JAFNPP B 3.1.3-4 Revision 0

Control Rod OPERABILITY B 3.1.3 BASES ACTIONS A.1, A.2, A.3, and A.4 (continued) reactivity. Failure to reach MODE 4 condition is only likely if an additional control rod adjacent to the stuck control rod also fails to insert during a required scram.

Even with the postulated additional single failure of an adjacent control rod to insert, sufficient reactivity control remains to reach and maintain MODE 3 conditions (Ref. 5).

B.1 With two or more withdrawn control rods stuck, the plant must be brought to MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The occurrence of more than one control rod stuck at a withdrawn position increases the probability that the reactor cannot be shut down if required. Insertion of all insertable control rods eliminates the possibility of an additional failure of a control rod to insert. The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

C.1 and C.2 With one or more control rods inoperable for reasons other than being stuck in the withdrawn position, operation may continue, provided the control rods are fully inserted within 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months and disarmed (electrically or hydraulically) within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . Inserting a control rod ensures the shutdown and scram capabilities are not adversely affected.

The control rod is disarmed to prevent inadvertent withdrawal during subsequent operations. The control rods can be hydraulically disarmed by closing the drive water and exhaust water isolation valves. The control rods can be electrically disarmed by disconnecting power from all four directional control valve solenoids. Required Action C.1 is modified by a Note, which allows the RWM to be bypassed if required to allow insertion of the inoperable control rods and continued operation. LCO 3.3.2.1 provides additional requirements when the RWM is bypassed to ensure compliance with the CRDA analysis.

(continued)

JAFNPP B 3.1.3-5 Revision 0

Control Rod OPERABILITY B 3.1.3 BASES ACTIONS C.1 and C.2 (continued)

The allowed Completion Times are reasonable, considering the small number of allowed inoperable control rods, and provide time to insert and disarm the control rods in an orderly manner and without challenging plant systems.

D.1 and D.2 Out of sequence control rods may increase the potential reactivity worth of a dropped control rod during a CRDA. At

! 10% RTP, the generic banked position withdrawal sequence (BPWS) analysis (Ref. 5) requires inserted control rods not in compliance with BPWS to be separated by at least two OPERABLE control rods in all directions, including the diagonal. Therefore, if two or more inoperable control rods are not in compliance with BPWS and not separated by at least two OPERABLE control rods, action must be taken to restore compliance with BPWS or restore the control rods to OPERABLE status. Condition D is modified by a Note indicating that the Condition is not applicable when

> 10% RTP, since the BPWS is not required to be followed under these conditions, as described in the Bases for LCO 3.1.6. The allowed Completion Time of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is acceptable, considering the low probability of a CRDA occurring.

E.1 If any Required Action and associated Completion Time of Condition A, C, or D are not met, or there are nine or more inoperable control rods, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . This ensures all insertable control rods are inserted and places the reactor in a condition that does not require the active function (i.e., scram) of the control rods. The number of control rods permitted to be inoperable when operating above 10% RTP (i.e., no CRDA considerations) could be more than the value specified, but the occurrence of a large number of inoperable control rods could be indicative of a generic problem, and investigation and resolution of the potential problem should be undertaken. The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging plant systems.

(continued)

JAFNPP B 3.1.3-6 Revision 0

Control Rod OPERABILITY B 3.1.3 BASES (continued)

SURVEILLANCE SR 3.1.3.1 REQUIREMENTS The position of each control rod must be determined to ensure adequate information on control rod position is available to the operator for determining control rod OPERABILITY and controlling rod patterns. Control rod position may be determined by the use of OPERABLE position indicators, by moving control rods to a position with an OPERABLE indicator, or by the use of other appropriate methods. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Frequency of this SR is based on operating experience related to expected changes in control rod position and the availability of control rod position indications in the control room.

SR 3.1.3.2 and SR 3.1.3.3 Control rod insertion capability is demonstrated by inserting each partially or fully withdrawn control rod at least one notch and observing that the control rod moves.

The control rod may then be returned to its original position. This ensures the control rod is not stuck and is free to insert on a scram signal. These Surveillances are not required when THERMAL POWER is less than or equal to the actual LPSP of the RWM, since the notch insertions may not be compatible with the requirements of the Banked Position Withdrawal Sequence (BPWS) (LCO 3.1.6) and the RWM (LCO 3.3.2.1). The 7 day Frequency of SR 3.1.3.2 is based on operating experience related to the changes in CRD performance and the ease of performing notch testing for fully withdrawn control rods. Partially withdrawn control rods are tested at a 31 day Frequency, based on the potential power reduction required to allow the control rod movement and considering the large testing sample of SR 3.1.3.2. Furthermore, the 31 day Frequency takes into account operating experience related to changes in CRD performance. At any time, if a control rod is immovable, a determination of the control rods OPERABILITY must be made and appropriate action taken. These SRs are modified by Notes that allows 7 days and 31 days respectively, after withdrawal of the control rod and increasing power to above the LPSP of the RWM, to perform the Surveillance. This acknowledges that the control rod must be first withdrawn and THERMAL POWER must increase to above the LPSP before performance of the Surveillance, and therefore the Notes avoid potential conflicts with SR 3.0.3 and SR 3.0.4.

(continued)

JAFNPP B 3.1.3-7 Revision 0

Control Rod OPERABILITY B 3.1.3 BASES SURVEILLANCE SR 3.1.3.4 REQUIREMENTS (continued) Verifying that the scram time for each control rod to notch position 04 is

7 seconds provides reasonable assurance that the control rod will insert when required during a DBA or transient, thereby completing its shutdown function.

This SR is performed in conjunction with the control rod scram time testing of SR 3.1.4.1, SR 3.1.4.2, SR 3.1.4.3, and SR 3.1.4.4. The LOGIC SYSTEM FUNCTIONAL TEST in LCO 3.3.1.1, "Reactor Protection System (RPS)

Instrumentation," and the functional testing of SDV vent and drain valves in LCO 3.1.8, "Scram Discharge Volume (SDV)

Vent and Drain Valves," overlap this Surveillance to provide complete testing of the assumed safety function. The associated Frequencies are acceptable, considering the more frequent testing performed to demonstrate other aspects of control rod OPERABILITY and operating experience, which shows scram times do not significantly change over an operating cycle.

SR 3.1.3.5 Coupling verification is performed to ensure the control rod is connected to the CRD and will perform its intended function when necessary. The Surveillance requires verifying a control rod does not go to the withdrawn overtravel position. The overtravel position feature provides a positive check on the coupling integrity since only an uncoupled CRD can reach the overtravel position.

The verification is required to be performed any time a control rod is withdrawn to the "full out" position (notch position 48) or prior to declaring the control rod OPERABLE after work on the control rod or CRD System that could affect coupling. This includes control rods inserted one notch and then returned to the "full out" position during the performance of SR 3.1.3.2. This Frequency is acceptable, considering the low probability that a control rod will become uncoupled when it is not being moved and operating experience related to uncoupling events.

REFERENCES 1. UFSAR, Section 16.6.

2. UFSAR, Section 14.6.

3. UFSAR, Section 14.5.

(continued)

JAFNPP B 3.1.3-8 Revision 0

Control Rod OPERABILITY B 3.1.3 BASES REFERENCES 4. 10 CFR 50.36(c)(2)(ii).

(continued)

5. NEDO-21231, Banked Position Withdrawal Sequence, Section 7.2, January 1977.

JAFNPP B 3.1.3-9 Revision 0

Control Rod Scram Times B 3.1.4 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.4 Control Rod Scram Times BASES BACKGROUND The scram function of the Control Rod Drive (CRD) System controls reactivity changes during abnormal operational transients to ensure that specified acceptable fuel design limits are not exceeded (Ref. 1). The control rods are scrammed by positive means using hydraulic pressure exerted on the CRD piston.

When a scram signal is initiated, control air is vented from the scram valves, allowing them to open by spring action.

Opening the exhaust valve reduces the pressure above the main drive piston to atmospheric pressure, and opening the inlet valve applies the accumulator or reactor pressure to the bottom of the piston. Since the notches in the index tube are tapered on the lower edge, the collet fingers are forced open by cam action, allowing the index tube to move upward without restriction because of the high differential pressure across the piston. As the drive moves upward and the accumulator pressure reduces below the reactor pressure, a ball check valve opens, letting the reactor pressure complete the scram action. If the reactor pressure is low, such as during startup, the accumulator will fully insert the control rod in the required time without assistance from reactor pressure.

APPLICABLE The Design Basis Accident (DBA) and transient analyses SAFETY ANALYSES assume that all of the control rods scram at a specified insertion rate (Refs. 2 and 3). The resulting negative scram reactivity forms the basis for the determination of plant thermal limits (e.g., the MCPR). Other distributions of scram times (e.g., several control rods scramming slower than the average time with several control rods scramming faster than the average time) can also provide sufficient scram reactivity. Surveillance of each individual control rod's scram time ensures the scram reactivity assumed in the DBA and transient analyses can be met.

The scram function of the CRD System protects the MCPR Safety Limit (SL) (see Bases for SL 2.1.1, "Reactor Core SLs," and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)")

and the 1% cladding plastic strain fuel design limit (see Bases for LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION (continued)

JAFNPP B 3.1.4-1 Revision 0

Control Rod Scram Times B 3.1.4 BASES APPLICABLE RATE (APLHGR)"), which ensure that no fuel damage will occur SAFETY ANALYSES if these limits are not exceeded. Above 800 psig, the scram (continued) function is designed to insert negative reactivity at a rate fast enough to prevent the actual MCPR from becoming less than the MCPR SL, during the analyzed limiting power transient. Below 800 psig, the scram function is assumed to mitigate the control rod drop accident (Ref. 4) and, therefore, also provides protection against violating fuel damage limits during reactivity insertion accidents (see Bases for LCO 3.1.6, "Rod Pattern Control"). For the reactor vessel overpressure protection analysis, the scram function, along with the safety/relief valves, ensure that the peak vessel pressure is maintained within the applicable ASME Code limits.

Control rod scram times satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 5).

LCO The scram times specified in Table 3.1.4-1 are required to ensure that the scram reactivity assumed in the DBA and transient analysis is met (Ref. 6). To account for single failures and "slow" scramming control rods, the scram times specified in Table 3.1.4-1 are faster than those assumed in the design basis analysis. The scram times have a margin that allows 10 control rods to have scram times exceeding the specified limits (i.e., "slow" control rods) assuming a single stuck control rod (as allowed by LCO 3.1.3, "Control Rod OPERABILITY") and an additional control rod failing to scram per the single failure criterion. The scram times are specified as a function of reactor steam dome pressure to account for the pressure dependence of the scram times. The scram times are specified relative to measurements based on reed switch positions, which provide the control rod position indication. The reed switch closes ("pickup") when the index tube passes a specific location and then opens

("dropout") as the index tube travels upward. Verification of the specified scram times in Table 3.1.4-1 is accomplished through measurement of the "dropout" times. To ensure that local scram reactivity rates are maintained within acceptable limits, no more than two of the allowed "slow" control rods may occupy adjacent locations.

Table 3.1.4-1 is modified by two Notes which state that control rods with scram times not within the limits of the table are considered "slow" and that control rods with scram times > 7 seconds are considered inoperable as required by SR 3.1.3.4.

(continued)

JAFNPP B 3.1.4-2 Revision 0

Control Rod Scram Times B 3.1.4 BASES LCO This LCO applies only to OPERABLE control rods since (continued) inoperable control rods will be inserted and disarmed (LCO 3.1.3). Slow scramming control rods may be conservatively declared inoperable and not accounted for as "slow" control rods.

APPLICABILITY In MODES 1 and 2, a scram is assumed to function during transients and accidents analyzed for these plant conditions. These events are assumed to occur during startup and power operation: therefore, the scram function of the control rods is required during these MODES. In MODES 3 and 4, the control rods are not able to be withdrawn since the reactor mode switch is in shutdown and a control rod block is applied. This provides adequate requirements for control rod scram capability during these conditions.

Scram requirements in MODE 5 are contained in LCO 3.9.5, "Control Rod OPERABILITY- Refueling."

ACTIONS A.1 When the requirements of this LCO are not met, the rate of negative reactivity insertion during a scram may not be within the assumptions of the safety analyses. Therefore, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE The four SRs of this LCO are modified by a Note stating that REQUIREMENTS during a single control rod scram time surveillance, the CRD pumps shall be isolated from the associated scram accumulator. With the CRD pump isolated, (i.e., charging valve closed) the influence of the CRD pump head does not affect the single control rod scram times. During a full core scram, the CRD pump head would be seen by all control rods and would have a negligible effect on the scram insertion times.

(continued)

JAFNPP B 3.1.4-3 Revision 0

Control Rod Scram Times B 3.1.4 BASES SURVEILLANCE SR 3.1.4.1 REQUIREMENTS (continued) The scram reactivity used in DBA and transient analyses is based on an assumed control rod scram time. Measurement of the scram times with reactor steam dome pressure Ž 800 psig demonstrates acceptable scram times for the transients analyzed in References 3 and 4.

Maximum scram insertion times occur at a reactor steam dome pressure of approximately 800 psig because of the competing effects of reactor steam dome pressure and stored accumulator energy. Therefore, demonstration of adequate scram times at reactor steam dome pressure Ž 800 psig ensures that the measured scram times will be within the specified limits at higher pressures. Limits are specified as a function of reactor pressure to account for the sensitivity of the scram insertion times with pressure and to allow a range of pressures over which scram time testing can be performed. To ensure that scram time testing is performed within a reasonable time following a shutdown duration of 2 120 days, control rods are required to be tested before exceeding 40% RTP following the shutdown.

This Frequency is acceptable considering the additional surveillances performed for control rod OPERABILITY, the frequent verification of adequate accumulator pressure, and the required testing of control rods affected by fuel movement within the associated core cell and by work on control rods or the CRD System.

SR 3.1.4.2 Additional testing of a sample of control rods is required to verify the continued performance of the scram function during the cycle. A representative sample contains at least 10% of the control rods. The sample remains representative if no more than 20% of the control rods in the sample tested are determined to be "slow." With more than 20% of the sample declared to be "slow" per the criteria in Table 3.1.4-1, additional control rods are tested until this 20% criterion (i.e., 20% of the entire sample size) is satisfied, or until the total number of "slow" control rods (throughout the core, from all surveillances) exceeds the LCO limit. For planned testing, the control rods selected for the sample should be different for each test. Data from inadvertent scrams should be used whenever possible to avoid unnecessary testing at power, even if the control rods with (continued)

JAFNPP B 3.1.4-4 Revision 0

Control Rod Scram Times B 3.1.4 BASES SURVEILLANCE SR 3.1.4.2 (continued)

REQUIREMENTS data may have been previously tested in a sample. The 120 day Frequency is based on operating experience that has shown control rod scram times do not significantly change over an operating cycle. This Frequency is also reasonable based on the additional Surveillances done on the CRDs at more frequent intervals in accordance with LCO 3.1.3 and LCO 3.1.5, "Control Rod Scram Accumulators."

SR 3.1.4.3 When work that could affect the scram insertion time is performed on a control rod or the CRD System, testing must be done to demonstrate that each affected control rod retains adequate scram performance over the range of applicable reactor pressures from zero to the maximum permissible pressure. The scram testing must be performed once before declaring the control rod OPERABLE. The required scram time testing must demonstrate the affected control rod is still within acceptable limits. The limits for reactor pressures < 800 psig are found in the Technical Requirements Manual (Ref. 7) and are established based on a high probability of meeting the acceptance criteria at reactor pressures Ž 800 psig. Limits for Ž 800 psig are found in Table 3.1.4-1. If testing demonstrates the affected control rod does not meet these limits, but is within the 7-second limit of Table 3.1.4-1, Note 2, the control rod can be declared OPERABLE and "slow."

Specific examples of work that could affect the scram times are (but are not limited to) the following: removal of any CRD for maintenance or modification; replacement of a control rod; and maintenance or modification of a scram pilot valve, scram valve, accumulator, isolation valve or check valve in the piping required for scram.

The Frequency of once prior to declaring the affected control rod OPERABLE is acceptable because of the capability to test the control rod over a range of operating conditions and the more frequent surveillances on other aspects of control rod OPERABILITY.

(continued)

JAFNPP B 3.1.4-5 Revision 0

Control Rod Scram Times B 3.1.4 BASES SURVEILLANCE SR 3.1.4.4 REQUIREMENTS (continued) When work that could affect the scram insertion time is performed on a control rod or CRD System, or when fuel movement within the reactor pressure vessel occurs, testing must be done to demonstrate each affected control rod is still within the limits of Table 3.1.4-1 with the reactor steam dome pressure Ž 800 psig. Where work has been performed at high reactor pressure (0 800 psig), the requirements of SR 3.1.4.3 and SR 3.1.4.4 can be satisfied with one test. For a control rod affected by work performed while at low pressure (< 800 psig), however, a low pressure and high pressure test may be required. This testing ensures that, prior to withdrawing the control rod for continued operation, the control rod scram performance is acceptable for operating reactor pressure conditions.

Alternatively, a control rod scram test during hydrostatic pressure testing could also satisfy both criteria. When fuel movement occurs within the reactor pressure vessel, only those control rods associated with the core cells affected by the fuel movement are required to be scram time tested. During a routine refueling outage it is expected that all control rods will be affected.

The Frequency of once prior to exceeding 40% RTP is acceptable because of the capability to test the control rod over a range of operating conditions and the more frequent surveillances on other aspects of control rod OPERABILITY.

REFERENCES 1. UFSAR, Section 16.6.

2. UFSAR, Section 14.6.

3. UFSAR, Section 14.5.

4. NEDE-24011-P-A, General Electric Standard Application for Reactor Fuel, Supplement for United States, Section S.2.2.3.1, (Revision specified in the COLR).

5. 10 CFR 50.36(c)(2)(ii).

6. Letter from R.F. Janecek (BWROG) to R.W. Starostecki (NRC), BWR Owners Group Revised Reactivity Control System Technical Specifications, BWROG-8754, September 17, 1987.

7. Technical Requirements Manual.

JAFNPP B 3.1.4-6 Revision 0

Control Rod Scram Accumulators B 3.1.5 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.5 Control Rod Scram Accumulators BASES BACKGROUND The control rod scram accumulators are part of the Control Rod Drive (CRD) System and are provided to ensure that the control rods scram under varying reactor conditions. The control rod scram accumulators store sufficient energy to fully insert a control rod at any reactor vessel pressure.

The accumulator is a hydraulic cylinder with a free floating piston. The piston separates the water used to scram the control rods from the nitrogen, which provides the required energy. The scram accumulators are necessary to scram the control rods within the required insertion times of LCO 3.1.4, "Control Rod Scram Times."

APPLICABLE The Design Basis Accident (DBA) and transient analyses SAFETY ANALYSES assume that all of the control rods scram at a specified insertion rate (Refs. 1 and 2). OPERABILITY of each individual control rod scram accumulator, along with LCO 3.1.3, "Control Rod OPERABILITY," and LCO 3.1.4, ensures that the scram reactivity assumed in the DBA and transient analyses can be met. The existence of an inoperable accumulator may invalidate prior scram time measurements for the associated control rod.

The scram function of the CRD System, and therefore the OPERABILITY of the accumulators, protects the MCPR Safety Limit (see Bases for SL 2.1.1, "Reactor Core SLs," and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)") and 1% cladding plastic strain fuel design limit (see Bases for LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)," and LCO 3.2.3, "LINEAR HEAT GENERATION RATE (LHGR)"), which ensure that no fuel damage will occur if these limits are not exceeded (see Bases for LCO 3.1.4). In addition, the scram function at low reactor vessel pressure (i.e., startup conditions) provides protection against violating fuel design limits during reactivity insertion accidents (see Bases for LCO 3.1.6, "Rod Pattern Control").

Control rod scram accumulators satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).

(continued)

JAFNPP B 3.1.5-1 Revision 0

Control Rod Scram Accumulators B 3.1.5 BASES (continued)

LCO The OPERABILITY of the control rod scram accumulators is required to ensure that adequate scram insertion capability exists when needed over the entire range of reactor pressures. The OPERABILITY of the scram accumulators is based on maintaining adequate accumulator pressure.

APPLICABILITY In MODES 1 and 2, the scram function is required for mitigation of DBAs and transients, and therefore the scram accumulators must be OPERABLE to support the scram function.

In MODES 3 and 4, control rods are not capable of being withdrawn since the reactor mode switch is in shutdown and a control rod block is applied. This provides adequate requirements for control rod scram accumulator OPERABILITY during these conditions. Requirements for scram accumulators in MODE 5 are contained in LCO 3.9.5, "Control Rod OPERABILITY - Refueling."

ACTIONS The ACTIONS Table is modified by a Note indicating that a separate Condition entry is allowed for each control rod scram accumulator. This is acceptable since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable accumulator. Complying with the Required Actions may allow for continued operation.

A.1 and A.2 With one control rod scram accumulator inoperable and the reactor steam dome pressure Ž 900 psig, the control rod may be declared "slow," since the control rod will still scram at the reactor operating pressure but may not satisfy the required scram times in Table 3.1.4-1.

Required Action A.1 is modified by a Note indicating that declaring the control rod "slow" only applies if the associated control scram time was within the limits of Table 3.1.4-1 during the last scram time test. Otherwise, the control rod would already be considered "slow" and the further degradation of scram performance with an inoperable accumulator could result in excessive scram times. In this event, the associated control rod is declared inoperable (Required Action A.2) and LCO 3.1.3 is entered. This would result in requiring the affected control rod to be fully inserted and disarmed, thereby satisfying its intended function, in accordance with ACTIONS of LCO 3.1.3.

(continued)

JAFNPP B 3.1.5-2 Revision 0

Control Rod Scram Accumulators B 3.1.5 BASES ACTIONS A.1 and A.2 (continued)

The allowed Completion Time of 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months is reasonable, based on the large number of control rods available to provide the scram function and the ability of the affected control rod to scram only with reactor pressure at high reactor pressures.

B.1, B.2.1, and B.2.2 With two or more control rod scram accumulators inoperable and reactor steam dome pressure e 900 psig, adequate pressure must be supplied to the charging water header.

With inadequate charging water pressure, all of the accumulators could become inoperable, resulting in a potentially severe degradation of scram performance.

Therefore, within 20 minutes from discovery of charging water header pressure < 940 psig concurrent with Condition B, adequate charging water header pressure must be restored. The allowed Completion Time of 20 minutes is reasonable, to place a CRD pump into service to restore the charging water header pressure, if required. This Completion Time is based on the ability of the reactor pressure alone to fully insert all control rods.

The control rod may be declared "slow," since the control rod will still scram using only reactor pressure, but may not satisfy the times in Table 3.1.4-1. Required Action B.2.1 is modified by a Note indicating that declaring the control rod "slow" only applies if the associated control scram time is within the limits of Table 3.1.4-1 during the last scram time test. Otherwise, the control rod would already be considered "slow" and the further degradation of scram performance with an inoperable accumulator could result in excessive scram times. In this event, the associated control rod is declared inoperable (Required Action B.2.2) and LCO 3.1.3 entered. This would result in requiring the affected control rod to be fully inserted and disarmed, thereby satisfying its intended function in accordance with ACTIONS of LCO 3.1.3.

The allowed Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is reasonable, based on the ability of only the reactor pressure to scram the control rods and the low probability of a DBA or transient occurring while the affected accumulators are inoperable.

(continued)

JAFNPP B 3.1.5-3 Revision 0

Control Rod Scram Accumulators B 3.1.5 BASES ACTIONS C.1 and C.2 (continued)

With one or more control rod scram accumulators inoperable and the reactor steam dome pressure < 900 psig, the pressure supplied to the charging water header must be adequate to ensure that accumulators remain charged. With the reactor steam dome pressure < 900 psig, the function of the accumulators in providing the scram force becomes much more important since the scram function could become severely degraded during a depressurization event or at low reactor pressures. Therefore, immediately upon discovery of charging water header pressure < 940 psig, concurrent with Condition C, all control rods associated with inoperable accumulators must be verified to be fully inserted.

Withdrawn control rods with inoperable accumulators may fail to scram under these low pressure conditions. The associated control rods must also be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The allowed Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is reasonable for Required Action C.2, considering the low probability of a DBA or transient occurring during the time that the accumulator is inoperable.

D.1 The reactor mode switch must be immediately placed in the shutdown position if either Required Action and associated Completion Time associated.with loss of the CRD charging pump (Required Actions B.1 and C.1) cannot be met. This ensures that all insertable control rods are inserted and that the reactor is in a condition that does not require the active function (i.e., scram) of the control rods. This Required Action is modified by a Note stating that the action is not applicable if all control rods associated with the inoperable scram accumulators are fully inserted, since the function of the control rods has been performed.

SURVEILLANCE SR 3.1.5.1 REQUIREMENTS SR 3.1.5.1 requires that the accumulator pressure be checked every 7 days to ensure adequate accumulator pressure exists to provide sufficient scram force. The primary indicator of accumulator OPERABILITY is the accumulator pressure. A minimum accumulator pressure is specified, below which the capability of the accumulator to perform its intended function becomes degraded and the accumulator is considered (continued)

JAFNPP B 3.1.5-4 Revision 0

Control Rod Scram Accumulators B 3.1.5 BASES SURVEILLANCE SR 3.1.5.1 (continued)

REQUIREMENTS inoperable. The minimum accumulator pressure of 940 psig is well below the expected pressure of approximately 1100 psig (Ref 4). Declaring the accumulator inoperable when the minimum pressure is not maintained ensures that significant degradation in scram times does not occur. The 7 day Frequency has been shown to be acceptable through operating experience and takes into account indications available in the control room.

REFERENCES 1. UFSAR, Section 14.6.

2. UFSAR, Section 14.5.

3. 10 CFR 50.36(c)(2)(ii).

4. GEK-9582C, "Hydraulic Control Unit," December 1987.

JAFNPP B 3.1.5-5 Revision 0

Rod Pattern Control B 3.1.6 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.6 Rod Pattern Control BASES BACKGROUND Control rod patterns during startup conditions are controlled by the operator and the rod worth minimizer (RWM)

(LCO 3.3.2.1, "Control Rod Block Instrumentation"), so that only specified control rod sequences and relative positions are allowed over the operating range of all control rods inserted to 10% RTP. The sequences limit the potential amount of reactivity addition that could occur in the event of a Control Rod Drop Accident (CRDA).

This Specification assures that the control rod patterns are consistent with the assumptions of the CRDA analyses of References 1 and 2.

APPLICABLE The analytical methods and assumptions used in evaluating SAFETY ANALYSES the CRDA are summarized in References 1 and 2. CRDA analyses assume that the reactor operator follows prescribed withdrawal sequences. These sequences define the potential initial conditions for the CRDA analysis. The RWM (LCO 3.3.2.1) provides backup to operator control of the withdrawal sequences to ensure that the initial conditions of the CRDA analysis are not violated.

Prevention or mitigation of positive reactivity insertion events is necessary to limit the energy deposition in the fuel, thereby preventing significant fuel damage which could result in the undue release of radioactivity. Since the failure consequences for U02 have been shown to be insignificant below fuel energy depositions of 300 cal/gm (Ref. 3), the fuel energy deposition limit of 280 cal/gm provides a margin of safety from significant core damage which would result in release of radioactivity (Refs. 4 and 5). Generic evaluations (Refs. 1, 6, 7, 8 and 9) of a design basis CRDA (i.e., a CRDA resulting in a peak fuel energy deposition of 280 cal/gm) have shown that if the peak fuel enthalpy remains below 280 cal/gm, then the maximum reactor pressure will be less than the required ASME Code limits (Ref. 10) and the calculated offsite doses will be well within the required limits (Ref. 5). The calculated offsite doses remain within the limits since only a small number of fuel rods would reach a fuel enthalpy of 170 cal/gm, which is the enthalpy limit for eventual cladding perforation.

(continued)

JAFNPP B 3.1.6-1 Revision 0

Rod Pattern Control B 3.1.6 BASES APPLICABLE Control rod patterns analyzed in Reference 1 follow the SAFETY ANALYSES banked position withdrawal sequence (BPWS). The BPWS is (continued) applicable from the condition of all control rods fully inserted to 10% RTP (Ref. 2). For the BPWS, the control rods are required to be moved in groups, with all control rods assigned to a specific group required to be within specified banked positions (e.g., between notches 08 and 12). The banked positions are established to minimize the maximum incremental control rod worth without being overly restrictive during normal plant operation. Generic analysis of the BPWS (Ref. 1) has demonstrated that the 280 cal/gm fuel energy deposition limit will not be violated during a CRDA while following the BPWS mode of operation.

The generic BPWS analysis (Ref. 11) also evaluates the effect of fully inserted, inoperable control rods not in compliance with the sequence, to allow a limited number (i.e., eight) and distribution of fully inserted, inoperable control rods.

Rod pattern control satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 12).

LCO Compliance with the prescribed control rod sequences minimizes the potential consequences of a CRDA by limiting the initial conditions to those consistent with the BPWS.

This LCO only applies to OPERABLE control rods. For inoperable control rods required to be inserted, separate requirements are specified in LCO 3.1.3, "Control Rod OPERABILITY," consistent with the allowances for inoperable control rods in the BPWS.

APPLICABILITY In MODES 1 and 2, when THERMAL POWER is

10% RTP, the CRDA is a Design Basis Accident and, therefore, compliance with the assumptions of the safety analysis is required. When THERMAL POWER is > 10% RTP, there is no credible control rod configuration that results in a control rod worth that could exceed the 280 cal/gm fuel energy deposition limit during a CRDA (Ref. 2). In MODES 3, 4, and 5, since the reactor is shut down and only a single control rod can be withdrawn from a core cell containing fuel assemblies, adequate SDM ensures that the consequences of a CRDA are acceptable, since the reactor will remain subcritical with a single control rod withdrawn.

(continued)

JAFNPP B 3.1.6-2 Revision 0

Rod Pattern Control B 3.1.6 BASES (continued)

ACTIONS A.1 and A.2 With one or more OPERABLE control rods not in compliance with the prescribed control rod sequence, actions may be taken to either correct the control rod pattern or declare the associated control rods inoperable within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months .

Noncompliance with the prescribed sequence may be the result of "double notching," drifting from a control rod drive cooling water transient, leaking scram valves, or a power reduction to

10% RTP before establishing the correct control rod pattern. The number of OPERABLE control rods not in compliance with the prescribed sequence is limited to eight, to prevent the operator from attempting to correct a control rod pattern that significantly deviates from the prescribed sequence. When the control rod pattern is not in compliance with the prescribed sequence, all control rod movement should be stopped except for moves needed to correct the rod pattern, or scram if warranted.

Required Action A.1 is modified by a Note which allows the RWM to be bypassed to allow the affected control rods to be returned to their correct position. LCO 3.3.2.1 requires verification of control rod movement by a second licensed operator (Reactor Operator or Senior Reactor Operator) or reactor engineer. This ensures that the control rods will be moved to the correct position. A control rod not in compliance with the prescribed sequence is not considered inoperable except as required by Required Action A.2.

OPERABILITY of control rods is determined by compliance with LCO 3.1.3, "Control Rod OPERABILITY," LCO 3.1.4, "Control Rod Scram Times," and LCO 3.1.5, "Control Rod Scram Accumulators." The allowed Completion Time of 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months is reasonable, considering the restrictions on the number of allowed out of sequence control rods and the low probability of a CRDA occurring during the time the control rods are out of sequence.

B.1 and B.2 If nine or more OPERABLE control rods are out of sequence, the control rod pattern significantly deviates from the prescribed sequence. Control rod withdrawal should be suspended immediately to prevent the potential for further deviation from the prescribed sequence. Control rod insertion to correct control rods withdrawn beyond their allowed position is allowed since, in general, insertion of control rods has less impact on control rod worth than withdrawals have. Required Action B.1 is modified by a Note (continued)

JAFNPP B 3.1.6-3 Revision 0

Rod Pattern Control B 3.1.6 BASES ACTIONS B.1 and B.2 (continued) which allows the RWM to be bypassed to allow the affected control rods to be returned to their correct position.

LCO 3.3.2.1 requires verification of control rod movement by a second licensed operator (Reactor Operator or Senior Reactor Operator) or reactor engineer.

When nine or more OPERABLE control rods are not in compliance with BPWS, the reactor mode switch must be placed in the shutdown position within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . With the mode switch in shutdown, the reactor is shut down, and as such, does not meet the applicability requirements of this LCO.

The allowed Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is reasonable to allow insertion of control rods to restore compliance, and is appropriate relative to the low probability of a CRDA occurring with the control rods out of sequence.

SURVEILLANCE SR 3.1.6.1 REQUIREMENTS The control rod pattern is verified to be in compliance with the BPWS at a 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Frequency to ensure the assumptions of the CRDA analyses are met. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Frequency was developed considering that the primary check on compliance with the BPWS is performed by the RWM (LCO 3.3.2.1), which provides control rod blocks to enforce the required sequence and is required to be OPERABLE when operating at

10% RTP.

REFERENCES 1. NEDE-24011-P-A, General Electric Standard Application for Reactor Fuel, Supplement for United States, Section S.2.2.3.1, (Revision specified in the COLR).

2. Letter from T.A. Pickens (BWROG) to G.C. Lainas (NRC),

Amendment 17 to General Electric Licensing Topical Report NEDE-24011-P-A, BWROG-8644, August 15, 1986.

3. NUREG-0979, Safety Evaluation Report Related to the Final Design Approval of the GESSAR II, BWR/6 Nuclear Island Design (and Supplements 1 through 5),

Section 4.2.1.3.2, April 1983.

4. NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants, Section 15.4.9, Spectrum of Rod Drop Accidents (BWR),

Revision 2, July 1981.

5. 10 CFR 100.

(continued)

JAFNPP B 3.1.6-4 Revision 0

Rod Pattern Control B 3.1.6 BASES REFERENCES 6. NEDO-10527, Rod Drop Accident Analysis For Large BWRs, (continued) March 1972.

7. NEDO-10527, Supplement 1, Rod Drop Accident Analysis For Large Boiling Water Reactors, Addendum No. 1, Multiple Enrichment Cores With Axial Gadolinium, July 1972.

8. NEDO-10527, Supplement 2, Rod Drop Accident Analysis For Large Boiling Water Reactors, Addendum No. 2, Exposed Cores, January 1973.

9. NEDO-21778-A, Transient Pressure Rises Affecting Fracture Toughness Requirements For Boiling Water Reactors, December 1978.

10. ASME, Boiler and Pressure Vessel Code,Section III, 1965 Edition, Addenda Winter of 1966.

11. NEDO-21231, Banked Position Withdrawal Sequence, January 1977.

12. 10 CFR 50.36(c)(2)(ii).

