Text

Technical Specifications, Amendment Conversion to Improved Technical Specifications (TAC No. MA5049), B 3.3 Instrumentation
	ML021970142
Person / Time
Site:	FitzPatrick
Issue date:	07/03/2002
From:	Vissing G; NRC/NRR/DLPM/LPD1
To:	Kansler M; Entergy Nuclear Operations
	Vissing G, NRR/DLPM, 415-1441
Shared Package
ML021980178	List: ML021620504; ML021970028; ML021970071; ML021970084; ML021970092; ML021970095; ML021970102; ML021970138; ML021970142;
References
	NUREG-1433, Rev 1, NUREG-1434, Rev 1, TAC MA5049
	Download: ML021970142 (160)
	v • d • e

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 B 3.3 INSTRUMENTATION B 3.3.2.2 Feedwater and Main Turbine High Water Level Trip Instrumentation BASES BACKGROUND The feedwater and main turbine high water level trip instrumentation is designed to detect a potential failure of the Feedwater Level Control System that causes excessive feedwater flow.

With excessive feedwater flow, the water level in the reactor vessel rises toward the high water level, Level 8 reference point, causing the trip of the two feedwater pump turbines and the main turbine.

Reactor Vessel Water Level -High (Level 8) signals are provided by level sensors that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level in the reactor vessel (variable leg). Three channels of Reactor Vessel Water Level -High (Level 8) instrumentation are provided as input to each of three trip systems. Each trip system is arranged with a two-out-of-three initiation logic such that two high water level trip signals are necessary for the trip system to actuate. One trip system trips one feedwater pump turbine, another trip system trips the other feedwater pump turbine, and the third trip system trips the main turbine. The channels include electronic equipment (e.g., alarm units) that compares measured input signals with pre- established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a feedwater and main turbine trip signal to the trip logic.

A trip of the feedwater pump turbines limits further increase in reactor vessel water level by limiting further addition of feedwater to the reactor vessel. A trip of the main turbine and closure of the stop valves protects the turbine from damage due to water entering the turbine.

APPLICABLE The feedwater and main turbine high water level trip SAFETY ANALYSES instrumentation is assumed to be capable of providing a turbine trip in the design basis transient analysis for a feedwater controller failure, maximum demand event (Ref. 1).

The Level 8 trip indirectly initiates a reactor scram from the main turbine trip (above 30% RTP) and trips the feedwater pumps, thereby terminating the event. The reactor scram mitigates the reduction in MCPR.

(continued)

JAFNPP B 3.3.2.2-1 Revision 0

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES APPLICABLE Feedwater and main turbine high water level trip SAFETY ANALYSES instrumentation satisfies Criterion 3 of (continued) 10 CFR 50.36(c)(2)(ii) (Ref. 2).

LCO The LCO requires three channels of the Reactor Vessel Water Level -High (Level 8) instrumentation to be OPERABLE to ensure that no single instrument failure will prevent the feedwater pump turbines and main turbine trip on a valid Level 8 signal. Two of the three channels are needed to provide trip signals in order for the feedwater and main turbine trips to occur. Each channel must have its setpoint set within the specified Allowable Value of SR 3.3.2.2.3.

The Allowable Value is set to ensure that the thermal limits are not exceeded during the event. The Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the reactor pressure vessel and also corresponds to the top of a 144 inch fuel column (Ref. 3). The actual setpoint is calibrated to be consistent with the applicable setpoint methodology assumptions. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.

Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., alarm unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The trip setpoints are derived from the analytic limits and account for all worst case instrumentation uncertainties as appropriate (e.g., drift, process affects, calibration uncertainties, and severe environmental errors (for channels that must function in harsh environments as defined by 10 CFR 50.49)). The trip setpoints derived in this manner provide adequate protection because all expected uncertainties are accounted for. The Allowable Values are then derived from the trip setpoints by accounting for (continued)

JAFNPP B 3.3.2.2-2 Revision 0

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES LCO normal effects that would be seen during periodic (continued) surveillance or calibration. These affects are instrumentation uncertainties during normal operation (e.g.,

drift and calibration uncertainties).

APPLICABILITY The feedwater and main turbine high water level trip instrumentation is required to be OPERABLE at Ž 25% RTP to ensure that the fuel cladding integrity Safety Limit and the cladding 1% plastic strain limit are not violated during the feedwater controller failure, maximum demand event. As discussed in the Bases for LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)," and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)," sufficient margin to these limits exists below 25% RTP; therefore, these requirements are only necessary when operating at or above this power level.

ACTIONS A Note has been provided to modify the ACTIONS related to feedwater and main turbine high water level trip instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable feedwater and main turbine high water level trip instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable feedwater and main turbine high water level trip instrumentation channel.

A.1 With one channel inoperable, the remaining two OPERABLE channels can provide the required trip signal. However, overall instrumentation reliability is reduced because a single failure in one of the remaining channels concurrent with feedwater controller failure, maximum demand event, may result in the instrumentation not being able to perform its intended function. Therefore, continued operation is only (continued)

JAFNPP B 3.3.2.2-3 Revision 0

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES ACTIONS A.1 (continued) allowed for a limited time with one channel inoperable. If the inoperable channel cannot be restored to OPERABLE status within the Completion Time, the channel must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue with no further restrictions. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in a feedwater or main turbine trip), Condition C must be entered and its Required Action taken.

The Completion Time of 7 days is based on the low probability of the event occurring coincident with a single failure in a remaining OPERABLE channel.

B.1 With two or more channels inoperable, the feedwater and main turbine high water level trip instrumentation cannot perform its design function (feedwater and main turbine high water level trip capability is not maintained). Therefore, continued operation is only permitted for a 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months period, during which feedwater and main turbine high water level trip capability must be restored. The trip capability is considered maintained when sufficient channels are OPERABLE or in trip such that the feedwater and main turbine high water level trip logic will generate a trip signal on a valid signal. This requires two channels to each be OPERABLE or in trip. If the required channels cannot be restored to OPERABLE status or placed in trip, Condition C must be entered and its Required Action taken.

The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time is sufficient for the operator to take corrective action, and takes into account the likelihood of an event requiring actuation of feedwater and main turbine high water level trip instrumentation occurring during this period. It is also consistent with the 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time provided in LCO 3.2.2 for Required Action A.1, since this instrumentation's purpose is to preclude a MCPR violation.

(continued)

JAFNPP B 3.3.2.2-4 Revision 0

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2_

BASES ACTIONS C.1 and C.2 (continued)

With the required channels not restored to OPERABLE status or placed in trip, THERMAL POWER must be reduced to

< 25% RTP within 4 hours0.167 days 0.0238 weeks 0.00548 months . Alternatively, the affected stop valve(s) may be removed from service since this performs the intended function of the instrumentation. As discussed in the Applicability section of the Bases, operation below 25% RTP results in sufficient margin to the required limits, and the feedwater and main turbine high water level trip instrumentation is not required to protect fuel integrity during the feedwater controller failure, maximum demand event. The allowed Completion Time of 4 hours0.167 days 0.0238 weeks 0.00548 months is based on operating experience to reduce THERMAL POWER to < 25% RTP from full power conditions in an orderly manner and without challenging plant systems. Required Action C.1 is modified by a Note which states that the Required Action is only applicable if the inoperable channel is the result of an inoperable feedwater pump turbine stop valve or main turbine stop valve. The Note clarifies the situations under which the associated Required Action would be the appropriate Required Action.

SURVEILLANCE The Surveillances are modified by a Note to indicate that REQUIREMENTS when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours0.25 days 0.0357 weeks 0.00822 months provided the associated Function maintains feedwater and main turbine high water level trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 4) assumption that 6 hours0.25 days 0.0357 weeks 0.00822 months is the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the feedwater pump turbines and main turbine will trip when necessary.

SR 3.3.2.2.1 Performance of the CHANNEL CHECK once every 24 hours1 days 0.143 weeks 0.0329 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument (continued)

JAFNPP B 3.3.2.2-5 Revision 0

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2_

BASES SURVEILLANCE SR 3.3.2.2.1 (continued)

REQU IREMENTS channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels, or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Channel agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limits.

The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel status during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.2.2.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

As noted, the CHANNEL FUNCTIONAL TEST is only required to be performed when in MODE 4 for > 24 hours1 days 0.143 weeks 0.0329 months . In MODE 4, the plant is in a condition where a loss of a feedwater pump turbine or a main turbine trip will not jeopardize steady state power operation. The design of the trip systems do not permit functional testing of this trip function without lifting electrical leads. Consequently, testing the trip (continued)

JAFNPP B 3.3.2.2-6 Revision 0

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2_

BASES SURVEILLANCE SR 3.3.2.2.2 (continued)

REQUIREMENTS systems on-line poses an unacceptable risk of an inadvertent trip of the feedwater pump turbines and main turbine, resulting in a plant transient. The 24 hours1 days 0.143 weeks 0.0329 months is intended to indicate an outage of sufficient duration to allow for scheduling a proper performance of the Surveillance.

The 92 day Frequency and the Note to this Surveillance are based on Reference 5.

SR 3.3.2.2.3 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.2.2.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the feedwater and main turbine valves is included as part of this Surveillance and overlaps the LOGIC SYSTEM FUNCTIONAL TEST to provide complete testing of the assumed safety function. Therefore, if a valve is incapable of operating, the associated instrumentation would also be inoperable. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown that these components usually pass the Surveillance when performed at the 24 month Frequency.

REFERENCES 1. UFSAR, Section 14.5.9.

2. 10 CFR 50.36(c)(2)(ii).

(continued)

JAFNPP B 3.3.2.2-7 Revision 0

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES REFERENCES 3. Drawing 11825-5.01-15D, Rev. D, Reactor Assembly (continued) Nuclear Boiler, (GE Drawing 919D690BD).

4. GENE-770-06-1-A, Bases for Changes to Surveillance Test Intervals and Allowed Out-Of-Service Times for Selected Instrumentation Technical Specifications, December 1992.

5. NRC letter dated June 19, 1995, Amendment 225 for James A. FitzPatrick Nuclear Power Plant.

JAFNPP B 3.3.2.2-8 Revision 0

PAM Instrumentation B 3.3.3.1_

B 3.3 INSTRUMENTATION B 3.3.3.1 Post Accident Monitoring (PAM) Instrumentation BASES BACKGROUND The primary purpose of the PAM instrumentation is to display plant variables that provide information required by the control room operators during accident situations. This information provides the necessary support for the operator to take the manual actions for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for Design Basis Events.

The instruments that monitor these variables are designated as Type A, Category 1, and non-Type A, Category 1, in accordance with Regulatory Guide 1.97 (Ref. 1).

The OPERABILITY of the accident monitoring instrumentation ensures that there is sufficient information available on selected plant parameters to monitor and assess plant status and behavior following an accident. This capability is consistent with the recommendations of Reference 1.

APPLICABLE The PAM instrumentation LCO ensures the OPERABILITY of SAFETY ANALYSES Regulatory Guide 1.97, Type A variables so that the control room operating staff can:

Perform the diagnosis specified in the Emergency Operating Procedures (EOPs). These variables are restricted to preplanned actions for the primary success path of Design Basis Accidents (DBAs),

(e.g., loss of coolant accident (LOCA)), and Take the specified, preplanned, manually controlled actions for which no automatic control is provided, which are required for safety systems to accomplish their safety function.

The PAM instrumentation LCO also ensures OPERABILITY of Category 1, non-Type A, variables so that the control room operating staff can:

"* Determine whether systems important to safety are performing their intended functions;

"* Determine the potential for causing a gross breach of the barriers to radioactivity release; Determine whether a gross breach of a barrier has occurred; and (continued)

B 3.3.3.1-1 Revision 0 JAFNPP

PAM Instrumentation B 3.3.3.1 BASES APPLICABLE Initiate action necessary to protect the public and SAFETY ANALYSES for an estimate of the magnitude of any potential (continued) exposure.

The plant specific Regulatory Guide 1.97 Analysis (Ref. 2) documents the process that identified Type A and Category 1, non-Type A, variables.

Accident monitoring instrumentation that satisfies the definition of Type A in Regulatory Guide 1.97 meets Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 3). Category 1, non-Type A, instrumentation is retained in Technical Specifications (TS) because they are intended to assist operators in minimizing the consequences of accidents.

Therefore, these Category 1 variables are important for reducing public risk.