JAFNPP B 3.1.6-5 Revision 0

SLC System B 3.1.7 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.7 Standby Liquid Control (SLC) System BASES BACKGROUND The SLC System is designed to provide the capability of bringing the reactor, at any time in a fuel cycle, from full power and minimum control rod inventory (which is at the peak of the xenon transient) to a subcritical condition with the reactor in the most reactive, xenon free state without taking credit for control rod movement. The SLC System satisfies the requirements of 10 CFR 50.62 (Ref. 1) on anticipated transient without scram.

The SLC System consists of a boron solution storage tank, two positive displacement pumps, two explosive valves that are provided in parallel for redundancy, and associated piping and valves used to transfer borated water from the storage tank to the reactor pressure vessel (RPV). The borated solution is discharged near the bottom of the core shroud, where it then mixes with the cooling water rising through the core. A smaller tank containing demineralized water is provided for testing purposes.

APPLICABLE The SLC System is manually initiated from the main control SAFETY ANALYSES room, as directed by the emergency operating procedures, if the operator believes the reactor cannot be shut down, or kept shut down, with the control rods. The SLC System is used in the event that enough control rods cannot be inserted to accomplish shutdown and cooldown in the normal manner. The SLC System injects borated water into the reactor core to add negative reactivity to compensate for all of the various reactivity effects that could occur during plant operations. To meet this objective, it is necessary to inject a quantity of boron, which produces a concentration of 660 ppm of equivalent natural boron, in the reactor coolant at 70 0 F. To allow for potential leakage and imperfect mixing in the reactor system, an amount of boron equal to 125% of the amount cited above is injected (Ref. 2). The volume versus concentration limits in Figure 3.1.7-1 and the concentration versus temperature limits in Figure 3.1.7-2 are calculated such that the required concentration is achieved accounting for dilution in the RPV with normal water level and including the water volume in the residual heat removal shutdown cooling piping and in the recirculation loop piping. This quantity of (continued)

JAFNPP B 3.1.7-1 Revision 0

SLC System B 3.1.7 BASES APPLICABLE borated solution is the amount that is above the pump SAFETY ANALYSES suction level in the boron solution storage tank (6 inches (continued) above tank bottom). No credit is taken for the portion of the tank volume that cannot be injected.

The SLC System satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).

LCO The OPERABILITY of the SLC System provides backup capability for reactivity control independent of normal reactivity control provisions provided by the control rods. The OPERABILITY of the SLC System is based on the conditions of the borated solution in the storage tank and the availability of a flow path to the RPV, including the OPERABILITY of the pumps and valves. Two SLC subsystems are required to be OPERABLE; each contains an OPERABLE pump, an explosive valve, and associated piping, valves, and instruments and controls to ensure an OPERABLE flow path.

APPLICABILITY In MODES 1 and 2, shutdown capability is required. In MODES 3 and 4, control rods are not able to be withdrawn since the reactor mode switch is in shutdown and a control rod block is applied. This provides adequate controls to ensure that the reactor remains subcritical. In MODE 5, only a single control rod can be withdrawn from a core cell containing fuel assemblies. Demonstration of adequate SDM (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)") ensures that the reactor will not become critical. Therefore, the SLC System is not required to be OPERABLE when only a single control rod can be withdrawn.

ACTIONS A.1 If one SLC subsystem is inoperable, the inoperable subsystem must be restored to OPERABLE status within 7 days. In this condition, the remaining OPERABLE subsystem is adequate to perform the shutdown function. However, the overall reliability is reduced because a single failure in the remaining OPERABLE subsystem could result in reduced SLC System shutdown capability. The 7 day Completion Time is based on the availability of an OPERABLE subsystem capable of performing the intended SLC System function and the low probability of a Design Basis Accident (DBA) or severe transient occurring concurrent with the failure of the control rods to shut down the reactor.

(continued)

JAFNPP B 3.1.7-2 Revision 0

SLC System B 3.1.7 BASES ACTIONS B.1 (continued)

If both SLC subsystems are inoperable, at least one subsystem must be restored to OPERABLE status within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . The allowed Completion Time of 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months is considered acceptable given the low probability of a DBA or severe transient occurring concurrent with the failure of the control rods to shut down the reactor.

C.1 If any Required Action and associated Completion Time is not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.1.7.1, SR 3.1.7.2, and SR 3.1.7.3 REQUIREMENTS SR 3.1.7.1 through SR 3.1.7.3 are 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Surveillances verifying certain characteristics of the SLC System (e.g.,

the volume and temperature of the borated solution in the storage tank), thereby ensuring SLC System OPERABILITY without disturbing normal plant operation. These Surveillances ensure that the proper borated solution volume and temperature, including the temperature of the pump suction piping, are maintained. Maintaining a minimum specified borated solution temperature is important in ensuring that the boron remains in solution and does not precipitate out in the storage tank or in the pump suction piping. The temperature versus concentration curve of Figure 3.1.7-2 ensures that a 10'F margin will be maintained above the saturation temperature. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Frequency is based on operating experience and has shown there are relatively slow variations in the measured parameters of volume and temperature.

SR 3.1.7.4 and SR 3.1.7.6 SR 3.1.7.4 verifies the continuity of the explosive charges in the injection valves to ensure that proper operation will occur if required. Other administrative controls, such as those that limit the shelf life of the explosive charges, (continued)

JAFNPP B 3.1.7-3 Revision 0

SLC System B 3.1.7 BASES SURVEILLANCE SR 3.1.7.4 and SR 3.1.7.6 (continued)

REQUIREMENTS must be followed. The 31 day Frequency is based on operating experience and has demonstrated the reliability of the explosive charge continuity.

SR 3.1.7.6 verifies that each valve in the system is in its correct position, but does not apply to the squib (i.e.,

explosive) valves. Verifying the correct alignment for manual valves in the SLC System flow path provides assurance that the proper flow paths will exist for system operation.

A valve is also allowed to be in the nonaccident position provided it can be aligned to the accident position from the control room, or locally by a dedicated operator at the valve control. This is acceptable since the SLC System is a manually initiated system. This Surveillance does not apply to valves that are locked, sealed, or otherwise secured in position since they are verified to be in the correct position prior to locking, sealing, or securing. This verification of valve alignment does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.

The 31 day Frequency is based on engineering judgment and is consistent with the procedural controls governing valve operation that ensures correct valve positions.

SR 3.1.7.5 This Surveillance requires an examination of the sodium pentaborate solution by using chemical analysis to ensure that the proper concentration of boron in the storage tank is maintained per Figure 3.1.7-1. SR 3.1.7.5 must be performed anytime boron or water is added to the storage tank solution to determine that the boron solution concentration is within the specified limits. SR 3.1.7.5 must also be performed anytime the temperature is restored to within the limits of Figure 3.1.7-2, to ensure that no significant boron precipitation occurred. The 31 day Frequency of this Surveillance is appropriate because of the relatively slow variation of boron concentration between surveillances.

(continued)

JAFNPP B 3.1.7-4 Revision 0

SLC System B 3.1.7 BASES SURVEILLANCE SR 3.1.7.7 REQUIREMENTS (continued) Demonstrating that each SLC System pump develops a flow rate

Ž 50 gpm at a discharge pressure Ž 1275 psig by recirculating demineralized water to the test tank ensures that pump performance has not degraded during the surveillance interval. This minimum pump flow rate requirement ensures that, when combined with the sodium pentaborate solution concentration requirements, the rate of negative reactivity insertion from the SLC System will adequately compensate for the positive reactivity effects encountered during power reduction, cooldown of the moderator, and xenon decay. This test confirms pump and motor capability and is indicative of overall performance.

Such inservice tests confirm component OPERABILITY, trend performance, and detect incipient failures by indicating abnormal performance. The Frequency of this Surveillance is in accordance with the Inservice Testing Program.

SR 3.1.7.8 and SR 3.1.7.9 These Surveillances ensure that there is a functioning flow path from the boron solution storage tank to the RPV, including the firing of an explosive valve primer assembly.

The replacement primer assembly for the explosive valve shall be from the same manufactured batch as the one fired or from another batch that has been certified by having one of that batch successfully fired. The pump and explosive valve pathway tested should be alternated such that both complete flow paths are tested every 48 months at alternating 24 month intervals. The Surveillance may be performed in separate steps to prevent injecting boron into the RPV. An acceptable method for verifying flow from the pump to the RPV is to pump demineralized water from a test tank through one SLC subsystem and into the RPV. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown these components usually pass the Surveillance when performed at the 24 month Frequency; therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

Demonstrating that all heat traced piping between the boron solution storage tank and the suction inlet to the injection pumps is unblocked ensures that there is a functioning flow path for injecting the sodium pentaborate solution. An (continued)

JAFNPP B 3.1.7-5 Revision 0

SLC System B 3.1.7 BASES SURVEILLANCE SR 3.1.7.8 and SR 3.1.7.9 (continued)

REQUIREMENTS acceptable method for verifying that the suction piping is unblocked is to manually initiate the system, except the explosive valves, and pump from the storage tank and recirculating it back to the storage tank. Upon completion of this verification, the pump suction piping must be flushed with demineralized water to ensure piping between the storage tank and pump suction is unblocked.

The 24 month Frequency is acceptable since there is a low probability that the subject piping will be blocked due to precipitation of the boron from solution in the heat traced piping. This is especially true in light of the temperature verification of this piping required by SR 3.1.7.3.

However, if, in performing SR 3.1.7.3, it is determined that the temperature of this piping has fallen below the specified minimum, SR 3.1.7.9 must be performed once within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after the piping temperature is restored to within the limits of Figure 3.1.7-2.

SR 3.1.7.10 Enriched sodium pentaborate solution is made by mixing granular, enriched sodium pentaborate with water. Isotopic tests on the granular sodium pentaborate to verify the actual B-10 enrichment must be performed prior to addition to the SLC tank in order to ensure that the proper B-10 atom percentage is being used. A single isotopic test from a single batch can suffice as the required analysis for any number of mixings and additions from this batch. Certified vendor analytical test results may be used to satisfy this requirement.

SR 3.1.7.11 The B-IO enrichment of boron in solution in the SLC tank is only affected by the B-10 enrichment of tank additions. The requirements of SR 3.1.7.10 serve to assure that tank additions contain the proper enrichment. SR 3.1.7.11 requires periodic verification of the B-IO enrichment of the solution in the SLC tank, providing added assurance that the proper B-IO enrichment is maintained.

(continued)

JAFNPP B 3.1.7-6 Revision 0

SLC System B 3.1.7 BASES (continued)

REFERENCES 1. 10 CFR 50.62.

2. UFSAR, Section 3.9.4.

3. 10 CFR 50.36(c)(2)(ii).

JAFNPP B 3.1.7-7 Revision 0

SDV Vent and Drain Valves B 3.1.8 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.8 Scram Discharge Volume (SDV) Vent and Drain Valves BASES BACKGROUND The SDV vent and drain valves are normally open and discharge any accumulated water in the SDV to ensure that sufficient volume is available at all times to allow a complete scram. During a scram, the SDV vent and drain valves close to contain reactor water. The SDV is a volume of header piping that connects to each hydraulic control unit (HCU) and drains into an instrument volume. There are two SDVs (each SDV consisting of a header and an instrument volume), each receiving approximately one half of the control rod drive (CRD) discharges. Each instrument volume has a drain line each having two valves in series for a total of four drain valves. Each header is connected to a separate vent line each having two valves in series for a total of four vent valves. The header piping is sized to receive and contain all the water discharged by the CRDs during a scram. The design and functions of the SDV are described in Reference 1.

APPLICABLE The Design Basis Accident and transient analyses assume all SAFETY ANALYSES of the control rods are capable of scramming. The acceptance criteria for the SDV vent and drain valves are that they operate automatically to:

a. Close during scram to limit the amount of reactor coolant discharged so that adequate core cooling is maintained and offsite doses remain within the limits of 10 CFR 100 (Ref. 2); and

b. Open on scram reset to maintain the SDV vent and drain path open so that there is sufficient volume to accept the reactor coolant discharged during a scram.

Isolation of the SDV can also be accomplished by manual closure of the SDV valves. Additionally, the discharge of reactor coolant to the SDV can be terminated by scram reset or closure of the HCU manual isolation valves. For a bounding leakage case, the offsite doses are well within the limits of 10 CFR 100 (Ref. 2), and adequate core cooling is maintained (Ref. 3). The SDV vent and drain valves allow continuous drainage of the SDV during normal plant operation to ensure that the SDV has sufficient capacity to contain the reactor coolant discharge during a full core scram. To (continued)

JAFNPP B 3.1.8-1 Revision 0

SDV Vent and Drain Valves B 3.1.8 BASES APPLICABLE automatically ensure this capacity, a reactor scram SAFETY ANALYSES (LCO 3.3.1.1, "Reactor Protection System (RPS)

(continued) Instrumentation") is initiated if the SDV water level in the instrument volume exceeds a specified setpoint. The setpoint is chosen so that all control rods are inserted before the SDV has insufficient volume to accept a full scram.

SDV vent and drain valves satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 4).

LCO The OPERABILITY of all SDV vent and drain valves ensures that the SDV vent and drain valves will close during a scram to contain reactor water discharged to the SDV piping.

Since the vent and drain lines are provided with two valves in series, the single failure of one valve in the open position will not impair the isolation function of the system. Additionally, the valves are required to open on scram reset to ensure that a path is available for the SDV piping to drain freely at other times.

APPLICABILITY In MODES 1 and 2, scram may be required; therefore, the SDV vent and drain valves must be OPERABLE. In MODES 3 and 4, control rods are not able to be withdrawn since the reactor mode switch is in shutdown and a control rod block is applied. Also, during MODE 5, only a single control rod can be withdrawn from a core cell containing fuel assemblies.

Therefore, the SDV vent and drain valves are not required to be OPERABLE in these MODES since the reactor is subcritical and only one rod may be withdrawn and subject to scram.

ACTIONS The ACTIONS Table is modified by a Note indicating that a separate Condition entry is allowed for each SDV vent and drain line. This is acceptable, since the Required Actions provide appropriate compensatory actions for each inoperable SDV line. Complying with the Required Actions may allow for continued operation, and subsequent inoperable SDV lines are governed by subsequent Condition entry and application of associated Required Actions.

The ACTIONS Table is modified by a second Note stating that an isolated line may be unisolated under administrative control to allow draining and venting of the SDV. When a line is isolated, the potential for an inadvertent scram due to high SDV level is increased. During these periods, the (continued)

JAFNPP B 3.1.8-2 Revision 0

SDV Vent and Drain Valves B 3.1.8 BASES ACTIONS line may be unisolated under administrative control. This (continued) allows any accumulated water in the line to be drained, to preclude a reactor scram on SDV high level. This is acceptable since the administrative controls ensure the valve can be closed quickly, by a dedicated operator, if a scram occurs with the valve open.

A.1 When one SDV vent or drain valve is inoperable in one or more lines the line must be isolated to contain the reactor coolant during a scram. The 7 day Completion Time is reasonable, given the level of redundancy in the lines and the low probability of a scram occurring while the valve(s) are inoperable and the lines are not isolated. The SDV is still isolable since the redundant valve in the affected line is OPERABLE. During these periods, the single failure criterion is not met, and a higher risk exists to allow reactor water out of the primary system during a scram.

B.1 If both valves in a line are inoperable, the line must be isolated to contain the reactor coolant during a scram. The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months Completion Time to isolate the line is based on the low probability of a scram occurring while the line is not isolated and the unlikelihood of significant CRD seal leakage.

C.1 If any Required Action and associated Completion Time is not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.1.8.1 REQUIREMENTS During normal operation, the SDV vent and drain valves should be in the open position (except when performing SR 3.1.8.2) to allow for drainage of the SDV piping.

Verifying that each valve is in the open position ensures (continued)

JAFNPP B 3.1.8-3 Revision 0

SDV Vent and Drain Valves B 3.1.8 BASES SURVEILLANCE SR 3.1.8.1 (continued)

REQUIREMENTS that the SDV vent and drain valves will perform their intended functions during normal operation. This SR does not require any testing or valve manipulation; rather, it involves verification that the valves are in the correct position.

The 31 day Frequency is based on engineering judgment and is consistent with the procedural controls governing valve operation, which ensure correct valve positions.

SR 3.1.8.2 During a scram, the SDV vent and drain valves should close to contain the reactor water discharged to the SDV piping.

Cycling each valve through its complete range of motion (closed and open) ensures that the valve will function properly during a scram. The Frequency is in accordance with the Inservice Testing Program requirements.

SR 3.1.8.3 SR 3.1.8.3 is an integrated test of the SDV vent and drain valves to verify total system performance. After receipt of a simulated or actual scram signal, the closure of the SDV vent and drain valves is verified. The closure time of 30 seconds after receipt of a scram signal is based on the bounding leakage case evaluated in the accident analysis (Ref. 3). Similarly, after receipt of a simulated or actual scram reset signal, the opening of the SDV vent and drain valves is verified. The LOGIC SYSTEM FUNCTIONAL TEST in LCO 3.3.1.1 and the scram time testing of control rods in LCO 3.1.3 overlap this Surveillance to provide complete testing of the assumed safety function. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components usually pass the Surveillance when performed at the 24 month Frequency; therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

(continued)

JAFNPP B 3.1.8-4 Revision 0

SDV Vent and Drain Valves B 3.1.8 BASES (continued)

REFERENCES 1. UFSAR, Section 3.5.5.2.

2. 10 CFR 100.

3. NUREG-0803, Generic Safety Evaluation Report Regarding Integrity of BWR Scram System Piping, August 1981.

4. 10 CFR 50.36(c)(2)(ii).

JAFNPP B 3.1.8-5 Revision 0

APLHGR B 3.2.1 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.1 AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)

BASES BACKGROUND The APLHGR is a measure of the average LHGR of all the fuel rods in a fuel assembly at any axial location. Limits on the APLHGR are specified to ensure that the fuel design limits identified in Reference 1 are not exceeded during abnormal operational transients and that the peak cladding temperature (PCT) during the postulated design basis loss of coolant accident (LOCA) does not exceed the limits specified in 10 CFR 50.46.

APPLICABLE The analytical methods and assumptions used in evaluating SAFETY ANALYSES the fuel design limits are presented in References 1 and 2.

The analytical methods and assumptions used in evaluating Design Basis Accidents (DBAs), abnormal operational transients, and normal operation that determine the APLHGR limits are presented in References 1, 2, 3, 4, 5, 6, 7, and 8.

Fuel design evaluations are performed to demonstrate that the 1%limit on the fuel cladding plastic strain and other fuel design limits described in Reference 1 are not exceeded during abnormal operational transients for operation with LHGRs up to the operating limit LHGR. APLHGR limits are equivalent to the LHGR limit for each fuel rod divided by the local peaking factor of the fuel assembly. APLHGR limits are developed as a function of exposure to ensure adherence to fuel design limits during the limiting abnormal operational transients (Refs. 5, 6, and 7).

LOCA analyses are then performed to ensure that the above determined APLHGR limits are adequate to meet the PCT and maximum oxidation limits of 10 CFR 50.46. The analysis is performed using calculational models that are consistent with the requirements of 10 CFR 50, Appendix K. A complete discussion of the analysis code is provided in Reference 8.

The PCT following a postulated LOCA is a function of the average heat generation rate of all the rods of a fuel assembly at any axial location and is not strongly influenced by the rod to rod power distribution within an assembly. The APLHGR limits specified are equivalent to the LHGR of the highest powered fuel rod assumed in the LOCA analysis divided by its local peaking factor. A (continued)

JAFNPP B 3.2.1-1 Revision 0

APLHGR B 3.2.1 BASES APPLICABLE conservative multiplier is applied to the LHGR assumed in SAFETY ANALYSES the LOCA analysis to account for the uncertainty associated (continued) with the measurement of the APLHGR.

For single recirculation loop operation, a conservative multiplier is applied to the exposure dependent APLHGR limits for two loop operation (Refs. 5 and 7). This maximum limit is due to the conservative analysis assumption of an earlier departure from nucleate boiling with one recirculation loop available, resulting in a more severe cladding heatup during a LOCA.

The APLHGR satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii)

(Ref. 9).

LCO The APLHGR limits specified in the COLR are the result of the fuel design, and DBA and transient analyses. For two recirculation loops operating, the limit is determined for each lattice type as a function of average planar exposure and is approved by the NRC. With only one recirculation loop in operation, in conformance with the requirements of LCO 3.4.1, "Recirculation Loops Operating," the limit is determined by multiplying the exposure dependent APLHGR limit by a conservative multiplier determined by a specific single recirculation loop analysis (Ref. 5).

APPLICABILITY The APLHGR limits are primarily derived from fuel design evaluations and analyses of LOCAs and transients that are assumed to occur at high power levels. Design calculations and operating experience have shown that as power is reduced, the margin to the required APLHGR limits increases.

This trend continues down to the power range of 5% to 15% RTP when entry into MODE 2 occurs. When in MODE 2, the intermediate range monitor scram function provides prompt scram initiation during any significant transient, thereby effectively removing any APLHGR limit compliance concern in MODE 2. Therefore, at THERMAL POWER levels < 25% RTP, the reactor is operating with substantial margin to the APLHGR limits; thus, this LCO is not required.

ACTIONS A.1 If any APLHGR exceeds the required limits, an assumption regarding an initial condition of the DBA and transient analyses may not be met. Therefore, prompt action should be taken to restore the APLHGR(s) to within the required limits (continued)

JAFNPP B 3.2.1-2 Revision 0

APLHGR B 3.2.1 BASES ACTIONS A.1 (continued) such that the plant operates within analyzed conditions and within design limits of the fuel rods. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time is sufficient to restore the APLHGR(s) to within its limits and is acceptable based on the low probability of a transient or DBA occurring simultaneously with the APLHGR out of specification.

B.1 If the APLHGR cannot be restored to within its required limits within the associated Completion Time, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, THERMAL POWER must be reduced to < 25% RTP within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The allowed Completion Time is reasonable, based on operating experience, to reduce THERMAL POWER to < 25% RTP in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.2.1.1 REQUIREMENTS APLHGRs are required to be initially calculated within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after THERMAL POWER is 2 25% RTP and then every 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months thereafter. They are compared to the specified limits in the COLR to ensure that the reactor is operating within the assumptions of the safety analysis. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Frequency is based on the recognition of the slowness of changes in power distribution during normal operation. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowance after THERMAL POWER 2 25% RTP is achieved is acceptable given the large inherent margin to operating limits at low power levels.

REFERENCES 1. NEDE-24011-P-A, General Electric Standard Application for Reactor Fuel, (Revision specified in the COLR).

2. UFSAR, Chapter 3.

3. UFSAR, Chapter 6.

4. UFSAR, Chapter 14.

5. Supplemental Reload Licensing Report for James A.

FitzPatrick (Revision specified in the COLR).

(continued)

JAFNPP B 3.2.1-3 Revision 0

APLHGR B 3.2.1 BASES REFERENCES 6. NEDO-24243, General Electric Boiling Water Reactor (continued) Load Line Limit Analysis For James A. FitzPatrick Nuclear Power Plant, February 1980.

7. NEDC-32016P-1, Power Uprate Safety Analysis For James A. FitzPatrick Nuclear Power Plant, April 1993, including Errata and Addenda Sheet No. 1, dated January 1994.

8. NEDC-31317P, Revision 2, James A. FitzPatrick Nuclear Power Plant SAFER/GESTR-LOCA Loss-of-Coolant Accident Analysis, April 1993.

9. 10 CFR 50.36(c)(2)(ii).

JAFNPP B 3.2.1-4 Revision 0

MCPR B 3.2.2 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.2 MINIMUM CRITICAL POWER RATIO (MCPR)

BASES BACKGROUND MCPR is a ratio of the fuel assembly power that would result in the onset of boiling transition to the actual fuel assembly power. The MCPR Safety Limit (SL) is set such that 99.9% of the fuel rods avoid boiling transition if the limit is not violated (refer to the Bases for SL 2.1.1.2). The operating limit MCPR is established to ensure that no fuel damage results during abnormal operational transients.

Although fuel damage does not necessarily occur if a fuel rod actually experienced boiling transition (Ref. 1), the critical power at which boiling transition is calculated to occur has been adopted as a fuel design criterion.

The onset of transition boiling is a phenomenon that is readily detected during the testing of various fuel bundle designs. Based on these experimental data, correlations have been developed to predict critical bundle power (i.e.,

the bundle power level at the onset of transition boiling) for a given set of plant parameters (e.g., reactor vessel pressure, flow, and subcooling). Because plant operating conditions and bundle power levels are monitored and determined relatively easily, monitoring the MCPR is a convenient way of ensuring that fuel failures due to inadequate cooling do not occur.

APPLICABLE The analytical methods and assumptions used in evaluating SAFETY ANALYSES the abnormal operational transients to establish the operating limit MCPR are presented in References 2, 3, 4, 5, 6, 7, 8, and 9. To ensure that the MCPR SL is not exceeded during any transient event that occurs with moderate frequency, limiting transients have been analyzed to determine the largest reduction in critical power ratio (CPR). The types of transients evaluated are loss of flow, increase in pressure and power, positive reactivity insertion, and coolant temperature decrease. The limiting transient yields the largest change in CPR (ACPR). When the largest ACPR is added to the MCPR SL, the required operating limit MCPR is obtained.

The MCPR operating limits derived from the transient analysis are dependent on the operating core flow and core exposure to ensure adherence to fuel design limits during the worst transient that occurs with moderate frequency (continued)

JAFNPP B 3.2.2-1 Revision 0

MCPR B 3.2.2 BASES APPLICABLE (Refs. 6, 7, 8, and 9). A generator load reject without SAFETY ANALYSES bypass and a feedwater controller transient normally result (continued) in the worst case MCPR transients for a given fuel cycle.

During operations at low core flows the MCPR operating limit must be increased by a factor of Kf (specified in the COLR) which is derived from the recirculation flow runout transient and is a function of core flow. This will ensure the MCPR safety limit is not exceeded during a recirculation flow runout event.

The MCPR satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii)

(Ref. 10).

LCO The MCPR operating limits specified in the COLR are the result of the Design Basis Accident (DBA) and transient analysis. The operating limit MCPR is a function of exposure, control rod scram times and core flow. The MCPR values for each fuel assembly must remain above the operating limit MCPR.

APPLICABILITY The MCPR operating limits are primarily derived from the analyses of transients that are assumed to occur at high power levels. Below 25% RTP, the reactor is operating at a minimum recirculation pump speed and the moderator void ratio is small. Surveillance of thermal limits below 25% RTP is unnecessary due to the large inherent margin that ensures that the MCPR SL is not exceeded even if a limiting transient occurs. Statistical analyses indicate that the nominal value of the initial MCPR expected at 25% RTP is

> 3.5. Studies of the variation of limiting transient behavior have been performed over the range of power and flow conditions. These studies encompass the range of actual values for key plant parameters important to typically limiting transients. The results of these studies demonstrate that a margin is expected between performance and the MCPR requirements, and that margins increase as power is reduced to 25% RTP. This trend is expected to continue to the 5% to 15% power range when entry into MODE 2 occurs. When in MODE 2, the intermediate range monitor provides rapid scram initiation for any significant power increase transient, which effectively eliminates any MCPR compliance concern. Therefore, at THERMAL POWER levels

< 25% RTP, the reactor is operating with substantial margin to the MCPR limits and this LCO is not required.

(continued)

JAFNPP B 3.2.2-2 Revision 0

MCPR B 3.2.2 BASES (continued)

ACTIONS A.1 If any MCPR is outside the required limits, an assumption regarding an initial condition of the design basis transient analyses may not be met. Therefore, prompt action should be taken to restore the MCPR(s) to within the required limits such that the plant remains operating within analyzed conditions. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time is normally sufficient to restore the MCPR(s) to within its limits and is acceptable based on the low probability of a transient or DBA occurring simultaneously with the MCPR out of specification.

B.1 If the MCPR cannot be restored to within its required limits within the associated Completion Time, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, THERMAL POWER must be reduced to < 25% RTP within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The allowed Completion Time is reasonable, based on operating experience, to reduce THERMAL POWER to < 25% RTP in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.2.2.1 REQUIREMENTS The MCPR is required to be initially calculated within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after THERMAL POWER is Ž 25% RTP and then every 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months thereafter. It is compared to the specified limits in the COLR to ensure that the reactor is operating within the assumptions of the safety analysis. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Frequency is based on the recognition of the slowness of changes in power distribution during normal operation.

The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowance after THERMAL POWER Ž 25% RTP is achieved is acceptable given the large inherent margin to operating limits at low power levels.

SR 3.2.2.2 Because the transient analysis takes credit for conservatism in the scram speed performance, it must be demonstrated that the specific scram speed distribution is consistent with that used in the transient analysis. SR 3.2.2.2 determines (continued)

JAFNPP B 3.2.2-3 Revision 0

MCPR B 3.2.2 BASES SURVEILLANCE SR 3.2.2.2 (continued)

REQUIREMENTS the value of -, which is a measure of the actual scram speed distribution compared with the assumed distribution.

The MCPR operating limit is then determined based on an interpolation between the applicable limits for Option A (scram times of LCO 3.1.4,"Control Rod Scram Times") and Option B (realistic scram times) analyses. The parameter -rmust be determined once within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months after each set of scram time tests required by SR 3.1.4.1, SR 3.1.4.2, and SR 3.1.4.4 because the effective scram speed distribution may change during the cycle or after maintenance that could affect scram times. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is acceptable due to the relatively minor changes in - expected during the fuel cycle.

REFERENCES 1. NUREG-0562, Fuel Rod Failure as a Consequence of Departure From Nucleate Boiling or Dry Out, June 1979.

2. NEDE-24011-P-A, General Electric Standard Application for Reactor Fuel, (Revision specified in the COLR).

3. UFSAR, Chapter 3.

4. UFSAR, Chapter 6.

5. UFSAR, Chapter 14.

6. NEDO-24281, FitzPatrick Nuclear Power Plant Single Loop Operation, August 1980.

7. NEDO-24243, General Electric Boiling Water Reactor Load Line Limit Analysis For James A. FitzPatrick Nuclear Power Plant, February 1980.

8. NEDC-32016P-1, Power Uprate Safety Analysis For James A. FitzPatrick Nuclear Power Plant, April 1993, including Errata and Addenda Sheet No. 1, dated January 1994.

9. Supplemental Reload Licensing Report for James A. FitzPatrick (Revision specified in the COLR).

10. 10 CFR 50.36(c)(2)(ii).

JAFNPP B 3.2.2-4 Revision 0

LHGR B 3.2.3 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.3 LINEAR HEAT GENERATION RATE (LHGR)

BASES BACKGROUND The LHGR is a measure of the heat generation rate of a fuel rod in a fuel assembly at any axial location. Limits on LHGR are specified to ensure that fuel design limits are not exceeded anywhere in the core during normal operation, including abnormal operational transients. Exceeding the LHGR limit could potentially result in fuel damage and subsequent release of radioactive materials. Fuel design limits are specified to ensure that fuel system damage, fuel rod failure, or inability to cool the fuel does not occur during the anticipated operating conditions identified in Reference 1.

APPLICABLE The analytical methods and assumptions used in evaluating SAFETY ANALYSES the fuel system design are presented in Reference 2. The fuel assembly is designed to ensure (in conjunction with the core nuclear and thermal hydraulic design, plant equipment, instrumentation, and protection systems) that fuel damage will not result in the release of radioactive materials in excess of the guidelines of 10 CFR Parts 20, 50, and 100.

The mechanisms that could cause fuel damage during abnormal operational transients and that are considered in fuel evaluations are:

a. Rupture of the fuel rod cladding caused by strain from the relative expansion of the U02 pellet; and

b. Severe overheating of the fuel rod cladding caused by inadequate cooling.

A value of 1%plastic strain of the fuel cladding has been defined as the limit below which fuel damage caused by overstraining of the fuel cladding is not expected to occur (Ref. 2).

Fuel design evaluations have been performed and demonstrate that the 1%fuel cladding plastic strain design limit is not exceeded during continuous operation with LHGRs up to (continued)

JAFNPP B 3.2.3-1 Revision 0

LHGR B 3.2.3 BASES APPLICABLE the operating limit specified in the COLR. The analysis SAFETY ANALYSES also includes allowances for short term transient (continued) operation above the operating limit to account for abnormal operational transients, plus an allowance for densification power spiking.

The LHGR satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii)

(Ref. 3).

LCO The LHGR is a basic assumption in the fuel design analysis.

The fuel has been designed to operate at rated core power with sufficient design margin to the LHGR calculated to cause a 1% fuel cladding plastic strain. The operating limit to accomplish this objective is specified in the COLR.

APPLICABILITY The LHGR limits are derived from fuel design analysis that is limiting at high power level conditions. At core thermal power levels < 25% RTP, the reactor is operating with a substantial margin to the LHGR limits and, therefore, the Specification is only required when the reactor is operating at Ž 25% RTP.

ACTIONS A.1 If any LHGR exceeds its required limit, an assumption regarding an initial condition of the fuel design analysis is not met. Therefore, prompt action should be taken to restore the LHGR(s) to within its required limits such that the plant is operating within analyzed conditions. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time is normally sufficient to restore the LHGR(s) to within its limits and is acceptable based on the low probability of a transient or Design Basis Accident occurring simultaneously with the LHGR out of specification.

B.1 If the LHGR cannot be restored to within its required limits within the associated Completion Time, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, THERMAL POWER is reduced to < 25% RTP within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The allowed Completion Time is reasonable, based on operating experience, to reduce THERMAL POWER TO < 25% RTP in an orderly manner and without challenging plant systems.

(continued)

JAFNPP B 3.2.3-2 Revision 0

LHGR B 3.2.3 BASES (continued)

SURVEILLANCE SR 3.2.3.1 REQUIREMENTS The LHGR is required to be initially calculated within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after THERMAL POWER is Ž 25% RTP and then every 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months thereafter. It is compared to the specified limits in the COLR to ensure that the reactor is operating within the assumptions of the safety analysis. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Frequency is based on the recognition of the slow changes in power distribution during normal operation. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowance after THERMAL POWER 2 25% RTP is achieved is acceptable given the large inherent margin to operating limits at lower power levels.

REFERENCES 1. UFSAR, Section 14.5.

2. UFSAR, Section 3.2.

3. 10 CFR 50.36(c)(2)(ii).