LCO LCO 3.3.3.1 requires two OPERABLE channels for all but one Function to ensure that no single failure prevents the operators from being presented with the information necessary to determine the status of the plant and to bring the plant to, and maintain it in, a safe condition following an accident. Furthermore, provision of two channels allows a CHANNEL CHECK during the post accident phase to confirm the validity of displayed information.

The exception to the two channel requirement is primary containment isolation valve (PCIV) position. In this case, the important information is the status of the primary containment penetrations. The LCO requires one position indicator for each active PCIV. This is sufficient to redundantly verify the isolation status of each isolable penetration either via indicated status of the active valve and prior knowledge of passive valve or via system boundary status. If a normally active PCIV is known to be closed and deactivated, position indication is not needed to determine status. Therefore, the position indication for valves in this state is not required to be OPERABLE.

The following list is a discussion of the specified instrument Functions listed in Table 3.3.3.1-1 in the accompanying LCO.

1. Reactor Vessel Pressure Reactor vessel pressure is a Category 1 variable provided to support monitoring of Reactor Coolant System (RCS) integrity and to verify operation of the Emergency Core Cooling (continued)

JAFNPP B 3.3.3.1-2 Revision 0

PAM Instrumentation B 3.3.3.1 BASES LCO 1. Reactor Vessel Pressure (continued)

Systems (ECCS). Two independent pressure transmitters with a range of 0 psig to 1500 psig monitor pressure and associated independent wide range recorders are the primary indication used by the operator during an accident.

Therefore, the PAM Specification deals specifically with these portions of the instrument channel.

2. Reactor Vessel Water Level Reactor vessel water level is a Category 1 variable provided to support monitoring of core cooling and to verify operation of the ECCS. The reactor vessel water level channels provide the PAM Reactor Vessel Water Level Function. The reactor vessel water level channels cover a range from -150 inches (just below the bottom of the active fuel) to +224.5 inches, as referenced (zero) from the top of active fuel (TAF). Reactor vessel water level is measured in overlapping stages by separate independent differential pressure transmitters. Two reactor vessel water level (fuel zone) channels monitor the range from -150 inches to +200 inches (TAF). One fuel zone channel consists of a transmitter and indicator and the other channel consists of a transmitter and recorder. Two reactor vessel water level (wide range) channels monitor the range from +14.5 inches to

+224.5 inches (TAF). The upper limit corresponds to a level of 63.5 inches below the centerline of the main steam lines.

Likewise, one wide range channel consists of a transmitter and indicator and the other channel consists of a transmitter and recorder. These transmitters and associated indicators and recorders provide the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with these portions of the instrument channel.

The reactor vessel water level wide range instruments are uncompensated for variation in reactor water density and are calibrated to be most accurate at operational pressure and temperature. The fuel level instruments are calibrated for cold conditions.

3. Suppression Pool Water Level (Wide Range)

Suppression pool water level is a Category 1 variable provided to detect a breach in the reactor coolant pressure boundary (RCPB). This variable is also used to verify and provide long term surveillance of ECCS function. The wide (continued)

JAFNPP B 3.3.3.1-3 Revision 0

PAM Instrumentation B 3.3.3.L BASES LCO 3. Suppression Pool Water Level (Wide Range) (continued) range suppression pool water level measurement provides the operator with sufficient information to assess the status of both the RCPB and the water supply to the ECCS. The wide range water level instruments have a range of 1.7 feet to 27.5 feet. Two wide range suppression pool water level signals are transmitted from separate differential pressure transmitters and are continuously monitored by two level indicators and recorded on two recorders in the control room. These transmitters, indicators and recorders provide the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with these portions of the instrument channel.

4. Drywell Pressure Drywell pressure is a Category 1 variable provided to detect breach of the RCPB and to verify ECCS functions that operate to maintain RCS integrity. The drywell pressure channels cover a range of -5 psig to +250 psig. The drywell pressure is measured in overlapping stages by separate independent pressure transmitters. Two drywell pressure (narrow range) channels monitor the range from -5 psig to +5 psig. Two drywell pressure (wide range) channels monitor the range from 0 psig to 250 psig. Each drywell pressure channel consists of a separate independent transmitter with an associated indicator and recorder in the control room.

These transmitters and associated indicators and recorders provide the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with these portions of the instrument channel.

5. Containment High Range Radiation Containment high range radiation channels are provided to monitor the potential of significant releases of radioactive material and to provide release assessment for use by operators in determining the need to invoke site emergency plans. Two physically separated and redundant radiation detectors with a range of 1 R/hr to 1E8 R/hr are located inside the drywell. The detectors provide a signal to separate process radiation monitors located in the control room. These radiation detectors and associated monitors provide the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with these portions of the instrument channel.

(continued)

JAFNPP B 3.3.3.1-4 Revision 0

PAM Instrumentation B 3.3.3.1 BASES LCO(continued) 6. Drywell Temperature Drywell temperature is a Category 1 variable provided to detect a breach in the RCPB and to verify ECCS functions that operate to maintain RCS integrity. Two drywell temperature channels monitor the range from 40'F to 440'F.

Each drywell temperature channel consists of a separate temperature sensor, with an associated recorder in the control room. These temperature sensors and associated recorders provide the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with these portions of the instrument channel.

7. Primary Containment Isolation Valve (PCIV) Position PCIV position is a Category 1 variable provided for verification of containment integrity. In the case of PCIV position, the important information is the isolation status of the containment penetration. Therefore, this Function is not required for isolation valves whose associated penetration flow path is isolated by at least one closed and deactivated automatic valve, closed manual valve, blind flange, or check valve with flow through the valve secured (as noted in footnote (a) to Table 3.3.3.1-1). The LCO requires one channel of valve position indication in the control room to be OPERABLE for each active PCIV in a containment penetration flow path, i.e., two total channels of PCIV position indication for a penetration flow path with two active valves. For containment penetrations with only one active PCIV having control room indication, Note (b) requires a single channel of valve position indication to be OPERABLE. This is sufficient to redundantly verify the isolation status of each isolable penetration via indicated status of the active valve, as applicable, and prior knowledge of passive valve or system boundary status. If a penetration flow path is isolated, position indication for the PCIV(s) in the associated penetration flow path is not needed to determine status. Therefore, the position indication for valves in an isolated penetration flow path is not required to be OPERABLE. Each penetration is treated separately and each penetration flow path is considered a separate Function. Therefore, separate Condition entry is allowed for each inoperable penetration flow path.

The PCIV position PAM instrumentation consists of position switches mounted on the valves for the positions to be indicated, associated wiring and control room indicating (continued)

JAFNPP B 3.3.3.1-5 Revision 0

PAM Instrumentation B 3.3.3.L BASES LCO 7. Primary Containment Isolation Valve (PCIV) Position (continued) lamps for active PCIVs (check valves and manual valves are not required to have position indication). These position switches and associated indicators in the control room provide the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with these portions of the instrument channel.

8. Primary Containment Hydrogen and Oxygen Concentration Primary containment hydrogen and oxygen concentration is a Category 1 variable provided to detect high hydrogen or oxygen concentration conditions that represent a potential for containment breach. This variable is also important in verifying the adequacy of mitigating actions. The primary containment hydrogen and oxygen concentration channels consists of two redundant analyzers. Each analyzer contains a hydrogen and an oxygen detector. Each analyzer can be aligned to sample air from one of four sample points (3 points in the drywell and 1 point in the suppression chamber). Sample air passes through the hydrogen analyzer and the oxygen analyzer and is returned to the suppression chamber air space. During normal operation, the Division I analyzer samples the suppression chamber and the Division II analyzer samples the drywell. The analyzers are capable of determining oxygen and hydrogen concentrations in the range of 0% to 30%, which meets the requirements of Reference 1.

The hydrogen and oxygen concentration from each analyzer may be displayed on its associated recorder in the relay room.

Therefore, the PAM Specification deals specifically with these portions of the instrument channel. A Note allows the primary containment hydrogen and oxygen concentration channels to be inoperable for up to 3 hours0.125 days 0.0179 weeks 0.00411 months per 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months period during Post Accident Sampling System (PASS) operation. PASS operation includes realignment from or to the mode. Operation of the PASS may require isolation of the primary containment hydrogen and oxygen concentration channels. This allowance will ensure that the PASS can perform its post accident monitoring function (Ref. 4) while minimizing the time the primary containment hydrogen and oxygen concentration channels are isolated.

(continued)

JAFNPP B 3.3.3.1-6 Revision 0

PAM Instrumentation B 3.3.3.L BASES LCO 9. Suppression Chamber Pressure (continued)

Suppression chamber pressure is a Category 1 variable provided to verify RCS and containment integrity and to verify the effectiveness of ECCS actions taken to prevent containment breach. Two suppression chamber channels monitor a range from -15 psig to +85 psig. Each channel consists of an independent transmitter and associated recorder in the control room. These transmitters and recorders provide the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with these portions of the instrument channel.

10. Suppression Pool Water Temperature Suppression pool water temperature is a Category 1 variable provided to detect a condition that could potentially lead to containment breach and to verify the effectiveness of ECCS actions taken to prevent containment breach. The suppression pool water temperature instrumentation allows operators to detect trends in suppression pool water temperature. The suppression pool water temperature is monitored by two redundant channels. Each channel consists of sixteen resistance temperature detectors (RTDs) that monitor temperature over a range of 30°F to 230'F. The RTDs are mounted in thermowells spaced at equal intervals around the periphery of the suppression pool. The sixteen RTD signals are averaged and the resulting bulk temperature signal is sent to redundant indicating recorders in the control room. A minimum of fifteen out of sixteen RTDs are required for channel operability. An evaluation (Ref. 5) demonstrates that the maximum error in suppression pool bulk temperature measurement including channel uncertainty is

< 4 0 F with active pool circulation. Thus a 40 F bias has been employed for conservatism. By specifying 15 RTDs the single failure criteria is accounted for. This evaluation conservatively assumed the failure of RTDs at locations that minimized indicated bulk suppression pool temperature and consequently maximized indicated error. These RTDs and recorders provide the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with these portions of the instrument channels.

(continued)

JAFNPP B 3.3.3.1-7 Revision 0

PAM Instrumentation B 3.3.3.1 BASES LCO 11. Drywell Water Level (continued)

Drywell Water Level is a Category 1 variable provided to detect whether plant safety functions are being accomplished. Two drywell water level channels monitor the range from 22 feet to 106 feet. Each drywell water level channel consists of level transmitters, with an associated indicator and recorder in the control room. These level transmitters and associated indicators and recorders provide the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with these portions of the instrument channel.

APPLICABILITY The PAM instrumentation LCO is applicable in MODES 1 and 2.

These variables are related to the diagnosis and preplanned actions required to mitigate DBAs. The applicable DBAs are assumed to occur in MODES 1 and 2. In MODES 3, 4, and 5, plant conditions are such that the likelihood of an event that would require PAM instrumentation is extremely low; therefore, PAM instrumentation is not required to be OPERABLE in these MODES.

ACTIONS Note 1 has been added to the ACTIONS to exclude the MODE change restriction of LCO 3.0.4. This exception allows entry into the applicable MODE while relying on the ACTIONS even though the ACTIONS may eventually require plant shutdown. This exception is acceptable due to the passive function of the instruments, the operator's ability to diagnose an accident using alternative instruments and methods, and the low probability of an event requiring these instruments.

Note 2 has been provided to modify the ACTIONS related to PAM instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable PAM instrumentation channels provide appropriate compensatory measures for separate Functions. As such, a Note has been provided that allows separate Condition entry for each inoperable PAM Function.

(continued)

JAFNPP B 3.3.3.1-8 Revision 0

PAM Instrumentation B 3.3.3.1 BASES ACTIONS A.1 (continued)

When one or more Functions have one required channel that is inoperable, the required inoperable channel must be restored to OPERABLE status within 30 days. The 30 day Completion Time is based on operating experience and takes into account the remaining OPERABLE channels (or, in the case of a Function that has only one required channel, other non-Regulatory Guide 1.97 instrument channels to monitor the Function), the passive nature of the instrument (no critical automatic action is initiated by these instruments), and the low probability of an event requiring PAM instrumentation during this interval.

B.1 If a channel has not been restored to OPERABLE status in 30 days, this Required Action specifies initiation of action in accordance with Specification 5.6.6, which requires a written report to be submitted to the NRC. This report discusses the results of the root cause evaluation of the inoperability and identifies proposed restorative actions.

This action is appropriate in lieu of a shutdown requirement, since alternative actions are identified before loss of functional capability, and given the low probability of an event that would require information provided by this instrumentation.

C.1 When one or more Functions have two required channels that are inoperable (i.e., two channels inoperable in the same Function), one channel in the Function should be restored to OPERABLE status within 7 days. The Completion Time of 7 days is based on the relatively low probability of an event requiring PAM instrument operation and the availability of alternate means to obtain the required information. Continuous operation with two required channels inoperable in a Function is not acceptable because the alternate indications may not fully meet all performance qualification requirements applied to the PAM instrumentation. Therefore, requiring restoration of one inoperable channel of the Function limits the risk that the PAM Function will be in a degraded condition should an accident occur.

(continued)

B 3.3.3.1-9 Revision 0 JAFNPP

PAM Instrumentation B 3.3.3.1_

BASES ACTIONS D.1 (continued)

This Required Action directs entry into the appropriate Condition referenced in Table 3.3.3.1-1. The applicable Condition referenced in the Table is Function dependent.

Each time an inoperable channel has not met the Required Action of Condition C and the associated Completion Time has expired, Condition D is entered for that channel and provides for transfer to the appropriate subsequent Condition.

E.1 For the majority of Functions in Table 3.3.3.1-1, if any Required Action and associated Completion Time of Condition C is not met, the plant must be brought to a MODE in which the LCO not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours0.5 days 0.0714 weeks 0.0164 months .

The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

F.1 Since alternate means of monitoring primary containment area radiation have been developed and tested, the Required Action is not to shut down the plant, but rather to follow the directions of Specification 5.6.6. These alternate means may be temporarily installed if the normal PAM channel cannot be restored to OPERABLE status within the allotted time. The report provided to the NRC should discuss the alternate means used, describe the degree to which the alternate means are equivalent to the installed PAM channels, justify the areas in which they are not equivalent, and provide a schedule for restoring the normal PAM channels.

SURVEILLANCE The Surveillances are modified by a Note to indicate that REQUIREMENTS when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours0.25 days 0.0357 weeks 0.00822 months , provided the other required channel in the associated Function is OPERABLE. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the (continued) 3AFNPP B 3.3.3.1-10 Revision 0

PAM Instrumentation B 3.3.3.L BASES SURVEILLANCE applicable Condition entered and Required Actions taken.

REQUIREMENTS The 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance is acceptable since it does not (continued) significantly reduce the probability of properly monitoring post-accident parameters, when necessary.

SR 3.3.3.1.1 Performance of the CHANNEL CHECK once every 31 days ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel against a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. For the PCIV Position Function, the CHANNEL CHECK consists of verifying the remote indication conforms to expected valve position.

Channel agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Frequency of 31 days is based upon plant operating experience, with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one channel of a given Function in any 31 day interval is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of those displays associated with the channels required by the LCO.

SR 3.3.3.1.2 and SR 3.3.3.1.3 These SRs require a CHANNEL CALIBRATION to be performed.

CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies the channel responds to measured parameter with the necessary range and accuracy. For the PCIV Position Function, the CHANNEL CALIBRATION consists of verifying the remote indication conforms to actual valve position.

(continued)

JAFNPP B 3.3.3.1-11 Revision 0

PAM Instrumentation B 3.3.3.L BASES SURVEILLANCE SR 3.3.3.1.2 and SR 3.3.3.1.3 (continued)

REQUIREMENTS The 92 day Frequency for CHANNEL CALIBRATION of the Primary Containment Hydrogen and Oxygen Concentration channels is based on vendor recommendations. The 24 month Frequency for CHANNEL CALIBRATION of all other PAM instrumentation of Table 3.3.3.1-1 is based on operating experience and consistency with the refueling cycles.

REFERENCES 1. Regulatory Guide 1.97, Revision 3, Instrumentation For Light-Water-Cooled Nuclear Power Plants To Assess Plant And Environs Conditions During And Following An Accident, May 1983.

2. NRC letter, H. I. Abelson to J. C. Brons dated March 14, 1988, regarding conformance to Regulatory Guide 1.97, Rev. 2. Includes NRR Safety Evaluation Report for Regulatory Guide 1.97 and James A. FitzPatrick Nuclear Power Plant.

3. 10 CFR 50.36(c)(2)(ii).

4. UFSAR, Section 9.14.4.

5. DRF-T23-688-1, Error in FitzPatrick Temperature Measurement Based on Monticello In-plant S/RV Test Data.

JAFNPP B 3.3.3.1-12 Revision 0

Remote Shutdown System B 3.3.3.2_

B 3.3 INSTRUMENTATION B 3.3.3.2 Remote Shutdown System BASES BACKGROUND The Remote Shutdown System provides the control room operator with sufficient instrumentation and controls to place and maintain the plant in a safe shutdown condition from locations other than the control room. This capability is necessary to protect against the possibility of the control room becoming inaccessible. A safe shutdown condition is defined as MODE 3. With the plant in MODE 3, the safety/relief valves (S/RVs) and the Residual Heat Removal (RHR) System can be used to remove core decay heat and meet all safety requirements. This is accomplished by depressurizing the reactor pressure vessel (RPV) with the use of seven S/RVs and establishing a long term cooling path. Water is pumped from the suppression pool by an RHR pump, through an RHR heat exchanger and to the RPV via the low pressure coolant injection (LPCI) pathway. As reactor water level increases and the main steam lines become flooded, water is recirculated to the suppression pool through the S/RV discharge piping. The long term supply of water from the suppression pool and the ability to operate the RHR System in this closed loop configuration from outside the control room allows operation in a safe shutdown condition for an extended period of time.

In the event that the control room becomes inaccessible, the operators can establish control at the remote shutdown panel and place and maintain the plant in MODE 3. Not all controls and necessary transfer switches are located at the remote shutdown panel. Other major controls are located at the Automatic Depressurization System (ADS) panel and auxiliary shutdown panels. Some controls and transfer switches will have to be operated locally at the switchgear, motor control panels, or other local stations. The plant is in MODE 3 following a plant shutdown and can be maintained safely in MODE 3 for an extended period of time.

The OPERABILITY of the Remote Shutdown System control and instrumentation Functions ensures that there is sufficient information available on selected plant parameters to place and maintain the plant in MODE 3 should the control room become inaccessible.

(continued)

JAFNPP B 3.3.3.2-1 Revision 0

Remote Shutdown System B 3.3.3.2 BASES (continued)

APPLICABLE The Remote Shutdown System is required to provide equipment SAFETY ANALYSES at appropriate locations outside the control room with a design capability to promptly shut down the reactor to MODE 3, including the necessary instrumentation and controls, to maintain the plant in a safe condition in MODE 3.

The criteria governing the design and the specific system requirements of the Remote Shutdown System are located in the UFSAR (Refs. 1 and 2).

The Remote Shutdown System satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii)(Ref. 3).

LCO The Remote Shutdown System LCO provides the requirements for the OPERABILITY of the instrumentation and controls necessary to place and maintain the plant in MODE 3 from locations other than the control room. The instrumentation and controls required are listed in the Technical Requirements Manual (Reference 4). In addition, as stated in the Technical Requirements Manual, this portion of the Technical Requirements Manual is considered part of these Bases. Thus, changes to the instrumentation and controls listed in the Technical Requirements Manual are controlled by the Technical Specifications Bases Control Program.

The controls, instrumentation, and transfer switches are those required for:

"* Reactor pressure vessel (RPV) pressure control:

"* Decay heat removal;

"* RPV inventory control; and

"* Safety support systems for the above functions, including Emergency Service water, RHR Service water, cresent area unit coolers and onsite power, including the emergency diesel generators.

The Remote Shutdown System is OPERABLE if all instrument and control channels needed to support the remote shutdown function are OPERABLE. In some cases, the required information or control capability may be available from several alternate sources. In these cases, the Remote Shutdown System is OPERABLE as long as one channel of any of the alternate information or control sources for each Function is OPERABLE.

(continued)

JAFNPP B 3.3.3.2-2 Revision 0

Remote Shutdown System B 3.3.3.2 BASES LCO The Remote Shutdown System instruments and control circuits (continued) covered by this LCO do not need to be energized to be considered OPERABLE. This LCO is intended to ensure that the instruments and control circuits will be OPERABLE if plant conditions require that the Remote Shutdown System be placed in operation.

APPLICABILITY The Remote Shutdown System LCO is applicable in MODES 1 and 2. This is required so that the plant can be placed and maintained in MODE 3 for an extended period of time from a location other than the control room.

This LCO is not applicable in MODES 3, 4, and 5. In these MODES, the plant is already subcritical and in a condition of reduced Reactor Coolant System energy. Under these conditions, considerable time is available to restore necessary instrument control Functions if control room instruments or control becomes unavailable. Consequently, the LCO does not require OPERABILITY in MODES 3, 4, and 5.

ACTIONS A Note (Note 1) is included that excludes the MODE change restriction of LCO 3.0.4. This exception allows entry into an applicable MODE while relying on the ACTIONS even though the ACTIONS may eventually require a plant shutdown. This exception is acceptable due to the low probability of an event requiring this system.

Note 2 has been provided to modify the ACTIONS related to Remote Shutdown System Functions. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable Remote Shutdown System Functions provide appropriate compensatory measures for separate Functions.

As such, a Note has been provided that allows separate Condition entry for each inoperable Remote Shutdown System Function.

(continued)

B 3.3.3.2-3 Revision 0 JAFNPP

Remote Shutdown System B 3.3.3.2_

BASES ACTIONS A.1 (continued)

Condition A addresses the situation where one or more required Functions of the Remote Shutdown System is inoperable. This includes any function listed in Reference 4, as well as the control and transfer switches.

The Required Action is to restore the Function (both divisions, if applicable) to OPERABLE status within 30 days.

The Completion Time is based on operating experience and the low probability of an event that would require evacuation of the control room.

B.1 If the Required Action and associated Completion Time of Condition A are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours0.5 days 0.0714 weeks 0.0164 months . The allowed Completion Time is reasonable, based on operating experience, to reach the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE The Surveillances are modified by a Note to indicate that REQUIREMENTS when a channel is placed in an inoperable status solely for preformance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours0.25 days 0.0357 weeks 0.00822 months . Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. The 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance is acceptable since it does not significantly reduce the probability of properly monitoring remote shutdown parameters, when necessary.

SR 3.3.3.2.1 Performance of the CHANNEL CHECK once every 31 days ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of (continued)

JAFNPP B 3.3.3.2-4 Revision 0

Remote Shutdown System B 3.3.3.2 BASES SURVEILLANCE SR 3.3.3.2.1 (continued)

REQUIREMENTS excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Channel agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. As specified in the Surveillance, a CHANNEL CHECK is only required for those channels that are normally energized.

The Frequency is based upon plant operating experience that demonstrates channel failure is rare.

SR 3.3.3.2.2 SR 3.3.3.2.2 verifies each required Remote Shutdown System transfer switch and control circuit performs the intended function. This verification is performed from the remote shutdown panel and locally, as appropriate. Operation of the equipment from the remote shutdown panel is not necessary. The Surveillance can be satisfied by performance of a continuity check. This will ensure that if the control room becomes inaccessible, the plant can be placed and maintained in MODE 3 from the remote shutdown panel, auxiliary shutdown panels and the local control stations.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience demonstrates that Remote Shutdown System control channels usually pass the Surveillance when performed at the 24 month Frequency.

SR 3.3.3.2.3 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. The test verifies the channel responds to measured parameter values with the necessary range and accuracy.

(continued)

JAFNPP B 3.3.3.2-5 Revision 0

Remote Shutdown System B 3.3.3.2_

BASES SURVEILLANCE SR 3.3.3.2.3 (continued)

REQUIREMENTS The 24 month Frequency is based upon operating experience and consistency with the refueling cycle.

REFERENCES 1. UFSAR, Section 16.6.

2. UFSAR, Section 14.5.10.

3. 10 CFR 50.36(c)(2)(ii).

4. Technical Requirements Manual, Appendix D.

JAFNPP B 3.3.3.2-6 Revision 0

ATWS-RPT Instrumentation B 3.3.4.1-B 3.3 INSTRUMENTATION B 3.3.4.1 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT) Instrumentation BASES BACKGROUND The ATWS-RPT System initiates an RPT, adding negative reactivity, following events in which a scram does not (but should) occur, to lessen the effects of an ATWS event.