JAFNPP B 3.2.3-3 Revision 0

APRM Gain and Setpoint B 3.2.4 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.4 Average Power Range Monitor (APRM) Gain and Setpoint BASES BACKGROUND The OPERABILITY of the APRMs and their setpoints is an initial condition of all safety analyses that assume rod insertion upon reactor scram. Applicable design criteria is discussed in UFSAR, Section 16.6 (Ref. 1). This LCO is provided to require the APRM gain or APRM Neutron Flux- High (Flow Biased) Function Allowable Value (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation,"

Function 2.b) to be adjusted when operating under conditions of excessive power peaking to maintain acceptable margin to the fuel cladding integrity Safety Limit (SL) and the fuel cladding 1% plastic strain limit.

The condition of excessive power peaking is determined by the ratio of the actual power peaking to the limiting power peaking at RTP. This ratio is equal to the ratio of the core limiting MFLPD to the Fraction of RTP (FRTP), where FRTP is the measured THERMAL POWER divided by the RTP.

Excessive power peaking exists when:

MFLPD > 1, FRTP indicating that MFLPD is not decreasing proportionately to the overall power reduction, or conversely, that power peaking is increasing. To maintain margins similar to those at RTP conditions, the excessive power peaking is compensated by a gain adjustment on the APRMs or adjustment of the APRM Neutron Flux-High (Flow Biased) Function Allowable Value. Either of these adjustments has effectively the same result as maintaining MFLPD less than or equal to FRTP and thus maintains RTP margins for APLHGR, MCPR, and LHGR.

The normally selected APRM Neutron Flux-High (Flow Biased)

Function Allowable Value positions the scram above the upper bound of the normal power/flow operating region that has been considered in the design of the fuel rods. The Allowable Value is flow biased with a slope that approximates the upper flow control line, such that an approximately constant margin is maintained between the flow biased trip level and the upper operating boundary for core flows in excess of about 45% of rated core flow. In the range of infrequent operations below 45% of rated core flow, the margin to scram is reduced because of the nonlinear core (continued)

JAFNPP B 3.2.4-1 Revision 0

APRM Gain and Setpoi nt B 3.2.4 BASES BACKGROUND flow versus drive flow relationship. The normally selected (continued) APRM Allowable Value is supported by the analyses presented in References 2 and 3 that concentrate on events initiated from rated conditions. Design experience has shown that minimum deviations occur within expected margins to operating limits (APLHGR, MCPR, and LHGR), at rated conditions for normal power distributions. However, at other than rated conditions, control rod patterns can be established that significantly reduce the margin to thermal limits. Therefore, the APRM Neutron Flux-High (Flow Biased) Function Allowable Value may be reduced during operation when the combination of THERMAL POWER and MFLPD indicates an excessive power peaking distribution. In addition, the APRM Neutron Flux-High (Flow Biased) Function provides protection from reactor thermal hydraulic instability consistent with Boiling Water Reactors Owners' Group Long-Term Solution, Option I-D (Refs. 4, 5 and 6).

APPLICABLE The acceptance criteria for the APRM gain or setpoint SAFETY ANALYSES adjustments are that acceptable margins (to APLHGR, MCPR, and LHGR) be maintained to the fuel cladding integrity SL and the fuel cladding 1% plastic strain limit.

The safety analyses (Refs. 2 and 3) concentrate on the rated power condition for which the minimum expected margin to the operating limits (APLHGR, MCPR, and LHGR) occurs.

LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)," and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)," and LCO 3.2.3, "Linear Heat Generation Rate (LHGR)," limit the initial margins to these operating limits at rated conditions so that specified acceptable fuel design limits are met during transients initiated from rated conditions. At initial power levels less than rated levels, the margin degradation of either the APLHGR, the MCPR, or the LHGR during a transient can be greater than at the rated condition event. This greater margin degradation during the transient is primarily offset by the larger initial margin to limits at the lower than rated power levels. However, power distributions can be hypothesized that would result in reduced margins to the pre-transient operating limit. When combined with the increased severity of certain transients at other than rated conditions, the SLs could be approached.

At substantially reduced power levels, highly peaked power distributions could be obtained that could reduce thermal margins to the minimum levels required for transient events.

To prevent or mitigate such situations, either the APRM gain is adjusted upward by the ratio of the core limiting MFLPD (continued)

JAFNPP B 3.2.4-2 Revision 0

APRM Gain and Setpoint B 3.2.4 BASES APPLICABLE to the FRTP, or the APRM Neutron Flux-High (Flow Biased)

SAFETY ANALYSES Function Allowable Value is required to be reduced by the (continued) ratio of FRTP to the core limiting MFLPD. Either of these adjustments effectively counters the increased severity of some events at other than rated conditions by proportionally increasing the APRM gain or proportionally lowering the APRM Neutron Flux-High (Flow Biased) Function Allowable Value, dependent on the increased peaking that may be encountered.

The reactor thermal hydraulic stability analyses (Ref. 6) indicates that the APRM Neutron Flux-High (Flow Biased)

Function will suppress power oscillations prior to exceeding the fuel safety limit (MCPR). This protection is provided at a high statistical confidence level for core wide mode oscillations and at a nominal statistical confidence level for regional mode oscillations. This protection is adequate since core wide oscillation is the dominant mode because the plant is designed with relatively tight fuel inlet orificing (Ref. 4).

The APRM gain and setpoints satisfy Criteria 2 and 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 7).

LCO Meeting any one of the following conditions ensures acceptable operating margins for events described above:

a. Limiting excess power peaking;

b. Reducing the APRM Neutron Flux-High (Flow Biased)

Function Allowable Value by multiplying the APRM Neutron Flux-High (Flow Biased) Function Allowable Value by the ratio of FRTP and the core limiting value of MFLPD; or

c. Increasing APRM gains to cause the APRM to read greater than 100% times MFLPD. This condition is to account for the reduction in margin to the fuel cladding integrity SL and the fuel cladding 1% plastic strain limit.

MFLPD is the ratio of the limiting LHGR to the LHGR limit for the specific bundle type. As power is reduced, if the design power distribution is maintained, MFLPD is reduced in proportion to the reduction in power. However, if power peaking increases above the design value, the MFLPD is not reduced in proportion to the reduction in power. Under (continued)

JAFNPP B 3.2.4-3 Revision 0

APRM Gain and Setpoint B 3.2.4 BASES LCO these conditions, the APRM gain is adjusted upward or the (continued) APRM Neutron Flux-High (Flow Biased) Function Allowable Value is reduced accordingly. When the reactor is operating with peaking less than the design value, it is not necessary to modify the APRM Neutron Flux-High (Flow Biased) Function Allowable Value. Adjusting APRM gain or modifying the Neutron Flux-High (Flow Biased) Function Allowable Value is equivalent to maintaining MFLPD less than or equal to FRTP, as stated in the LCO.

For compliance with LCO Item b (APRM Neutron Flux-High (Flow Biased) Function Allowable Value modification) or Item c (APRM gain adjustment), only APRMs required to be OPERABLE per LCO 3.3.1.1, Function 2.b are required to be modified or adjusted. In addition, each APRM may be allowed to have its gain or Allowable Value adjusted or modified independently of other APRMs that are having their gain or Allowable Value adjusted.

APPLICABILITY The MFLPD limit, APRM gain adjustment, and APRM Neutron Flux-High (Flow Biased) Function Allowable Value modification is provided to ensure that the fuel cladding integrity SL and the fuel cladding 1% plastic strain limit are not violated during design basis transients. As discussed in the Bases for LCO 3.2.1 and LCO 3.2.2, sufficient margin to these limits exists below 25% RTP and, therefore, these requirements are only necessary when the reactor is operating at 2 25% RTP.

ACTIONS A.1 If the APRM gain or Neutron Flux-High (Flow Biased)

Function Allowable Value is not within limits while the MFLPD has exceeded FRTP, the margin to the fuel cladding integrity SL and the fuel cladding 1% plastic strain limit may be reduced. Therefore, prompt action should be taken to restore the MFLPD to within its required limit or make acceptable APRM adjustments such that the plant is operating within the assumed margin of the safety analyses.

The 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Completion Time is normally sufficient to restore either the MFLPD to within limits or the APRM gain or Neutron Flux-High (Flow Biased) Function Allowable Value to within limits and is acceptable based on the low probability of a transient or Design Basis Accident occurring simultaneously with the LCO not met.

(continued)

JAFNPP B 3.2.4-4 Revision 0

APRM Gain and Setpoint B 3.2.4 BASES ACTIONS B.1 (continued)

If MFLPD, APRM gain, or Neutron Flux-High (Flow Biased)

Function Allowable Value cannot be restored to within its required limits within the associated Completion Time, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, THERMAL POWER is reduced to < 25% RTP within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The allowed Completion Time is reasonable, based on operating experience, to reduce THERMAL POWER to < 25% RTP in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.2.4.1 and SR 3.2.4.2 REQUIREMENTS The MFLPD is required to be calculated and compared to FRTP or APRM gain or Neutron Flux-High (Flow Biased)

Function Allowable Value to ensure that the reactor is operating within the assumptions of the safety analysis.

These SRs are only required to determine the MFLPD and, assuming MFLPD is greater than FRTP, the appropriate gain or Neutron Flux-High (Flow Biased) Function Allowable Value, and is not intended to be a CHANNEL FUNCTIONAL TEST for the APRM gain or Neutron Flux-High (Flow Biased) Function circuitry. SR 3.2.4.1 and SR 3.2.4.2 have been modified by Notes which clarify that the respective SR does not have to be met if the alternate requirement demonstrated by the other SR is satisfied. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Frequency of SR 3.2.4.1 is chosen to coincide with the determination of other thermal limits, specifically those for the APLHGR (LCO 3.2.1) and LHGR (LCO 3.2.3). The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Frequency is based on the recognition of the slowness of changes in power distribution during normal operation. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowance after THERMAL POWER 2 25% RTP is achieved is acceptable given the large inherent margin to operating limits at low power levels.

The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Frequency of SR 3.2.4.2 requires a more frequent verification than if MFLPD is less than or equal to FRTP.

When MFLPD is greater than FRTP, more rapid changes in power distribution are typically expected.

REFERENCES 1. UFSAR, Section 16.6.

2. UFSAR, Section 14.5.

3. NEDE-24011-P-A, General Electric Standard Application for Reactor Fuel, (Revision specified in the COLR).

(continued)

JAFNPP B 3.2.4-5 Revision 0

APRM Gain and Setpoi nt B 3.2.4 BASES REFERENCES 4. NEDO-31960-A, BWR Owners' Group Long Term Stability (continued) Solutions Licensing Methodology, June 1991.

5. NEDO-31960-A, Supplement 1, BWR Owners' Group Long Term Stability Solutions Licensing Methodology, March 1992.

6. GENE-637-044-0295, Application Of The "Regional Exclusion With Flow-Biased APRM Neutron Flux Scram" Stability Solution (Option I-D) To The James A.

FitzPatrick Nuclear Power Plant, February 1995.

7. 10 CFR 50.36(c)(2)(ii).

JAFNPP B 3.2.4-6 Revision 0

RPS Instrumentation B 3.3.1.1 B 3.3 INSTRUMENTATION B 3.3.1.1 Reactor Protection System (RPS) Instrumentation BASES BACKGROUND The RPS initiates a reactor scram when one or more monitored parameters exceed their specified limits, to preserve the integrity of the fuel cladding and the reactor coolant pressure boundary (RCPB) and minimize the energy that must be absorbed following a loss of coolant accident (LOCA).

This can be accomplished either automatically or manually.

The protection and monitoring functions of the RPS have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance.

Technical Specifications are required by 10 CFR 50.36 to contain LSSS defined by the regulation as "...settings for automatic protective devices.. .so chosen that automatic protective action will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytic Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytic Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than the Analytic Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

The Trip Setpoint is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytic Limit and thus ensuring the SL would not be exceeded. As such, the Trip Setpoint accounts for uncertainties in setting the device (e.g., calibration), uncertainties in how the device might actually perform (e.g., repeatability), changes in the point of action of the device over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the Trip Setpoint plays an (continued)

JAFNPP B 3.3.1.1-1 Revision 0

RPS Instrumentation B 3.3.1.1 BASES BACKGROUND important role in ensuring that SLs are not exceeded. As (continued) such, the Trip Setpoint meets the definition of an LSSS and could be used to meet the requirement that they be contained in the Technical Specifications.

Technical Specifications contain values related to the OPERABILITY of equipment required for the safe operation of the facility. Operable is defined in Technical Specifications as "...being capable of performing its safety function(s)." For automatic protective devices, the required safety function is to ensure that a SL is not exceeded and therefore the LSSS as defined by 10 CFR 50.36 is the same as the OPERABILITY limit for those devices.

However, use of the Trip Setpoint to define OPERABILITY in Technical Specifications and its corresponding designation as the LSSS required by 10 CFR 50.36 would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as found" value of a protective device setting during a surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protective device with a setting that has been found to be different from the Trip Setpoint due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the Trip Setpoint and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as found" setting of the protective device. Therefore, the device would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the device to the Trip Setpoint to account for further drift during the next surveillance interval.

Use of the Trip Setpoint to define "as found" OPERABILITY and its designation as the LSSS under the expected circumstances described above would result in actions required by both the rule and Technical Specifications that are clearly not warranted. However, there is also some point beyond which the device would have not been able to perform its function due, for example, to greater than expected drift. This value needs to be specified in the Technical Specifications in order to define OPERABILITY of the devices and is designated as the Allowable Value which, as stated above, is the same as the LSSS.

(continued)

JAFNPP B 3.3.1.1-2 Revision 0

RPS Instrumentation B 3.3.1.1 BASES BACKGROUND The Allowable Values specified in Table 3.3.1.1-1 serve as (continued) the LSSS such that a channel is OPERABLE if the trip setpoint is found not to exceed the Allowable Value. As such, the Allowable Value differs from the Trip Setpoint by an amount primarily equal to the expected instrument loop uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the device will still meet the LSSS definition and ensure that a Safety Limit is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval. If the actual setting of the device is found to have exceeded the Allowable Value the device would be considered inoperable from a Technical Specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required.

Note that, although the channel is "OPERABLE" under these circumstances, the trip setpoint should be left adjusted to a value within the established trip setpoint calibration tolerance band, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowance of the uncertainty terms assigned.

The RPS, as described in the UFSAR, Section 7.2 (Ref. 1),

includes sensors, relays, logic circuits, bypass circuits, and switches that are necessary to cause initiation of a reactor scram. Functional diversity is provided by monitoring a wide range of dependent and independent parameters. The input parameters to the scram logic are from instrumentation that monitors reactor vessel water level, reactor vessel pressure, neutron flux, main steam line isolation valve position, turbine control valve (TCV) fast closure, EHC Oil Pressure-Low, turbine stop valve (TSV) position, drywell pressure, and scram discharge volume (SDV) water level, as well as reactor mode switch in shutdown position and manual scram signals. There are at least four redundant sensor input signals from each of these parameters (with the exception of the reactor mode switch in shutdown position and manual scram signals). Most channels include instrumentation that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel outputs an RPS trip signal to the trip logic.

The RPS is comprised of two independent trip systems (A and B) with three trip channels in each trip system (trip channels Al, A2, and A3, B1, B2, and B3) as described in Reference 1. Trip channels Al, A2, B1, and B2 contain (continued)

JAFNPP B 3.3.1.1-3 Revision 0

RPS Instrumentation B 3.3.1.1 BASES BACKGROUND automatic protective instrument logic. The above monitored (continued) parameters are represented by at least one input to each of these automatic trip channels. The outputs of the automatic trip channels in a trip system are combined in a one-out-of-two logic so that either channel can trip the associated trip system. The tripping of both trip systems will produce a reactor scram. This logic arrangement is referred to as a one-out-of-two taken twice logic. There are four RPS channel test switches, one associated with each of the four automatic trip channels. These test switches allow the operator to test the OPERABILITY of the individual trip channel automatic scram contactors. In addition, trip channels A3 and B3 (one trip channel per trip system) are provided for manual scram. Placing the reactor mode switch in shutdown position or depressing both channel push buttons (one per trip system) will initiate the manual trip function. Each trip system is reset by use of a reset switch. If a full scram occurs (both trip systems trip), a relay prevents reset of the trip systems for approximately 10 seconds after the full scram signal is received. This 10 second delay on reset ensures that the scram function will be completed.

Two scram pilot valves are located in the hydraulic control unit for each control rod drive (CRD). Each scram pilot valve is solenoid operated, with the solenoids normally energized. The scram pilot valves control the air supply to the scram inlet and outlet valves for the associated CRD.

When either scram pilot valve solenoid is energized, air pressure holds the scram valves closed and, therefore, both scram pilot valve solenoids must be de-energized to cause a control rod to scram. The scram valves control the supply and discharge paths for the CRD water during a scram. One of the scram pilot valve solenoids for each CRD is controlled by trip system A, and the other solenoid is controlled by trip system B. Any trip of trip system A in conjunction with any trip in trip system B results in de-energizing both solenoids, air bleeding off, scram valves opening, and control rod scram.

The backup scram valves, which energize on a scram signal to depressurize the scram air header, are also controlled by the RPS. Additionally, the RPS System controls the SDV vent and drain valves such that when both trip systems trip, the SDV vent and drain valves close to isolate the SDV.

(continued)

JAFNPP B 3.3.1.1-4 Revision 0

RPS Instrumentation B 3.3.1.1 BASES (continued)

APPLICABLE The actions of the RPS are assumed in the safety analyses of SAFETY ANALYSES, References 1, 2, and 3. The RPS is required to initiate a LCO, and reactor scram when monitored parameter values exceed the APPLICABILITY Allowable Values, specified by the setpoint methodology and listed in Table 3.3.1.1-1 to preserve the integrity of the fuel cladding, the RCPB, and the containment by minimizing the energy that must be absorbed following a LOCA.

RPS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 4). Functions not specifically credited in the accident analysis are retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.

The OPERABILITY of the RPS is dependent on the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.1.1-1. Each Function must have a required number of OPERABLE channels per RPS trip system, with their setpoints within the specified Allowable Value, where appropriate. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Each channel must also respond within its assumed response time, where appropriate.

Allowable Values are specified, as appropriate, for RPS Functions specified in the Table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the actual setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.

Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis or other appropriate documents. The trip setpoints are derived from the analytic limits and account for all worst case instrumentation uncertainties as appropriate (e.g., drift, process effects, calibration uncertainties, and severe environmental errors (for channels that must function in (continued)

JAFNPP B 3.3.1.1-5 Revision 0

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE harsh environments as defined by 10 CFR 50.49)). The trip SAFETY ANALYSES, setpoints derived in this manner provide adequate protection LCO, and because all expected uncertainties are accounted for. The APPLICABILITY Allowable Values are then derived from the trip setpoints by (continued) accounting for normal effects that would be seen during periodic surveillance or calibration. These effects are instrumentation uncertainties observed during normal operation (e.g., drift and calibration uncertainties).

The OPERABILITY of scram pilot valves and associated solenoids, backup scram valves, and SDV valves, described in the Background section, are not addressed by this LCO.

The individual Functions are required to be OPERABLE in the MODES or other conditions specified in the table, which may require an RPS trip to mitigate the consequences of a design basis accident or transient. To ensure a reliable scram function, a combination of Functions are required in each MODE to provide primary and diverse initiation signals.

The only MODES specified in Table 3.3.1.1-1 are MODES 1 and 2 and MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies. No RPS Function is required in MODES 3 and 4, since all control rods are fully inserted and the Reactor Mode Switch Shutdown Position control rod withdrawal block (LCO 3.3.2.1) does not allow any control rod to be withdrawn. In MODE 5, control rods withdrawn from a core cell containing no fuel assemblies do not affect the reactivity of the core and, therefore, are not required to have the capability to scram. Provided all other control rods remain inserted, no RPS function is required. In this condition, the required SDM (LCO 3.1.1) and refuel position one-rod-out interlock (LCO 3.9.2) ensure that no event requiring RPS will occur.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

Intermediate Range Monitor (IRM) 1.a. Intermediate Range Monitor Neutron Flux-High The IRMs monitor neutron flux levels from the upper range of the source range monitor (SRM) to the lower range of the average power range monitors (APRMs). The IRMs are capable of generating trip signals that can be used to prevent fuel damage resulting from abnormal operating transients in the (continued)

JAFNPP B 3.3.1.1-6 Revision 0

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE l.a. Intermediate Range Monitor Neutron Flux-High SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY intermediate power range. In this power range, the most significant source of reactivity change is due to control rod withdrawal. The IRM provides diverse protection for the rod worth minimizer (RWM), which monitors and controls the movement of control rods at low power. The RWM prevents the withdrawal of an out of sequence control rod during startup that could result in an unacceptable neutron flux excursion (Ref. 2). The IRM provides mitigation of the neutron flux excursion. To demonstrate the capability of the IRM System to mitigate control rod withdrawal events, a generic analysis has been performed (Ref. 3) to evaluate the consequences of control rod withdrawal events during startup that are mitigated only by the IRM. This analysis, which assumes that one IRM channel in each trip system is bypassed, demonstrates that the IRMs provide protection against local control rod withdrawal errors and results in peak fuel enthalpy below the 170 cal/gm fuel failure threshold criterion.

The IRMs are also capable of limiting other reactivity excursions during startup, such as cold water injection events, although no credit is specifically assumed.

The IRM System is divided into two groups of IRM channels, with four IRM channels inputting to each trip system. The analysis of Reference 3 assumes that one channel in each trip system is bypassed. Therefore, six channels with three channels in each trip system are required for IRM OPERABILITY to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. This trip is active in each of the 10 ranges of the IRM, which must be selected by the operator to maintain the neutron flux within the monitored level of an IRM range.

The analysis of Reference 3 has adequate conservatism to permit the IRM Allowable Value of 120 divisions of a 125 division scale.

The Intermediate Range Monitor Neutron Flux-High Function must be OPERABLE during MODE 2 when control rods may be withdrawn and the potential for criticality exists. In MODE 5, when a cell with fuel has its control rod withdrawn, the IRMs provide monitoring for and protection against (continued)

JAFNPP B 3.3.1.1-7 Revision 0

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE l.a. Intermediate Range Monitor Neutron Flux-High SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY unexpected reactivity excursions. In MODE 1, the APRM System, the RWM, and Rod Block Monitor provide protection against control rod withdrawal error events and the IRMs are not required. The IRMs are automatically bypassed when the reactor mode selector switch is in the run position.

l.b. Intermediate Range Monitor-Inop This trip signal provides assurance that a minimum number of IRMs are OPERABLE. If an IRM Operate-Calibrate switch is moved to any position other than "Operate," the detector voltage drops below a preset level, or a module is not plugged in, an inoperative trip signal will be received by the RPS unless the IRM is bypassed. Since only one IRM in each trip system may be bypassed, only one IRM in each RPS trip system may be inoperable without resulting in an RPS trip signal.

This Function was not specifically credited in the accident analysis but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.

Six channels of Intermediate Range Monitor- Inop, with three channels in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal.

Since this Function is not assumed in the safety analysis, there is no Allowable Value for this Function.

This Function is required to be OPERABLE when the Intermediate Range Monitor Neutron Flux-High Function is required.

Average Power Range Monitor 2.a. Average Power Range Monitor Neutron Flux-High (Startup)

The APRM channels receive input signals from the local power range monitors (LPRMs) within the reactor core that provide an indication of the power distribution and local power changes. The APRM channels average these LPRM signals to (continued)

JAFNPP B 3.3.1.1-8 Revision 0

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 2.a. Average Power Range Monitor Neutron Flux-High SAFETY ANALYSES, (Startup) (continued)

LCO, and APPLICABILITY provide a continuous indication of average reactor power from a few percent to greater than RTP. For operation at low power (i.e., MODE 2), the Average Power Range Monitor Neutron Flux-High (Startup) Function is capable of generating a trip signal that prevents fuel damage resulting from abnormal operating transients in this power range. For most operation at low power levels, the Average Power Range Monitor Neutron Flux-High (Startup) Function will provide a secondary scram to the Intermediate Range Monitor Neutron Flux-High Function because of the relative setpoints. With the IRMs at Range 9 or 10, it is possible that the Average Power Range Monitor Neutron Flux- High (Startup) Function will provide the primary trip signal for a core-wide increase in power.

No specific safety analyses take direct credit for the Average Power Range Monitor Neutron Flux-High (Startup)

Function. However, this Function indirectly ensures that before the reactor mode switch is placed in the run position, reactor power does not exceed 25% RTP (SL 2.1.1.1) when operating at low reactor pressure and low core flow.

Therefore, it indirectly prevents fuel damage during significant reactivity increases with THERMAL POWER

< 25% RTP.

The APRM System is divided into two groups of channels with three APRM channels providing input to each trip system.

The system is designed to allow one channel in each trip system to be bypassed. Any one APRM channel in a trip system can cause the associated trip system to trip. Four channels of Average Power Range Monitor Neutron Flux -High (Startup) with two channels in each trip system are required to be OPERABLE to ensure that no single failure will preclude a scram from this Function on a valid signal. In addition, to provide adequate coverage of the entire core, at least 11 LPRM inputs are required for each APRM channel, with at least two LPRM inputs from each of the four axial levels at which the LPRMs are located.

The Allowable Value is based on preventing significant increases in power when THERMAL POWER is < 25% RTP.

The Average Power Range Monitor Neutron Flux-High (Startup)

Function must be OPERABLE during MODE 2 when control rods may be withdrawn since the potential for criticality exists.

In MODE 1, the Average Power Range Monitor Neutron (continued)

JAFNPP B 3.3.1.1-9 Revision 0

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 2.a. Average Power Range Monitor Neutron Flux-High SAFETY ANALYSES, (Startup) (continued) and

LCO, APPLICABILITY Flux-High (Fixed) Function provides protection against reactivity transients and the RWM and rod block monitor protect against control rod withdrawal error events. The APRM Neutron Flux-High (Startup) Function is bypassed when the reactor mode switch is in the run position.

2.b. Average Power Range Monitor Neutron Flux-High (Flow Biased)

The Average Power Range Monitor Neutron Flux-High (Flow Biased) Function monitors neutron flux and approximates the THERMAL POWER being transferred to the reactor coolant. The APRM neutron flux trip level is varied as a function of recirculation drive flow but is clamped at an upper limit that is lower than the Average Power Range Monitor Neutron Flux-High (Fixed) Function, Function 2.c. Allowable Value.

The Average Power Range Monitor Neutron Flux-High (Flow Biased) Function provides protection against transients where THERMAL POWER increases slowly (such as the loss of feedwater heating event), however, no credit is taken for this Function in the safety analyses except in the case of the thermal-hydraulic instability analysis. This protection is primarily achieved by the clamped portion of the Allowable Value. The APRM Neutron Flux-High (Flow Biased)

Function will suppress power oscillations prior to exceeding the fuel safety limit (MCPR) caused by thermal hydraulic instability. As described in References 5 and 6, this protection is provided at a high statistical confidence level for core-wide mode oscillations and at a nominal statistical confidence level for regional mode oscillations.

References 5 and 6 also show that the core-wide mode of oscillation is more likely to occur due to the large single phase channel pressure drop associated with the small fuel inlet orifice diameters. This protection for power oscillations is achieved by that portion of the Allowable Value which varies as a function of the recirculation drive flow.

The APRM System is divided into two groups of channels with three APRM channels providing input to each trip system.

The system is designed to allow one channel in each trip system to be bypassed. Any one APRM channel in a trip system can cause the associated trip system to trip. Four channels of Average Power Range Monitor Neutron Flux-High (continued)

JAFNPP B 3.3.1.1-10 Revision 0

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 2.b. Average Power Range Monitor Neutron Flux- High SAFETY ANALYSES, (Flow Biased) (continued)

LCO, and APPLICABILITY (Flow Biased) with two channels in each trip system arranged in a one-out-of-two logic are required to be OPERABLE to ensure that no single failure will preclude a scram from this Function on a valid signal. In addition, to provide adequate coverage of the entire core, at least 11 LPRM inputs are required for each APRM channel, with at least two LPRM inputs from each of the four axial levels at which the LPRMs are located. Each APRM channel receives two independent, redundant flow signals representative of total recirculation loop flow. The recirculation loop flow signals are generated by four flow units, two of which supply signals to the trip system A APRMs, while the other two supply signals to the trip system B APRMs. Each flow unit signal is provided by summing up the flow signals from the two recirculation loops. To obtain the most conservative reference signals, the total flow signals from the two flow units (associated with a trip system as described above) are routed to a low auction circuit associated with each APRM. Each APRM's auction circuit selects the lower of the two flow unit signals for use as the scram trip reference for that particular APRM. Each required Average Power Range Monitor Neutron Flux-High (Flow Biased) channel requires an input from one OPERABLE flow unit, since the individual APRM channel will perform the intended function with only one OPERABLE flow unit input. However, in order to maintain single failure capability for the Function, at least one required Average Power Range Monitor Neutron Flux-High (Flow Biased) channel in each trip system must be capable of maintaining an OPERABLE flow unit signal in the event of a failure of an auction circuit, or a flow unit, in the associated trip system (e.g., if a flow unit is inoperable, one of the two required Average Power Range Monitor Neutron Flux-High (Flow Biased) channels in the associated trip system must be considered inoperable).

The flow biased Allowable Value is credited in the safety analyses (thermal-hydraulic instability) and is specifically confirmed for each operating cycle. For this reason the Allowable Value is included in the COLR for both single and two recirculation loop operation. The clamped portion of the Allowable Value is set more conservative than the APRM Neutron Flux-High (Fixed) (Function 2.c).

(continued)

JAFNPP B 3.3.1.1-11 Revision 0

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 2.b. Average Power Range Monitor Neutron Flux-High SAFETY ANALYSES, (Flow Biased) (continued)

LCO, and APPLICABILITY The Average Power Range Monitor Neutron Flux-High (Flow Biased) Function is required to be OPERABLE in MODE 1 when there is the possibility of generating excessive THERMAL POWER and potentially exceeding the SL applicable to high pressure and core flow conditions (MCPR SL). During MODES 2 and 5, other IRM and APRM Functions provide protection for fuel cladding integrity.

2.c. Average Power Range Monitor Neutron Flux- High (Fixed)

The APRM channels provide the primary indication of neutron flux within the core and respond almost instantaneously to neutron flux increases. The Average Power Range Monitor Neutron Flux-High (Fixed) Function is capable of generating a trip signal to prevent fuel damage or excessive Reactor Coolant System (RCS) pressure. For the overpressurization protection analysis of Reference 7, the Average Power Range Monitor Neutron Flux-High (Fixed) Function is assumed to terminate the main steam isolation valve (MSIV) closure event and, along with the safety/relief valves (S/RVs),

limits the peak reactor pressure vessel (RPV) pressure to less than the ASME Code limits. The control rod drop accident (CRDA) analysis (Ref. 8) takes credit for the Average Power Range Monitor Neutron Flux-High (Fixed)

Function to terminate the CRDA.

The APRM System is divided into two groups of channels with three APRM channels providing input to each trip system.

The system is designed to allow one channel in each trip system to be bypassed. Any one APRM channel in a trip system can cause the associated trip system to trip. Four channels of Average Power Range Monitor Neutron Flux-High (Fixed) with two channels in each trip system arranged in a one-out-of-two logic are required to be OPERABLE to ensure that no single failure will preclude a scram from this Function on a valid signal. In addition, to provide adequate coverage of the entire core, at least 11 LPRM inputs are required for each APRM channel, with at least two LPRM inputs from each of the four axial levels at which the LPRMs are located.

The Allowable Value is based on the Analytical Limit assumed in the CRDA analyses.

(continued)

JAFNPP B 3.3.1.1-12 Revision 0

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 2.c. Average Power Range Monitor Neutron Flux-High (Fixed)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY The Average Power Range Monitor Neutron Flux-High (Fixed)

Function is required to be OPERABLE in MODE 1 where the potential consequences of the analyzed transients could result in the SLs (e.g., MCPR and RCS pressure) being exceeded. Although the Average Power Range Monitor Neutron Flux-High (Fixed) Function is assumed in the CRDA analysis (Ref. 8), which is applicable in MODE 2, the Average Power Range Monitor Neutron Flux-High (Startup) Function conservatively bounds the assumed trip and, together with the assumed IRM trips, provides adequate protection.

Therefore, the Average Power Range Monitor Neutron Flux-High (Fixed) Function is not required in MODE 2.

2.d. Average Power Range Monitor- Inop This signal provides assurance that a minimum number of APRMs are OPERABLE. Anytime an APRM Operate-Calibrate switch is moved to any position other than "Operate," an APRM module is unplugged, or the APRM has too few LPRM inputs (< 11), an inoperative trip signal will be received by the RPS, unless the APRM is bypassed. Since only one APRM in each trip system may be bypassed, only one APRM in each trip system may be inoperable without resulting in an RPS trip signal. This Function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.

Four channels of Average Power Range Monitor-Inop with two channels in each trip system are required to be OPERABLE to ensure that no single failure will preclude a scram from this Function on a valid signal.

There is no Allowable Value for this Function. This Function is required to be OPERABLE in the MODES where the APRM Functions are required.

3. Reactor Pressure-High An increase in the RCS pressure during reactor operation compresses the steam voids and results in a positive reactivity insertion. This causes the neutron flux and THERMAL POWER transferred to the reactor coolant to (continued)

JAFNPP B 3.3.1.1-13 Revision 0

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 3. Reactor Pressure-High (continued)

SAFETY ANALYSES, LCO, and increase, which could challenge the integrity of the fuel APPLICABILITY cladding and the RCPB. The Reactor Pressure-High Function is specifically credited in the safety analyses for the generator load reject and turbine trip events when initiated from low power levels (Refs. 9 and 10). At low power levels (e.g., below 29% RTP), the Turbine Stop Valve-Closure and Turbine Control Valve Fast Closure, EHC Oil Pressure-Low Functions are not required to be OPERABLE. For the overpressurization protection analysis of Reference 7, reactor scram (the analyses conservatively assume scram on the Average Power Range Monitor Neutron Flux-High (Fixed) signal, not the Reactor Pressure-High signal), along with the S/RVs, limits the peak Reactor Pressure Vessel (RPV) pressure to less than the ASME Section III Code limits.

High reactor pressure signals are initiated from four pressure transmitters that sense reactor pressure. The Reactor Pressure-High Allowable Value is chosen to provide a sufficient margin to the ASME Section III Code limits during pressurization events.

Four channels of Reactor Pressure-High Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. The Function is required to be OPERABLE in MODES 1 and 2 when the RCS is pressurized and the potential for pressure increase exists.