Tripping the recirculation pumps adds negative reactivity from the increase in steam voiding in the core area as core flow decreases. When Reactor Vessel Water Level -Low Low (Level 2) or Reactor Pressure-High setpoint is reached, the recirculation pump motor generator (MG) drive motor breakers trip.

The ATWS-RPT System (Ref. 1) includes sensors, logic circuits, relays, and switches that are necessary to cause initiation of an RPT. The channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs an ATWS-RPT signal to the trip logic.

The ATWS-RPT logic consists of two trip systems for the Reactor Vessel Water Level - Low Low (Level 2) trip function and two trip systems for the Reactor Pressure -High trip function. Each trip system associated with the Reactor Vessel Water Level - Low Low (Level 2) Function includes two reactor water level channels while each trip system associated with the Reactor Pressure-High Function includes two reactor pressure channels. Each ATWS trip system is a one-out-of-two logic and both trip systems associated with the same function must trip for the ATWS trip logic to actuate. Therefore, the ATWS trip system logic for each Function is one-out-of-two taken twice.

The two channels in each trip system are powered from a common power supply. For each trip function, the two channels in one trip system are powered independently from the two channels in the other trip system. (Divisions 1 and 2). The logic associated with the two trip systems for the Reactor Vessel Water- Low Low (Level 2) trip function and the logic associated with the two trip systems for the Reactor Pressure-High trip function are all powered from one common power supply.

(continued)

B 3.3.4.1-1 Revision 0 JAFNPP

ATWS-RPT Instrumentation B 3.3.4.1 BASES BACKGROUND There is one drive motor breaker provided for each of the (continued) recirculation pump MGs for a total of two breakers. The output of each trip function logic is provided to both recirculation pump MG drive motor breakers.

APPLICABLE The ATWS-RPT is not credited in the safety analysis. The SAFETY ANALYSES, ATWS-RPT initiates an RPT to aid in preserving the integrity LCO, and of the fuel cladding following events in which a scram does APPLICABILITY not, but should, occur. ATWS-RPT instrumentation satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii) (Ref. 2).

The OPERABILITY of the ATWS-RPT is dependent on the OPERABILITY of the individual instrumentation channel Functions. Each Function must have a required number of OPERABLE channels in both trip systems, with their setpoints within the specified Allowable Value of SR 3.3.4.1.4. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. Channel OPERABILITY also includes the associated recirculation pump MG drive motor breakers.

Allowable Values are specified for each ATWS-RPT Function specified in the LCO. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the ATWS analysis. The trip setpoints are derived from the analytical limits and account for all worst case instrumentation uncertainties as appropriate (e.g., drift, process effects, calibration uncertainties, and severe environmental errors (for channels that must function in harsh environments as defined by 10 CFR 50.49)). The trip setpoints derived in this manner provide adequate protection because all expected uncertainties are accounted for. The Allowable Values are then derived from the trip setpoints by accounting for normal effects that would be seen during (continued)

JAFNPP B 3.3.4.1-2 Revision 0

ATWS-RPT Instrumentation B 3.3.4.1 BASES APPLICABLE periodic surveillance or calibration. These effects are during normal SAFETY ANALYSES, instrumentation uncertainties observed uncertainties).

LCO, and operation (e.g., drift and calibration APPLICABILITY (continued) The individual Functions are required to be OPERABLE in MODE 1 to protect against common mode failures of the Reactor Protection System by providing a diverse trip to mitigate the consequences of a postulated ATWS event. The Reactor Pressure-High and Reactor Vessel Water Level -Low Low (Level 2) Functions are required to be OPERABLE in MODE 1, since the reactor is producing significant power and the recirculation system could be at high flow. During this MODE, the potential exists for pressure increases or low water level, assuming an ATWS event. In MODE 2, the reactor is at low power and the recirculation system is at low flow; thus, the potential is low for a pressure increase or low water level, assuming an ATWS event. Therefore, the ATWS-RPT is not necessary. In MODES 3 and 4, the reactor is shut down with all control rods inserted; thus, an ATWS event is not significant and the possibility of a significant pressure increase or low water level is negligible. In MODE 5, the one rod out interlock ensures that the reactor remains subcritical; thus, an ATWS event is not significant. In addition, the reactor pressure vessel (RPV) head is not fully tensioned and no pressure transient threat to the reactor coolant pressure boundary (RCPB) exists.

The specific Applicable Safety Analyses and LCO discussions are listed below on a Function by Function basis.

a. Reactor Vessel Water Level - Low Low (Level 2)

Low RPV water level indicates that a reactor scram should have occurred and the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. The ATWS-RPT System is initiated at Level 2 to assist in the mitigation of the ATWS event. The resultant reduction of core flow reduces the neutron flux and THERMAL POWER and, therefore, the rate of coolant boiloff.

Reactor vessel water level signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

(continued)

B 3.3.4.1-3 Revision 0 JAFNPP

ATWS-RPT Instrumentation B 3.3.4.1-BASES APPLICABLE a. Reactor Vessel Water Level -Low Low (Level 2)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY Four channels of Reactor Vessel Water Level -Low Low (Level 2), with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure can preclude an ATWS-RPT from this Function on a valid signal. The Reactor Vessel Water Level - Low Low (Level 2) Allowable Value is chosen so that the system will not be initiated after a Level 3 scram with feedwater still available, and also provides an opportunity for the high pressure coolant injection (HPCI) and reactor core isolation cooling (RCIC) systems to recover water level if feedwater is not available. The Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 3).

The HPCI, RCIC and ATWS-RPT initiation functions (as described in Table 3.3.5.1-1, Function 3.a; Table 3.3.5.2-1, Function 1; and LCO 3.3.4.1.a including SR 3.3.4.1.4, respectively) describe the reactor vessel water level initiation function as "Low Low (Level 2)." The Allowable Values associated with the HPCI and RCIC initiation function is different from the Allowable Value associated with the ATWS-RPT initiation function as the ATWS function has a separate analog trip unit. Nevertheless, consistent with the nomenclature typically used in design documents, the "Low Low (Level 2)" designation is retained in describing each of these three initiation functions.

b. Reactor Pressure-High Excessively high RPV pressure may rupture the RCPB.

An increase in the RPV pressure during reactor operation compresses the steam voids and results in a positive reactivity insertion. This increases neutron flux and THERMAL POWER, which could potentially result in fuel failure and overpressurization. The Reactor Pressure-High Function initiates an RPT for transients that result in a pressure increase, counteracting the pressure increase by rapidly reducing core power generation. For the overpressurization event, the RPT (continued)

JAFNPP B 3.3.4.1-4 Revision 0

ATWS-RPT Instrumentation B 3.3.4.1_

BASES APPLICABLE b. Reactor Pressure-High (continued)

SAFETY ANALYSES, LCO, and aids in the termination of the ATWS event and, along APPLICABILITY with the safety/relief valves (S/RVs), limits the peak RPV pressure to less than the ASME Section III Code Service Level C limits (1500 psig).

The Reactor Pressure-High signals are initiated from four pressure transmitters that monitor reactor steam dome pressure. Four channels of Reactor Pressure-High, with two channels in each trip system, are available and are required to be OPERABLE to ensure that no single instrument failure can preclude an ATWS-RPT from this Function on a valid signal. The Reactor Pressure-High Allowable Value is chosen to provide an adequate margin to the ASME Section III Code Service Level C allowable Reactor Coolant System pressure. The Allowable Value was derived from the analysis performed in Reference 4.

ACTIONS A Note has been provided to modify the ACTIONS related to ATWS-RPT instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable ATWS-RPT instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable ATWS-RPT instrumentation channel.

A.1 and A.2 With one or more channels inoperable, but with ATWS-RPT capability for each Function maintained (refer to Required Action B.1 Bases), the ATWS-RPT System is capable of performing the intended function. However, the reliability and redundancy of the ATWS-RPT instrumentation is reduced, such that a single failure in the same trip system could result in the inability of the ATWS-RPT System to perform the intended function. Therefore, only a limited time is allowed to restore the inoperable channels to OPERABLE (continued)

JAFNPP B 3.3.4.1-5 Revision 0

ATWS-RPT Instrumentation B 3.3.4.1_

BASES ACTIONS A.1 and A.2 (continued) status. Because of the diversity of sensors available to provide trip signals, the low probability of extensive numbers of inoperabilities affecting both Functions, and the low probability of an event requiring the initiation of ATWS-RPT, 14 days is provided to restore the inoperable channel (Required Action A.1). Alternately, the inoperable channel may be placed in trip (Required Action A.2), since this would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. As noted, placing the channel in trip with no further restrictions is not allowed if the inoperable channel is the result of an inoperable breaker, since this may not adequately compensate for the inoperable breaker (e.g., the breaker may be inoperable such that it will not open). If it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel would result in an RPT), or if the inoperable channel is the result of an inoperable breaker, Condition D must be entered and its Required Actions taken.

B.1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in the Function not maintaining ATWS-RPT trip capability. A Function is considered to be maintaining ATWS-RPT trip capability when sufficient channels are OPERABLE or in trip such that the ATWS-RPT System will generate a trip signal from the given Function on a valid signal, and both recirculation pumps can be tripped. This requires one channel of the Function in each trip system to each be OPERABLE or in trip, and the recirculation pump MG drive motor breakers to be OPERABLE or in trip.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is sufficient for the operator to take corrective action (e.g., restoration or tripping of channels) and takes into account the likelihood of an event requiring actuation of the ATWS-RPT instrumentation during this period and that one Function is still maintaining ATWS-RPT trip capability.

(continued)

JAFNPP B 3.3.4.1-6 Revision 0

ATWS-RPT Instrumentation B 3.3.4.1 BASES ACTIONS C.1 (continued)

Required Action C.1 is intended to ensure that appropriate Actions are taken if multiple, inoperable, untripped channels within both Functions result in both Functions not maintaining ATWS-RPT trip capability. The description of a Function maintaining ATWS-RPT trip capability is discussed in the Bases for Required Action B.1 above.

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is sufficient for the operator to take corrective action and takes into account the likelihood of an event requiring actuation of the ATWS-RPT instrumentation during this period.

D.1 and D.2 With any Required Action and associated Completion Time not met, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 2 within 6 hours0.25 days 0.0357 weeks 0.00822 months (Required Action D.2). Alternately, the associated recirculation pump may be removed from service since this performs the intended function of the instrumentation (Required Action D.1). The allowed Completion Time of 6 hours0.25 days 0.0357 weeks 0.00822 months is reasonable, based on operating experience, both to reach MODE 2 from full power conditions and to remove a recirculation pump from service in an orderly manner and without challenging plant systems. Required Action D.1 is modified by a Note which states that the Required Action is only applicable if the inoperable channel is the result of an inoperable RPT breaker. The Note clarifies the situations under which the associated Required Action would be the appropriate Required Action.

SURVEILLANCE The Surveillances are modified by a Note to indicate that REQUIREMENTS when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into the associated Conditions and Required Actions may be delayed for up to 6 hours0.25 days 0.0357 weeks 0.00822 months provided the associated Function maintains ATWS-RPT trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken.

This Note is based on the reliability analysis (Ref. 6) assumption of the average time required to perform channel (continued)

JAFNPP B 3.3.4.1-7 Revision 0

ATWS-RPT Instrumentation B 3.3.4.1 BASES SURVEILLANCE Surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months REQUIREMENTS testing allowance does not significantly reduce the (continued) probability that the recirculation pumps will trip when necessary.

SR 3.3.4.1.1 Performance of the CHANNEL CHECK once every 12 hours0.5 days 0.0714 weeks 0.0164 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Channel agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the required channels of this LCO.

SR 3.3.4.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

(continued)

JAFNPP B 3.3.4.1-8 Revision 0

ATWS-RPT Instrumentation B 3.3.4.1_

BASES SURVEILLANCE SR 3.3.4.1.2 (continued)

REQUIREMENTS Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days is based on the reliability analysis of Reference 5.

SR 3.3.4.1.3 Calibration of trip units provides a check of the actual trip setpoints. The channel must be declared inoperable if the trip setting is discovered to be less conservative than the Allowable Value specified in SR 3.3.4.1.4. If the trip setting is discovered to be less conservative than the setting accounted for in the appropriate setpoint methodology, but is not beyond the Allowable Value, the channel performance is still within the requirements of the plant safety analysis. Under these conditions, the setpoint must be readjusted to be equal to or more conservative than accounted for in the appropriate setpoint methodology.

The Frequency of 184 days is based on the reliability, accuracy, and low failure rates of these solid-state electronic components.

SR 3.3.4.1.4 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.4.1.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the pump breakers is (continued)

JAFNPP B 3.3.4.1-9 Revision 0

ATWS-RPT Instrumentation B 3.3.4.1 BASES SURVEILLANCE SR 3.3.4.1.5 (continued)

REQU IREMENTS included as part of this Surveillance and overlaps the LOGIC SYSTEM FUNCTIONAL TEST to provide complete testing of the assumed safety function. Therefore, if a breaker is incapable of operating, the associated instrument channels would be inoperable.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown these components usually pass the Surveillance when performed at the 24 month Frequency.

REFERENCES 1. UFSAR, Figure 7.4-9 Reactor Recirculation System (FCD).

2. 10 CFR 50.36(c)(2)(ii).

3. Drawing 11825-5.01-15D, Rev. D, Reactor Assembly Nuclear Boiler, (GE Drawing 919D690BD).

4. "ATWS Overpressure Analysis for FitzPatrick," GE-NE A42-00137-2-01, March 2000.

5. GENE-770-06-1-A, Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications, December 1992.

JAFNPP B 3.3.4.1-10 Revision 0

ECCS Instrumentation B 3.3.5.1 B 3.3 INSTRUMENTATION B 3.3.5.1 Emergency Core Cooling System (ECCS) Instrumentation BASES BACKGROUND The purpose of the ECCS instrumentation is to initiate appropriate responses from the systems to ensure that the fuel is adequately cooled in the event of a design basis accident or transient.

For most abnormal operational transients and Design Basis Accidents (DBAs), a wide range of dependent and independent parameters are monitored.

The ECCS instrumentation actuates core spray (CS), low pressure coolant injection (LPCI), high pressure coolant injection (HPCI), Automatic Depressurization System (ADS),

and the emergency diesel generators (EDGs). The equipment involved with each of these systems is described in the Bases for LCO 3.5.1, "ECCS-Operating" and LCO 3.8.1, "AC Sources - Operating."

Core Spray System The CS System may be initiated by either automatic or manual means, although manual initiation requires manipulation of individual pump and valve control switches. Automatic initiation occurs for conditions of Reactor Vessel Water Level -Low Low Low (Level 1) or Drywell Pressure-High; or both. Each of these diverse variables is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the four trip units associated with each diverse variable are connected to relays whose contacts provide input to two trip systems.

Each trip system is arranged in a one-out-of-two taken twice logic for each Function. Each trip system initiates one of two CS pumps and provides an open signal to both injection valves associated with the same CS pump. Once an initiation signal is received by the CS control circuitry, the signal is sealed in until manually reset.

Upon receipt of an initiation signal, if preferred power is available, both CS pumps start after approximately an 11 second time delay. If a CS initiation signal is received when preferred power is not available, the CS pumps start after approximately 11 seconds after the bus is energized by the EDGs.

(continued)

JAFNPP B 3.3.5.1-1 Revision 0

ECCS Instrumentation B 3.3.5.L BASES BACKGROUND Core Spray System (continued)

The normally closed CS test line isolation valve, which is also a primary containment isolation valve (PCIV), is closed on a CS initiation signal to allow full system flow assumed in the accident analyses and maintain primary containment isolated in the event CS is not operating.

The CS pump discharge flow and pressure are monitored by a differential pressure indicating switch and a pressure switch, respectively. When the pump is running (as indicated by the pressure switch) and discharge flow is low enough so that pump overheating may occur, the minimum flow return line valve is opened. The valve is automatically closed if flow is above the minimum flow setpoint to allow the full system flow assumed in the accident analysis.

The CS System also monitors the pressure in the reactor to ensure that, before the injection valves open, the reactor pressure has fallen to a value below the CS System's maximum design pressure. The variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts provide input to two trip systems. Each trip system is arranged in a one-out-of-two taken twice logic. Each trip system provides an open permissive signal for two CS injection valves in one of the two CS Systems.

Low Pressure Coolant Injection System The LPCI is an operating mode of the Residual Heat Removal (RHR) System, with two LPCI subsystems. The LPCI subsystems may be initiated by automatic or manual means, although manual initiation requires manipulation of individual pump and valve control switches. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low Low (Level 1); Drywell Pressure-High; or both. Each of these diverse variables is monitored by four redundant transmitters, which, in turn, are connected to four trip units. The outputs of the four trip units associated with each diverse variable are connected to relays whose contacts provide input to two trip systems. Each trip system is arranged in a one-out-of-two taken twice logic for each Function. Each trip system initiates two of the four LPCI pumps, provides an open signal to each LPCI inboard injection valve, provides an open signal to the associated (continued)

B 3.3.5.1-2 Revision 0 JAFNPP

ECCS Instrumentation B 3.3.5.L BASES BACKGROUND Low Pressure Coolant Injection System (continued)

LPCI outboard injection valve, provides an open signal to the associated LPCI heat exchanger bypass valve, and provides a close signal to both recirculation pump discharge valves. The open signal for the heat exchanger bypass valve is maintained for three minutes to ensure the valve fully opens. Once an initiation signal is received by the LPCI control circuitry, the signal is sealed in until manually reset.

Upon receipt of an initiation signal, if preferred power is available, LPCI pumps A and D start in approximately one second. LPCI pumps B and C are started in approximately 6 seconds to limit the loading of the preferred power sources. With a loss of preferred power, LPCI pumps A and D start in approximately one second after the bus is energized by the EDGs, and LPCI pumps B and C start 6 seconds after the bus is energized by the EDGs to limit the loading of the EDGs. If one EDG should fail to force parallel, an associated LPCI pump will not start (LPCI pump B or C) to ensure the other EDG is not overloaded.

Each LPCI subsystem's discharge flow is monitored by a differential pressure indicating switch. When a pump is running (as indicated by pump breaker position) and discharge flow is low enough so that pump overheating may occur, the respective minimum flow return line valve is opened. If flow is above the minimum flow setpoint, the valve is automatically closed to allow the full system flow assumed in the analyses.

The normally closed RHR suppression pool cooling isolation return valve, suppression pool spray isolation valves, and containment spray isolation valves (which are also PCIVs) are also closed on a LPCI initiation signal to allow the full system flow assumed in the accident analyses and maintain primary containment isolated in the event LPCI is not operating.

The LPCI System monitors the pressure in the reactor to ensure that, before an injection valve opens, the reactor pressure has fallen to a value below the LPCI System's maximum design pressure. The variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts provide input to two trip systems. Each trip system is arranged in a one-out-of-two (continued)

JAFNPP B 3.3.5.1-3 Revision 0

ECCS Instrumentation B 3.3.5.L BASES BACKGROUND Low Pressure Coolant Injection System (continued) taken twice logic. Each trip system provides an open signal to both inboard injection valves and provides an open permissive signal to the associated outboard injection valve. The open permissive signal for the outboard injection valve is maintained for five minutes to ensure the valve fully opens. Additionally, instruments are provided to close the recirculation pump discharge valves to ensure that LPCI flow does not bypass the core when it injects into the recirculation lines. The variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts provide input to two trip systems. Each trip system is arranged in a one-out-of-two taken twice logic. Each trip system provides a closure signal to both recirculation pump discharge valves.

Low reactor water level in the shroud is detected by two additional instruments. When the level is greater than the low level setpoint, LPCI may no longer be required, therefore, other modes of RHR (e.g., suppression pool cooling) are allowed. The variable is monitored by two transmitters, which are, in turn, connected to two trip units. The outputs of the trip units are connected to relays whose contacts provide input to one of two trip systems. Each trip system provides a permissive signal to open the associated subsystems containment spray and suppression pool cooling isolation valves. Manual overrides for these isolations below the low level setpoint are provided.

Containment high pressure is detected by four instruments to automatically isolate the containment spray mode of RHR when containment depressurization is not required. This Function also precludes inadvertent diversion of LPCI flow unless containment overpressurization is indicated. This variable is monitored by four pressure switches, whose contacts provide input to two trip systems. The outputs of the contacts are arranged in a one-out-of-two taken twice logic for each trip system. Each trip system provides an input to the associated subsystems containment spray valves.

High Pressure Coolant Injection System The HPCI System may be initiated by either automatic or manual means, although manual initiation requires manipulation of individual pump and valve control switches.

Automatic initiation occurs for conditions of Reactor Vessel (continued)

JAFNPP B 3.3.5.1-4 Revi sion 0

ECCS Instrumentation B 3.3.5.L BASES BACKGROUND High Pressure Coolant Injection System (continued)

Water Level- Low Low (Level 2) or Drywell Pressure-High.

Each of these variables is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic for each Function.

The HPCI pump discharge flow and pressure are monitored by a flow switch and pressure switch, respectively. When the pump is running (as indicated by the pressure switch) and discharge flow is low enough so that pump overheating may occur, the minimum flow return line valve is opened. The valve is automatically closed if flow is above the minimum flow setpoint to allow the full system flow assumed in the accident analysis.

The HPCI test line isolation valve is closed upon receipt of a HPCI initiation signal to allow the full system flow assumed in the accident analysis.

The HPCI System also monitors the water levels in the condensate storage tanks (CSTs) and the suppression pool because these are the two sources of water for HPCI operation. Reactor grade water in the CSTs is the normal source. The CST suction source consists of two CSTs connected in parallel to the HPCI pump suction. Upon receipt of a HPCI initiation signal, the CST suction valve is automatically signaled to open (it is normally in the open position) unless both suppression pool suction valves are open. If the water level in both CSTs falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. Two level switches are used to detect low water level in each CST. One switch associated with each CST can cause the suppression pool suction valves to open and the CST suction valve to close. The suppression pool suction valves also automatically open and the CST suction valve closes if high water level is detected in the suppression pool. Two level switches monitor suppression pool water level. Either switch can cause the suppression pool suction valves to open and the CST suction valves to close. To prevent losing suction to the pump, the suction valves are interlocked so that one suction path must be full open before the other automatically closes.

(continued)

B 3.3.5.1-5 Revision 0 JAFNPP

ECCS Instrumentation B 3.3.5.1_

BASES BACKGROUND High Pressure Coolant Injection System (continued)

The HPCI provides makeup water to the reactor until the reactor vessel water level reaches the Reactor Vessel Water Level -High (Level 8) setting, at which time the HPCI turbine trips, which causes the turbine's stop valve to close. The logic is two-out-of-two to provide high reliability of the HPCI System. The HPCI System automatically restarts if a Reactor Vessel Water Level- Low Low (Level 2) signal is subsequently received.

Automatic Depressurization System The ADS may be initiated by either automatic or manual means, although manual initiation requires the manipulation of the hand switches associated with each ADS valve.

Automatic initiation occurs when signals indicating Reactor Vessel Water Level- Low Low Low (Level 1); confirmed Reactor Vessel Water Level -Low (Level 3); and CS or LPCI Pump Discharge Pressure-High are all present and the ADS Initiation Timer has timed out. There are two transmitters for Reactor Vessel Water Level -Low Low Low (Level 1), and one transmitter for confirmed Reactor Vessel Water Level-Low (Level 3) in each of the two ADS trip systems.

Each of these transmitters connects to a trip unit, which then drives a relay whose contacts form the initiation logic.

Each ADS trip system includes a time delay between satisfying the initiation logic and the actuation of the ADS valves. The ADS Initiation Timer time delay setpoint chosen is long enough that the HPCI has sufficient operating time to recover to a level above Level 1, yet not so long that the LPCI and CS Systems are unable to adequately cool the fuel if the HPCI fails to maintain that level. An alarm in the control room is annunciated when either of the timers is timing. Resetting the ADS initiation signals prior to time out of the ADS Initiation Timers resets the ADS Initiation Timers.

The ADS also monitors the discharge pressures of the four LPCI pumps and the two CS pumps. Each ADS trip system includes two discharge pressure permissive switches from one CS and from two LPCI pumps in the associated Division (i.e.,

Division 1 CS subsystem A and LPCI pumps A and C input to ADS trip system A, and Division 2 CS subsystem B and LPCI pumps B and D input to ADS trip system B). The signals are used as a permissive for ADS actuation, indicating that there is a source of core coolant available once the ADS has (continued)

JAFNPP B 3.3.5.1-6 Revision 0

ECCS Instrumentation B 3.3.5.L BASES BACKGROUND Automatic Depressurization System (continued) depressurized the vessel. Any one of the six low pressure pumps is sufficient to permit automatic depressurization.