4. Reactor Vessel Water Level -Low (Level 3)

Low RPV water level indicates the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, a reactor scram is initiated at Level 3 to substantially reduce the heat generated in the fuel from fission. The Reactor Vessel Water Level -Low (Level 3) Function is one of the Functions assumed in the analysis of the recirculation line break (Ref. 11). The reactor scram reduces the amount of energy required to be absorbed and, along with the actions of the Emergency Core Cooling Systems (ECCS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

(continued)

JAFNPP B 3.3.1.1-14 Revision 0

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 4. Reactor Vessel Water Level - Low (Level 3) (continued)

SAFETY ANALYSES, LCO, and Reactor Vessel Water Level -Low (Level 3) signals are APPLICABILITY initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

Four channels of Reactor Vessel Water Level -Low (Level 3)

Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single failure will preclude a scram from this Function on a valid signal.

The Reactor Vessel Water Level- Low (Level 3) Allowable Value is selected to ensure that during normal operation the separator skirts are not uncovered (this protects available recirculation pump net positive suction head (NPSH) from significant carryunder) and, for transients involving loss of all normal feedwater flow, initiation of the low pressure ECCS subsystems at Reactor Vessel Water- Low Low Low (Level 1) will not be required. The Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 12).

The Function is required in MODES 1 and 2 where considerable energy exists in the RCS resulting in the limiting transients and accidents. ECCS initiations at Reactor Vessel Water Level -Low Low (Level 2) and Low Low Low (Level 1) provide sufficient protection for level transients in all other MODES.

5. Main Steam Isolation Valve- Closure MSIV closure results in loss of the main turbine and the condenser as a heat sink for the nuclear steam supply system and indicates a need to shut down the reactor to reduce heat generation. Therefore, a reactor scram is initiated on a Main Steam Isolation Valve-Closure signal before the MSIVs are completely closed in anticipation of the complete loss of the normal heat sink and subsequent overpressurization transient. However, for the overpressurization protection analysis of Reference 7, the Average Power Range Monitor Neutron Flux-High (Fixed) Function, along with the S/RVs, limits the peak RPV pressure to less than the ASME Code limits. That is, the direct scram on position switches for (continued)

JAFNPP B 3.3.1.1-15 Revision 0

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 5. Main Steam Isolation Valve-Closure (continued)

SAFETY ANALYSES, LCO, and MSIV closure events is not assumed in the overpressurization APPLICABILITY analysis. Additionally, MSIV closure is assumed in the transients analyzed in References 13 and 14 (i.e., failure of the pressure regulator and manual closure of MSIVs, respectively) and in the main steam line break accident analyzed in Reference 15.

The reactor scram reduces the amount of energy required to be absorbed and, along with the actions of the ECCS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

MSIV closure signals are initiated from position switches located on each of the eight MSIVs. Each MSIV has two position switches; one inputs to RPS trip system A while the other inputs to RPS trip system B. Thus, each RPS trip system receives an input from eight Main Steam Isolation Valve-Closure channels, each consisting of one position switch. The logic for the Main Steam Isolation Valve-Closure Function is arranged such that either the inboard or outboard valve on three or more of the main steam lines must close in order for a scram to occur. The design permits closure of any two lines without a full scram being initiated.

The Main Steam Isolation Valve-Closure Allowable Value is specified to ensure that a scram occurs prior to a significant reduction in steam flow, thereby reducing the severity of the subsequent pressure transient.

Sixteen channels of the Main Steam Isolation Valve-Closure Function, with eight channels in each trip system, are required to be OPERABLE to ensure that no single failure will preclude the scram from this Function on a valid signal. This Function is only required in MODE 1 since, with the MSIVs open and the heat generation rate high, a pressurization transient can occur if the MSIVs close. In MODE 2, the heat generation rate is low enough so that the other diverse RPS functions provide sufficient protection.

6. Drywell Pressure-High High pressure in the drywell could indicate a break in the RCPB. A reactor scram is initiated to minimize the possibility of fuel damage and to reduce the amount of energy being added to the coolant and the drywell. The (continued)

JAFNPP B 3.3.1.1-16 Revision 0

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 6. Drywell Pressure-High (continued)

SAFETY ANALYSES, LCO, and Drywell Pressure-High Function is assumed to scram the APPLICABILITY reactor for LOCAs inside primary containment (Ref. 11). The reactor scram reduces the amount of energy required to be absorbed and along with the actions of the ECCS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

High drywell pressure signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and indicative of a LOCA inside primary containment.

Four channels of Drywell Pressure-High Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. The Function is required in MODES 1 and 2 where considerable energy exists in the RCS, resulting in the limiting transients and accidents.

7.a, 7.b. Scram Discharge Volume Water Level -High The SDVs, east and west, are independent with separate drain lines and isolation valves. Each SDV accommodates approximately half of the water displaced by the motion of the CRD pistons during a reactor scram. Should either SDV fill to a point where there is insufficient volume to accept the displaced water, control rod insertion would be hindered. Therefore, a reactor scram is initiated while the remaining free volumes are still sufficient to accommodate the water from a full core scram. The two types of Scram Discharge Volume Water Level -High Functions are an input to the RPS logic. No credit is taken for a scram initiated from these Functions for any of the design basis accidents or transients analyzed in the UFSAR. However, they are retained to ensure the RPS remains OPERABLE.

SDV water level is measured by two diverse methods. The level in each of the two SDVs (instrument volume portions of the SDVs) is measured by two float type level switches and two differential pressure transmitters for a total of eight level signals. The outputs of these devices are arranged so that there are either two level switch signals or two differential pressure transmitter signals to each RPS trip channel. Each trip channel receives signals from (continued)

JAFNPP B 3.3.1.1-17 Revision 0

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 7.a, 7.b. Scram Discharge Volume Water Level-High SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY instrumentation from both the east and west SDVs and each RPS trip system receives signals from the two diverse methods. The level measurement instrumentation satisfies the recommendations of Reference 16.

The Allowable Value is chosen low enough to ensure that there is sufficient volume in each SDV to accommodate the water directed to it from a full scram.

Four channels of each type of Scram Discharge Volume Water Level -High Function, with two channels of each type in each trip system, are required to be OPERABLE to ensure that no single failure will preclude a scram from these Functions on a valid signal. These Functions are required in MODES 1 and 2, and in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn. At all other times, this Function may be bypassed.

8. Turbine Stop Valve-Closure Closure of the TSVs results in the loss of the heat sink and produces reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, a reactor scram is initiated at the start of TSV closure in anticipation of the transients that would result from the closure of these valves. The Turbine Stop Valve-Closure Function is the primary scram signal for the turbine trip (Ref. 10) and feedwater controller failure-maximum demand (Ref. 17) events. For these events, the reactor scram reduces the amount of energy required to be absorbed and ensures that the MCPR SL is not exceeded.

Turbine Stop Valve-Closure signals are initiated from position switches located on each of the four TSVs. One double pole (contact) position switch is associated with each stop valve. One of the two contacts provides input to RPS trip system A; the other, to RPS trip system B. Thus, each RPS trip system receives an input from four Turbine (continued)

JAFNPP B 3.3.1.1-18 Revision 0

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 8. Turbine Stop Valve-Closure (continued)

SAFETY ANALYSES, LCO, and Stop Valve-Closure channels, each consisting of one APPLICABILITY position switch contact inputting to a relay. The relay contacts provide a parallel logic input to an RPS trip channel. The logic for the Turbine Stop Valve-Closure Function is such that three or more TSVs must be closed to produce a scram. This Function must be enabled at THERMAL POWER Ž 29% RTP as measured by turbine first stage pressure.

This is accomplished automatically by pressure transmitters sensing turbine first stage pressure; therefore, to consider this Function OPERABLE, the turbine bypass valves must remain shut (except during required testing or upon actual demand) at THERMAL POWER 2 29% RTP. In addition, other steam loads, such as second stage reheaters in operation, must be accounted for in establishing the setpoint for turbine first stage pressure. Otherwise, the setpoint would be non-conservative with respect to the 29% RTP RPS bypass.

The Turbine Stop Valve-Closure Allowable Value is selected to detect imminent TSV closure, thereby reducing the severity of the subsequent pressure transient.

Eight channels of Turbine Stop Valve-Closure Function, with four channels in each trip system, are required to be OPERABLE to ensure that no single failure will preclude a scram from this Function even if one TSV should fail to close. This Function is required, consistent with analysis assumptions, whenever THERMAL POWER is Ž 29% RTP. This Function is not required when THERMAL POWER is < 29% RTP since the Reactor Pressure-High and the Average Power Range Monitor Neutron Flux- High (Fixed) Functions are adequate to maintain the necessary safety margins.

9. Turbine Control Valve Fast Closure, EHC Oil Pressure- Low Fast closure of the TCVs results in the loss of the heat sink and produces reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, a reactor scram is initiated on TCV fast closure in anticipation of the transients that would result from the closure of these valves. The Turbine Control Valve Fast Closure, EHC Oil Pressure-Low Function is the primary scram signal for the (continued)

JAFNPP B 3.3.1.1-19 Revision 0

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 9. Turbine Control Valve Fast Closure, EHC Oil SAFETY ANALYSES, Pressure -Low (continued)

LCO, and APPLICABILITY generator load rejection event analyzed in Reference 9. For this event, the reactor scram reduces the amount of energy required to be absorbed and ensures that the MCPR SL is not exceeded.

Turbine Control Valve Fast Closure, EHC Oil Pressure- Low signals are initiated by low electrohydraulic control (EHC) fluid pressure in the emergency trip header, between the fast closure solenoid and the disc dump valve for each control valve. One pressure switch is associated with each control valve, and the signal from each switch is assigned to a separate RPS trip channel. This Function must be enabled at THERMAL POWER Ž 29% RTP as measured by turbine first stage pressure. This is accomplished automatically by pressure transmitters sensing turbine first stage pressure; therefore, to consider this Function OPERABLE, the turbine bypass valves must remain shut (except during required testing or upon actual demand) at THERMAL POWER > 29% RTP.

In addition, other steam loads, such as second stage reheaters in operation, must be accounted for in establishing the setpoint for turbine first stage pressure.

Otherwise, the setpoint would be non-conservative with respect to the 29% RTP RPS bypass.

The Turbine Control Valve Fast Closure, EHC Oil Pressure-Low Allowable Value is selected high enough to detect imminent TCV fast closure and low enough to avoid inadvertent scrams.

Four channels of Turbine Control Valve Fast Closure, EHC Oil Pressure-Low Function with two channels in each trip system arranged in a one-out-of-two logic are required to be OPERABLE to ensure that no single failure will preclude a scram from this Function on a valid signal. This Function is required, consistent with the analysis assumptions, whenever THERMAL POWER is 2 29% RTP. This Function is not required when THERMAL POWER is < 29% RTP, since the Reactor Pressure-High and the Average Power Range Monitor Neutron Flux-High (Fixed) Functions are adequate to maintain the necessary safety margins.

10. Reactor Mode Switch-Shutdown Position The Reactor Mode Switch- Shutdown Position Function provides signals, via the manual scram trip channels, directly to the scram pilot valve solenoid power circuits. The manual scram (continued)

JAFNPP B 3.3.1.1-20 Revision 0

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 10. Reactor Mode Switch-Shutdown Position (continued)

SAFETY ANALYSES, LCO, and trip channels are redundant to the automatic protective APPLICABILITY instrumentation channels and provide manual reactor trip capability. This Function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.

The reactor mode switch is a keylock four-position, four bank switch. The reactor mode switch will scram the reactor if it is placed in the shutdown position. Scram signals from the reactor mode switch are input into each of the two RPS manual scram trip channels.

There is no Allowable Value for this Function, since the channels are mechanically actuated based solely on reactor mode switch position.

Two channels of Reactor Mode Switch-Shutdown Position Function, with one channel in each trip system, are available and required to be OPERABLE. The Reactor Mode Switch-Shutdown Position Function is required to be OPERABLE in MODES 1 and 2, and MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn.

11. Manual Scram The Manual Scram push button channels provide signals, via the manual scram trip channels, directly to the scram pilot valve solenoid power circuits. These manual scram trip channels are redundant to the automatic protective instrumentation channels and provide manual reactor trip capability. This Function was not specifically credited in the accident analysis but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.

There is one Manual Scram push button channel for each of the two RPS manual scram trip channels. In order to cause a scram it is necessary that the channel in both manual scram trip systems be actuated.

There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons.

(continued)

JAFNPP B 3.3.1.1-21 Revision 0

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 11. Manual Scram (continued)

SAFETY ANALYSES, LCO, and Two channels of Manual Scram, with one channel in each APPLICABILITY manual scram trip system, are available and required to be OPERABLE in MODES 1 and 2, and in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn.

ACTIONS A Note has been provided to modify the ACTIONS related to RPS instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition unless specifically stated. Section 1.3 also specifies that the Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition.

However, the Required Actions for inoperable RPS instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable RPS instrumentation channel.

A.1 and A.2 Because of the diversity of sensors available to provide trip signals and the redundancy of the RPS design, an allowable out of service time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months has been shown to be acceptable (Ref. 18) to permit restoration of any inoperable channel to OPERABLE status. However, this out of service time is only acceptable provided the associated Function's inoperable channel is in one trip system and the Function still maintains RPS trip capability (refer to Required Actions B.1, B.2, and C.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel or the associated trip system must be placed in the tripped condition per Required Actions A.1 and A.2. Placing the inoperable channel in trip (or the associated trip system in trip) would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternatively, if it is not desired to place the channel (or trip system) in trip (e.g.,

as in the case where placing the inoperable channel in trip would result in a full scram), Condition D must be entered and its Required Action taken.

(continued)

JAFNPP B 3.3.1.1-22 Revision 0

RPS Instrumentation B 3.3.1.1 BASES ACTIONS B.1 and B.2 (continued)

Condition B exists when, for any one or more Functions, at least one required channel is inoperable in each trip system. In this condition, provided at least one channel per trip system is OPERABLE, the RPS still maintains trip capability for that Function, but cannot accommodate a single failure in either trip system.

Required Actions B.1 and B.2 limit the time the RPS scram logic, for any Function, would not accommodate single failure in both trip systems (e.g., one-out-of-one and one-out-of-one arrangement for a typical four channel Function). The reduced reliability of this logic arrangement was not evaluated in Reference 18 for the 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time. Within the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the associated Function will have all required channels OPERABLE or in trip (or any combination) in one trip system.

Completing one of these Required Actions restores RPS to a reliability level equivalent to that evaluated in Reference 18, which justified a 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowable out of service time as presented in Condition A. The trip system in the more degraded state should be placed in trip or, alternatively, all the inoperable channels in that trip system should be placed in trip (e.g., a trip system with two inoperable channels could be in a more degraded state than a trip system with four inoperable channels if the two inoperable channels are in the same Function while the four inoperable channels are all in different Functions). The decision of which trip system is in the more degraded state should be based on prudent judgment and take into account current plant conditions (i.e., what MODE the plant is in).

If this action would result in a scram, it is permissible to place the other trip system or its inoperable channels in trip.

The 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Completion Time is judged acceptable based on the remaining capability to trip, the diversity of the sensors available to provide the trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of a scram.

Alternately, if it is not desired to place the inoperable channels (or one trip system) in trip (e.g., as in the case where placing the inoperable channel or associated trip system in trip would result in a scram), Condition D must be entered and its Required Action taken.

(continued)

JAFNPP B 3.3.1.1-23 Revision 0

RPS Instrumentation B 3.3.1.1 BASES ACTIONS C.1 (continued)

Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same trip system for the same Function result in the Function not maintaining RPS trip capability.

A Function is considered to be maintaining RPS trip capability when sufficient channels are OPERABLE or in trip (or the associated trip system is in trip), such that both trip systems will generate a trip signal from the given Function on a valid signal. For the typical Function with one-out-of-two taken twice logic and the IRM and APRM Functions, this would require both trip systems to have one channel OPERABLE or in trip (or the associated trip system in trip). For Function 5 (Main Steam Isolation Valve-Closure), this would require both trip systems to have each channel associated with the MSIVs in three main steam lines (not necessarily the same main steam lines for both trip systems) OPERABLE or in trip (or the associated trip system in trip). For Function 8 (Turbine Stop Valve-Closure), this would require both trip systems to have three channels, each OPERABLE or in trip (or the associated trip system in trip).

For Functions 10 (Reactor Mode Switch- Shutdown Position) and 11 (Manual Scram) this would require both trip systems to have one channel each OPERABLE or in trip (or the associated trip system in trip).

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

D.1 Required Action D.1 directs entry into the appropriate Condition referenced in Table 3.3.1.1-1. The applicable Condition specified in the Table is Function and MODE or other specified condition dependent and may change as the Required Action of a previous Condition is completed. Each time an inoperable channel has not met any Required Action of Condition A, B, or C and the associated Completion Time has expired, Condition D will be entered for that channel and provides for transfer to the appropriate subsequent Condition.

(continued)

JAFNPP B 3.3.1.1-24 Revision 0

RPS Instrumentation B 3.3.1.1 BASES ACTIONS E.1, F.1, and G.1 (continued)

If the channel(s) is not restored to OPERABLE status or placed in trip (or the associated trip system placed in trip) within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. The allowed Completion Times are reasonable, based on operating experience, to reach the specified condition from full power conditions in an orderly manner and without challenging plant systems. In addition, the Completion Time of Required Action E.1 is consistent with the Completion Time provided in LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)."

H.1 If the channel(s) is not restored to OPERABLE status or placed in trip (or the associated trip system placed in trip) within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by immediately initiating action to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and are, therefore, not required to be inserted. Action must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully inserted.

SURVEILLANCE As noted at the beginning of the SRs, the SRs for each RPS REQUIREMENTS instrumentation Function are located in the SRs column of Table 3.3.1.1-1.

The Surveillances are modified by a second Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , provided the associated Function maintains RPS trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken.

This Note is based on the reliability analysis (Ref. 18) assumption of the average time required to perform channel Surveillances. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the RPS will trip when necessary.

(continued)

JAFNPP B 3.3.1.1-25 Revision 0

RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.1 REQUIREMENTS (continued) Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. For Functions 8 and 9, this SR is associated with the enabling circuit sensing first stage pressure.

Channel agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.1.1.2 To ensure that the APRMs are accurately indicating the true core average power, the APRMs are calibrated to the reactor power calculated from a heat balance. LCO 3.2.4, "Average Power Range Monitor (APRM) Gain and Setpoints," allows the APRMs to be reading greater than actual THERMAL POWER to compensate for localized power peaking. When this adjustment is made, the requirement for the APRMs to indicate within 2% RTP of calculated power is modified to require the APRMs to indicate within 2% RTP of calculated MFLPD. The Frequency of once per 7 days is based on minor changes in LPRM sensitivity, which could affect the APRM reading between performances of SR 3.3.1.1.8.

A restriction to satisfying this SR when < 25% RTP is provided that requires the SR to be met only at Ž 25% RTP because it is difficult to accurately maintain APRM indication of core THERMAL POWER consistent with a heat (continued)

JAFNPP B 3.3.1.1-26 Revision 0

RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.2 (continued)

REQUIREMENTS balance when < 25% RTP. At low power levels, a high degree of accuracy is unnecessary because of the large, inherent margin to thermal limits (MCPR and APLHGR). At Ž 25% RTP, the Surveillance is required to have been satisfactorily performed within the last 7 days, in accordance with SR 3.0.2. A Note is provided which allows an increase in THERMAL POWER above 25% if the 7 day Frequency is not met per SR 3.0.2. In this event, the SR must be performed within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after reaching or exceeding 25% RTP. Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR.

SR 3.3.1.1.3 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with the applicable extensions. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

As noted, SR 3.3.1.1.3 is not required to be performed when entering MODE 2 from MODE 1, since testing of the MODE 2 required IRM and APRM Functions cannot be performed in MODE 1 without utilizing jumpers, lifted leads, or movable links. This allows entry into MODE 2 if the 7 day Frequency is not met per SR 3.0.2. In this event, the SR must be performed within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after entering MODE 2 from MODE 1.

Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR.

A Frequency of 7 days provides an acceptable level of system average unavailability over the Frequency interval and is based on reliability analysis (Ref. 18).

(continued)

JAFNPP B 3.3.1.1-27 Revision 0

RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.4 REQUIREMENTS (continued) A functional test of each automatic scram contactor is performed to ensure that each automatic RPS trip channel will perform the intended function. There are four RPS channel test switches, one associated with each of the four automatic trip channels (Al, A2, B1, and B2). These test switches allow the operator to test the OPERABILITY of the individual trip channel automatic scram contactors as an alternative to using an automatic scram function trip. This is accomplished by placing the RPS channel test switch in the test position, which will input a trip signal into the associated RPS trip channel. The RPS channel test switches are not specifically credited in the accident analysis. The Manual Scram Functions at JAFNPP are not configured the same as the generic model used in Reference 18. However, Reference 18 concluded that the Surveillance Frequency extensions for RPS Functions were not affected by the difference in configuration since each automatic RPS trip channel has a test switch which is functionally the same as the manual scram switches in the generic model. As such, a functional test of each RPS automatic scram contactor using either its associated test switch or by test of any of the associated automatic RPS Functions is required to be performed once every 7 days. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. In accordance with Reference 18, the scram contactors must be tested as part of the Manual Scram Function. The Frequency of 7 days is based on the reliability analysis of Reference 18. (This automatic scram contactor testing is credited in the analysis to extend many automatic Scram Function Surveillance Frequencies).

SR 3.3.1.1.5 and SR 3.3.1.1.6 These Surveillances are established to ensure that no gaps in neutron flux indication exist from subcritical to power operation for monitoring core reactivity status.

The overlap between SRMs and IRMs is required to be demonstrated to ensure that reactor power will not be (continued)

JAFNPP B 3.3.1.1-28 Revision 0

RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.5 and SR 3.3.1.1.6 (continued)

REQUIREMENTS increased into a neutron flux region without adequate indication. This is required prior to fully withdrawing SRMs since indication is being transitioned from the SRMs to the IRMs.

The overlap between IRMs and APRMs is of concern when reducing power into the IRM range. On power increases, the system design will prevent further increases (by initiating a rod block) if adequate overlap is not maintained. Overlap between IRMs and APRMs exists when sufficient IRMs and APRMs concurrently have onscale readings such that the transition between MODE 1 and MODE 2 can be made without either APRM downscale rod block, or IRM upscale rod block. Overlap between SRMs and IRMs similarly exists when, prior to fully withdrawing the SRMs, IRMs are above mid-scale on range 1 before SRMs have reached the upscale rod block.

As noted, SR 3.3.1.1.6 is only required to be met during entry into MODE 2 from MODE 1. That is, after the overlap requirement has been met and indication has transitioned to the IRMs, maintaining overlap is not required (APRMs may be reading downscale once in MODE 2).

If overlap for a group of channels is not demonstrated (e.g., IRM/APRM overlap), the reason for the failure of the Surveillance should be determined and the appropriate channel(s) declared inoperable. Only those appropriate channels that are required in the current MODE or condition should be declared inoperable.

A Frequency of 7 days is reasonable based on engineering judgment and the reliability of the IRMs and APRMs.

SR 3.3.1.1.7 LPRM gain settings are determined from the local flux profiles measured by the Traversing Incore Probe (TIP)

System. This establishes the relative local flux profile for appropriate representative input to the APRM System.

The 1000 MWD/T Frequency is based on operating experience with LPRM sensitivity changes.

(continued)

JAFNPP B 3.3.1.1-29 Revision 0

RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.8 and SR 3.3.1.1.11 REQUIREMENTS (continued) A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with the applicable extensions. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. For Function 2.b, the CHANNEL FUNCTIONAL TEST includes the adjustment of the APRM channel to conform to the calibrated flow signal. This ensures that the total loop drive flow signals from the flow units used to vary the setpoint is appropriately compared to a valid core flow signal to verify the flow signal trip setpoint and, therefore, the APRM Function accurately reflects the required setpoint as a function of flow. If the flow unit signal is not within the appropriate flow limit, one required APRM that receives an input from the inoperable flow unit must be declared inoperable. For Function 7.b, the CHANNEL FUNCTIONAL TEST is performed utilizing a water column or similar device to provide assurance that damage to a float or other portions of the float assembly will be detected. For Function 10, the CHANNEL FUNCTIONAL TEST is performed by actually placing the reactor mode switch in the shutdown position.

The 92 day Frequency of SR 3.3.1.1.8 is based on the reliability analysis of Reference 18.

The 24 month Frequency of SR 3.3.1.1.11 is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown that these components usually pass the Surveillance when performed at the 24 month Frequency.

SR 3.3.1.1.9 and SR 3.3.1.1.12 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies that the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel (continued)

JAFNPP B 3.3.1.1-30 Revision 0

RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.9 and SR 3.3.1.1.12 (continued)

REQUIREMENTS adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology. For Function 7.b, the CHANNEL CALIBRATION must be performed utilizing a water column or similar device to provide assurance that damage to a float or other portions of the float assembly will be detected. For Functions 8 and 9, SR 3.3.1.1.12 is associated with the enabling circuit sensing first stage turbine pressure as well as the trip function.

SR 3.3.1.1.9 has been modified by three Notes. Note 1 states that neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Changes in neutron detector sensitivity are compensated for by performing the 7 day calorimetric calibration (SR 3.3.1.1.2) and the 1000 MWD/T LPRM calibration against the TIPs (SR 3.3.1.1.7). A second Note is provided that requires the APRM and IRM SRs to be performed within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months of entering MODE 2 from MODE 1.

Testing of the MODE 2 APRM and IRM Functions cannot be performed in MODE 1 without utilizing jumpers, lifted leads, or movable links. This Note allows entry into MODE 2 from MODE 1 if the associated Frequency is not met per SR 3.0.2.

Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR. Note 3 to SR 3.3.1.1.9 and the Note to SR 3.3.1.1.12 concerns the Neutron Flux-High (Flow Biased)

Function (Function 2). Note 3 to SR 3.3.1.1.9 excludes the recirculation loop flow signal portion of the channel, since this portion of the channel is calibrated by SR 3.3.1.1.12.

Similarly, the Note to SR 3.3.1.1.12 excludes all portions of the channel except the recirculation loop flow signal portion, since they are covered by SR 3.3.1.1.9. Since the recirculation loop flow signal is also a portion of the Rod Block Monitor (RBM)-Upscale control rod block Function channels (Table 3.3.2.1-1, Control Rod Block Instrumentation, Function 1.a), satisfactory performance of SR 3.3.1.1.12 also results in satisfactory performance of SR 3.3.2.1.8 for the associated RBM-Upscale control rod block Function channels.

Reactor Pressure-High and Reactor Vessel Water Level -Low (Level 3) Function sensors (Functions 3 and 4, respectively) are excluded from the RPS RESPONSE TIME testing (Ref. 19).

However, prior to the CHANNEL CALIBRATION of these sensors a response check must be performed to ensure adequate (continued)

JAFNPP B 3.3.1.1-31 Revision 0

RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.9 and SR 3.3.1.1.12 (continued)

REQUIREMENTS response. This testing is required by Reference 20.

Personnel involved in this testing must have been trained in response to Reference 21 to ensure they are aware of the consequences of instrument response time degradation. This response check must be performed by placing a fast ramp or a step change into the input of each required sensor. The personnel, must monitor the input and output of the associated sensor so that simultaneous monitoring and verification may be accomplished.

The Frequency of SR 3.3.1.1.9 is based on the assumption of a 92 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. The Frequency of SR 3.3.1.1.12 is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.1.1.10 Calibration of trip units provides a check of the actual trip setpoints. The channel must be declared inoperable if the trip setting is discovered to be less conservative than the Allowable Value specified in Table 3.3.1.1-1. If the trip setting is discovered to be less conservative than accounted for in the appropriate setpoint methodology, but is not beyond the Allowable Value, the channel performance is still within the requirements of the plant safety analysis. Under these conditions, the setpoint must be readjusted to be equal to or more conservative than accounted for in the appropriate setpoint methodology. For Functions 8 and 9, this SR is associated with the enabling circuit sensing first stage turbine pressure.

The Frequency of 184 days is based on the reliability, accuracy, and lower failure rates of the solid-state electronic Analog Transmitter/Trip System components.

SR 3.3.1.1.13 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The functional testing of control rods (LCO 3.1.3), and SDV vent and drain valves (LCO 3.1.8),

overlaps this Surveillance to provide complete testing of the assumed safety function.

(continued)

JAFNPP B 3.3.1.1-32 Revision 0

RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.13 (continued)

REQUIREMENTS The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown that these components usually pass the Surveillance when performed at the 24 month Frequency.

SR 3.3.1.1.14 This SR ensures that scrams initiated from the Turbine Stop Valve- Closure and Turbine Control Valve Fast Closure, EHC Oil Pressure- Low Functions will not be inadvertently bypassed when THERMAL POWER is ; 29% RTP. This involves calibration of the bypass channels. Adequate margins for the instrument setpoint methodologies are incorporated into the actual setpoint. Because main turbine bypass flow can affect this setpoint nonconservatively (THERMAL POWER is derived from turbine first stage pressure), the main turbine bypass valves must remain closed during an inservice calibration at THERMAL POWER 2 29% RTP to ensure that the calibration is valid.

If any bypass channel's setpoint is nonconservative (i.e.,

the Functions are bypassed at ; 29% RTP, either due to open main turbine bypass valve(s) or other reasons), then the affected Turbine Stop Valve- Closure and Turbine Control Valve Fast Closure, EHC Oil Pressure-Low Functions are considered inoperable. Alternatively, the bypass channel can be placed in the conservative condition (nonbypass). If placed in the nonbypass condition, this SR is met and the channel is considered OPERABLE.

The Frequency of 24 months is based on engineering judgment and reliability of the components.

SR 3.3.1.1.15 This SR ensures that the individual channel response times are less than or equal to the maximum values assumed in the accident analysis. The RPS RESPONSE TIME acceptance criteria are included in Reference 22.

RPS RESPONSE TIME may be verified by actual response time measurements in any series of sequential, overlapping, or (continued)

JAFNPP B 3.3.1.1-33 Revision 0

RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.15 (continued)

REQUIREMENTS total channel measurements. However, the sensors for Functions 3 and 4 are excluded from specific RPS RESPONSE TIME measurement since the conditions of Reference 19 are satisfied. For Functions 3 and 4, sensor response time may be allocated based on either assumed design sensor response time or the manufacturer's stated design response time. For all other Functions, sensor response time must be measured.

Note 1 excludes neutron detectors from RPS RESPONSE TIME testing because the principles of detector operation virtually ensure an instantaneous response time.

RPS RESPONSE TIME tests are conducted on a 24 month STAGGERED TEST BASIS. Note 2 requires STAGGERED TEST BASIS Frequency to be determined based on 2 channels. This ensures all required channels are tested during two Surveillance Frequency intervals. For Functions 2.b, 2.c, 3, 4, 6, and 9, two channels must be tested during each test; while for Functions 5 and 8, eight and four channels must be tested. This Frequency is based on the logic interrelationships of the various channels required to produce an RPS scram signal. The 24 month Frequency is consistent with the refueling cycle and is based upon plant operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

REFERENCES 1. UFSAR, Section 7.2.

2. UFSAR, Section 14.5.4.2.

3. NEDO-23842, Continuous Control Rod Withdrawal Transient In The Startup Range, April 18, 1978.

4. 10 CFR 50.36(c)(2)(ii).

5. NEDO-31960-A, BWR Owners' Group Long Term Stability Solutions Licensing Methodology, June 1991.

6. NEDO-31960-A, Supplement 1, BWR Owners' Group Long Term Stability Solutions Licensing Methodology, Supplement 1, March 1992.

7. UFSAR, Section 14.5.1.2.

8. UFSAR, Section 14.6.1.2.

(continued)

JAFNPP B 3.3.1.1-34 Revision 0

RPS Instrumentation B 3.3.1.1 BASES REFERENCES 9. UFSAR, Section 14.5.2.1.

(continued)

10. UFSAR, Section 14.5.2.2.

11. UFSAR, Section 6.3.

12. Drawing 11825-5.01-15D, Rev. D, Reactor Assembly Nuclear Boiler, (GE Drawing 919D690BD).

13. UFSAR, Section 14.5.5.1.

14. UFSAR, Section 14.5.2.3.

15. UFSAR, Section 14.6.1.5.

16. P. Check (NRC) letter to G. Lainas (NRC), BWR Scram Discharge System Safety Evaluation, December 1, 1980.

17. UFSAR, Section 14.5.9.

18. NEDC-30851P-A. Technical Specification Improvement Analyses for BWR Reactor Protection System, March 1988.

19. NEDO-32291-A System Analyses For the Elimination of Selected Response Time Testing Requirements, October 1995.

20. NRC letter dated October 28, 1996, Issuance of Amendment 235 to Facility Operating License DPR-59 for James A. FitzPatrick Nuclear Power Plant.

21. NRC Bulletin 90-01, Supplement 1, Loss of Fill-Oil in Transmitters Manufactured by Rosemount, December 1992.

22. UFSAR, Table 7.2-5.

JAFNPP B 3.3.1.1-35 Revision 0

SRM Instrumentation B 3.3.1.2 B 3.3 INSTRUMENTATION B 3.3.1.2 Source Range Monitor (SRM) Instrumentation BASES BACKGROUND The SRMs provide the operator with information relative to the neutron flux level at very low flux levels in the core.

As such, the SRM indication is used by the operator to monitor the approach to criticality and determine when criticality is achieved. The SRMs are maintained fully inserted until the count rate is greater than a minimum allowed count rate (a control rod block is set at this condition). After SRM to intermediate range monitor (IRM) overlap is demonstrated (as required by SR 3.3.1.1.5), the SRMs are normally fully withdrawn from the core.

The SRM subsystem of the Neutron Monitoring System (NMS) consists of four channels. Each of the SRM channels can be bypassed, but only one at any given time, by the operation of a bypass switch. Each channel includes one detector that can be physically positioned in the core. Each detector assembly consists of a miniature fission chamber with associated cabling, signal conditioning equipment, and electronics associated with the various SRM functions. The signal conditioning equipment converts the current pulses from the fission chamber to analog DC currents that correspond to the count rate. Each channel also includes indication, alarm, and control rod blocks. However, this LCO specifies OPERABILITY requirements only for the monitoring and indication functions of the SRMs.

During refueling, shutdown, and low power operations, the primary indication of neutron flux levels is provided by the SRMs or special movable detectors connected to the normal SRM circuits. The SRMs provide monitoring of reactivity changes during fuel or control rod movement and give the control room operator early indication of unexpected subcritical multiplication that could be indicative of an approach to criticality.

APPLICABLE Prevention and mitigation of prompt reactivity excursions SAFETY ANALYSES during refueling and low power operation is provided by LCO 3.9.1, "Refueling Equipment Interlocks"; LCO 3.1.1, "SHUTDOWN MARGIN (SDM)"; LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation": IRM Neutron Flux-High and (continued)

JAFNPP B 3.3.1.2-1 Revision 0

SRM Instrumentation B 3.3.1.2 BASES APPLICABLE Average Power Range Monitor (APRM) Neutron Flux-High, SAFETY ANALYSES (Startup) Functions; and LCO 3.3.2.1, "Control Rod Block (continued) Instrumentation."

The SRMs have no safety function and are not assumed to function during any UFSAR design basis accident or transient analysis. However, the SRMs provide the only on-scale monitoring of neutron flux levels during startup and refueling. Therefore, they are being retained in Technical Specifications.

LCO During startup in MODE 2, three of the four SRM channels are required to be OPERABLE to monitor the reactor flux level prior to and during control rod withdrawal, subcritical multiplication and reactor criticality, and neutron flux level and reactor period until the flux level is sufficient to maintain the IRMs on Range 3 or above. All but one of the channels are required in order to provide a representation of the overall core response during those periods when reactivity changes are occurring throughout the core.

In MODES 3 and 4, with the reactor shut down, two SRM channels provide redundant monitoring of flux levels in the core.

In MODE 5, during a spiral offload or reload, an SRM outside the fueled region will no longer be required to be OPERABLE, since it is not capable of monitoring neutron flux in the fueled region of the core. Thus, CORE ALTERATIONS are allowed in a quadrant with no OPERABLE SRM in an adjacent quadrant provided the Table 3.3.1.2-1, footnote (b),

requirement that the bundles being spiral reloaded or spiral offloaded are all in a single fueled region containing at least one OPERABLE SRM is met. Spiral reloading and offloading encompass reloading or offloading a cell on the edge of a continuous fueled region (the cell can be reloaded or offloaded in any sequence).

In nonspiral routine operations, two SRMs are required to be OPERABLE to provide redundant monitoring of reactivity changes occurring in the reactor core. Because of the local nature of reactivity changes during refueling, adequate coverage is provided by requiring one SRM to be OPERABLE in the quadrant of the reactor core where CORE ALTERATIONS are being performed, and the other SRM to be OPERABLE in an adjacent quadrant containing fuel. These requirements ensure that the reactivity of the core will be continuously monitored during CORE ALTERATIONS.

(continued)

JAFNPP B 3.3.1.2-2 Revision 0

SRM Instrumentation B 3.3.1.2 BASES LCO Special movable detectors, according to footnote (c) of (continued) Table 3.3.1.2-1, may be used in place of the normal SRM nuclear detectors. These special detectors must be connected to the normal SRM circuits in the NMS, such that the applicable neutron flux indication can be generated.

These special detectors provide more flexibility in monitoring reactivity changes during fuel loading, since they can be positioned anywhere within the core during refueling. They must still meet the location requirements of SR 3.3.1.2.2 and all other required SRs for SRMs.

For an SRM channel to be considered OPERABLE, it must be providing neutron flux monitoring indication.

APPLICABILITY The SRMs are required to be OPERABLE in MODES 2, 3, 4, and 5 prior to the IRMs being on scale on Range 3 to provide for neutron monitoring. In MODE 1, the APRMs provide adequate monitoring of reactivity changes in the core; therefore, the SRMs are not required. In MODE 2, with IRMs on Range 3 or above, the IRMs provide adequate monitoring and the SRMs are not required.

ACTIONS A.1 and B.1 In MODE 2, with the IRMs on Range 2 or below, SRMs provide the means of monitoring core reactivity and criticality.

With any number of the required SRMs inoperable, the ability to monitor neutron flux is degraded. Therefore, a limited time is allowed to restore the inoperable channels to OPERABLE status.

Provided at least one SRM remains OPERABLE, Required Action A.1 allows 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months to restore the required SRMs to OPERABLE status. This time is reasonable because there is adequate capability remaining to monitor the core, there is limited risk of an event during this time, and there is sufficient time to take corrective actions to restore the required SRMs to OPERABLE status or to establish alternate IRM monitoring capability. During this time, control rod withdrawal and power increase is not precluded by this Required Action. Having the ability to monitor the core with at least one SRM, proceeding to IRM Range 3 or greater (with overlap required by SR 3.3.1.1.5), and thereby exiting the Applicability of this LCO, is acceptable for ensuring adequate core monitoring and allowing continued operation.

(continued)

JAFNPP B 3.3.1.2-3 Revision 0

SRM Instrumentation B 3.3.1.2 BASES ACTIONS A.1 and B.1 (continued)

With three required SRMs inoperable, Required Action B.1 allows no positive changes in reactivity (control rod withdrawal must be immediately suspended) due to inability to monitor the changes. Required Action A.1 still applies and allows 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months to restore monitoring capability prior to requiring control rod insertion. This allowance is based on the limited risk of an event during this time, provided that no control rod withdrawals are allowed, and the desire to concentrate efforts on repair, rather than to immediately shut down, with no SRMs OPERABLE.

C.1 In MODE 2, if the required number of SRMs is not restored to OPERABLE status within the allowed Completion Time, the reactor shall be placed in MODE 3. With all control rods fully inserted, the core is in its least reactive state with the most margin to criticality. The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach MODE 3 in an orderly manner and without challenging plant systems.

D.1 and D.2 With one or more required SRMs inoperable in MODE 3 or 4, the neutron flux monitoring capability is degraded or nonexistent. The requirement to fully insert all insertable control rods ensures that the reactor will be at its minimum reactivity level while no neutron monitoring capability is available. Placing the reactor mode switch in the shutdown position prevents subsequent control rod withdrawal by maintaining a control rod block. The allowed Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is sufficient to accomplish the Required Action, and takes into account the low probability of an event requiring the SRM occurring during this interval.

E.1 and E.2 With one or more required SRMs inoperable in MODE 5, the ability to detect local reactivity changes in the core during refueling is degraded or nonexistent. CORE ALTERATIONS must be immediately suspended and action must be immediately initiated to fully insert all insertable control rods in core cells containing one or more fuel assemblies.

(continued)

JAFNPP B 3.3.1.2-4 Revision 0

SRM Instrumentation B 3.3.1.2 BASES ACTIONS E.1 and E.2 (continued)

Suspending CORE ALTERATIONS prevents the two most probable causes of reactivity changes, fuel loading and control rod withdrawal, from occurring. Inserting all insertable control rods ensures that the reactor will be at its minimum reactivity given that fuel is present in the core.

Suspension of CORE ALTERATIONS shall not preclude completion of the movement of a component to a safe, conservative position.

Action (once required to be initiated) to insert control rods must continue until all insertable rods in core cells containing one or more fuel assemblies are inserted.

SURVEILLANCE As noted at the beginning of the SRs, the SRs for each SRM REQUIREMENTS Applicable MODE or other specified conditions are found in the SRs column of Table 3.3.1.2-1.

SR 3.3.1.2.1 and SR 3.3.1.2.3 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on another channel. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious.

A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Channel agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency of once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for SR 3.3.1.2.1 is based on operating experience that demonstrates channel failure is rare. While in MODES 3 and 4, reactivity changes are not expected; therefore, the 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Frequency is relaxed to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for SR 3.3.1.2.3. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

(continued)

JAFNPP B 3.3.1.2-5 Revision 0

SRM Instrumentation B 3.3.1.2 BASES SURVEILLANCE SR 3.3.1.2.2 REQUIREMENTS (continued) To provide adequate coverage of potential reactivity changes in the core when the fueled region encompasses more than one SRM, one SRM is required to be OPERABLE in the quadrant where CORE ALTERATIONS are being performed, and the other OPERABLE SRM must be in an adjacent quadrant containing fuel. Note 1 states that the SR is required to be met only during CORE ALTERATIONS. It is not required to be met at other times in MODE 5 since core reactivity changes are not occurring. This Surveillance consists of a review of plant logs to ensure that SRMs required to be OPERABLE for given CORE ALTERATIONS are, in fact, OPERABLE. In the event that only one SRM is required to be OPERABLE (when the fueled region encompasses only one SRM), per Table 3.3.1.2-1, footnote (b), only the a. portion of this SR is required.

Note 2 clarifies that more than one of the three requirements can be met by the same OPERABLE SRM. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Frequency is based upon operating experience and supplements operational controls over refueling activities that include steps to ensure that the SRMs required by the LCO are in the proper quadrant.

SR 3.3.1.2.4 This Surveillance consists of a verification of the SRM instrument readout to ensure that the SRM reading is greater than a specified minimum count rate with the detector full in, which ensures that the detectors are indicating count rates indicative of neutron flux levels within the core.

With few fuel assemblies loaded, the SRMs will not have a high enough count rate to satisfy the SR. Therefore, allowances are made for loading sufficient "source" material, in the form of irradiated fuel assemblies, to establish the minimum count rate.

To accomplish this, the SR is modified by a Note that states that the count rate is not required to be met on an SRM that has less than or equal to four fuel assemblies adjacent to the SRM and no other fuel assemblies are in the associated core quadrant. With four or less fuel assemblies loaded around each SRM and no other fuel assemblies in the associated core quadrant, even with a control rod withdrawn, the configuration will not be critical.

The Frequency is based upon channel redundancy and other information available in the control room, and ensures that the required channels are frequently monitored while core (continued)

JAFNPP B 3.3.1.2-6 Revision 0

SRM Instrumentation B 3.3.1.2 BASES SURVEILLANCE SR 3.3.1.2.4 (continued)

REQUIREMENTS reactivity changes are occurring. When no reactivity changes are in progress, the Frequency is relaxed from 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

SR 3.3.1.2.5 and SR 3.3.1.2.6 Performance of a CHANNEL FUNCTIONAL TEST demonstrates the associated channel will function properly. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with the applicable extensions.

SR 3.3.1.2.5 is required in MODE 5, and the 7 day Frequency ensures that the channels are OPERABLE while core reactivity changes could be in progress. This Frequency is reasonable, based on operating experience and on other Surveillances (such as a CHANNEL CHECK), that ensure proper functioning between CHANNEL FUNCTIONAL TESTS.

SR 3.3.1.2.6 is required in MODE 2 with IRMs on Range 2 or below, and in MODES 3 and 4. Since core reactivity changes do not normally take place in MODES 3 and 4, and core reactivity changes are due only to control rod movement in MODE 2, the Frequency has been extended from 7 days to 31 days. The 31 day Frequency is based on operating experience and on other Surveillances (such as CHANNEL CHECK) that ensure proper functioning between CHANNEL FUNCTIONAL TESTS.

Verification of the signal to noise ratio also ensures that the detectors are inserted to an acceptable operating level.

In a fully withdrawn condition, the detectors are sufficiently removed from the fueled region of the core to essentially eliminate neutrons from reaching the detector.

Any count rate obtained while the detectors are fully withdrawn is assumed to be "noise" only.

With few fuel assemblies loaded, the SRMs will not have a high enough count rate to determine the signal to noise ratio. Therefore, allowances are made for loading sufficient "source" material, in the form of irradiated fuel assemblies, to establish the conditions necessary to (continued)

JAFNPP B 3.3.1.2-7 Revision 0

SRM Instrumentation B 3.3.1.2 BASES SURVEILLANCE SR 3.3.1.2.5 and SR 3.3.1.2.6 (continued)

REQUIREMENTS determine the signal to noise ratio. To accomplish this, SR 3.3.1.2.5 is modified by a Note that states that the determination of signal to noise ratio is not required to be met on an SRM that has less than or equal to four fuel assemblies adjacent to the SRM and no other fuel assemblies are in the associated core quadrant. With four or less fuel assemblies loaded around each SRM and no other fuel assemblies in the associated quadrant, even with a control rod withdrawn the configuration will not be critical.

The Note to SR 3.3.1.2.6 allows the Surveillance to be delayed until entry into the specified condition of the Applicability (THERMAL POWER decreased to IRM Range 2 or below). The SR must be performed within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after IRMs are on Range 2 or below. The allowance to enter the Applicability with the 31 day Frequency not met is reasonable, based on the limited time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed after entering the Applicability and the inability to perform the Surveillance while at higher power levels.

Although the Surveillance could be performed while on IRM Range 3, the plant would not be expected to maintain steady state operation at this power level. Twelve hours is reasonable based on the SRMs being otherwise verified to be OPERABLE (i.e., satisfactorily performing the CHANNEL CHECK) and the time required to perform the Surveillances.

SR 3.3.1.2.7 Performance of a CHANNEL CALIBRATION at a Frequency of 92 days verifies the performance of the SRM monitors and associated circuitry. The Frequency considers the plant conditions required to perform the test, the ease of performing the test, and the likelihood of a change in the system or component status. The neutron detectors are excluded from the CHANNEL CALIBRATION (Note 1) because they cannot readily be adjusted. The detectors are fission chambers that are designed to have a relatively constant sensitivity over the range and with an accuracy specified for a fixed useful life.

Note 2 to the Surveillance allows the Surveillance to be delayed until entry into the specified condition of the Applicability. The SR must be performed in MODE 2 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months of entering MODE 2 with IRMs on Range 2 or below.

The allowance to enter the Applicability with the 92 day (continued)

JAFNPP B 3.3.1.2-8 Revision 0

SRM Instrumentation B 3.3.1.2 BASES SURVEILLANCE SR 3.3.1.2.7 (continued)

REQUIREMENTS Frequency not met is reasonable, based on the limited time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed after entering the Applicability and the inability to perform the Surveillance while at higher power levels. Although the Surveillance could be performed while on IRM Range 3, the plant would not be expected to maintain steady state operation at this power level. Twelve hours is reasonable based on the SRMs being otherwise verified to be OPERABLE (i.e., satisfactorily performing the CHANNEL CHECK) and the time required to perform the Surveillances.

REFERENCES None.

JAFNPP B 3.3.1.2-9 Revision 0

Control Rod Block Instrumentation B 3.3.2.1 B 3.3 INSTRUMENTATION B 3.3.2.1 Control Rod Block Instrumentation BASES BACKGROUND Control rods provide the primary means for control of reactivity changes. Control rod block instrumentation includes channel sensors, logic circuits, bypass circuits, switches, and relays that are designed to ensure that specified fuel design limits are not exceeded for postulated transients and accidents. During high power operation, the rod block monitor (RBM) provides protection for control rod withdrawal error events. During low power operations, control rod blocks from the rod worth minimizer (RWM) enforce specific control rod sequences designed to mitigate the consequences of the control rod drop accident (CRDA).

During shutdown conditions, control rod blocks from the Reactor Mode Switch-Shutdown Position Function ensure that all control rods remain inserted to prevent inadvertent critical ities.

The purpose of the RBM is to limit control rod withdrawal if localized neutron flux exceeds a predetermined setpoint during control rod manipulations. It is assumed to function to block further control rod withdrawal to preclude a MCPR Safety Limit (SL) violation. The RBM supplies a trip signal to the Reactor Manual Control System (RMCS) to appropriately inhibit control rod withdrawal during power operation above the low power range setpoint. The RBM has two channels, either of which can initiate a control rod block when the channel output exceeds the control rod block setpoint. One RBM channel inputs into one RMCS rod block circuit and the other RBM channel inputs into the second RMCS rod block circuit. The RBM channel signal is generated by averaging a set of local power range monitor (LPRM) signals. One RBM channel averages the signals of the LPRM detectors from the A and C level of the assigned LPRM assemblies, while the other RBM channel averages the signals of the LPRM detectors at the B and D level. Assignment of LPRM assemblies to be used in RBM averaging is controlled by the selection of control rods. If any LPRM detector assigned to an RBM is bypassed, the computed average signal is automatically adjusted to compensate for the number of LPRM input signals.

The minimum number of LPRM inputs required for each RBM channel to prevent an instrument inoperative alarm is four when using four.LPRM assemblies, three when using three LPRM assemblies, and two when using two LPRM assemblies. Each (continued)

JAFNPP B 3.3.2.1-1 Revision 0

Control Rod Block Instrumentation B 3.3.2.1 BASES BACKGROUND RBM also receives a recirculation loop flow signal. The RBM (continued) is automatically bypassed and the output set to zero if a peripheral rod is selected or the APRM used to normalize the RBM reading is < 30% RTP (Ref. 1). In addition, one of the two RBM channels can be manually bypassed.

When a control rod is selected, the gain of each RBM channel output is normalized to the assigned APRM channel. The assigned APRM channel is on the same RPS trip system as the RBM channel. The gain setting is held constant during the movement of the selected control rod to provide an indication of the change in the relative local power level.

If the indicated local power level increases above the preset limit, a rod block will occur. There are three parallel rod block setpoint lines which have an adjustable slope. These setpoint lines provide a setpoint that is a function of the recirculation loop flow signal. Intercepts of these setpoint lines with rated recirculation loop flow are adjustable. Lights in the control room indicate which rod block setpoint line is active. Two percent of RTP below the intermediate and lower rod block setpoint are the setup permissive and setdown lines. These lines, on increasing power, light a setup permissive indicator so that the operator can evaluate the conditions and manually change the setpoint to the next higher rod block setpoint line. On decreasing power these lines provide automatic setdown. In addition, to preclude rod movement with an inoperable RBM (if not bypassed), a downscale trip and an inoperable trip are provided. A rod block signal is generated if an RBM downscale trip or an inoperable trip occurs, since this could indicate a problem with the RBM channel. The downscale trip will occur if the RBM channel signal decreases below the downscale trip setpoint after the RBM channel signal has been normalized. The inoperable trip will occur during the nulling (normalization) sequence, if the RBM channel fails to null, too few LPRM inputs are available, a module is not plugged in, or the function switch is moved to any position other than "Operate" The purpose of the RWM is to control rod patterns during startup and shutdown, such that only specified control rod sequences and relative positions are allowed over the operating range from all control rods inserted to 10% RTP.

The sequences effectively limit the potential amount an rate of reactivity increase during a CRDA. Prescribed control rod sequences are stored in the RWM, which will initiate control rod withdrawal and insert blocks when the actual sequence deviates beyond allowances from the stored (continued)

JAFNPP B 3.3.2.1-2 Revision 0

Control Rod Block Instrumentation B 3.3.2.1 BASES BACKGROUND sequence. The RWM determines the actual sequence based on (continued) position indication for each control rod. The RWM also uses steam flow signals compensated for steam pressure to determine when the reactor power is above the preset power level at which the RWM is automatically bypassed (Ref. 2).

The RWM is a single channel system that provides input into both RMCS rod block circuits.

With the reactor mode switch in the shutdown position, a control rod withdrawal block is applied to all control rods to ensure that the shutdown condition is maintained. This Function prevents inadvertent criticality as the result of a control rod withdrawal during MODE 3 or 4, or during MODE 5 when the reactor mode switch is required to be in the shutdown position. The reactor mode switch has two channels, each inputting into a separate RMCS rod block circuit. A rod block in either RMCS circuit will provide a control rod block to all control rods.

APPLICABLE 1. Rod Block Monitor SAFETY ANALYSES, LCO, and The RBM is designed to prevent violation of the MCPR APPLICABILITY SL and the cladding 1% plastic strain fuel design limit that may result from a single control rod withdrawal error (RWE) event. The analytical methods and assumptions used in evaluating the RWE event are summarized in Reference 3. A statistical analysis of RWE events was performed to determine the RBM response for both channels for each event.

From these responses, the fuel thermal performance as a function of RBM Allowable Value was determined. The Allowable Values are chosen as a function of power level and flow. Based on the specified Allowable Values, operating limits are established.

The RBM Function satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 4).

Two channels of the RBM are required to be OPERABLE, with their setpoints within the appropriate Allowable Value specified in the COLR, to ensure that no single failure can preclude a rod block from this Function. The actual setpoints are calibrated consistent with applicable setpoint methodology.

Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Values (continued)

JAFNPP B 3.3.2.1-3 Revision 0

Control Rod Block Instrumentation B 3.3.2.1 BASES APPLICABLE 1. Rod Block Monitor (continued)

SAFETY ANALYSES, LCO, and between successive CHANNEL CALIBRATIONS. Operation with a APPLICABILITY trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable.

Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor power), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g.,

trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The trip setpoints are derived from the analytical limits and account for all worst case instrumentation uncertainties as appropriate (e.g., drift, process effects, calibration uncertainties, and severe environmental errors (for channels that must function in harsh environments as defined by 10 CFR 50.49)). The trip setpoints derived in this manner provide adequate protection because all expected uncertainties are accounted for. The Allowable Values are then derived from the trip setpoints by accounting for normal effects that would be seen during periodic surveillance or calibration. These effects are instrumentation uncertainties observed during normal operation (e.g., drift and calibration uncertainties).

The RBM is assumed to mitigate the consequences of an RWE event when operating Ž 30% RTP and a peripheral control rod is not selected. Below this power level, or if a peripheral control rod is selected, the consequences of an RWE event will not exceed the MCPR SL and, therefore, the RBM is not required to be OPERABLE (Ref. 1).

2. Rod Worth Minimizer The RWM enforces the banked position withdrawal sequence (BPWS) to ensure that the initial conditions of the CRDA analysis are not violated. The analytical methods and assumptions used in evaluating the CRDA are summarized in Reference 5. The BPWS requires that control rods be moved in groups, with all control rods assigned to a specific group required to be within specified banked positions.

Requirements that the control rod sequence is in compliance with the BPWS are specified in LCO 3.1.6, "Rod Pattern Control."

The RWM Function satisfies Criterion 3 of (continued)

JAFNPP B 3.3.2.1-4 Revision 0

Control Rod Block Instrumentation B 3.3.2.1 BASES APPLICABLE 2. Rod Worth Minimizer (continued)

SAFETY ANALYSES, LCO, and 10 CFR 50.36(c)(2)(ii) (Ref. 4).

APPLICABILITY Since the RWM is a system designed to act as a backup to operator control of the rod sequences, only one channel of the RWM is available and required to be OPERABLE (Ref. 6).

Special circumstances provided for in the Required Action of LCO 3.1.3, "Control Rod OPERABILITY," and LCO 3.1.6 may necessitate bypassing the RWM to allow continued operation with inoperable control rods, or to allow correction of a control rod pattern not in compliance with the BPWS. The RWM may be bypassed as required by these conditions, but then it must be considered inoperable and the Required Actions of this LCO followed.

Compliance with the BPWS, and therefore OPERABILITY of the RWM, is required in MODES 1 and 2 when THERMAL POWER is g 10% RTP. When THERMAL POWER is > 10% RTP, there is no possible control rod configuration that results in a control rod worth that could exceed the 280 cal/gm fuel damage limit during a CRDA (Refs. 6 and 7). In MODES 3 and 4, all control rods are required to be inserted into the core; therefore, a CRDA cannot occur. In MODE 5, since only a single control rod can be withdrawn from a core cell containing fuel assemblies, adequate SDM ensures that the consequences of a CRDA are acceptable, since the reactor will be subcritical.

3. Reactor Mode Switch-Shutdown Position During MODES 3 and 4, and during MODE 5 when the reactor mode switch is in the shutdown position, the core is assumed to be subcritical; therefore, no positive reactivity insertion events are analyzed. The Reactor Mode Switch-Shutdown Position control rod withdrawal block ensures that the reactor remains subcritical by blocking control rod withdrawal, thereby preserving the assumptions of the safety analysis.

The Reactor Mode Switch-Shutdown Position Function satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 4).

Two channels are required to be OPERABLE to ensure that no single failure will preclude a rod block when required.

There is no Allowable Value for this Function since the channels are mechanically actuated based solely on reactor mode switch position.

(continued)

JAFNPP B 3.3.2.1-5 Revision 0

Control Rod Block Instrumentation B 3.3.2.1 BASES APPLICABLE 3. Reactor Mode Switch-Shutdown Position (continued)

SAFETY ANALYSES, LCO, and During shutdown conditions (MODE 3, 4, or 5), no positive APPLICABILITY reactivity insertion events are analyzed because assumptions are that control rod withdrawal blocks are provided to prevent criticality. Therefore, when the reactor mode switch is in the shutdown position, the control rod withdrawal block is required to be OPERABLE. During MODE 5 with the reactor mode switch in the refueling position, the refuel position one-rod-out interlock (LCO 3.9.2 "Refuel Position One Rod-Out Interlock") provides the required control rod withdrawal blocks.

ACTIONS A. 1 With one RBM channel inoperable, the remaining OPERABLE channel is adequate to perform the control rod block function; however, overall reliability is reduced because a single failure in the remaining OPERABLE channel can result in no control rod block capability for the RBM. For this reason, Required Action A.1 requires restoration of the inoperable channel to OPERABLE status. The Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is based on the low probability of an event occurring coincident with a failure in the remaining OPERABLE channel.

B.1 If Required Action A.1 is not met and the associated Completion Time has expired, the inoperable channel must be placed in trip within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . If both RBM channels are inoperable, the RBM is not capable of performing its intended function; thus, one channel must also be placed in trip. This initiates a control rod withdrawal block, thereby ensuring that the RBM function is met.

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities and is acceptable because it minimizes risk while allowing time for restoration or tripping of inoperable channels.

C.1, C.2.1.1, C.2.1.2, and C.2.2 With the RWM inoperable during a reactor startup, the operator is still capable of enforcing the prescribed (continued)

JAFNPP B 3.3.2.1-6 Revision 0

Control Rod Block Instrumentation B 3.3.2.1 BASES ACTIONS C.1, C.2.1.1, C.2.1.2, and C.2.2 (continued) control rod sequence. However, the overall reliability is reduced because a single operator error can result in violating the control rod sequence. Therefore, control rod movement must be immediately suspended except by scram.

Alternatively, startup may continue if at least 12 control rods have already been withdrawn, or a reactor startup with an inoperable RWM during withdrawal of one or more of the first 12 control rods has not been performed in the current calendar year. These requirements minimize the number of reactor startups initiated with RWM inoperable. Required Actions C.2.1.1 and C.2.1.2 require verification of these conditions by review of plant logs and control room indications. Once Required Action C.2.1.1 or C.2.1.2 is satisfactorily completed, control rod withdrawal may proceed in accordance with the restrictions imposed by Required Action C.2.2. Required Action C.2.2 allows for the RWM Function to be performed manually and requires a double check of compliance with the prescribed rod sequence by a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff (i.e., reactor engineer). Plant procedures prohibit this individual from having other concurrent duties during withdrawal or insertion.

The RWM may be bypassed under these conditions to allow continued operations. In addition, Required Actions of LCO 3.1.3 and LCO 3.1.6 may require bypassing the RWM, during which time the RWM must be considered inoperable with Condition C entered and its Required Actions taken.

D.1 With the RWM inoperable during a reactor shutdown, the operator is still capable of enforcing the prescribed control rod sequence. Required Action D.1 allows for the RWM Function to be performed manually and requires a double check of compliance with the prescribed rod sequence by a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff (i.e., reactor engineer). The RWM may be bypassed under these conditions to allow the reactor shutdown to continue.

(continued)

JAFNPP B 3.3.2.1-7 Revision 0

Control Rod Block Instrumentation B 3.3.2.1 BASES ACTIONS E.1 and E.2 (continued)

With one Reactor Mode Switch-Shutdown Position control rod withdrawal block channel inoperable, the remaining OPERABLE channel is adequate to perform the control rod withdrawal block function. However, since the Required Actions are consistent with the normal action of an OPERABLE Reactor Mode Switch- Shutdown Position Function (i.e., maintaining all control rods inserted), there is no distinction between having one or two channels inoperable.

In both cases (one or both channels inoperable), suspending all control rod withdrawal and initiating action to fully insert all insertable control rods in core cells containing one or more fuel assemblies will ensure that the core is subcritical with adequate SDM, (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)"). Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and are therefore not required to be inserted. Action must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully inserted.

SURVEILLANCE As noted (Note 1) at the beginning of the SRs, the SRs for REQUIREMENTS each Control Rod Block instrumentation Function are found in the SRs column of Table 3.3.2.1-1.

The Surveillances are modified by Note 2 to indicate that when an RBM channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months provided the associated Function maintains control rod block capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken.

This Note is based on the reliability analysis (Ref. 8) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that a control rod block will be initiated when necessary.

SR 3.3.2.1.1 A CHANNEL FUNCTIONAL TEST is performed for each RBM channel to ensure that the entire channel will perform the intended (continued)

JAFNPP B 3.3.2.1-8 Revision 0

Control Rod Block Instrumentation B 3.3.2.1 BASES SURVEILLANCE SR 3.3.2.1.1 (continued)

REQUIREMENTS function. It includes the Reactor Manual Control Multiplexing System input. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with the applicable extensions. Testing of the Reactor Manual Control Multiplexing System input shall include inputs of "no control rod selected," "peripheral control rod selected," and other control rods selected with two, three, or four LPRM assemblies around it. In addition, testing shall include a verification that an inoperable trip occurs when a module is not plugged in, or the function switch is moved to any position other than "Operate". The Frequency of 92 days is based on reliability analyses (Ref. 9).

SR 3.3.2.1.2 and SR 3.3.2.1.3 A CHANNEL FUNCTIONAL TEST is performed for the RWM to ensure that the entire system will perform the intended function.

A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with the applicable extensions. The CHANNEL FUNCTIONAL TEST for the RWM is performed by attempting to withdraw a control rod not in compliance with the prescribed sequence and verifying a control rod block occurs. As noted in the SRs, SR 3.3.2.1.2 is not required to be performed until 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after any control rod is withdrawn at ! 10% RTP in MODE 2 and, SR 3.3.2.1.3 is not required to be performed until 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after THERMAL POWER is

10% RTP in MODE 1. This allows entry into MODE 2 for SR 3.3.2.1.2, and entry into MODE 1 when THERMAL POWER is

10% RTP for SR 3.3.2.1.3, to perform the required Surveillance if the 92 day Frequency is not met per (continued)

JAFNPP B 3.3.2.1-9 Revision 0

Control Rod Block Instrumentation B 3.3.2.1 BASES SURVEILLANCE SR 3.3.2.1.2 and SR 3.3.2.1.3 (continued)

REQUIREMENTS SR 3.0.2. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months allowance is based on operating experience and in consideration of providing a reasonable time in which to complete the SRs. The 92 day Frequencies are based on reliability analysis (Ref. 9).

SR 3.3.2.1.4 The RBM is automatically bypassed when power is below a specified value or if a peripheral control rod is selected.

The power level is determined from the APRM signals input to each RBM channel. The automatic bypass must be verified periodically to be < 30% RTP. In addition, it must also be verified that the RBM is not bypassed when a non-peripheral control rod is selected (only one non-peripheral control rod is required to be verified). If any bypass setpoint is nonconservative, then the affected RBM channel is considered inoperable. Alternatively, the APRM channel can be placed in the conservative condition (i.e., enabling the nonbypass). If placed in this condition, the SR is met and the RBM channel is not considered inoperable. As noted, neutron detectors are excluded from the Surveillance because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Neutron detectors are adequately tested in SR 3.3.1.1.2 and SR 3.3.1.1.7. The 92 day Frequency is based on the actual trip setpoint methodology utilized for these channels.

SR 3.3.2.1.5 and SR 3.3.2.1.8 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

SR 3.3.2.1.5 is modified by two Notes. Note 1 to SR 3.3.2.1.5 excludes neutron detectors from the CHANNEL CALIBRATION because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Neutron detectors are adequately tested in SR 3.3.1.1.2 and SR 3.3.1.1.7. Note 2 to SR 3.3.2.1.5 (continued)

JAFNPP B 3.3.2.1-10 Revi sion 0

Control Rod Block Instrumentation B 3.3.2.1 BASES SURVEILLANCE SR 3.3.2.1.5 and SR 3.3.2.1.8 (continued)

REQUIREMENTS excludes the recirculation loop flow signal portion of the channel from the CHANNEL CALIBRATION, since this portion of the channel is calibrated by SR 3.3.2.1.8.

SR 3.3.2.1.8 is modified by a Note that excludes all portions of channel except the recirculation loop flow signal from CHANNEL CALIBRATION. SR 3.3.2.1.5, in conjunction with SR 3.3.2.1.8, results in calibration of the entire channel. Since the recirculation loop flow signal is also a portion of the APRM Neutron Flux - High (Flow Biased) RPS scram Function channels (Table 3.3.1.1-1, RPS Instrumentation, Function 2.b), satisfactory performance of SR 3.3.2.1.8 also results in satisfactory completion of SR 3.3.1.1.12 for the associated APRM Neutron Flux-High (Flow Biased) RPS scram Function channels.

The Frequency of SR 3.3.2.1.5 is based upon the assumption of a 92 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. The Frequency of SR 3.3.2.1.8 is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of the equipment drift in the setpoint analysis.

SR 3.3.2.1.6 The RWM is automatically bypassed when power is above a specified value. The power level is determined from steam flow signals compensated for steam pressure. The automatic bypass setpoint must be verified periodically to be

! 10% RTP. If the RWM low power setpoint is nonconservative, then the RWM is considered inoperable.

Alternately, the low power setpoint channel can be placed in the conservative condition (nonbypass). If placed in the nonbypassed condition, the SR is met and the RWM is not considered inoperable. The Frequency is based on the trip setpoint methodology utilized for the low power setpoint channel.

(continued)

JAFNPP B 3.3.2.1-11 Revision 0

Control Rod Block Instrumentation B 3.3.2.1 BASES SURVEILLANCE SR 3.3.2.1.7 REQUIREMENTS (continued) A CHANNEL FUNCTIONAL TEST is performed for the Reactor Mode Switch-Shutdown Position Function to ensure that the entire channel will perform the intended function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with the applicable extensions. The CHANNEL FUNCTIONAL TEST for the Reactor Mode Switch-Shutdown Position Function is performed by attempting to withdraw any control rod with the reactor mode switch in the shutdown position and verifying a control rod block occurs.

As noted in the SR, the Surveillance is not required to be performed until 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after the reactor mode switch is in the shutdown position, since testing of this interlock with the reactor mode switch in any other position cannot be performed without using jumpers, lifted leads, or movable links. This allows entry into MODES 3 and 4 if the 24 month Frequency is not met per SR 3.0.2. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months allowance is based on operating experience and in consideration of providing a reasonable time in which to complete the SRs.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown these components usually pass the Surveillance when performed at the 24 month Frequency.

SR 3.3.2.1.9 The RWM will only enforce the proper control rod sequence if the rod sequence is properly input into the RWM computer.

This SR ensures that the proper sequence is loaded into the RWM so that it can perform its intended function. The Surveillance is performed once prior to declaring RWM OPERABLE following loading of sequence into RWM, since this is when rod sequence input errors are possible.

JAFNPP B 3.3.2.1-12 Revision 0

Control Rod Block Instrumentation B 3.3.2.1 BASES REFERENCES 1. UFSAR, Section 7.5.8.2.