The switches associated with one ADS trip system also provide signals to the other ADS trip system, but these signals are not required for the other ADS trip system to be considered OPERABLE.

The ADS logic in each trip system is arranged in two strings. Each string has a contact from Reactor Vessel Water Level - Low Low Low (Level 1). One of the two strings in each trip system must also have a confirmed Reactor Vessel Water Level-Low (Level 3). All contacts in both logic strings must close, the ADS initiation timer must time out, and a CS or LPCI pump discharge pressure signal must be present to initiate an ADS trip system. Either the A or B trip system will cause all the ADS relief valves to open.

Once the ADS initiation signal is present, it is individually sealed in until manually reset.

Manual inhibit switches are provided in the control room for the ADS; however, their function is not required for ADS OPERABILITY (provided ADS is not inhibited when required to be OPERABLE).

Emergency Diesel Generators The EDGs may be initiated by either automatic or manual means. Automatic initiation occurs for conditions of Reactor Vessel Water Level -Low Low Low (Level 1) or Drywell Pressure-High. Each of these diverse variables is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the four trip units associated with each diverse variable are connected to relays whose contacts provide input to two trip systems. Each trip system is arranged in a one-out-of-two taken twice logic for each Function. One trip system will start EDG-A and EDG-C. The other trip system will start EDG-B and EDG-D. The EDGs receive their initiation signals from the LPCI and CS System initiation logic. The EDGs are also initiated upon loss of voltage signals. (Refer to the Bases for LCO 3.3.8.1, "Loss of Power (LOP)

Instrumentation," for a discussion of these signals.) The EDGs can also be started manually from the control room and locally from the associated EDG room. The EDG initiation signal is a sealed in signal and must be manually reset.

The EDG initiation logic is reset by resetting the (continued)

JAFNPP B 3.3.5.1-7 Revision 0

ECCS Instrumentation B 3.3.5.L BASES BACKGROUND Emergency Diesel Generators (continued) associated ECCS initiation logic. Upon receipt of an ECCS initiation signal, each EDG is automatically started, is ready to load in approximately 10 seconds, and will run in standby conditions (rated voltage and speed, with the EDG output breaker open). The EDGs will only energize their respective emergency buses if a loss of preferred power occurs. (Refer to Bases for LCO 3.3.8.1.)

APPLICABLE The actions of the ECCS are explicitly assumed in the safety SAFETY ANALYSES, analyses of References 1. 2, 3, and 4. The ECCS is LCO, and initiated to preserve the integrity of the fuel cladding by APPLICABILITY limiting the post LOCA peak cladding temperature to less than the 10 CFR 50.46 limits.

ECCS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 5). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITY of the ECCS instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Table 3.3.5.1-1 is modified by two footnotes. Footnote (a) is added to clarify that the associated functions are required to be OPERABLE in MODES 4 and 5 only when their supported ECCS are required to be OPERABLE per LCO 3.5.2, "ECCS-Shutdown." Footnote (b) is added to show that certain ECCS instrumentation Functions also perform EDG initiation.

Allowable Values are specified for each ECCS Function specified in the table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS.

Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water (continued)

JAFNPP B 3.3.5.1-8 Revision 0

ECCS Instrumentation B 3.3.5.L BASES APPLICABLE level), and when the measured output value of the process SAFETY ANALYSES, parameter exceeds the setpoint, the associated device (e.g.,

LCO, and trip unit) changes state. The analytic limits are derived APPLICABILITY from the limiting values of the process parameters obtained (continued) from the safety analysis or other appropriate documents.

The trip setpoints are derived from the analytical limits and account for all worst case instrumentation uncertainties as appropriate (e.g., drift, process effects, calibration uncertainties, and severe environmental errors (for channels that must function in harsh environments as defined by 10 CFR 50.49)). The trip setpoints derived in this manner provide adequate protection because all expected uncertainties are accounted for. The Allowable Values are then derived from the trip setpoints by accounting for normal effects that would be seen during periodic surveillance or calibration. These effects are instrumentation uncertainties observed during normal operation (e.g., drift and calibration uncertainties).

In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions that may require ECCS (or EDG) initiation to mitigate the consequences of a design basis transient or accident. To ensure reliable ECCS and EDG function, a combination of Functions is required to provide primary and secondary initiation signals.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

Core Spray and Low Pressure Coolant Injection Systems 1.a, 2.a. Reactor Vessel Water Level-Low Low Low (Level 1)

Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result.

The low pressure ECCS and associated EDGs are initiated at Level 1 to ensure that core spray and flooding functions are available to prevent or minimize fuel damage. The EDGs are initiated from Function l.a and 2.a. The Reactor Vessel Water Level- Low Low Low (Level 1) is one of the Functions assumed to be OPERABLE and capable of initiating the ECCS during the transients analyzed in Reference 3. In addition, the Reactor Vessel Water Level - Low Low Low (Level 1)

Function is directly assumed in the analysis of the recirculation line break (Refs. 1, 2, and 4). The core (continued)

JAFNPP B 3.3.5.1-9 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE l.a, 2.a. Reactor Vessel Water Level-Low Low Low (Level 1)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY cooling function of the ECCS, along with the scram action of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level-Low Low Low (Level 1) signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level - Low Low Low (Level 1)

Allowable Value is chosen to allow time for the low pressure core flooding systems to activate and provide adequate cooling. The Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 6).

Thus, four channels of the CS and LPCI Reactor Vessel Water Level -Low Low Low (Level 1) Function are only required to be OPERABLE when the ECCS are required to be OPERABLE to ensure that no single instrument failure can preclude ECCS initiation. Per Footnote (a) to Table 3.3.5.1-1, this ECCS Function is only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems; LCO 3.8.1 and LCO 3.8.2, "AC Sources- Shutdown," for Applicability Bases for the EDGs.

1.b, 2.b. Drywell Pressure-High High pressure in the drywell could indicate a break in the reactor coolant pressure boundary (RCPB). The low pressure ECCS and associated EDGs are initiated upon receipt of the Drywell Pressure-High Function in order to minimize the possibility of fuel damage. The EDGs are initiated from Function 1.b and 2.b. The Drywell Pressure-High Function, along with the Reactor Water Level -Low Low Low (Level 1)

Function, is directly assumed in the analysis of the recirculation line break (Refs. 1, 2, and 4). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

(continued)

JAFNPP B 3.3.5.1-10 Revision 0

ECCS Instrumentation B 3.3.5.L BASES APPLICABLE l.b, 2.b. Drywell Pressure-High (continued)

SAFETY ANALYSES, LCO, and High drywell pressure signals are initiated from four APPLICABILITY pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment.

The Drywell Pressure-High Function is required to be OPERABLE when the ECCS or EDG(s) are required to be OPERABLE in conjunction with times when the primary containment is required to be OPERABLE. Thus, four channels of the CS and LPCI Drywell Pressure-High Function are required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single instrument failure can preclude ECCS and EDG initiation. In MODES 4 and 5, the Drywell Pressure-High Function is not required, since there is insufficient energy in the reactor to pressurize the primary containment to Drywell Pressure-High setpoint. Refer to LCO 3.5.1 for Applicability Bases for the low pressure ECCS subsystems and to LCO 3.8.1 for Applicability Bases for the EDGs.

1.c, 2.c. Reactor Pressure-Low (Injection Permissive)

Low reactor pressure signals are used as permissives for the low pressure ECCS subsystems. This ensures that, prior to opening the injection valves of the low pressure ECCS subsystems, the reactor pressure has fallen to a value below these subsystems' maximum design pressure. The Reactor Pressure- Low is one of the Functions assumed to be OPERABLE and capable of permitting initiation of the ECCS during the transients analyzed in Reference 3. In addition, the Reactor Pressure-Low Function is directly assumed in the analysis of the recirculation line break (Refs. 1, 2, and 4). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

The Reactor Pressure- Low signals are initiated from four pressure transmitters that sense the reactor dome pressure.

The Allowable Value is low enough to prevent overpressuring the equipment in the low pressure ECCS, but high enough to ensure that the ECCS injection prevents the fuel peak cladding temperature from exceeding the limits of 10 CFR 50.46.

(continued)

JAFNPP B 3.3.5.1-11 Revision 0

ECCS Instrumentation B 3.3.5.1-BASES APPLICABLE 1.c, 2.c. Reactor Pressure-Low (Injection Permissive)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY Four channels of Reactor Pressure- Low Function are only required to be OPERABLE when the ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude ECCS initiation. Per Footnote (a) to Table 3.3.5.1-1, this ECCS Function is only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.

1.d, 2.f. Core Spray and Low Pressure Coolant Injection Pump Start-Time Delay Relay The purpose of these time delay relays is to stagger the start of the CS and LPCI pumps to enable sequential loading of the appropriate AC source. The CS and LPCI Pump Start Time Delay Relays are assumed to be OPERABLE in the accident analyses requiring ECCS initiation. That is, the analyses assumes that the pumps will initiate when required and no excess loading of the power sources will occur.

There are two CS and four LPCI Pump Start-Time Delay Relays, one in each of the CS and LPCI pump start circuits. While each time delay relay is dedicated to a single pump start circuit, a single failure of a CS or LPCI Pump Start-Time Delay Relay could result in the failure of a CS pump and both the LPCI pumps powered from the same emergency bus to perform their intended function within the assumed ECCS response time (e.g., as in the case where one inoperable time delay relay results in more than one pump starting at nearly the same time). In the worst case this would still leave the other three low pressure ECCS pumps OPERABLE; thus, the single failure of one instrument does not preclude ECCS initiation. The Allowable Values for the CS and LPCI Pump Start-Time Delay Relays are chosen to be short enough so that ECCS operation is within the time period assumed in the accident analyses.

Each CS and LPCI Pump Start-Time Delay Relay Function is required to be OPERABLE only when the associated CS and LPCI subsystem is required to be OPERABLE. Per Footnote (a) to Table 3.3.5.1-1, this ECCS Function is only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the CS and LPCI subsystems.

(continued)

JAFNPP B 3.3.5.1-12 Revision 0

ECCS Instrumentation B 3.3.5.1_

BASES APPLICABLE 1.e, 2.g, 1.f. Core Spray and Low Pressure Coolant SAFETY ANALYSES, Injection Pump Discharge Flow-Low (Bypass), Core Spray LCO, and Pump Discharge Pressure-High (Bypass)

APPLICABILITY (continued) The minimum flow instruments are provided to protect the associated low pressure ECCS pump from overheating when the pump is operating at reduced flows. The minimum flow line valve is opened when low flow is sensed (if the associated pump is detected to be operating), and the valve is automatically closed when the flow rate is adequate to protect the pump. The CS pump is detected to be operating by sensing high pump discharge pressure, while the LPCI pumps are detected to be operating by the use of pump motor breaker auxiliary contacts. The LPCI and CS Pump Discharge Flow- Low and the CS Pump Discharge Pressure-High (Bypass)

Functions are assumed to be OPERABLE and capable of closing the minimum flow valves to ensure that the low pressure ECCS flows assumed during the transients and accidents analyzed in References 1, 2, 3, and 4 are met. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. One differential pressure indicating switch per CS pump and one differential pressure indicating switch per LPCI subsystem are used to detect the associated subsystems' flow rates. In addition, one pressure switch per CS pump is used to detect the associated pumps discharge pressure. The logic is arranged such that each differential pressure indicating switch causes its associated minimum flow valve to open. For CS, both the differential pressure indicating switch and the pressure switch must actuate to cause the valve to open. The logic will close the minimum flow valve once the closure setpoint of the associated differential pressure indicating switch is exceeded. The LPCI minimum flow valves are time delayed such that the valves will not open for 10 seconds after the switches detect low flow. The time delay is provided to limit reactor vessel inventory loss during the startup of the RHR shutdown cooling mode. The Pump Discharge Flow- Low Allowable Values are high enough to ensure that the pump flow rate is sufficient to protect the pump, yet low enough to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core. The Core Spray Pump Discharge Pressure-High (Bypass) Allowable Value is less than the pump discharge pressure when the pump is operating in a full flow mode and high enough to avoid any (continued)

JAFNPP B 3.3.5.1-13 Revision 0

ECCS Instrumentation B 3.3.5.L BASES APPLICABLE i.e, 2.g, 1.f. Core Spray and Low Pressure Coolant SAFETY ANALYSES, Injection Pump Discharge Flow- Low (Bypass), Core Spray LCO, and Pump Discharge Pressure-High (Bypass) (continued)

APPLICABILITY condition that results in a discharge pressure permissive when the CS pump is aligned for injection and the pump is not running.