2. UFSAR, Section 7.16.5.3.

3. NEDE-24011-P-A, General Electric Standard Application for Reactor Fuel, Supplement for United States, Section S.2.2.1.5, (Revision specified in the COLR).

4. 10 CFR 50.36(c)(2)(ii).

5. UFSAR, Section 14.6.1.2.

6. NRC SER, Acceptance of Referencing of Licensing Topical Report NEDE-24011-P-A, General Electric Standard Application for Reactor Fuel, Revision 8, Amendment 17, December 27, 1987.

7. Letter from T.A. Pickens (BWROG) to G.C. Lainas (NRC),

Amendment 17 to General Electric Licensing Topical Report NEDE-24011-P-A, BWROG-8644, August 15, 1986.

8. GENE-770-06-1-A, Addendum to Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications, December 1992.

9. NEDC-30851P-A, Supplement 1, Technical Specification Improvement Analysis for BWR Control Rod Block Instrumentation, October 1988.

JAFNPP B 3.3.2.1-13 Revi sion 0

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 B 3.3 INSTRUMENTATION B 3.3.2.2 Feedwater and Main Turbine High Water Level Trip Instrumentation BASES BACKGROUND The feedwater and main turbine high water level trip instrumentation is designed to detect a potential failure of the Feedwater Level Control System that causes excessive feedwater flow.

With excessive feedwater flow, the water level in the reactor vessel rises toward the high water level, Level 8 reference point, causing the trip of the two feedwater pump turbines and the main turbine.

Reactor Vessel Water Level -High (Level 8) signals are provided by level sensors that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level in the reactor vessel (variable leg). Three channels of Reactor Vessel Water Level -High (Level 8) instrumentation are provided as input to each of three trip systems. Each trip system is arranged with a two-out-of-three initiation logic such that two high water level trip signals are necessary for the trip system to actuate. One trip system trips one feedwater pump turbine, another trip system trips the other feedwater pump turbine, and the third trip system trips the main turbine. The channels include electronic equipment (e.g., alarm units) that compares measured input signals with pre- established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a feedwater and main turbine trip signal to the trip logic.

A trip of the feedwater pump turbines limits further increase in reactor vessel water level by limiting further addition of feedwater to the reactor vessel. A trip of the main turbine and closure of the stop valves protects the turbine from damage due to water entering the turbine.

APPLICABLE The feedwater and main turbine high water level trip SAFETY ANALYSES instrumentation is assumed to be capable of providing a turbine trip in the design basis transient analysis for a feedwater controller failure, maximum demand event (Ref. 1).

The Level 8 trip indirectly initiates a reactor scram from the main turbine trip (above 30% RTP) and trips the feedwater pumps, thereby terminating the event. The reactor scram mitigates the reduction in MCPR.

(continued)

JAFNPP B 3.3.2.2-1 Revision 0

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES APPLICABLE Feedwater and main turbine high water level trip SAFETY ANALYSES instrumentation satisfies Criterion 3 of (continued) 10 CFR 50.36(c)(2)(ii) (Ref. 2).

LCO The LCO requires three channels of the Reactor Vessel Water Level -High (Level 8) instrumentation to be OPERABLE to ensure that no single instrument failure will prevent the feedwater pump turbines and main turbine trip on a valid Level 8 signal. Two of the three channels are needed to provide trip signals in order for the feedwater and main turbine trips to occur. Each channel must have its setpoint set within the specified Allowable Value of SR 3.3.2.2.3.

The Allowable Value is set to ensure that the thermal limits are not exceeded during the event. The Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the reactor pressure vessel and also corresponds to the top of a 144 inch fuel column (Ref. 3). The actual setpoint is calibrated to be consistent with the applicable setpoint methodology assumptions. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.

Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., alarm unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The trip setpoints are derived from the analytic limits and account for all worst case instrumentation uncertainties as appropriate (e.g., drift, process affects, calibration uncertainties, and severe environmental errors (for channels that must function in harsh environments as defined by 10 CFR 50.49)). The trip setpoints derived in this manner provide adequate protection because all expected uncertainties are accounted for. The Allowable Values are then derived from the trip setpoints by accounting for (continued)

JAFNPP B 3.3.2.2-2 Revision 0

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES LCO normal effects that would be seen during periodic (continued) surveillance or calibration. These affects are instrumentation uncertainties during normal operation (e.g.,

drift and calibration uncertainties).

APPLICABILITY The feedwater and main turbine high water level trip instrumentation is required to be OPERABLE at 2 25% RTP to ensure that the fuel cladding integrity Safety Limit and the cladding 1% plastic strain limit are not violated during the feedwater controller failure, maximum demand event. As discussed in the Bases for LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)," and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)," sufficient margin to these limits exists below 25% RTP; therefore, these requirements are only necessary when operating at or above this power level.

ACTIONS A Note has been provided to modify the ACTIONS related to feedwater and main turbine high water level trip instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable feedwater and main turbine high water level trip instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable feedwater and main turbine high water level trip instrumentation channel.

A.1 With one channel inoperable, the remaining two OPERABLE channels can provide the required trip signal. However, overall instrumentation reliability is reduced because a single failure in one of the remaining channels concurrent with feedwater controller failure, maximum demand event, may result in the instrumentation not being able to perform its intended function. Therefore, continued operation is only (continued)

JAFNPP B 3.3.2.2-3 Revision 0

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES ACTIONS A.1 (continued) allowed for a limited time with one channel inoperable. If the inoperable channel cannot be restored to OPERABLE status within the Completion Time, the channel must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue with no further restrictions. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in a feedwater or main turbine trip), Condition C must be entered and its Required Action taken.

The Completion Time of 7 days is based on the low probability of the event occurring coincident with a single failure in a remaining OPERABLE channel.

B.1 With two or more channels inoperable, the feedwater and main turbine high water level trip instrumentation cannot perform its design function (feedwater and main turbine high water level trip capability is not maintained). Therefore, continued operation is only permitted for a 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months period, during which feedwater and main turbine high water level trip capability must be restored. The trip capability is considered maintained when sufficient channels are OPERABLE or in trip such that the feedwater and main turbine high water level trip logic will generate a trip signal on a valid signal. This requires two channels to each be OPERABLE or in trip. If the required channels cannot be restored to OPERABLE status or placed in trip, Condition C must be entered and its Required Action taken.

The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time is sufficient for the operator to take corrective action, and takes into account the likelihood of an event requiring actuation of feedwater and main turbine high water level trip instrumentation occurring during this period. It is also consistent with the 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time provided in LCO 3.2.2 for Required Action A.1, since this instrumentation's purpose is to preclude a MCPR violation.

(continued)

JAFNPP B 3.3.2.2-4 Revision 0

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES ACTIONS C.1 and C.2 (continued)

With the required channels not restored to OPERABLE status or placed in trip, THERMAL POWER must be reduced to

< 25% RTP within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . Alternatively, the affected stop valve(s) may be removed from service since this performs the intended function of the instrumentation. As discussed in the Applicability section of the Bases, operation below 25% RTP results in sufficient margin to the required limits, and the feedwater and main turbine high water level trip instrumentation is not required to protect fuel integrity during the feedwater controller failure, maximum demand event. The allowed Completion Time of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is based on operating experience to reduce THERMAL POWER to < 25% RTP from full power conditions in an orderly manner and without challenging plant systems. Required Action C.1 is modified by a Note which states that the Required Action is only applicable if the inoperable channel is the result of an inoperable feedwater pump turbine stop valve or main turbine stop valve. The Note clarifies the situations under which the associated Required Action would be the appropriate Required Action.

SURVEILLANCE The Surveillances are modified by a Note to indicate that REQUIREMENTS when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months provided the associated Function maintains feedwater and main turbine high water level trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 4) assumption that 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the feedwater pump turbines and main turbine will trip when necessary.

SR 3.3.2.2.1 Performance of the CHANNEL CHECK once every 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument (continued)

JAFNPP B 3.3.2.2-5 Revision 0

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES SURVEILLANCE SR 3.3.2.2.1 (continued)

REQUIREMENTS channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels, or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Channel agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limits.

The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel status during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.2.2.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

As noted, the CHANNEL FUNCTIONAL TEST is only required to be performed when in MODE 4 for > 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . In MODE 4, the plant is in a condition where a loss of a feedwater pump turbine or a main turbine trip will not jeopardize steady state power operation. The design of the trip systems do not permit functional testing of this trip function without lifting electrical leads. Consequently, testing the trip (continued)

JAFNPP B 3.3.2.2-6 Revision 0

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES SURVEILLANCE SR 3.3.2.2.2 (continued)

REQUIREMENTS systems on-line poses an unacceptable risk of an inadvertent trip of the feedwater pump turbines and main turbine, resulting in a plant transient. The 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is intended to indicate an outage of sufficient duration to allow for scheduling a proper performance of the Surveillance.

The 92 day Frequency and the Note to this Surveillance are based on Reference 5.

SR 3.3.2.2.3 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.2.2.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the feedwater and main turbine valves is included as part of this Surveillance and overlaps the LOGIC SYSTEM FUNCTIONAL TEST to provide complete testing of the assumed safety function. Therefore, if a valve is incapable of operating, the associated instrumentation would also be inoperable. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown that these components usually pass the Surveillance when performed at the 24 month Frequency.

REFERENCES 1. UFSAR, Section 14.5.9.

2. 10 CFR 50.36(c)(2)(ii).

(continued)

JAFNPP B 3.3.2.2-7 Revision 0

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES REFERENCES 3. Drawing 11825-5.01-15D, Rev. D, Reactor Assembly (continued) Nuclear Boiler, (GE Drawing 919D690BD).

4. GENE-770-06-1-A, Bases for Changes to Surveillance Test Intervals and Allowed Out-Of-Service Times for Selected Instrumentation Technical Specifications, December 1992.

5. NRC letter dated June 19, 1995, Amendment 225 for James A. FitzPatrick Nuclear Power Plant.

JAFNPP B 3.3.2.2-8 Revision 0

PAM Instrumentation B 3.3.3.1 B 3.3 INSTRUMENTATION B 3.3.3.1 Post Accident Monitoring (PAM) Instrumentation BASES BACKGROUND The primary purpose of the PAM instrumentation is to display plant variables that provide information required by the control room operators during accident situations. This information provides the necessary support for the operator to take the manual actions for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for Design Basis Events.

The instruments that monitor these variables are designated as Type A, Category 1, and non-Type A, Category 1, in accordance with Regulatory Guide 1.97 (Ref. 1).

The OPERABILITY of the accident monitoring instrumentation ensures that there is sufficient information available on selected plant parameters to monitor and assess plant status and behavior following an accident. This capability is consistent with the recommendations of Reference 1.

APPLICABLE The PAM instrumentation LCO ensures the OPERABILITY of SAFETY ANALYSES Regulatory Guide 1.97, Type A variables so that the control room operating staff can:

Perform the diagnosis specified in the Emergency Operating Procedures (EOPs). These variables are restricted to preplanned actions for the primary success path of Design Basis Accidents (DBAs),

(e.g., loss of coolant accident (LOCA)), and Take the specified, preplanned, manually controlled actions for which no automatic control is provided, which are required for safety systems to accomplish their safety function.

The PAM instrumentation LCO also ensures OPERABILITY of Category 1, non-Type A, variables so that the control room operating staff can:

"* Determine whether systems important to safety are performing their intended functions;

"* Determine the potential for causing a gross breach of the barriers to radioactivity release; Determine whether a gross breach of a barrier has occurred; and (continued)

JAFNPP B 3.3.3.1-1 Revision 0

PAM Instrumentation B 3.3.3.1 BASES APPLICABLE Initiate action necessary to protect the public and SAFETY ANALYSES for an estimate of the magnitude of any potential (continued) exposure.

The plant specific Regulatory Guide 1.97 Analysis (Ref. 2) documents the process that identified Type A and Category 1, non-Type A, variables.

Accident monitoring instrumentation that satisfies the definition of Type A in Regulatory Guide 1.97 meets Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 3). Category 1, non-Type A, instrumentation is retained in Technical Specifications (TS) because they are intended to assist operators in minimizing the consequences of accidents.

Therefore, these Category 1 variables are important for reducing public risk.

LCO LCO 3.3.3.1 requires two OPERABLE channels for all but one Function to ensure that no single failure prevents the operators from being presented with the information necessary to determine the status of the plant and to bring the plant to, and maintain it in, a safe condition following an accident. Furthermore, provision of two channels allows a CHANNEL CHECK during the post accident phase to confirm the validity of displayed information.

The exception to the two channel requirement is primary containment isolation valve (PCIV) position. In this case, the important information is the status of the primary containment penetrations. The LCO requires one position indicator for each active PCIV. This is sufficient to redundantly verify the isolation status of each isolable penetration either via indicated status of the active valve and prior knowledge of passive valve or via system boundary status. If a normally active PCIV is known to be closed and deactivated, position indication is not needed to determine status. Therefore, the position indication for valves in this state is not required to be OPERABLE.

The following list is a discussion of the specified instrument Functions listed in Table 3.3.3.1-1 in the accompanying LCO.

1. Reactor Vessel Pressure Reactor vessel pressure is a Category 1 variable provided to support monitoring of Reactor Coolant System (RCS) integrity and to verify operation of the Emergency Core Cooling (continued)

JAFNPP B 3.3.3.1-2 Revision 0

PAM Instrumentation B 3.3.3.1 BASES LCO 1. Reactor Vessel Pressure (continued)

Systems (ECCS). Two independent pressure transmitters with a range of 0 psig to 1500 psig monitor pressure and associated independent wide range recorders are the primary indication used by the operator during an accident.

Therefore, the PAM Specification deals specifically with these portions of the instrument channel.

2. Reactor Vessel Water Level Reactor vessel water level is a Category 1 variable provided to support monitoring of core cooling and to verify operation of the ECCS. The reactor vessel water level channels provide the PAM Reactor Vessel Water Level Function. The reactor vessel water level channels cover a range from -150 inches (just below the bottom of the active fuel) to +224.5 inches, as referenced (zero) from the top of active fuel (TAF). Reactor vessel water level is measured in overlapping stages by separate independent differential pressure transmitters. Two reactor vessel water level (fuel zone) channels monitor the range from -150 inches to +200 inches (TAF). One fuel zone channel consists of a transmitter and indicator and the other channel consists of a transmitter and recorder. Two reactor vessel water level (wide range) channels monitor the range from +14.5 inches to

+224.5 inches (TAF). The upper limit corresponds to a level of 63.5 inches below the centerline of the main steam lines.

Likewise, one wide range channel consists of a transmitter and indicator and the other channel consists of a transmitter and recorder. These transmitters and associated indicators and recorders provide the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with these portions of the instrument channel.

The reactor vessel water level wide range instruments are uncompensated for variation in reactor water density and are calibrated to be most accurate at operational pressure and temperature. The fuel level instruments are calibrated for cold conditions.

3. Suppression Pool Water Level (Wide Range)

Suppression pool water level is a Category 1 variable provided to detect a breach in the reactor coolant pressure boundary (RCPB). This variable is also used to verify and provide long term surveillance of ECCS function. The wide (continued)

JAFNPP B 3.3.3.1-3 Revision 0

PAM Instrumentation B 3.3.3.1 BASES LCO 3. Suppression Pool Water Level (Wide Range) (continued) range suppression pool water level measurement provides the operator with sufficient information to assess the status of both the RCPB and the water supply to the ECCS. The wide range water level instruments have a range of 1.7 feet to 27.5 feet. Two wide range suppression pool water level signals are transmitted from separate differential pressure transmitters and are continuously monitored by two level indicators and recorded on two recorders in the control room. These transmitters, indicators and recorders provide the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with these portions of the instrument channel.

4. Drywell Pressure Drywell pressure is a Category 1 variable provided to detect breach of the RCPB and to verify ECCS functions that operate to maintain RCS integrity. The drywell pressure channels cover a range of -5 psig to +250 psig. The drywell pressure is measured in overlapping stages by separate independent pressure transmitters. Two drywell pressure (narrow range) channels monitor the range from -5 psig to +5 psig. Two drywell pressure (wide range) channels monitor the range from 0 psig to 250 psig. Each drywell pressure channel consists of a separate independent transmitter with an associated indicator and recorder in the control room.

These transmitters and associated indicators and recorders provide the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with these portions of the instrument channel.

5. Containment High Range Radiation Containment high range radiation channels are provided to monitor the potential of significant releases of radioactive material and to provide release assessment for use by operators in determining the need to invoke site emergency plans. Two physically separated and redundant radiation detectors with a range of 1 R/hr to 1E8 R/hr are located inside the drywell. The detectors provide a signal to separate process radiation monitors located in the control room. These radiation detectors and associated monitors provide the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with these portions of the instrument channel.

(continued)

JAFNPP B 3.3.3.1-4 Revision 0

PAM Instrumentation B 3.3.3.1 BASES LCO 6. Drywell Temperature (continued)

Drywell temperature is a Category 1 variable provided to detect a breach in the RCPB and to verify ECCS functions that operate to maintain RCS integrity. Two drywell temperature channels monitor the range from 407F to 440'F.

Each drywell temperature channel consists of a separate temperature sensor, with an associated recorder in the control room. These temperature sensors and associated recorders provide the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with these portions of the instrument channel.

7. Primary Containment Isolation Valve (PCIV) Position PCIV position is a Category 1 variable provided for verification of containment integrity. In the case of PCIV position, the important information is the isolation status of the containment penetration. Therefore, this Function is not required for isolation valves whose associated penetration flow path is isolated by at least one closed and deactivated automatic valve, closed manual valve, blind flange, or check valve with flow through the valve secured (as noted in footnote (a) to Table 3.3.3.1-1). The LCO requires one channel of valve position indication in the control room to be OPERABLE for each active PCIV in a containment penetration flow path, i.e., two total channels of PCIV position indication for a penetration flow path with two active valves. For containment penetrations with only one active PCIV having control room indication, Note (b) requires a single channel of valve position indication to be OPERABLE. This is sufficient to redundantly verify the isolation status of each isolable penetration via indicated status of the active valve, as applicable, and prior knowledge of passive valve or system boundary status. If a penetration flow path is isolated, position indication for the PCIV(s) in the associated penetration flow path is not needed to determine status. Therefore, the position indication for valves in an isolated penetration flow path is not required to be OPERABLE. Each penetration is treated separately and each penetration flow path is considered a separate Function. Therefore, separate Condition entry is allowed for each inoperable penetration flow path.

The PCIV position PAM instrumentation consists of position switches mounted on the valves for the positions to be indicated, associated wiring and control room indicating (continued)

JAFNPP B 3.3.3.1-5 Revision 0

PAM Instrumentation B 3.3.3.1 BASES LCO 7. Primary Containment Isolation Valve (PCIV) Position (continued) lamps for active PCIVs (check valves and manual valves are not required to have position indication). These position switches and associated indicators in the control room provide the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with these portions of the instrument channel.

8. Primary Containment Hydrogen and Oxygen Concentration Primary containment hydrogen and oxygen concentration is a Category 1 variable provided to detect high hydrogen or oxygen concentration conditions that represent a potential for containment breach. This variable is also important in verifying the adequacy of mitigating actions. The primary containment hydrogen and oxygen concentration channels consists of two redundant analyzers. Each analyzer contains a hydrogen and an oxygen detector. Each analyzer can be aligned to sample air from one of four sample points (3 points in the drywell and 1 point in the suppression chamber). Sample air passes through the hydrogen analyzer and the oxygen analyzer and is returned to the suppression chamber air space. During normal operation, the Division I analyzer samples the suppression chamber and the Division II analyzer samples the drywell. The analyzers are capable of determining oxygen and hydrogen concentrations in the range of 0% to 30%, which meets the requirements of Reference 1.

The hydrogen and oxygen concentration from each analyzer may be displayed on its associated recorder in the relay room.

Therefore, the PAM Specification deals specifically with these portions of the instrument channel. A Note allows the primary containment hydrogen and oxygen concentration channels to be inoperable for up to 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months per 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months period during Post Accident Sampling System (PASS) operation. PASS operation includes realignment from or to the mode. Operation of the PASS may require isolation of the primary containment hydrogen and oxygen concentration channels. This allowance will ensure that the PASS can perform its post accident monitoring function (Ref. 4) while minimizing the time the primary containment hydrogen and oxygen concentration channels are isolated.

(continued)

JAFNPP B 3.3.3.1-6 Revision 0

PAM Instrumentation B 3.3.3.1 BASES LCO 9. Suppression Chamber Pressure (continued)

Suppression chamber pressure is a Category 1 variable provided to verify RCS and containment integrity and to verify the effectiveness of ECCS actions taken to prevent containment breach. Two suppression chamber channels monitor a range from -15 psig to +85 psig. Each channel consists of an independent transmitter and associated recorder in the control room. These transmitters and recorders provide the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with these portions of the instrument channel.

10. Suppression Pool Water Temperature Suppression pool water temperature is a Category 1 variable provided to detect a condition that could potentially lead to containment breach and to verify the effectiveness of ECCS actions taken to prevent containment breach. The suppression pool water temperature instrumentation allows operators to detect trends in suppression pool water temperature. The suppression pool water temperature is monitored by two redundant channels. Each channel consists of sixteen resistance temperature detectors (RTDs) that monitor temperature over a range of 30'F to 230'F. The RTDs are mounted in thermowells spaced at equal intervals around the periphery of the suppression pool. The sixteen RTD signals are averaged and the resulting bulk temperature signal is sent to redundant indicating recorders in the control room. A minimum of fifteen out of sixteen RTDs are required for channel operability. An evaluation (Ref. 5) demonstrates that the maximum error in suppression pool bulk temperature measurement including channel uncertainty is

< 4 0 F with active pool circulation. Thus a 40 F bias has been employed for conservatism. By specifying 15 RTDs the single failure criteria is accounted for. This evaluation conservatively assumed the failure of RTDs at locations that minimized indicated bulk suppression pool temperature and consequently maximized indicated error. These RTDs and recorders provide the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with these portions of the instrument channels.

(continued)

JAFNPP B 3.3.3.1-7 Revision 0

PAM Instrumentation B 3.3.3.1 BASES LCO 11. Drywell Water Level (continued)

Drywell Water Level is a Category 1 variable provided to detect whether plant safety functions are being accomplished. Two drywell water level channels monitor the range from 22 feet to 106 feet. Each drywell water level channel consists of level transmitters, with an associated indicator and recorder in the control room. These level transmitters and associated indicators and recorders provide the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with these portions of the instrument channel.

APPLICABILITY The PAM instrumentation LCO is applicable in MODES 1 and 2.

These variables are related to the diagnosis and preplanned actions required to mitigate DBAs. The applicable DBAs are assumed to occur in MODES 1 and 2. In MODES 3, 4, and 5, plant conditions are such that the likelihood of an event that would require PAM instrumentation is extremely low; therefore, PAM instrumentation is not required to be OPERABLE in these MODES.

ACTIONS Note 1 has been added to the ACTIONS to exclude the MODE change restriction of LCO 3.0.4. This exception allows entry into the applicable MODE while relying on the ACTIONS even though the ACTIONS may eventually require plant shutdown. This exception is acceptable due to the passive function of the instruments, the operator's ability to diagnose an accident using alternative instruments and methods, and the low probability of an event requiring these instruments.

Note 2 has been provided to modify the ACTIONS related to PAM instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable PAM instrumentation channels provide appropriate compensatory measures for separate Functions. As such, a Note has been provided that allows separate Condition entry for each inoperable PAM Function.

(continued)

JAFNPP B 3.3.3.1-8 Revision 0

PAM Instrumentation B 3.3.3.1 BASES ACTIONS A.1 (continued)

When one or more Functions have one required channel that is inoperable, the required inoperable channel must be restored to OPERABLE status within 30 days. The 30 day Completion Time is based on operating experience and takes into account the remaining OPERABLE channels (or, in the case of a Function that has only one required channel, other non-Regulatory Guide 1.97 instrument channels to monitor the Function), the passive nature of the instrument (no critical automatic action is initiated by these instruments), and the low probability of an event requiring PAM instrumentation during this interval.

B.1 If a channel has not been restored to OPERABLE status in 30 days, this Required Action specifies initiation of action in accordance with Specification 5.6.6, which requires a written report to be submitted to the NRC. This report discusses the results of the root cause evaluation of the inoperability and identifies proposed restorative actions.

This action is appropriate in lieu of a shutdown requirement, since alternative actions are identified before loss of functional capability, and given the low probability of an event that would require information provided by this instrumentation.

C.1 When one or more Functions have two required channels that are inoperable (i.e., two channels inoperable in the same Function), one channel in the Function should be restored to OPERABLE status within 7 days. The Completion Time of 7 days is based on the relatively low probability of an event requiring PAM instrument operation and the availability of alternate means to obtain the required information. Continuous operation with two required channels inoperable in a Function is not acceptable because the alternate indications may not fully meet all performance qualification requirements applied to the PAM instrumentation. Therefore, requiring restoration of one inoperable channel of the Function limits the risk that the PAM Function will be in a degraded condition should an accident occur.

(continued)

JAFNPP B 3.3.3.1-9 Revision 0

PAM Instrumentation B 3.3.3.1 BASES ACTIONS D.1 (continued)

This Required Action directs entry into the appropriate Condition referenced in Table 3.3.3.1-1. The applicable Condition referenced in the Table is Function dependent.

Each time an inoperable channel has not met the Required Action of Condition C and the associated Completion Time has expired, Condition D is entered for that channel and provides for transfer to the appropriate subsequent Condition.

E.1 For the majority of Functions in Table 3.3.3.1-1, if any Required Action and associated Completion Time of Condition C is not met, the plant must be brought to a MODE in which the LCO not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

F.1 Since alternate means of monitoring primary containment area radiation have been developed and tested, the Required Action is not to shut down the plant, but rather to follow the directions of Specification 5.6.6. These alternate means may be temporarily installed if the normal PAM channel cannot be restored to OPERABLE status within the allotted time. The report provided to the NRC should discuss the alternate means used, describe the degree to which the alternate means are equivalent to the installed PAM channels, justify the areas in which they are not equivalent, and provide a schedule for restoring the normal PAM channels.

SURVEILLANCE The Surveillances are modified by a Note to indicate that REQUIREMENTS when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , provided the other required channel in the associated Function is OPERABLE. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the (continued)

JAFNPP B 3.3.3.1-10 Revision 0

PAM Instrumentation B 3.3.3.1 BASES SURVEILLANCE applicable Condition entered and Required Actions taken.

REQUIREMENTS The 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance is acceptable since it does not (continued) significantly reduce the probability of properly monitoring post-accident parameters, when necessary.

SR 3.3.3.1.1 Performance of the CHANNEL CHECK once every 31 days ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel against a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. For the PCIV Position Function, the CHANNEL CHECK consists of verifying the remote indication conforms to expected valve position.

Channel agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Frequency of 31 days is based upon plant operating experience, with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one channel of a given Function in any 31 day interval is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of those displays associated with the channels required by the LCO.

SR 3.3.3.1.2 and SR 3.3.3.1.3 These SRs require a CHANNEL CALIBRATION to be performed.

CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies the channel responds to measured parameter with the necessary range and accuracy. For the PCIV Position Function, the CHANNEL CALIBRATION consists of verifying the remote indication conforms to actual valve position.

(continued)

JAFNPP B 3.3.3.1-11 Revision 0

PAM Instrumentation B 3.3.3.1 BASES SURVEILLANCE SR 3.3.3.1.2 and SR 3.3.3.1.3 (continued)

REQUIREMENTS The 92 day Frequency for CHANNEL CALIBRATION of the Primary Containment Hydrogen and Oxygen Concentration channels is based on vendor recommendations. The 24 month Frequency for CHANNEL CALIBRATION of all other PAM instrumentation of Table 3.3.3.1-1 is based on operating experience and consistency with the refueling cycles.

REFERENCES 1. Regulatory Guide 1.97, Revision 3, Instrumentation For Light-Water-Cooled Nuclear Power Plants To Assess Plant And Environs Conditions During And Following An Accident, May 1983.

2. NRC letter, H. I. Abelson to J. C. Brons dated March 14, 1988, regarding conformance to Regulatory Guide 1.97, Rev. 2. Includes NRR Safety Evaluation Report for Regulatory Guide 1.97 and James A. FitzPatrick Nuclear Power Plant.

3. 10 CFR 50.36(c)(2)(ii).

4. UFSAR, Section 9.14.4.

5. DRF-T23-688-1, Error in FitzPatrick Temperature Measurement Based on Monticello In-plant S/RV Test Data.

JAFNPP B 3.3.3.1-12 Revision 0

Remote Shutdown System B 3.3.3.2 B 3.3 INSTRUMENTATION B 3.3.3.2 Remote Shutdown System BASES BACKGROUND The Remote Shutdown System provides the control room operator with sufficient instrumentation and controls to place and maintain the plant in a safe shutdown condition from locations other than the control room. This capability is necessary to protect against the possibility of the control room becoming inaccessible. A safe shutdown condition is defined as MODE 3. With the plant in MODE 3, the safety/relief valves (S/RVs) and the Residual Heat Removal (RHR) System can be used to remove core decay heat and meet all safety requirements. This is accomplished by depressurizing the reactor pressure vessel (RPV) with the use of seven S/RVs and establishing a long term cooling path. Water is pumped from the suppression pool by an RHR pump, through an RHR heat exchanger and to the RPV via the low pressure coolant injection (LPCI) pathway. As reactor water level increases and the main steam lines become flooded, water is recirculated to the suppression pool through the S/RV discharge piping. The long term supply of water from the suppression pool and the ability to operate the RHR System in this closed loop configuration from outside the control room allows operation in a safe shutdown condition for an extended period of time.

In the event that the control room becomes inaccessible, the operators can establish control at the remote shutdown panel and place and maintain the plant in MODE 3. Not all controls and necessary transfer switches are located at the remote shutdown panel. Other major controls are located at the Automatic Depressurization System (ADS) panel and auxiliary shutdown panels. Some controls and transfer switches will have to be operated locally at the switchgear, motor control panels, or other local stations. The plant is in MODE 3 following a plant shutdown and can be maintained safely in MODE 3 for an extended period of time.

The OPERABILITY of the Remote Shutdown System control and instrumentation Functions ensures that there is sufficient information available on selected plant parameters to place and maintain the plant in MODE 3 should the control room become inaccessible.

(cont-in-ued)

JAFNPP B 3.3.3.2-1 Revision 0

Remote Shutdown System B 3.3.3.2 BASES (continued)

APPLICABLE The Remote Shutdown System is required to provide equipment SAFETY ANALYSES at appropriate locations outside the control room with a design capability to promptly shut down the reactor to MODE 3, including the necessary instrumentation and controls, to maintain the plant in a safe condition in MODE 3.

The criteria governing the design and the specific system requirements of the Remote Shutdown System are located in the UFSAR (Refs. 1 and 2).

The Remote Shutdown System satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii)(Ref. 3).

LCO The Remote Shutdown System LCO provides the requirements for the OPERABILITY of the instrumentation and controls necessary to place and maintain the plant in MODE 3 from locations other than the control room. The instrumentation and controls required are listed in the Technical Requirements Manual (Reference 4). In addition, as stated in the Technical Requirements Manual, this portion of the Technical Requirements Manual is considered part of these Bases. Thus, changes to the instrumentation and controls listed in the Technical Requirements Manual are controlled by the Technical Specifications Bases Control Program.

The controls, instrumentation, and transfer switches are those required for:

Reactor pressure vessel (RPV) pressure control;

° Decay heat removal;

RPV inventory control; and Safety support systems for the above functions, including Emergency Service water, RHR Service water, cresent area unit coolers and onsite power, including the emergency diesel generators.

The Remote Shutdown System is OPERABLE if all instrument and control channels needed to support the remote shutdown function are OPERABLE. In some cases, the required information or control capability may be available from several alternate sources. In these cases, the Remote Shutdown System is OPERABLE as long as one channel of any of the alternate information or control sources for each Function is OPERABLE.

(continued)

JAFNPP B 3.3.3.2-2 Revision 0

Remote Shutdown System B 3.3.3.2 BASES LCO The Remote Shutdown System instruments and control circuits (continued) covered by this LCO do not need to be energized to be considered OPERABLE. This LCO is intended to ensure that the instruments and control circuits will be OPERABLE if plant conditions require that the Remote Shutdown System be placed in operation.

APPLICABILITY The Remote Shutdown System LCO is applicable in MODES 1 and 2. This is required so that the plant can be placed and maintained in MODE 3 for an extended period of time from a location other than the control room.

This LCO is not applicable in MODES 3, 4, and 5. In these MODES, the plant is already subcritical and in a condition of reduced Reactor Coolant System energy. Under these conditions, considerable time is available to restore necessary instrument control Functions if control room instruments or control becomes unavailable. Consequently, the LCO does not require OPERABILITY in MODES 3. 4, and 5.

ACTIONS A Note (Note 1) is included that excludes the MODE change restriction of LCO 3.0.4. This exception allows entry into an applicable MODE while relying on the ACTIONS even though the ACTIONS may eventually require a plant shutdown. This exception is acceptable due to the low probability of an event requiring this system.

Note 2 has been provided to modify the ACTIONS related to Remote Shutdown System Functions. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable Remote Shutdown System Functions provide appropriate compensatory measures for separate Functions.

As such, a Note has been provided that allows separate Condition entry for each inoperable Remote Shutdown System Function.

(continued)

JAFNPP B 3.3.3.2-3 Revision 0

Remote Shutdown System B 3.3.3.2 BASES ACTIONS A.1 (continued)

Condition A addresses the situation where one or more required Functions of the Remote Shutdown System is inoperable. This includes any function listed in Reference 4, as well as the control and transfer switches.

The Required Action is to restore the Function (both divisions, if applicable) to OPERABLE status within 30 days.

The Completion Time is based on operating experience and the low probability of an event that would require evacuation of the control room.

B.1 If the Required Action and associated Completion Time of Condition A are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Time is reasonable, based on operating experience, to reach the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE The Surveillances are modified by a Note to indicate that REQUIREMENTS when a channel is placed in an inoperable status solely for preformance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. The 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance is acceptable since it does not significantly reduce the probability of properly monitoring remote shutdown parameters, when necessary.

SR 3.3.3.2.1 Performance of the CHANNEL CHECK once every 31 days ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of (continued)

JAFNPP B 3.3.3.2-4 Revision 0

Remote Shutdown System B 3.3.3.2 BASES SURVEILLANCE SR 3.3.3.2.1 (continued)

REQUIREMENTS excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Channel agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. As specified in the Surveillance, a CHANNEL CHECK is only required for those channels that are normally energized.

The Frequency is based upon plant operating experience that demonstrates channel failure is rare.

SR 3.3.3.2.2 SR 3.3.3.2.2 verifies each required Remote Shutdown System transfer switch and control circuit performs the intended function. This verification is performed from the remote shutdown panel and locally, as appropriate. Operation of the equipment from the remote shutdown panel is not necessary. The Surveillance can be satisfied by performance of a continuity check. This will ensure that if the control room becomes inaccessible, the plant can be placed and maintained in MODE 3 from the remote shutdown panel, auxiliary shutdown panels and the local control stations.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience demonstrates that Remote Shutdown System control channels usually pass the Surveillance when performed at the 24 month Frequency.

SR 3.3.3.2.3 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. The test verifies the channel responds to measured parameter values with the necessary range and accuracy.

(continued)

JAFNPP B 3.3.3.2-5 Revision 0

Remote Shutdown System B 3.3.3.2 BASES SURVEILLANCE SR 3.3.3.2.3 (continued)

REQUIREMENTS The 24 month Frequency is based upon operating experience and consistency with the refueling cycle.

REFERENCES 1. UFSAR, Section 16.6.

2. UFSAR, Section 14.5.10.

3. 10 CFR 50.36(c)(2)(ii).

4. Technical Requirements Manual, Appendix D.

JAFNPP B 3.3.3.2-6 Revision 0

ATWS-RPT Instrumentation B 3.3.4.1 B 3.3 INSTRUMENTATION B 3.3.4.1 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT) Instrumentation BASES BACKGROUND The ATWS-RPT System initiates an RPT, adding negative reactivity, following events in which a scram does not (but should) occur, to lessen the effects of an ATWS event.

Tripping the recirculation pumps adds negative reactivity from the increase in steam voiding in the core area as core flow decreases. When Reactor Vessel Water Level -Low Low (Level 2) or Reactor Pressure-High setpoint is reached, the recirculation pump motor generator (MG) drive motor breakers trip.

The ATWS-RPT System (Ref. 1) includes sensors, logic circuits, relays, and switches that are necessary to cause initiation of an RPT. The channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs an ATWS-RPT signal to the trip logic.

The ATWS-RPT logic consists of two trip systems for the Reactor Vessel Water Level - Low Low (Level 2) trip function and two trip systems for the Reactor Pressure -High trip function. Each trip system associated with the Reactor Vessel Water Level - Low Low (Level 2) Function includes two reactor water level channels while each trip system associated with the Reactor Pressure-High Function includes two reactor pressure channels. Each ATWS trip system is a one-out-of-two logic and both trip systems associated with the same function must trip for the ATWS trip logic to actuate. Therefore, the ATWS trip system logic for each Function is one-out-of-two taken twice.

The two channels in each trip system are powered from a common power supply. For each trip function, the two channels in one trip system are powered independently from the two channels in the other trip system. (Divisions 1 and 2). The logic associated with the two trip systems for the Reactor Vessel Water-Low Low (Level 2) trip function and the logic associated with the two trip systems for the Reactor Pressure-High trip function are all powered from one common power supply.

(continued)

JAFNPP B 3.3.4.1-1 Revision 0

ATWS-RPT Instrumentation B 3.3.4.1 BASES BACKGROUND There is one drive motor breaker provided for each of the (continued) recirculation pump MGs for a total of two breakers. The output of each trip function logic is provided to both recirculation pump MG drive motor breakers.

APPLICABLE The ATWS-RPT is not credited in the safety analysis. The SAFETY ANALYSES, ATWS-RPT initiates an RPT to aid in preserving the integrity LCO, and of the fuel cladding following events in which a scram does APPLICABILITY not, but should, occur. ATWS-RPT instrumentation satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii) (Ref. 2).

The OPERABILITY of the ATWS-RPT is dependent on the OPERABILITY of the individual instrumentation channel Functions. Each Function must have a required number of OPERABLE channels in both trip systems, with their setpoints within the specified Allowable Value of SR 3.3.4.1.4. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. Channel OPERABILITY also includes the associated recirculation pump MG drive motor breakers.

Allowable Values are specified for each ATWS-RPT Function specified in the LCO. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the ATWS analysis. The trip setpoints are derived from the analytical limits and account for all worst case instrumentation uncertainties as appropriate (e.g., drift, process effects, calibration uncertainties, and severe environmental errors (for channels that must function in harsh environments as defined by 10 CFR 50.49)). The trip setpoints derived in this manner provide adequate protection because all expected uncertainties are accounted for. The Allowable Values are then derived from the trip setpoints by accounting for normal effects that would be seen during (continued)

JAFNPP B 3.3.4.1-2 Revision 0

ATWS-RPT Instrumentation B 3.3.4.1 BASES APPLICABLE periodic surveillance or calibration. These effects are SAFETY ANALYSES, instrumentation uncertainties observed during normal LCO, and operation (e.g., drift and calibration uncertainties).

APPLICABILITY (continued) The individual Functions are required to be OPERABLE in MODE 1 to protect against common mode failures of the Reactor Protection System by providing a diverse trip to mitigate the consequences of a postulated ATWS event. The Reactor Pressure- High and Reactor Vessel Water Level -Low Low (Level 2) Functions are required to be OPERABLE in MODE 1, since the reactor is producing significant power and the recirculation system could be at high flow. During this MODE, the potential exists for pressure increases or low water level, assuming an ATWS event. In MODE 2, the reactor is at low power and the recirculation system is at low flow; thus, the potential is low for a pressure increase or low water level, assuming an ATWS event. Therefore, the ATWS-RPT is not necessary. In MODES 3 and 4, the reactor is shut down with all control rods inserted; thus, an ATWS event is not significant and the possibility of a significant pressure increase or low water level is negligible. In MODE 5, the one rod out interlock ensures that the reactor remains subcritical; thus, an ATWS event is not significant. In addition, the reactor pressure vessel (RPV) head is not fully tensioned and no pressure transient threat to the reactor coolant pressure boundary (RCPB) exists.

The specific Applicable Safety Analyses and LCO discussions are listed below on a Function by Function basis.

a. Reactor Vessel Water Level -Low Low (Level 2)

Low RPV water level indicates that a reactor scram should have occurred and the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. The ATWS-RPT System is initiated at Level 2 to assist in the mitigation of the ATWS event. The resultant reduction of core flow reduces the neutron flux and THERMAL POWER and, therefore, the rate of coolant boiloff.

Reactor vessel water level signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

(continued)

JAFNPP B 3.3.4.1-3 Revision 0

ATWS-RPT Instrumentation B 3.3.4.1 BASES APPLICABLE a. Reactor Vessel Water Level -Low Low (Level 2)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY Four channels of Reactor Vessel Water Level - Low Low (Level 2), with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure can preclude an ATWS-RPT from this Function on a valid signal. The Reactor Vessel Water Level - Low Low (Level 2) Allowable Value is chosen so that the system will not be initiated after a Level 3 scram with feedwater still available, and also provides an opportunity for the high pressure coolant injection (HPCI) and reactor core isolation cooling (RCIC) systems to recover water level if feedwater is not available. The Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 3).

The HPCI, RCIC and ATWS-RPT initiation functions (as described in Table 3.3.5.1-1, Function 3.a; Table 3.3.5.2-1, Function 1; and LCO 3.3.4.1.a including SR 3.3.4.1.4, respectively) describe the reactor vessel water level initiation function as "Low Low (Level 2)." The Allowable Values associated with the HPCI and RCIC initiation function is different from the Allowable Value associated with the ATWS-RPT initiation function as the ATWS function has a separate analog trip unit. Nevertheless, consistent with the nomenclature typically used in design documents, the "Low Low (Level 2)" designation is retained in describing each of these three initiation functions.

b. Reactor Pressure-High Excessively high RPV pressure may rupture the RCPB.

An increase in the RPV pressure during reactor operation compresses the steam voids and results in a positive reactivity insertion. This increases neutron flux and THERMAL POWER, which could potentially result in fuel failure and overpressurization. The Reactor Pressure-High Function initiates an RPT for transients that result in a pressure increase, counteracting the pressure increase by rapidly reducing core power generation. For the overpressurization event, the RPT (continued)

JAFNPP B 3.3.4.1-4 Revision 0

ATWS-RPT Instrumentation B 3.3.4.1 BASES APPLICABLE b. Reactor Pressure-High (continued)

SAFETY ANALYSES, LCO, and aids in the termination of the ATWS event and, along APPLICABILITY with the safety/relief valves (S/RVs), limits the peak RPV pressure to less than the ASME Section III Code Service Level C limits (1500 psig).

The Reactor Pressure-High signals are initiated from four pressure transmitters that monitor reactor steam dome pressure. Four channels of Reactor Pressure-High, with two channels in each trip system, are available and are required to be OPERABLE to ensure that no single instrument failure can preclude an ATWS-RPT from this Function on a valid signal. The Reactor Pressure- High Allowable Value is chosen to provide an adequate margin to the ASME Section III Code Service Level C allowable Reactor Coolant System pressure. The Allowable Value was derived from the analysis performed in Reference 4.

ACTIONS A Note has been provided to modify the ACTIONS related to ATWS-RPT instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable ATWS-RPT instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable ATWS-RPT instrumentation channel.

A.1 and A.2 With one or more channels inoperable, but with ATWS-RPT capability for each Function maintained (refer to Required Action B.1 Bases), the ATWS-RPT System is capable of performing the intended function. However, the reliability and redundancy of the ATWS-RPT instrumentation is reduced, such that a single failure in the same trip system could result in the inability of the ATWS-RPT System to perform the intended function. Therefore, only a limited time is allowed to restore the inoperable channels to OPERABLE (continued)

JAFNPP B 3.3.4.1-5 Revision 0

ATWS-RPT Instrumentation B 3.3.4.1 BASES ACTIONS A.1 and A.2 (continued) status. Because of the diversity of sensors available to provide trip signals, the low probability of extensive numbers of inoperabilities affecting both Functions, and the low probability of an event requiring the initiation of ATWS-RPT, 14 days is provided to restore the inoperable channel (Required Action A.1). Alternately, the inoperable channel may be placed in trip (Required Action A.2), since this would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. As noted, placing the channel in trip with no further restrictions is not allowed if the inoperable channel is the result of an inoperable breaker, since this may not adequately compensate for the inoperable breaker (e.g., the breaker may be inoperable such that it will not open). If it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel would result in an RPT), or if the inoperable channel is the result of an inoperable breaker, Condition D must be entered and its Required Actions taken.

B.1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in the Function not maintaining ATWS-RPT trip capability. A Function is considered to be maintaining ATWS-RPT trip capability when sufficient channels are OPERABLE or in trip such that the ATWS-RPT System will generate a trip signal from the given Function on a valid signal, and both recirculation pumps can be tripped. This requires one channel of the Function in each trip system to each be OPERABLE or in trip, and the recirculation pump MG drive motor breakers to be OPERABLE or in trip.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is sufficient for the operator to take corrective action (e.g., restoration or tripping of channels) and takes into account the likelihood of an event requiring actuation of the ATWS-RPT instrumentation during this period and that one Function is still maintaining ATWS-RPT trip capability.

(continued)

JAFNPP B 3.3.4.1-6 Revision 0

ATWS-RPT Instrumentation B 3.3.4.1 BASES ACTIONS C.1 (continued)

Required Action C.1 is intended to ensure that appropriate Actions are taken if multiple, inoperable, untripped channels within both Functions result in both Functions not maintaining ATWS-RPT trip capability. The description of a Function maintaining ATWS-RPT trip capability is discussed in the Bases for Required Action B.1 above.

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is sufficient for the operator to take corrective action and takes into account the likelihood of an event requiring actuation of the ATWS-RPT instrumentation during this period.

D.1 and D.2 With any Required Action and associated Completion Time not met, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months (Required Action D.2). Alternately, the associated recirculation pump may be removed from service since this performs the intended function of the instrumentation (Required Action D.1). The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, both to reach MODE 2 from full power conditions and to remove a recirculation pump from service in an orderly manner and without challenging plant systems. Required Action D.1 is modified by a Note which states that the Required Action is only applicable if the inoperable channel is the result of an inoperable RPT breaker. The Note clarifies the situations under which the associated Required Action would be the appropriate Required Action.

SURVEILLANCE The Surveillances are modified by a Note to indicate that REQUIREMENTS when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into the associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months provided the associated Function maintains ATWS-RPT trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken.

This Note is based on the reliability analysis (Ref. 6) assumption of the average time required to perform channel (continued)

JAFNPP B 3.3.4.1-7 Revision 0

ATWS-RPT Instrumentation B 3.3.4.1 BASES SURVEILLANCE Surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months REQUIREMENTS testing allowance does not significantly reduce the (continued) probability that the recirculation pumps will trip when necessary.

SR 3.3.4.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Channel agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the required channels of this LCO.

SR 3.3.4.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

(continued)

JAFNPP B 3.3.4.1-8 Revision 0

ATWS-RPT Instrumentation B 3.3.4.1 BASES SURVEILLANCE SR 3.3.4.1.2 (continued)

REQU IREMENTS Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days is based on the reliability analysis of Reference 5.

SR 3.3.4.1.3 Calibration of trip units provides a check of the actual trip setpoints. The channel must be declared inoperable if the trip setting is discovered to be less conservative than the Allowable Value specified in SR 3.3.4.1.4. If the trip setting is discovered to be less conservative than the setting accounted for in the appropriate setpoint methodology, but is not beyond the Allowable Value, the channel performance is still within the requirements of the plant safety analysis. Under these conditions, the setpoint must be readjusted to be equal to or more conservative than accounted for in the appropriate setpoint methodology.

The Frequency of 184 days is based on the reliability, accuracy, and low failure rates of these solid-state electronic components.

SR 3.3.4.1.4 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.4.1.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the pump breakers is (continued)

JAFNPP B 3.3.4.1-9 Revision 0

ATWS-RPT Instrumentation B 3.3.4.1 BASES SURVEILLANCE SR 3.3.4.1.5 (continued)

REQU IREMENTS included as part of this Surveillance and overlaps the LOGIC SYSTEM FUNCTIONAL TEST to provide complete testing of the assumed safety function. Therefore, if a breaker is incapable of operating, the associated instrument channels would be inoperable.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown these components usually pass the Surveillance when performed at the 24 month Frequency.

REFERENCES 1. UFSAR, Figure 7.4-9 Reactor Recirculation System (FCD).

2. 10 CFR 50.36(c)(2)(ii).

3. Drawing 11825-5.01-15D, Rev. D, Reactor Assembly Nuclear Boiler, (GE Drawing 919D690BD).

4. "ATWS Overpressure Analysis for FitzPatrick," GE-NE A42-00137-2-01, March 2000.

5. GENE-770-06-1-A, Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications, December 1992.

JAFNPP B 3.3.4.1-10 Revision 0

ECCS Instrumentation B 3.3.5.1 B 3.3 INSTRUMENTATION B 3.3.5.1 Emergency Core Cooling System (ECCS) Instrumentation BASES BACKGROUND The purpose of the ECCS instrumentation is to initiate appropriate responses from the systems to ensure that the fuel is adequately cooled in the event of a design basis accident or transient.

For most abnormal operational transients and Design Basis Accidents (DBAs), a wide range of dependent and independent parameters are monitored.

The ECCS instrumentation actuates core spray (CS), low pressure coolant injection (LPCI), high pressure coolant injection (HPCI), Automatic Depressurization System (ADS),

and the emergency diesel generators (EDGs). The equipment involved with each of these systems is described in the Bases for LCO 3.5.1, "ECCS-Operating" and LCO 3.8.1, "AC Sources- Operating."

Core Spray System The CS System may be initiated by either automatic or manual means, although manual initiation requires manipulation of individual pump and valve control switches. Automatic initiation occurs for conditions of Reactor Vessel Water Level -Low Low Low (Level 1) or Drywell Pressure-High; or both. Each of these diverse variables is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the four trip units associated with each diverse variable are connected to relays whose contacts provide input to two trip systems.

Each trip system is arranged in a one-out-of-two taken twice logic for each Function. Each trip system initiates one of two CS pumps and provides an open signal to both injection valves associated with the same CS pump. Once an initiation signal is received by the CS control circuitry, the signal is sealed in until manually reset.

Upon receipt of an initiation signal, if preferred power is available, both CS pumps start after approximately an 11 second time delay. If a CS initiation signal is received when preferred power is not available, the CS pumps start after approximately 11 seconds after the bus is energized by the EDGs.

(continued)

JAFNPP B 3.3.5.1-1 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND Core Spray System (continued)

The normally closed CS test line isolation valve, which is also a primary containment isolation valve (PCIV), is closed on a CS initiation signal to allow full system flow assumed in the accident analyses and maintain primary containment isolated in the event CS is not operating.

The CS pump discharge flow and pressure are monitored by a differential pressure indicating switch and a pressure switch, respectively. When the pump is running (as indicated by the pressure switch) and discharge flow is low enough so that pump overheating may occur, the minimum flow return line valve is opened. The valve is automatically closed if flow is above the minimum flow setpoint to allow the full system flow assumed in the accident analysis.

The CS System also monitors the pressure in the reactor to ensure that, before the injection valves open, the reactor pressure has fallen to a value below the CS System's maximum design pressure. The variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts provide input to two trip systems. Each trip system is arranged in a one-out-of-two taken twice logic. Each trip system provides an open permissive signal for two CS injection valves in one of the two CS Systems.

Low Pressure Coolant Injection System The LPCI is an operating mode of the Residual Heat Removal (RHR) System, with two LPCI subsystems. The LPCI subsystems may be initiated by automatic or manual means, although manual initiation requires manipulation of individual pump and valve control switches. Automatic initiation occurs for conditions of Reactor Vessel Water Level -Low Low Low (Level 1); Drywell Pressure-High; or both. Each of these diverse variables is monitored by four redundant transmitters, which, in turn, are connected to four trip units. The outputs of the four trip units associated with each diverse variable are connected to relays whose contacts provide input to two trip systems. Each trip system is arranged in a one-out-of-two taken twice logic for each Function. Each trip system initiates two of the four LPCI pumps, provides an open signal to each LPCI inboard injection valve, provides an open signal to the associated (continued)

JAFNPP B 3.3.5.1-2 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND Low Pressure Coolant Injection System (continued)

LPCI outboard injection valve, provides an open signal to the associated LPCI heat exchanger bypass valve, and provides a close signal to both recirculation pump discharge valves. The open signal for the heat exchanger bypass valve is maintained for three minutes to ensure the valve fully opens. Once an initiation signal is received by the LPCI control circuitry, the signal is sealed in until manually reset.

Upon receipt of an initiation signal, if preferred power is available, LPCI pumps A and D start in approximately one second. LPCI pumps B and C are started in approximately 6 seconds to limit the loading of the preferred power sources. With a loss of preferred power, LPCI pumps A and D start in approximately one second after the bus is energized by the EDGs, and LPCI pumps B and C start 6 seconds after the bus is energized by the EDGs to limit the loading of the EDGs. If one EDG should fail to force parallel, an associated LPCI pump will not start (LPCI pump B or C) to ensure the other EDG is not overloaded.

Each LPCI subsystem's discharge flow is monitored by a differential pressure indicating switch. When a pump is running (as indicated by pump breaker position) and discharge flow is low enough so that pump overheating may occur, the respective minimum flow return line valve is opened. If flow is above the minimum flow setpoint, the valve is automatically closed to allow the full system flow assumed in the analyses.

The normally closed RHR suppression pool cooling isolation return valve, suppression pool spray isolation valves, and containment spray isolation valves (which are also PCIVs) are also closed on a LPCI initiation signal to allow the full system flow assumed in the accident analyses and maintain primary containment isolated in the event LPCI is not operating.

The LPCI System monitors the pressure in the reactor to ensure that, before an injection valve opens, the reactor pressure has fallen to a value below the LPCI System's maximum design pressure. The variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts provide input to two trip systems. Each trip system is arranged in a one-out-of-two (continued)

JAFNPP B 3.3.5.1-3 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND Low Pressure Coolant Injection System (continued) taken twice logic. Each trip system provides an open signal to both inboard injection valves and provides an open permissive signal to the associated outboard injection valve. The open permissive signal for the outboard injection valve is maintained for five minutes to ensure the valve fully opens. Additionally, instruments are provided to close the recirculation pump discharge valves to ensure that LPCI flow does not bypass the core when it injects into the recirculation lines. The variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts provide input to two trip systems. Each trip system is arranged in a one-out-of-two taken twice logic. Each trip system provides a closure signal to both recirculation pump discharge valves.

Low reactor water level in the shroud is detected by two additional instruments. When the level is greater than the low level setpoint, LPCI may no longer be required, therefore, other modes of RHR (e.g., suppression pool cooling) are allowed. The variable is monitored by two transmitters, which are, in turn, connected to two trip units. The outputs of the trip units are connected to relays whose contacts provide input to one of two trip systems. Each trip system provides a permissive signal to open the associated subsystems containment spray and suppression pool cooling isolation valves. Manual overrides for these isolations below the low level setpoint are provided.

Containment high pressure is detected by four instruments to automatically isolate the containment spray mode of RHR when containment depressurization is not required. This Function also precludes inadvertent diversion of LPCI flow unless containment overpressurization is indicated. This variable is monitored by four pressure switches, whose contacts provide input to two trip systems. The outputs of the contacts are arranged in a one-out-of-two taken twice logic for each trip system. Each trip system provides an input to the associated subsystems containment spray valves.

High Pressure Coolant Injection System The HPCI System may be initiated by either automatic or manual means, although manual initiation requires manipulation of individual pump and valve control switches.

Automatic initiation occurs for conditions of Reactor Vessel (continued)

JAFNPP B 3.3.5.1-4 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND High Pressure Coolant Injection System (continued)

Water Level- Low Low (Level 2) or Drywell Pressure-High.

Each of these variables is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic for each Function.

The HPCI pump discharge flow and pressure are monitored by a flow switch and pressure switch, respectively. When the pump is running (as indicated by the pressure switch) and discharge flow is low enough so that pump overheating may occur, the minimum flow return line valve is opened. The valve is automatically closed if flow is above the minimum flow setpoint to allow the full system flow assumed in the accident analysis.

The HPCI test line isolation valve is closed upon receipt of a HPCI initiation signal to allow the full system flow assumed in the accident analysis.

The HPCI System also monitors the water levels in the condensate storage tanks (CSTs) and the suppression pool because these are the two sources of water for HPCI operation. Reactor grade water in the CSTs is the normal source. The CST suction source consists of two CSTs connected in parallel to the HPCI pump suction. Upon receipt of a HPCI initiation signal, the CST suction valve is automatically signaled to open (it is normally in the open position) unless both suppression pool suction valves are open. If the water level in both CSTs falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. Two level switches are used to detect low water level in each CST. One switch associated with each CST can cause the suppression pool suction valves to open and the CST suction valve to close. The suppression pool suction valves also automatically open and the CST suction valve closes if high water level is detected in the suppression pool. Two level switches monitor suppression pool water level. Either switch can cause the suppression pool suction valves to open and the CST suction valves to close. To prevent losing suction to the pump, the suction valves are interlocked so that one suction path must be full open before the other automatically closes.

(continued)

JAFNPP B 3.3.5.1-5 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND High Pressure Coolant Injection System (continued)

The HPCI provides makeup water to the reactor until the reactor vessel water level reaches the Reactor Vessel Water Level -High (Level 8) setting, at which time the HPCI turbine trips, which causes the turbine's stop valve to close. The logic is two-out-of-two to provide high reliability of the HPCI System. The HPCI System automatically restarts if a Reactor Vessel Water Level- Low Low (Level 2) signal is subsequently received.

Automatic Depressurization System The ADS may be initiated by either automatic or manual means, although manual initiation requires the manipulation of the hand switches associated with each ADS valve.

Automatic initiation occurs when signals indicating Reactor Vessel Water Level -Low Low Low (Level 1); confirmed Reactor Vessel Water Level - Low (Level 3); and CS or LPCI Pump Discharge Pressure-High are all present and the ADS Initiation Timer has timed out. There are two transmitters for Reactor Vessel Water Level - Low Low Low (Level 1), and one transmitter for confirmed Reactor Vessel Water Level -Low (Level 3) in each of the two ADS trip systems.

Each of these transmitters connects to a trip unit, which then drives a relay whose contacts form the initiation logic.

Each ADS trip system includes a time delay between satisfying the initiation logic and the actuation of the ADS valves. The ADS Initiation Timer time delay setpoint chosen is long enough that the HPCI has sufficient operating time to recover to a level above Level 1, yet not so long that the LPCI and CS Systems are unable to adequately cool the fuel if the HPCI fails to maintain that level. An alarm in the control room is annunciated when either of the timers is timing. Resetting the ADS initiation signals prior to time out of the ADS Initiation Timers resets the ADS Initiation Timers.

The ADS also monitors the discharge pressures of the four LPCI pumps and the two CS pumps. Each ADS trip system includes two discharge pressure permissive switches from one CS and from two LPCI pumps in the associated Division (i.e.,

Division 1 CS subsystem A and LPCI pumps A and C input to ADS trip system A, and Division 2 CS subsystem B and LPCI pumps B and D input to ADS trip system B). The signals are used as a permissive for ADS actuation, indicating that there is a source of core coolant available once the ADS has (continued)

.IAFNPP B 3.3.5.1-6 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND Automatic Depressurization System (continued) depressurized the vessel. Any one of the six low pressure pumps is sufficient to permit automatic depressurization.

The switches associated with one ADS trip system also provide signals to the other ADS trip system, but these signals are not required for the other ADS trip system to be considered OPERABLE.

The ADS logic in each trip system is arranged in two strings. Each string has a contact from Reactor Vessel Water Level- Low Low Low (Level 1). One of the two strings in each trip system must also have a confirmed Reactor Vessel Water Level -Low (Level 3). All contacts in both logic strings must close, the ADS initiation timer must time out, and a CS or LPCI pump discharge pressure signal must be present to initiate an ADS trip system. Either the A or B trip system will cause all the ADS relief valves to open.

Once the ADS initiation signal is present, it is individually sealed in until manually reset.

Manual inhibit switches are provided in the control room for the ADS; however, their function is not required for ADS OPERABILITY (provided ADS is not inhibited when required to be OPERABLE).

Emergency Diesel Generators The EDGs may be initiated by either automatic or manual means. Automatic initiation occurs for conditions of Reactor Vessel Water Level- Low Low Low (Level 1) or Drywell Pressure-High. Each of these diverse variables is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the four trip units associated with each diverse variable are connected to relays whose contacts provide input to two trip systems. Each trip system is arranged in a one-out-of-two taken twice logic for each Function. One trip system will start EDG-A and EDG-C. The other trip system will start EDG-B and EDG-D. The EDGs receive their initiation signals from the LPCI and CS System initiation logic. The EDGs are also initiated upon loss of voltage signals. (Refer to the Bases for LCO 3.3.8.1, "Loss of Power (LOP)

Instrumentation," for a discussion of these signals.) The EDGs can also be started manually from the control room and locally from the associated EDG room. The EDG initiation signal is a sealed in signal and must be manually reset.

The EDG initiation logic is reset by resetting the (continued)

JAFNPP B 3.3.5.1-7 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND Emergency Diesel Generators (continued) associated ECCS initiation logic. Upon receipt of an ECCS initiation signal, each EDG is automatically started, is ready to load in approximately 10 seconds, and will run in standby conditions (rated voltage and speed, with the EDG output breaker open). The EDGs will only energize their respective emergency buses if a loss of preferred power occurs. (Refer to Bases for LCO 3.3.8.1.)

APPLICABLE The actions of the ECCS are explicitly assumed in the safety SAFETY ANALYSES, analyses of References 1, 2, 3, and 4. The ECCS is LCO, and initiated to preserve the integrity of the fuel cladding by APPLICABILITY limiting the post LOCA peak cladding temperature to less than the 10 CFR 50.46 limits.

ECCS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 5). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITY of the ECCS instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Table 3.3.5.1-1 is modified by two footnotes. Footnote (a) is added to clarify that the associated functions are required to be OPERABLE in MODES 4 and 5 only when their supported ECCS are required to be OPERABLE per LCO 3.5.2, "ECCS-Shutdown." Footnote (b) is added to show that certain ECCS instrumentation Functions also perform EDG initiation.

Allowable Values are specified for each ECCS Function specified in the table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS.

Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water (continued)

JAFNPP B 3.3.5.1-8 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE level), and when the measured output value of the process SAFETY ANALYSES, parameter exceeds the setpoint, the associated device (e.g.,

LCO, and trip unit) changes state. The analytic limits are derived APPLICABILITY from the limiting values of the process parameters obtained (continued) from the safety analysis or other appropriate documents.

The trip setpoints are derived from the analytical limits and account for all worst case instrumentation uncertainties as appropriate (e.g., drift, process effects, calibration uncertainties, and severe environmental errors (for channels that must function in harsh environments as defined by 10 CFR 50.49)). The trip setpoints derived in this manner provide adequate protection because all expected uncertainties are accounted for. The Allowable Values are then derived from the trip setpoints by accounting for normal effects that would be seen during periodic surveillance or calibration. These effects are instrumentation uncertainties observed during normal operation (e.g., drift and calibration uncertainties).

In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions that may require ECCS (or EDG) initiation to mitigate the consequences of a design basis transient or accident. To ensure reliable ECCS and EDG function, a combination of Functions is required to provide primary and secondary initiation signals.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

Core Spray and Low Pressure Coolant Injection Systems 1.a, 2.a. Reactor Vessel Water Level-Low Low Low (Level 1)

Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result.

The low pressure ECCS and associated EDGs are initiated at Level 1 to ensure that core spray and flooding functions are available to prevent or minimize fuel damage. The EDGs are initiated from Function l.a and 2.a. The Reactor Vessel Water Level -Low Low Low (Level 1) is one of the Functions assumed to be OPERABLE and capable of initiating the ECCS during the transients analyzed in Reference 3. In addition, the Reactor Vessel Water Level - Low Low Low (Level 1)

Function is directly assumed in the analysis of the recirculation line break (Refs. 1, 2, and 4). The core (continued)

JAFNPP B 3.3.5.1-9 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE l.a, 2.a. Reactor Vessel Water Level- Low Low Low (Level 1)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY cooling function of the ECCS, along with the scram action of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level - Low Low Low (Level 1) signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level - Low Low Low (Level 1)

Allowable Value is chosen to allow time for the low pressure core flooding systems to activate and provide adequate cooling. The Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 6).

Thus, four channels of the CS and LPCI Reactor Vessel Water Level -Low Low Low (Level 1) Function are only required to be OPERABLE when the ECCS are required to be OPERABLE to ensure that no single instrument failure can preclude ECCS initiation. Per Footnote (a) to Table 3.3.5.1-1, this ECCS Function is only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems; LCO 3.8.1 and LCO 3.8.2, "AC Sources- Shutdown," for Applicability Bases for the EDGs.

1.b, 2.b. Drywell Pressure-High High pressure in the drywell could indicate a break in the reactor coolant pressure boundary (RCPB). The low pressure ECCS and associated EDGs are initiated upon receipt of the Drywell Pressure-High Function in order to minimize the possibility of fuel damage. The EDGs are initiated from Function 1.b and 2.b. The Drywell Pressure-High Function, along with the Reactor Water Level- Low Low Low (Level 1)

Function, is directly assumed in the analysis of the recirculation line break (Refs. 1, 2, and 4). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

(continued)

JAFNPP B 3.3.5.1-10 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE l.b, 2.b. Drywell Pressure-High (continued)

SAFETY ANALYSES, LCO, and High drywell pressure signals are initiated from four APPLICABILITY pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment.

The Drywell Pressure-High Function is required to be OPERABLE when the ECCS or EDG(s) are required to be OPERABLE in conjunction with times when the primary containment is required to be OPERABLE. Thus, four channels of the CS and LPCI Drywell Pressure-High Function are required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single instrument failure can preclude ECCS and EDG initiation. In MODES 4 and 5, the Drywell Pressure-High Function is not required, since there is insufficient energy in the reactor to pressurize the primary containment to Drywell Pressure-High setpoint. Refer to LCO 3.5.1 for Applicability Bases for the low pressure ECCS subsystems and to LCO 3.8.1 for Applicability Bases for the EDGs.

1.c, 2.c. Reactor Pressure-Low (Injection Permissive)

Low reactor pressure signals are used as permissives for the low pressure ECCS subsystems. This ensures that, prior to opening the injection valves of the low pressure ECCS subsystems, the reactor pressure has fallen to a value below these subsystems' maximum design pressure. The Reactor Pressure- Low is one of the Functions assumed to be OPERABLE and capable of permitting initiation of the ECCS during the transients analyzed in Reference 3. In addition, the Reactor Pressure- Low Function is directly assumed in the analysis of the recirculation line break (Refs. 1, 2, and 4). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

The Reactor Pressure-Low signals are initiated from four pressure transmitters that sense the reactor dome pressure.

The Allowable Value is low enough to prevent overpressuring the equipment in the low pressure ECCS, but high enough to ensure that the ECCS injection prevents the fuel peak cladding temperature from exceeding the limits of 10 CFR 50.46.

(continued)

JAFNPP B 3.3.5.1-11 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 1.c, 2.c. Reactor Pressure-Low (Injection Permissive)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY Four channels of Reactor Pressure- Low Function are only required to be OPERABLE when the ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude ECCS initiation. Per Footnote (a) to Table 3.3.5.1-1, this ECCS Function is only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.

1.d, 2.f. Core Spray and Low Pressure Coolant Injection Pump Start-Time Delay Relay The purpose of these time delay relays is to stagger the start of the CS and LPCI pumps to enable sequential loading of the appropriate AC source. The CS and LPCI Pump Start Time Delay Relays are assumed to be OPERABLE in the accident analyses requiring ECCS initiation. That is, the analyses assumes that the pumps will initiate when required and no excess loading of the power sources will occur.

There are two CS and four LPCI Pump Start-Time Delay Relays, one in each of the CS and LPCI pump start circuits. While each time delay relay is dedicated to a single pump start circuit, a single failure of a CS or LPCI Pump Start-Time Delay Relay could result in the failure of a CS pump and both the LPCI pumps powered from the same emergency bus to perform their intended function within the assumed ECCS response time (e.g., as in the case where one inoperable time delay relay results in more than one pump starting at nearly the same time). In the worst case this would still leave the other three low pressure ECCS pumps OPERABLE; thus, the single failure of one instrument does not preclude ECCS initiation. The Allowable Values for the CS and LPCI Pump Start-Time Delay Relays are chosen to be short enough so that ECCS operation is within the time period assumed in the accident analyses.