Each channel of Pump Discharge Flow-Low Function (two CS channels and four LPCI channels) and each channel of Core Spray Pump Discharge Pressure-High (Bypass) are only required to be OPERABLE when the associated ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude the ECCS function. Per Footnote (a) to Table 3.3.5.1-1, this ECCS Function is only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.

2.d. Reactor Pressure- Low (Recirculation Discharge Valve Permissive)

Low reactor pressure signals are used as permissives for recirculation discharge valve closure. This ensures that the LPCI subsystems inject into the proper RPV location assumed in the safety analysis. The Reactor Pressure- Low is one of the Functions assumed to be OPERABLE and capable of closing the valve during the transients analyzed in Reference 3. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Pressure-Low Function is directly assumed in the analysis of the recirculation line break (Refs. 1, 2 and 4).

The Reactor Pressure-Low signals are initiated from four pressure transmitters that sense the reactor dome pressure.

The Allowable Value is chosen to ensure that the valves close prior to commencement of LPCI injection flow into the core, as assumed in the safety analysis.

Four channels of the Reactor Pressure- Low Function are only required to be OPERABLE in MODES 1, 2, and 3 with the associated recirculation pump discharge valve open. With the valve(s) closed, the function of the instrumentation has been performed: thus, the Function is not required. In (continued)

JAFNPP B 3.3.5.1-14 Revision 0

ECCS Instrumentation B 3.3.5.L BASES APPLICABLE 2.d. Reactor Pressure- Low (Recirculation Discharge SAFETY ANALYSES, Valve Permissive) (continued)

LCO, and APPLICABILITY MODES 4 and 5, the loop injection location is not critical since LPCI injection through the recirculation loop in either direction will still ensure that LPCI flow reaches the core (i.e., there is no significant reactor steam dome back pressure).

2.e. Reactor Vessel Shroud Level (Level 0)

The Reactor Vessel Shroud Level (Level 0) Function is provided as a permissive to allow the RHR System to be manually aligned from the LPCI mode to the suppression pool cooling/spray or drywell spray modes. The reactor vessel shroud level permissive ensures that water in the vessel is approximately two thirds core height before the manual transfer is allowed. This ensures that LPCI is available to prevent or minimize fuel damage. This function may be overridden during accident conditions as allowed by plant procedures. Reactor Vessel Shroud Level (Level 0) Function is implicitly assumed in the analysis of the recirculation line break (Refs. 1, 2 and 4) since the analysis assumes that no LPCI flow diversion occurs when reactor water level is below Level 0.

Reactor Vessel Shroud Level (Level 0) signals are initiated from two level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Reactor Vessel Shroud Level (Level 0) Allowable Value is chosen to allow the low pressure core flooding systems to activate and provide adequate cooling before allowing a manual transfer.

The Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 6).

Two channels of the Reactor Vessel Shroud Level (Level 0)

Function are only required to be OPERABLE in MODES 1, 2, and 3. In MODES 4 and 5, the specified initiation time of the LPCI subsystems is not assumed, and other administrative controls are adequate to control the valves associated with this Function (since the systems that the valves are opened for are not required to be OPERABLE in MODES 4 and 5 and are normally not used).

(continued)

JAFNPP B 3.3.5.1-15 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 2.h. Containment Pressure-High SAFETY ANALYSES, LCO, and The Containment Pressure-High Function is provided as an APPLICABILITY isolation of the containment spray mode of RHR on decreasing (continued) containment pressure following manual actuation of the system. This isolation ensures excessive depressurization of the containment does not occur due to containment spray actuation. This Function also serves as an interlock permissive to allow the RHR System to be manually aligned from the LPCI mode to the containment spray mode after containment pressure has exceeded the trip setting. The permissive ensures that containment pressure is elevated before the manual transfer is allowed. This ensures that LPCI is available to prevent or minimize fuel damage until such time that the operator determines that containment pressure control is needed. The Containment Pressure-High Function is implicitly assumed in the analysis of LOCAs inside containment (Refs. 1, 2, and 4) since the analysis assumes that containment spray occurs when containment pressure is high.

Containment Pressure-High signals are initiated from four pressure switches that sense drywell pressure. The Containment Pressure-High lower Allowable Value is chosen to ensure isolation of containment spray prior to a negative containment pressure occurring. This maintains margin to the negative design pressure and minimizes operation of the reactor building-to-suppression chamber vacuum breakers, which in turn prevents de-inerting the atmosphere. The upper Allowable Value is chosen to ensure containment spray is not isolated when there may be a need for containment spray.

Four channels of the Containment Pressure-High Function are only required to be OPERABLE in MODES 1, 2, and 3. In MODES 4 and 5, containment spray is not assumed to be initiated, and other administrative controls are adequate to control the valves that this Function isolates.

High Pressure Coolant Injection System 3.a. Reactor Vessel Water Level-Low Low (Level 2)

Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the HPCI System is initiated at Level 2 to maintain level above the top of the active fuel. In addition, the Standby Gas (continued)

JAFNPP B 3.3.5.1-16 Revision 0

ECCS Instrumentation B 3.3.5.1L BASES APPLICABLE 3.a. Reactor Vessel Water Level - Low Low (Level 2)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY Treatment (SGT) System suction valves receive an open signal so that the gland seal exhaust from the HPCI turbine can be treated. Opening of the SGT System suction valves results in automatic starting of the SGT System. The Reactor Vessel Water Level -Low Low (Level 2) is one of the Functions assumed to be OPERABLE and capable of initiating HPCI during the transients analyzed in Reference 3. Additionally, the Reactor Vessel Water Level - Low Low (Level 2) Function associated with HPCI is assumed to be OPERABLE and capable of initiating HPCI in the analysis of line breaks (Refs. 1 and 4). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level- Low Low (Level 2) signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level -Low Low (Level 2) Allowable Value is high enough such that for complete loss of feedwater flow, the Reactor Core Isolation Cooling (RCIC)

System flow with HPCI assumed to fail will be sufficient to avoid initiation of low pressure ECCS at Reactor Vessel Water Level-Low Low Low (Level 1). The Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 6).

The HPCI, RCIC and ATWS-RPT initiation functions (as described in Table 3.3.5.1-1, Function 3.a; Table 3.3.5.2-1, Function 1; and LCO 3.3.4.1.a including SR 3.3.4.1.4, respectively) describe the reactor vessel water level initiation function as "Low Low (Level 2)." The Allowable Values associated with the HPCI and RCIC initiation function is different from the Allowable Value associated with the ATWS-RPT initiation function as the ATWS function has a separate analog trip unit. Nevertheless, consistent with the nomenclature typically used in design documents, the "Low Low (Level 2)" is retained in describing each of these three initiation functions.

(continued)

JAFNPP B 3.3.5.1-17 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 3.a. Reactor Vessel Water Level- Low Low (Level 2)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY Four channels of Reactor Vessel Water Level -Low Low (Level 2) Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation. Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.b. Drywell Pressure-High High pressure in the drywell could indicate a break in the RCPB. The HPCI System is initiated upon receipt of the Drywell Pressure-High Function in order to minimize the possibility of fuel damage. In addition, SGT System suction valves receive an open signal so that the gland seal exhaust from the HPCI turbine can be treated. Opening of the SGT System suction valves results in automatic starting of SGT.

The Drywell Pressure-High Function, along with the Reactor Water Level -Low Low (Level 2) Function, is assumed to be OPERABLE and capable of initiating HPCI in the analysis of line breaks (Refs. 1 and 4). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

High drywell pressure signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible to be indicative of a LOCA inside primary containment.

Four channels of the Drywell Pressure-High Function are required to be OPERABLE when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation. Refer to LCO 3.5.1 for the Applicability Bases for the HPCI System.

3.c. Reactor Vessel Water Level -High (Level 8)

High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel. Therefore, the Level 8 signal is used to trip the HPCI turbine to prevent overflow into the main steam lines (MSLs). The Reactor Vessel Water Level -High (Level 8) Function is not assumed in the accident and transient analyses. It was retained since it is a potentially significant contributor to risk.

(continued)

JAFNPP B 3.3.5.1-18 Revision 0

ECCS Instrumentation B 3.3.5.L BASES APPLICABLE 3.c. Reactor Vessel Water Level-High (Level 8)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY Reactor Vessel Water Level-High (Level 8) signals for HPCI are initiated from two level transmitters from the narrow range water level measurement instrumentation. Both Level 8 signals are required in order to trip the HPCI turbine.

This ensures that no single instrument failure can preclude HPCI initiation. The Reactor Vessel Water Level -High (Level 8) Allowable Value is chosen to prevent flow from the HPCI System from overflowing into the MSLs. The Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 6).

Two channels of Reactor Vessel Water Level -High (Level 8)

Function are required to be OPERABLE only when HPCI is required to be OPERABLE. Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.d. Condensate Storage Tank Level- Low Low level in the CSTs indicates the unavailability of an adequate supply of makeup water from this normal source.

Normally the suction valve between HPCI and the CSTs is open and, upon receiving a HPCI initiation signal, water for HPCI injection would be taken from the CSTs. However, if the water level in both CSTs falls below a preselected level, the suppression pool suction valves automatically open.

Opening the suppression pool suction valves causes the CST suction valve to automatically close. This ensures that an adequate supply of makeup water is available to the HPCI pump. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be full open before the CST suction valve automatically closes. The Function is implicitly assumed in the accident and transient analyses (which take credit for HPCI) since the analyses assume that the HPCI suction source is the suppression pool.

Condensate Storage Tank Level- Low signals are initiated from four level switches (2 per CST). The logic is arranged such that one switch associated with each CST must actuate to cause the suppression pool suction valves to open and the CST suction valve to close. The Condensate Storage Tank Level-Low Function Allowable Value is high enough to ensure (15,600 gallons of water is available in each CST) adequate pump suction head while water is being taken from the CSTs.

(continued)

JAFNPP B 3.3.5.1-19 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 3.d. Condensate Storage Tank Level- Low (continued)

SAFETY ANALYSES, LCO, and Four channels of the Condensate Storage Tank Level - Low APPLICABILITY Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI swap to suppression pool source.

Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.e. Suppression Pool Water Level-High Excessively high suppression pool water could result in the loads on the suppression pool exceeding design values should there be a blowdown of the reactor vessel pressure through the safety/relief valves. Therefore, signals indicating high suppression pool water level are used to transfer the suction source of HPCI from the CSTs to the suppression pool to eliminate the possibility of HPCI continuing to provide additional water from a source outside containment. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be full open before the CST suction valve automatically closes.

This Function is implicitly assumed in the accident and transient analyses (which take credit for HPCI) since the analyses assume that the HPCI suction source is the suppression pool.

Suppression Pool Water Level -High signals are initiated from two level switches. The logic is arranged such that either switch can cause the suppression pool suction valves to open and the CST suction valve to close. The Allowable Value for the Suppression Pool Water Level -High Function is chosen to ensure that HPCI will be aligned for suction from the suppression pool before the water level reaches the point at which suppression pool design loads would be exceeded.

Two channels of Suppression Pool Water Level -High Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI swap to suppression pool source. Refer to LCO 3.5.1 for HPCI Applicability Bases.

(continued)

JAFNPP B 3.3.5.1-20 Revision 0

ECCS Instrumentation B 3.3.5.L BASES APPLICABLE 3.f, 3.g. High Pressure Coolant Injection Pump Discharge SAFETY ANALYSES, Flow-Low (Bypass), High Pressure Coolant Injection Pump LCO, and Discharge Pressure- High (Bypass)

APPLICABILITY (continued) The minimum flow instruments are provided to protect the HPCI pump from overheating when the pump is operating at reduced flow. The minimum flow line valve is opened when low flow is sensed (if the HPCI pump is operating), and the valve is automatically closed when the discharge flow rate is adequate to protect the pump. Pump operation is determined by sensing high pump discharge pressure. The High Pressure Coolant Injection Pump Discharge Flow-Low and Pump Discharge Pressure-High Functions are assumed to be OPERABLE and capable of opening the minimum flow valve to protect the pump and closing the minimum flow valve to ensure that the ECCS flow assumed during the transients and accidents analyzed in References 1, 2 and 4 are met. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

One flow switch is used to detect the HPCI System's flow rate and one pressure switch is used to detect the HPCI pump discharge pressure. The logic is arranged such that the flow switch and pressure switch must actuate to cause the minimum flow valve to open. The logic will close the minimum flow valve once the flow closure setpoint is exceeded.