Each CS and LPCI Pump Start-Time Delay Relay Function is required to be OPERABLE only when the associated CS and LPCI subsystem is required to be OPERABLE. Per Footnote (a) to Table 3.3.5.1-1, this ECCS Function is only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the CS and LPCI subsystems.

(continued)

JAFNPP B 3.3.5.1-12 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 1.e, 2.g, l.f. Core Spray and Low Pressure Coolant SAFETY ANALYSES, Injection Pump Discharge Flow -Low (Bypass), Core Spray LCO, and Pump Discharge Pressure- High (Bypass)

APPLICABILITY (continued) The minimum flow instruments are provided to protect the associated low pressure ECCS pump from overheating when the pump is operating at reduced flows. The minimum flow line valve is opened when low flow is sensed (if the associated pump is detected to be operating), and the valve is automatically closed when the flow rate is adequate to protect the pump. The CS pump is detected to be operating by sensing high pump discharge pressure, while the LPCI pumps are detected to be operating by the use of pump motor breaker auxiliary contacts. The LPCI and CS Pump Discharge Flow- Low and the CS Pump Discharge Pressure- High (Bypass)

Functions are assumed to be OPERABLE and capable of closing the minimum flow valves to ensure that the low pressure ECCS flows assumed during the transients and accidents analyzed in References 1, 2, 3, and 4 are met. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. One differential pressure indicating switch per CS pump and one differential pressure indicating switch per LPCI subsystem are used to detect the associated subsystems' flow rates. In addition, one pressure switch per CS pump is used to detect the associated pumps discharge pressure. The logic is arranged such that each differential pressure indicating switch causes its associated minimum flow valve to open. For CS, both the differential pressure indicating switch and the pressure switch must actuate to cause the valve to open. The logic will close the minimum flow valve once the closure setpoint of the associated differential pressure indicating switch is exceeded. The LPCI minimum flow valves are time delayed such that the valves will not open for 10 seconds after the switches detect low flow. The time delay is provided to limit reactor vessel inventory loss during the startup of the RHR shutdown cooling mode. The Pump Discharge Flow- Low Allowable Values are high enough to ensure that the pump flow rate is sufficient to protect the pump, yet low enough to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core. The Core Spray Pump Discharge Pressure-High (Bypass) Allowable Value is less than the pump discharge pressure when the pump is operating in a full flow mode and high enough to avoid any (continued)

JAFNPP B 3.3.5.1-13 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE i.e, 2.g, 1.f. Core Spray and Low Pressure Coolant SAFETY ANALYSES, Injection Pump Discharge Flow- Low (Bypass), Core Spray LCO, and Pump Discharge Pressure-High (Bypass) (continued)

APPLICABILITY condition that results in a discharge pressure permissive when the CS pump is aligned for injection and the pump is not running.

Each channel of Pump Discharge Flow- Low Function (two CS channels and four LPCI channels) and each channel of Core Spray Pump Discharge Pressure-High (Bypass) are only required to be OPERABLE when the associated ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude the ECCS function. Per Footnote (a) to Table 3.3.5.1-1, this ECCS Function is only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.

2.d. Reactor Pressure-Low (Recirculation Discharge Valve Permissive)

Low reactor pressure signals are used as permissives for recirculation discharge valve closure. This ensures that the LPCI subsystems inject into the proper RPV location assumed in the safety analysis. The Reactor Pressure-Low is one of the Functions assumed to be OPERABLE and capable of closing the valve during the transients analyzed in Reference 3. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Pressure-Low Function is directly assumed in the analysis of the recirculation line break (Refs. 1, 2 and 4).

The Reactor Pressure- Low signals are initiated from four pressure transmitters that sense the reactor dome pressure.

The Allowable Value is chosen to ensure that the valves close prior to commencement of LPCI injection flow into the core, as assumed in the safety analysis.

Four channels of the Reactor Pressure- Low Function are only required to be OPERABLE in MODES 1, 2, and 3 with the associated recirculation pump discharge valve open. With the valve(s) closed, the function of the instrumentation has been performed; thus, the Function is not required. In (continued)

JAFNPP B 3.3.5.1-14 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 2.d. Reactor Pressure- Low (Recirculation Discharge SAFETY ANALYSES, Valve Permissive) (continued)

LCO, and APPLICABILITY MODES 4 and 5, the loop injection location is not critical since LPCI injection through the recirculation loop in either direction will still ensure that LPCI flow reaches the core (i.e., there is no significant reactor steam dome back pressure).

2.e. Reactor Vessel Shroud Level (Level 0)

The Reactor Vessel Shroud Level (Level 0) Function is provided as a permissive to allow the RHR System to be manually aligned from the LPCI mode to the suppression pool cooling/spray or drywell spray modes. The reactor vessel shroud level permissive ensures that water in the vessel is approximately two thirds core height before the manual transfer is allowed. This ensures that LPCI is available to prevent or minimize fuel damage. This function may be overridden during accident conditions as allowed by plant procedures. Reactor Vessel Shroud Level (Level 0) Function is implicitly assumed in the analysis of the recirculation line break (Refs. 1, 2 and 4) since the analysis assumes that no LPCI flow diversion occurs when reactor water level is below Level 0.

Reactor Vessel Shroud Level (Level 0) signals are initiated from two level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Reactor Vessel Shroud Level (Level 0) Allowable Value is chosen to allow the low pressure core flooding systems to activate and provide adequate cooling before allowing a manual transfer.

The Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 6).

Two channels of the Reactor Vessel Shroud Level (Level 0)

Function are only required to be OPERABLE in MODES 1, 2, and 3. In MODES 4 and 5, the specified initiation time of the LPCI subsystems is not assumed, and other administrative controls are adequate to control the valves associated with this Function (since the systems that the valves are opened for are not required to be OPERABLE in MODES 4 and 5 and are normally not used).

(continued)

JAFNPP B 3.3.5.1-15 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 2.h. Containment Pressure-High SAFETY ANALYSES, LCO, and The Containment Pressure-High Function is provided as an APPLICABILITY isolation of the containment spray mode of RHR on decreasing (continued) containment pressure following manual actuation of the system. This isolation ensures excessive depressurization of the containment does not occur due to containment spray actuation. This Function also serves as an interlock permissive to allow the RHR System to be manually aligned from the LPCI mode to the containment spray mode after containment pressure has exceeded the trip setting. The permissive ensures that containment pressure is elevated before the manual transfer is allowed. This ensures that LPCI is available to prevent or minimize fuel damage until such time that the operator determines that containment pressure control is needed. The Containment Pressure-High Function is implicitly assumed in the analysis of LOCAs inside containment (Refs. 1, 2, and 4) since the analysis assumes that containment spray occurs when containment pressure is high.

Containment Pressure-High signals are initiated from four pressure switches that sense drywell pressure. The Containment Pressure-High lower Allowable Value is chosen to ensure isolation of containment spray prior to a negative containment pressure occurring. This maintains margin to the negative design pressure and minimizes operation of the reactor building-to-suppression chamber vacuum breakers, which in turn prevents de-inerting the atmosphere. The upper Allowable Value is chosen to ensure containment spray is not isolated when there may be a need for containment spray.

Four channels of the Containment Pressure-High Function are only required to be OPERABLE in MODES 1, 2, and 3. In MODES 4 and 5, containment spray is not assumed to be initiated, and other administrative controls are adequate to control the valves that this Function isolates.

High Pressure Coolant Injection System 3.a. Reactor Vessel Water Level -Low Low (Level 2)

Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the HPCI System is initiated at Level 2 to maintain level above the top of the active fuel. In addition, the Standby Gas (continued)

JAFNPP B 3.3.5.1-16 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 3.a. Reactor Vessel Water Level -Low Low (Level 2)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY Treatment (SGT) System suction valves receive an open signal so that the gland seal exhaust from the HPCI turbine can be treated. Opening of the SGT System suction valves results in automatic starting of the SGT System. The Reactor Vessel Water Level- Low Low (Level 2) is one of the Functions assumed to be OPERABLE and capable of initiating HPCI during the transients analyzed in Reference 3. Additionally, the Reactor Vessel Water Level -Low Low (Level 2) Function associated with HPCI is assumed to be OPERABLE and capable of initiating HPCI in the analysis of line breaks (Refs. 1 and 4). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level -Low Low (Level 2) signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level -Low Low (Level 2) Allowable Value is high enough such that for complete loss of feedwater flow, the Reactor Core Isolation Cooling (RCIC)

System flow with HPCI assumed to fail will be sufficient to avoid initiation of low pressure ECCS at Reactor Vessel Water Level-Low Low Low (Level 1). The Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 6).

The HPCI, RCIC and ATWS-RPT initiation functions (as described in Table 3.3.5.1-1, Function 3.a; Table 3.3.5.2-1, Function 1; and LCO 3.3.4.1.a including SR 3.3.4.1.4, respectively) describe the reactor vessel water level initiation function as "Low Low (Level 2)." The Allowable Values associated with the HPCI and RCIC initiation function is different from the Allowable Value associated with the ATWS-RPT initiation function as the ATWS function has a separate analog trip unit. Nevertheless, consistent with the nomenclature typically used in design documents, the "Low Low (Level 2)" is retained in describing each of these three initiation functions.

(continued)

JAFNPP B 3.3.5.1-17 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 3.a. Reactor Vessel Water Level -Low Low (Level 2)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY Four channels of Reactor Vessel Water Level - Low Low (Level 2) Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation. Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.b. Drywell Pressure-High High pressure in the drywell could indicate a break in the RCPB. The HPCI System is initiated upon receipt of the Drywell Pressure-High Function in order to minimize the possibility of fuel damage. In addition, SGT System suction valves receive an open signal so that the gland seal exhaust from the HPCI turbine can be treated. Opening of the SGT System suction valves results in automatic starting of SGT.

The Drywell Pressure-High Function, along with the Reactor Water Level -Low Low (Level 2) Function, is assumed to be OPERABLE and capable of initiating HPCI in the analysis of line breaks (Refs. 1 and 4). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

High drywell pressure signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible to be indicative of a LOCA inside primary containment.

Four channels of the Drywell Pressure-High Function are required to be OPERABLE when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation. Refer to LCO 3.5.1 for the Applicability Bases for the HPCI System.

3.c. Reactor Vessel Water Level -High (Level 8)

High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel. Therefore, the Level 8 signal is used to trip the HPCI turbine to prevent overflow into the main steam lines (MSLs). The Reactor Vessel Water Level-High (Level 8) Function is not assumed in the accident and transient analyses. It was retained since it is a potentially significant contributor to risk.

(continued)

JAFNPP B 3.3.5.1-18 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 3.c. Reactor Vessel Water Level -High (Level 8)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY Reactor Vessel Water Level -High (Level 8) signals for HPCI are initiated from two level transmitters from the narrow range water level measurement instrumentation. Both Level 8 signals are required in order to trip the HPCI turbine.

This ensures that no single instrument failure can preclude HPCI initiation. The Reactor Vessel Water Level -High (Level 8) Allowable Value is chosen to prevent flow from the HPCI System from overflowing into the MSLs. The Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 6).

Two channels of Reactor Vessel Water Level -High (Level 8)

Function are required to be OPERABLE only when HPCI is required to be OPERABLE. Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.d. Condensate Storage Tank Level - Low Low level in the CSTs indicates the unavailability of an adequate supply of makeup water from this normal source.

Normally the suction valve between HPCI and the CSTs is open and, upon receiving a HPCI initiation signal, water for HPCI injection would be taken from the CSTs. However, if the water level in both CSTs falls below a preselected level, the suppression pool suction valves automatically open.

Opening the suppression pool suction valves causes the CST suction valve to automatically close. This ensures that an adequate supply of makeup water is available to the HPCI pump. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be full open before the CST suction valve automatically closes. The Function is implicitly assumed in the accident and transient analyses (which take credit for HPCI) since the analyses assume that the HPCI suction source is the suppression pool.

Condensate Storage Tank Level- Low signals are initiated from four level switches (2 per CST). The logic is arranged such that one switch associated with each CST must actuate to cause the suppression pool suction valves to open and the CST suction valve to close. The Condensate Storage Tank Level -Low Function Allowable Value is high enough to ensure (15,600 gallons of water is available in each CST) adequate pump suction head while water is being taken from the CSTs.

(continued)

JAFNPP B 3.3.5.1-19 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 3.d. Condensate Storage Tank Level-Low (continued)

SAFETY ANALYSES, LCO, and Four channels of the Condensate Storage Tank Level -Low APPLICABILITY Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI swap to suppression pool source.

Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.e. Suppression Pool Water Level-High Excessively high suppression pool water could result in the loads on the suppression pool exceeding design values should there be a blowdown of the reactor vessel pressure through the safety/relief valves. Therefore, signals indicating high suppression pool water level are used to transfer the suction source of HPCI from the CSTs to the suppression pool to eliminate the possibility of HPCI continuing to provide additional water from a source outside containment. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be full open before the CST suction valve automatically closes.

This Function is implicitly assumed in the accident and transient analyses (which take credit for HPCI) since the analyses assume that the HPCI suction source is the suppression pool.

Suppression Pool Water Level -High signals are initiated from two level switches. The logic is arranged such that either switch can cause the suppression pool suction valves to open and the CST suction valve to close. The Allowable Value for the Suppression Pool Water Level - High Function is chosen to ensure that HPCI will be aligned for suction from the suppression pool before the water level reaches the point at which suppression pool design loads would be exceeded.

Two channels of Suppression Pool Water Level -High Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI swap to suppression pool source. Refer to LCO 3.5.1 for HPCI Applicability Bases.

(continued)

JAFNPP B 3.3.5.1-20 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 3.f, 3.g. High Pressure Coolant Injection Pump Discharge SAFETY ANALYSES, Flow-Low (Bypass), High Pressure Coolant Injection Pump LCO, and Discharge Pressure-High (Bypass)

APPLICABILITY (continued) The minimum flow instruments are provided to protect the HPCI pump from overheating when the pump is operating at reduced flow. The minimum flow line valve is opened when low flow is sensed (if the HPCI pump is operating), and the valve is automatically closed when the discharge flow rate is adequate to protect the pump. Pump operation is determined by sensing high pump discharge pressure. The High Pressure Coolant Injection Pump Discharge Flow- Low and Pump Discharge Pressure- High Functions are assumed to be OPERABLE and capable of opening the minimum flow valve to protect the pump and closing the minimum flow valve to ensure that the ECCS flow assumed during the transients and accidents analyzed in References 1, 2 and 4 are met. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

One flow switch is used to detect the HPCI System's flow rate and one pressure switch is used to detect the HPCI pump discharge pressure. The logic is arranged such that the flow switch and pressure switch must actuate to cause the minimum flow valve to open. The logic will close the minimum flow valve once the flow closure setpoint is exceeded.

The High Pressure Coolant Injection Pump Discharge Flow- Low Allowable Value is high enough to ensure that pump flow rate is sufficient to protect the pump, yet low enough to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core. The High Pressure Coolant Injection Pump Discharge Pressure-High (Bypass) Allowable Value is less than the pump discharge pressure when the pump is operating in a full flow mode and high enough to avoid any condition that results in a discharge pressure permissive when the HPCI pump is aligned for injection and the pump is not running.

One channel of each Function is required to be OPERABLE when the HPCI is required to be OPERABLE. Refer to LCO 3.5.1 for HPCI Applicability Bases.

(continued)

JAFNPP B 3.3.5.1-21 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE Automatic Depressurization System SAFETY ANALYSES, LCO, and 4.a, 5.a. Reactor Vessel Water Level-Low Low Low (Level 1)

APPLICABILITY (continued) Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, ADS receives one of the signals necessary for initiation from this Function. The Reactor Vessel Water Level - Low Low Low (Level 1) is one of the Functions assumed to be OPERABLE and capable of initiating the ADS during the accident analyzed in References 1, 2, and 4. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level - Low Low Low (Level 1) signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low Low Low (Level 1) Function are required to be OPERABLE only when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two channels input to ADS trip system A, while the other two channels input to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

The Reactor Vessel Water Level - Low Low Low (Level 1)

Allowable Value is chosen to allow time for the low pressure core flooding systems to initiate and provide adequate cooling. The Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 6).

4.b, 5.b. Automatic Depressurization System Initiation Timer The purpose of the Automatic Depressurization System Initiation Timer is to delay depressurization of the reactor vessel to allow the HPCI System time to maintain reactor vessel water level. Since the rapid depressurization caused by ADS operation is one of the most severe transients on the reactor vessel, its occurrence should be limited. By delaying initiation of the ADS Function, the operator is given the chance to monitor the success or failure of the HPCI System to maintain water level, and then to decide (continued)

JAFNPP B 3.3.5.1-22 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 4.b, 5.b. Automatic Depressurization System Initiation SAFETY ANALYSES, Timer (continued)

LCO, and APPLICABILITY whether or not to allow ADS to initiate, to delay initiation further by recycling the timer, or to inhibit initiation permanently. The Automatic Depressurization System Initiation Timer Function is assumed to be OPERABLE for the accident analyses of Reference 1, 2, and 4 that require ECCS initiation and assume failure of the HPCI System.

There are two Automatic Depressurization System Initiation Timer relays, one in each of the two ADS trip systems. The Allowable Value for the Automatic Depressurization System Initiation Timer is chosen so that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling.

Two channels of the Automatic Depressurization System Initiation Timer Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. (One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.c, 5.c. Reactor Vessel Water Level-Low (Level 3)

The Reactor Vessel Water Level -Low (Level 3) Function is used by the ADS only as a confirmatory low water level signal. ADS receives one of the signals necessary for initiation from Reactor Vessel Water Level- Low Low Low (Level 1) signals. In order to prevent spurious initiation of the ADS due to spurious Level 1 signals, a Level 3 signal must also be received before ADS initiation commences.

Reactor Vessel Water Level-Low (Level 3) signals are initiated from two level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Allowable Value for Reactor Vessel Water Level-Low (Level 3) is selected to be the same as the RPS Level 3 scram Allowable Value for convenience. Refer to LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," for the Bases discussion of this Function. The Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 6).

(continued)

JAFNPP B 3.3.5.1-23 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 4.c, 5.c. Reactor Vessel Water Level-Low (Level 3)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY Two channels of Reactor Vessel Water Level -Low (Level 3)

Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.d, 4.e, 5.d, 5.e. Core Spray and Low Pressure Coolant Injection Pump Discharge Pressure-High The Pump Discharge Pressure-High signals from the CS and LPCI pumps are used as permissives for ADS initiation, indicating that there is a source of low pressure cooling water available once the ADS has depressurized the vessel.

Pump Discharge Pressure-High is one of the Functions assumed to be OPERABLE and capable of permitting ADS initiation during the events analyzed in References 1, 2, and 4 with an assumed HPCI failure. For these events the ADS depressurizes the reactor vessel so that the low pressure ECCS can perform the core cooling function. This core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Pump discharge pressure signals are initiated from twelve pressure switches, two on the discharge side of each of the six low pressure ECCS pumps. In order to generate an ADS permissive in one trip system, it is necessary that only one pump (both channels for the pump) indicate the high discharge pressure condition. The Pump Discharge Pressure-High Allowable Value is less than the pump discharge pressure when the pump is operating in a full flow mode and high enough to avoid any condition that results in a discharge pressure permissive when the CS and LPCI pumps are aligned for injection and the pumps are not running.

The actual operating point of this function is not assumed in any transient or accident analysis. However, this function is implicitly assumed to operate to provide the ADS permissive to depressurize the RCS to allow the ECCS low pressure systems to operate.

Twelve channels of Core Spray and Low Pressure Coolant Injection Pump Discharge Pressure-High Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can (continued)

JAFNPP B 3.3.5.1-24 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 4.d, 4.e, 5.d, 5.e. Core Spray and Low Pressure Coolant SAFETY ANALYSES, Injection Pump Discharge Pressure-High (continued)

LCO, and APPLICABILITY preclude ADS initiation. Two CS channels associated with CS pump A and four LPCI channels associated with LPCI pumps A and C are required for trip system A. Two CS channels associated with CS pump B and four LPCI channels associated with LPCI pumps B and D are required for trip system B.

Refer to LCO 3.5.1 for ADS Applicability Bases.

ACTIONS A Note has been provided to modify the ACTIONS related to ECCS instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable ECCS instrumentation channels provide appropriate compensatory measures for separate inoperable Condition entry for each inoperable ECCS instrumentation channel.

A.1 Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.1-1. The applicable Condition referenced in the table is Function dependent.

Each time a channel is discovered inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.

B.1, B.2, and B.3 Required Actions B.1 and B.2 are intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in redundant automatic initiation capability being lost for the feature(s). Required Action B.1 features would be those that are initiated by Functions 1.a, 1.b, 2.a, and 2.b (e.g., low pressure ECCS). The Required Action B.2 system would be HPCI. For Required Action B.1, redundant automatic initiation capability is lost if (a) two or more Function 1.a channels are inoperable and untripped such that both trip systems lose initiation capability, (b) two or (continued)

JAFNPP B 3.3.5.1-25 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS B.1, B.2, and B.3 (continued) more Function 2.a channels are inoperable and untripped such that both trip systems lose initiation capability, (c) two or more Function L.b channels are inoperable and untripped such that both trip systems lose initiation capability, or (d) two or more Function 2.b channels are inoperable and untripped such that both trip systems lose initiation capability. For low pressure ECCS, since each inoperable channel would have Required Action B.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system of low pressure ECCS and EDGs to be declared inoperable. However, since channels in both associated low pressure ECCS subsystems (e.g., both CS subsystems) are inoperable and untripped, and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in the associated low pressure ECCS and EDGs being concurrently declared inoperable.

For Required Action B.2, redundant automatic HPCI initiation capability is lost if two or more Function 3.a or two or more Function 3.b channels are inoperable and untripped such that trip capability is lost. In this situation (loss of redundant automatic initiation capability), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Action B.3 is not appropriate and the HPCI System must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . As noted (Note 1 to Required Action B.1), Required Action B.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the low pressure ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of initiation capability for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (as allowed by Required Action B.3) is allowed during MODES 4 and 5.

There is no similar Note provided for Required Action B.2 since HPCI instrumentation is not required in MODES 4 and 5; thus, a Note is not necessary.

Notes are also provided (Note 2 to Required Action B.1 and the Note to Required Action B.2) to delineate which Required Action is applicable for each Function that requires entry into Condition B if an associated channel is inoperable.

This ensures that the proper loss of initiation capability check is performed. Required Action B.1 (the Required Action for certain inoperable channels in the low pressure ECCS subsystems) is not applicable to Functions 2.e and 2.h, since these Functions provide backup to administrative controls ensuring that operators do not divert LPCI flow from injecting into the core when needed, and do not spray the containment unless needed. Thus, a total loss of (continued)

JAFNPP B 3.3.5.1-26 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS B.1, B.2, and B.3 (continued)

Function 2.e or 2.h capability for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed, since the LPCI subsystems remain capable of performing their intended function.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

For Required Action B.1, the Completion Time only begins upon discovery that a redundant feature in the same system (e.g., both CS subsystems) cannot be automatically initiated due to inoperable, untripped channels within the same Function as described in the paragraph above. For Required Action B.2, the Completion Time only begins upon discovery that the HPCI System cannot be automatically initiated due to two inoperable, untripped channels for the associated Function in the same trip system. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months has been shown to be acceptable (Ref. 7) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action B.3. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition H must be entered and its Required Action taken.

C.1 and C.2 Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the same Function result in redundant automatic initiation capability being lost for the feature(s). Required Action C.1 features would be those that are initiated by Functions 1.c, 1.d, 2.c, 2.d, and 2.f (i.e., low pressure (continued)

JAFNPP B 3.3.5.1-27 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS C.1 and C.2 (continued)

ECCS). Redundant automatic initiation capability is lost if either (a) two or more Function 1.c channels are inoperable such that both trip systems lose initiation capability, (b) two Function 1.d channels are inoperable, (c) two or more Function 2.c channels are inoperable such that both trip systems lose initiation capability, (d) two or more Function 2.d channels are inoperable such that both trip systems lose initiation capability, or (e) three Function 2.f channels are inoperable. In this situation (loss of redundant automatic initiation capability), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Action C.2 is not appropriate and the feature(s) associated with the inoperable channels must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . Since each inoperable channel would have Required Action C.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system to be declared inoperable. However, since channels for both low pressure ECCS subsystems are inoperable (e.g.,

both CS subsystems), and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in both subsystems being concurrently declared inoperable. For Functions 1.c, 1.d, 2.c, 2.d, and 2.f, the affected portions are the associated low pressure ECCS pumps. As noted (Note 1), Required Action C.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of automatic initiation capability for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (as allowed by Required Action C.2) is allowed during MODES 4 and 5.

Note 2 states that Required Action C.1 is only applicable for Functions 1.c, 1.d, 2.c, 2.d, and 2.f. Required Action C.1 is not applicable to Function 3.c (which also requires entry into this Condition if a channel in this Function is inoperable), since the loss of one channel results in a loss of the Function (two-out-of-two logic).

This loss was considered during the development of Reference 7 and considered acceptable for the 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed by Required Action C.2.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

For Required Action C.1, the Completion Time only begins upon discovery that the same feature in both subsystems (continued)

JAFNPP B 3.3.5.1-28 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS C.1 and C.2 (continued)

(e.g., both CS subsystems) cannot be automatically initiated due to inoperable channels within the same Function as described in the paragraph above. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months has been shown to be acceptable (Ref. 7) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would either cause the initiation or it would not necessarily result in a safe state for the channel in all events.

D.1, D.2.1, and D.2.2 Required Action D.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic component initiation capability for the HPCI System. Automatic component initiation capability is lost if two Function 3.d channels associated with one CST or two Function 3.e channels are inoperable and untripped. In this situation (loss of automatic suction swap), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Actions D.2.1 and D.2.2 is not appropriate and the HPCI System must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after discovery of loss of HPCI initiation capability. As noted, Required Action D.1 is only applicable if the HPCI pump suction is not aligned to the suppression pool, since, if aligned, the Function is already performed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

For Required Action D.1, the Completion Time only begins upon discovery that the HPCI System cannot be automatically aligned to the suppression pool due to two inoperable, untripped channels in the same Function. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months (continued)

JAFNPP B 3.3.5.1-29 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS D.1, D.2.1, and D.2.2 (continued)

Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months has been shown to be acceptable (Ref. 7) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1 or the suction source must be aligned to the suppression pool per Required Action D.2.2. Placing the inoperable channel in trip performs the intended function of the channel (shifting the suction source to the suppression pool). Performance of either of these two Required Actions will allow operation to continue. If Required Action D.2.1 or D.2.2 is performed, measures should be taken to ensure that the HPCI System piping remains filled with water. Alternately, if it is not desired to perform Required Actions D.2.1 and D.2.2 (e.g.,

as in the case where shifting the suction source could drain down the HPCI suction piping), Condition H must be entered and its Required Action taken.

E.1 and E.2 Required Action E.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the Core Spray and Low Pressure Coolant Injection Pump Discharge Flow-Low Bypass and the Core Spray Pump Discharge Pressure- High Functions result in redundant automatic initiation capability being lost for the feature(s). For Required Action E.1, the features would be those that are initiated by Functions 1.e, 1.f, and 2.g (e.g., low pressure ECCS). Redundant automatic initiation capability is lost if (a) two Function i.e channels are inoperable, (b) two Function 1.f channels are inoperable, (c) two Function 2.g channels are inoperable, or (d) one Function i.e channel and one Function 1.f channel associated with different CS pumps are inoperable. Since each inoperable channel would have Required Action E.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected low pressure ECCS pump to be declared inoperable.

However, since channels for more than one low pressure ECCS pump are inoperable, and the Completion Times started (continued)

JAFNPP B 3.3.5.1-30 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS E.1 and E.2 (continued) concurrently for the channels of the low pressure ECCS pumps, this results in the affected low pressure ECCS pumps being concurrently declared inoperable.

In this situation (loss of redundant automatic initiation capability), the 7 day allowance of Required Action E.2 is not appropriate and the subsystem associated with each inoperable channel must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . As noted (Note 1 to Required Action E.1), Required Action E.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of initiation capability for 7 days (as allowed by Required Action E.2) is allowed during MODES 4 and 5. A Note is also provided (Note 2 to Required Action E.1) to delineate that Required Action E.1 is only applicable to low pressure ECCS Functions. Required Action E.1 is not applicable to HPCI Functions 3.f and 3.g since the loss of one channel results in a loss of the Function (one-out-of one logic). This loss was considered during the development of Reference 7 and considered acceptable for the 7 days allowed by Required Action E.2.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

For Required Action E.1, the Completion Time only begins upon discovery that a redundant feature in the same system (e.g., both CS subsystems) cannot be automatically initiated due to inoperable channels within the same Function as described in the paragraph above. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels.

If the instrumentation that controls the pump minimum flow valve is inoperable, such that the valve will not automatically open, extended pump operation with no injection path available could lead to pump overheating and failure. If there were a failure of the instrumentation, such that the valve would not automatically close, a portion of the pump flow could be diverted from the reactor vessel injection path, causing insufficient core cooling. These consequences can be averted by the operator's manual control of the valve, which would be adequate to maintain ECCS pump (continued)

JAFNPP B 3.3.5.1-31 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS E.1 and E.2 (continued) protection and required flow. Furthermore, other ECCS pumps would be sufficient to complete the assumed safety function if no additional single failure were to occur. The 7 day Completion Time of Required Action E.2 to restore the inoperable channel to OPERABLE status is reasonable based on the remaining capability of the associated ECCS subsystems, the redundancy available in the ECCS design, and the low probability of a DBA occurring during the allowed out of service time. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken.

The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.

F.1 and F.2 Required Action F.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within similar ADS trip system A and B Functions result in redundant automatic initiation capability being lost for the ADS. Redundant automatic initiation capability is lost if either (a) one Function 4.a channel and one Function 5.a channel are inoperable and untripped, or (b) one Function 4.c channel and one Function 5.c channel are inoperable and untripped.

In this situation (loss of automatic initiation capability),

the 96 hour0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months or 8 day allowance, as applicable, of Required Action F.2 is not appropriate and all ADS valves must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after discovery of loss of ADS initiation capability.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

For Required Action F.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable, untripped channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

(continued)

JAFNPP B 3.3.5.1-32 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS F.1 and F.2 (continued)

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 7) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE. If either HPCI or RCIC is inoperable, the time is shortened to 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months . If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months , the 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable, untripped channel cannot exceed 8 days. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable, untripped channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action F.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition H must be entered and its Required Action taken.

G.1 and G.2 Required Action G.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within similar ADS trip system Functions result in automatic initiation capability being lost for the ADS. Automatic initiation capability is lost if either (a) one Function 4.b channel and one Function 5.b channel are inoperable, or (b) a combination of Function 4.d, 4.e, 5.d, and 5.e channels are inoperable such that channels associated with five or more low pressure ECCS pumps are inoperable.

In this situation (loss of automatic initiation capability),

the 96 hour0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months or 8 day allowance, as applicable, of Required Action G.2 is not appropriate, and all ADS valves must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after discovery of loss of ADS initiation capability.

(continued)

JAFNPP B 3.3.5.1-33 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS G.1 and G.2 (continued)

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

For Required Action G.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 7) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE (Required Action G.2). If either HPCI or RCIC is inoperable, the time shortens to 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months . If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months , the 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable channel cannot exceed 8 days. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.

H.1 With any Required Action and associated Completion Time not met, the associated feature(s) may be incapable of performing the intended function, and the supported feature(s) associated with inoperable untripped channels must be declared inoperable immediately.

SURVEILLANCE As noted in the beginning of the SRs, the SRs for each ECCS REQUIREMENTS instrumentation Function are found in the SRs column of Table 3.3.5.1-1.

(continued)

JAFNPP B 3.3.5.1-34 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES SURVEILLANCE The Surveillances are modified by a Note to indicate that REQUIREMENTS when a channel is placed in an inoperable status solely for (continued) performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months as follows: (a) for Functions 3.c, 3.f, and 3.g; (b) for Functions other than 3.c, 3.f, and 3.g provided the associated Function or redundant Function maintains ECCS initiation capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 7) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the ECCS will initiate when necessary.

SR 3.3.5.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK guarantees that undetected outright channel failure is limited to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Channel agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

(continued)

JAFNPP B 3.3.5.1-35 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES SURVEILLANCE SR 3.3.5.1.2 REQUIREMENTS (continued) A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days is based on the reliability analyses of Reference 7.

SR 3.3.5.1.3 and SR 3.3.5.1.5 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency of SR 3.3.5.1.3 is based upon the assumption of a 92 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

The Frequency of SR 3.3.5.1.5 is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.5.1.4 Calibration of trip units provides a check of the actual trip setpoints. The channel must be declared inoperable if the trip setting is discovered to be less conservative than the Allowable Value specified in Table 3.3.5.1-1. If the trip setting is discovered to be less conservative than (continued)

JAFNPP B 3.3.5.1-36 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES SURVEILLANCE SR 3.3.5.1.4 (continued)

REQUIREMENTS accounted for in the appropriate setpoint methodology, but is not beyond the Allowable Value, the channel performance is still within the requirements of the plant safety analyses. Under these conditions, the setpoint must be readjusted to be equal to or more conservative than the setting accounted for in the appropriate setpoint methodology.

The Frequency of 184 days is based on the reliability, accuracy, and lower failure rates of the associated solid state electronic Analog Transmitter/Trip System components.

SR 3.3.5.1.6 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.1, LCO 3.5.2, LCO 3.8.1, and LCO 3.8.2 overlaps this Surveillance to complete testing of the assumed safety function.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown that these components usually pass the Surveillance when performed at the 24 month Frequency.

REFERENCES 1. UFSAR, Section 6.5.

2. UFSAR, Section 14.6.

3. UFSAR, Section 14.5.

4. NEDC-31317P, Revision 2, James A. FitzPatrick Nuclear Power Plant, SAFER/GESTR-LOCA, Loss-of-Coolant Accident Analysis, April 1993.

5. 10 CFR 50.36(c)(2)(ii).

6. Drawing 11825-5.01-15D, Rev. D, Reactor Assembly Nuclear Boiler, (GE Drawing 919D690BD).

(continued)

JAFNPP B 3.3.5.1-37 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES REFERENCES 7. NEDC-30936P-A, BWR Owners' Group Technical (continued) Specification Improvement Methodology (With Demonstration for BWR ECCS Actuation Instrumentation),

Part 2, December 1988.

JAFNPP B 3.3.5.1-38 Revision 0

ML021750488

Text

Navigation menu

Search