The High Pressure Coolant Injection Pump Discharge Flow- Low Allowable Value is high enough to ensure that pump flow rate is sufficient to protect the pump, yet low enough to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core. The High Pressure Coolant Injection Pump Discharge Pressure-High (Bypass) Allowable Value is less than the pump discharge pressure when the pump is operating in a full flow mode and high enough to avoid any condition that results in a discharge pressure permissive when the HPCI pump is aligned for injection and the pump is not running.

One channel of each Function is required to be OPERABLE when the HPCI is required to be OPERABLE. Refer to LCO 3.5.1 for HPCI Applicability Bases.

(conti nued)

JAFNPP B 3.3.5.1-21 Revision 0

ECCS Instrumentation B 3.3.5.1_

BASES APPLICABLE Automatic Depressurization System SAFETY ANALYSES, LCO, and 4.a, 5.a. Reactor Vessel Water Level-Low Low Low (Level 1)

APPLICABILITY (continued) Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, ADS receives one of the signals necessary for initiation from this Function. The Reactor Vessel Water Level - Low Low Low (Level 1) is one of the Functions assumed to be OPERABLE and capable of initiating the ADS during the accident analyzed in References 1, 2, and 4. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level -Low Low Low (Level 1) signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low Low Low (Level 1) Function are required to be OPERABLE only when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two channels input to ADS trip system A, while the other two channels input to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

The Reactor Vessel Water Level - Low Low Low (Level 1)

Allowable Value is chosen to allow time for the low pressure core flooding systems to initiate and provide adequate cooling. The Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 6).

4.b, 5.b. Automatic Depressurization System Initiation Timer The purpose of the Automatic Depressurization System Initiation Timer is to delay depressurization of the reactor vessel to allow the HPCI System time to maintain reactor vessel water level. Since the rapid depressurization caused by ADS operation is one of the most severe transients on the reactor vessel, its occurrence should be limited. By delaying initiation of the ADS Function, the operator is given the chance to monitor the success or failure of the HPCI System to maintain water level, and then to decide (continued)

JAFNPP B 3.3.5.1-22 Revision 0

ECCS Instrumentation B 3.3.5.L BASES APPLICABLE 4.b, 5.b. Automatic Depressurization System Initiation SAFETY ANALYSES, Timer (continued)

LCO, and APPLICABILITY whether or not to allow ADS to initiate, to delay initiation further by recycling the timer, or to inhibit initiation permanently. The Automatic Depressurization System Initiation Timer Function is assumed to be OPERABLE for the accident analyses of Reference 1, 2, and 4 that require ECCS initiation and assume failure of the HPCI System.

There are two Automatic Depressurization System Initiation Timer relays, one in each of the two ADS trip systems. The Allowable Value for the Automatic Depressurization System Initiation Timer is chosen so that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling.

Two channels of the Automatic Depressurization System Initiation Timer Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. (One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.c, 5.c. Reactor Vessel Water Level -Low (Level 3)

The Reactor Vessel Water Level - Low (Level 3) Function is used by the ADS only as a confirmatory low water level signal. ADS receives one of the signals necessary for initiation from Reactor Vessel Water Level -Low Low Low (Level 1) signals. In order to prevent spurious initiation of the ADS due to spurious Level 1 signals, a Level 3 signal must also be received before ADS initiation commences.

Reactor Vessel Water Level -Low (Level 3) signals are initiated from two level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Allowable Value for Reactor Vessel Water Level- Low (Level 3) is selected to be the same as the RPS Level 3 scram Allowable Value for convenience. Refer to LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," for the Bases discussion of this Function. The Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 6).

(continued)

JAFNPP B 3.3.5.1-23 Revision 0

ECCS Instrumentation B 3.3.5.L BASES APPLICABLE 4.c, 5.c. Reactor Vessel Water Level - Low (Level 3)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY Two channels of Reactor Vessel Water Level- Low (Level 3)

Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.d, 4.e, 5.d, 5.e. Core Spray and Low Pressure Coolant Injection Pump Discharge Pressure-High The Pump Discharge Pressure-High signals from the CS and LPCI pumps are used as permissives for ADS initiation, indicating that there is a source of low pressure cooling water available once the ADS has depressurized the vessel.

Pump Discharge Pressure-High is one of the Functions assumed to be OPERABLE and capable of permitting ADS initiation during the events analyzed in References 1, 2, and 4 with an assumed HPCI failure. For these events the ADS depressurizes the reactor vessel so that the low pressure ECCS can perform the core cooling function. This core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Pump discharge pressure signals are initiated from twelve pressure switches, two on the discharge side of each of the six low pressure ECCS pumps. In order to generate an ADS permissive in one trip system, it is necessary that only one pump (both channels for the pump) indicate the high discharge pressure condition. The Pump Discharge Pressure-High Allowable Value is less than the pump discharge pressure when the pump is operating in a full flow mode and high enough to avoid any condition that results in a discharge pressure permissive when the CS and LPCI pumps are aligned for injection and the pumps are not running.

The actual operating point of this function is not assumed in any transient or accident analysis. However, this function is implicitly assumed to operate to provide the ADS permissive to depressurize the RCS to allow the ECCS low pressure systems to operate.

Twelve channels of Core Spray and Low Pressure Coolant Injection Pump Discharge Pressure-High Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can (continued)

JAFNPP B 3.3.5.1-24 Revision 0

ECCS Instrumentation B 3.3.5.L BASES APPLICABLE 4.d, 4.e, 5.d, 5.e. Core Spray and Low Pressure Coolant SAFETY ANALYSES, Injection Pump Discharge Pressure-High (continued)

LCO, and APPLICABILITY preclude ADS initiation. Two CS channels associated with CS pump A and four LPCI channels associated with LPCI pumps A and C are required for trip system A. Two CS channels associated with CS pump B and four LPCI channels associated with LPCI pumps B and D are required for trip system B.

Refer to LCO 3.5.1 for ADS Applicability Bases.

ACTIONS A Note has been provided to modify the ACTIONS related to ECCS instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable ECCS instrumentation channels provide appropriate compensatory measures for separate inoperable Condition entry for each inoperable ECCS instrumentation channel.

A.1 Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.1-1. The applicable Condition referenced in the table is Function dependent.

Each time a channel is discovered inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.

B.1, B.2, and B.3 Required Actions B.1 and B.2 are intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in redundant automatic initiation capability being lost for the feature(s). Required Action B.1 features would be those that are initiated by Functions l.a, 1.b, 2.a, and 2.b (e.g., low pressure ECCS). The Required Action B.2 system would be HPCI. For Required Action B.1, redundant automatic initiation capability is lost if (a) two or more Function l.a channels are inoperable and untripped such that both trip systems lose initiation capability, (b) two or (continued)

JAFNPP B 3.3.5.1-25 Revision 0

ECCS Instrumentation B 3.3.5.L BASES ACTIONS B.1, B.2, and B.3 (continued) more Function 2.a channels are inoperable and untripped such that both trip systems lose initiation capability, (c) two or more Function L.b channels are inoperable and untripped such that both trip systems lose initiation capability, or (d) two or more Function 2.b channels are inoperable and untripped such that both trip systems lose initiation capability. For low pressure ECCS, since each inoperable channel would have Required Action B.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system of low pressure ECCS and EDGs to be declared inoperable. However, since channels in both associated low pressure ECCS subsystems (e.g., both CS subsystems) are inoperable and untripped, and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in the associated low pressure ECCS and EDGs being concurrently declared inoperable.

For Required Action B.2, redundant automatic HPCI initiation capability is lost if two or more Function 3.a or two or more Function 3.b channels are inoperable and untripped such that trip capability is lost. In this situation (loss of redundant automatic initiation capability), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Action B.3 is not appropriate and the HPCI System must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . As noted (Note 1 to Required Action B.1), Required Action B.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the low pressure ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of initiation capability for 24 hours1 days 0.143 weeks 0.0329 months (as allowed by Required Action B.3) is allowed during MODES 4 and 5.

There is no similar Note provided for Required Action B.2 since HPCI instrumentation is not required in MODES 4 and 5; thus, a Note is not necessary.

Notes are also provided (Note 2 to Required Action B.1 and the Note to Required Action B.2) to delineate which Required Action is applicable for each Function that requires entry into Condition B if an associated channel is inoperable.

This ensures that the proper loss of initiation capability check is performed. Required Action B.1 (the Required Action for certain inoperable channels in the low pressure ECCS subsystems) is not applicable to Functions 2.e and 2.h, since these Functions provide backup to administrative controls ensuring that operators do not divert LPCI flow from injecting into the core when needed, and do not spray the containment unless needed. Thus, a total loss of (continued)

JAFNPP B 3.3.5.1-26 Revision 0

ECCS Instrumentation B 3.3.5.L BASES ACTIONS B.1, B.2, and B.3 (continued)

Function 2.e or 2.h capability for 24 hours1 days 0.143 weeks 0.0329 months is allowed, since the LPCI subsystems remain capable of performing their intended function.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

For Required Action B.1, the Completion Time only begins upon discovery that a redundant feature in the same system (e.g., both CS subsystems) cannot be automatically initiated due to inoperable, untripped channels within the same Function as described in the paragraph above. For Required Action B.2, the Completion Time only begins upon discovery that the HPCI System cannot be automatically initiated due to two inoperable, untripped channels for the associated Function in the same trip system. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours1 days 0.143 weeks 0.0329 months has been shown to be acceptable (Ref. 7) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action B.3. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition H must be entered and its Required Action taken.

C.1 and C.2 Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the same Function result in redundant automatic initiation capability being lost for the feature(s). Required Action C.1 features would be those that are initiated by Functions 1.c, 1.d, 2.c, 2.d, and 2.f (i.e., low pressure (continued)

JAFNPP B 3.3.5.1-27 Revision 0

ECCS Instrumentation B 3.3.5.L BASES ACTIONS C.1 and C.2 (continued)

ECCS). Redundant automatic initiation capability is lost if either (a) two or more Function 1.c channels are inoperable such that both trip systems lose initiation capability, (b) two Function 1.d channels are inoperable, (c) two or more Function 2.c channels are inoperable such that both trip systems lose initiation capability, (d) two or more Function 2.d channels are inoperable such that both trip systems lose initiation capability, or (e) three Function 2.f channels are inoperable. In this situation (loss of redundant automatic initiation capability), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Action C.2 is not appropriate and the feature(s) associated with the inoperable channels must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . Since each inoperable channel would have Required Action C.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system to be declared inoperable. However, since channels for both low pressure ECCS subsystems are inoperable (e.g.,

both CS subsystems), and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in both subsystems being concurrently declared inoperable. For Functions 1.c, 1.d, 2.c, 2.d, and 2.f, the affected portions are the associated low pressure ECCS pumps. As noted (Note 1), Required Action C.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of automatic initiation capability for 24 hours1 days 0.143 weeks 0.0329 months (as allowed by Required Action C.2) is allowed during MODES 4 and 5.

Note 2 states that Required Action C.1 is only applicable for Functions 1.c, 1.d, 2.c, 2.d, and 2.f. Required Action C.1 is not applicable to Function 3.c (which also requires entry into this Condition if a channel in this Function is inoperable), since the loss of one channel results in a loss of the Function (two-out-of-two logic).

This loss was considered during the development of Reference 7 and considered acceptable for the 24 hours1 days 0.143 weeks 0.0329 months allowed by Required Action C.2.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

For Required Action C.1, the Completion Time only begins upon discovery that the same feature in both subsystems (continued)

JAFNPP B 3.3.5.1-28 Revision 0

ECCS Instrumentation B 3.3.5.L BASES ACTIONS C.1 and C.2 (continued)

(e.g., both CS subsystems) cannot be automatically initiated due to inoperable channels within the same Function as described in the paragraph above. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours1 days 0.143 weeks 0.0329 months has been shown to be acceptable (Ref. 7) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would either cause the initiation or it would not necessarily result in a safe state for the channel in all events.

D.1, D.2.1, and D.2.2 Required Action D.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic component initiation capability for the HPCI System. Automatic component initiation capability is lost if two Function 3.d channels associated with one CST or two Function 3.e channels are inoperable and untripped. In this situation (loss of automatic suction swap), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Actions D.2.1 and D.2.2 is not appropriate and the HPCI System must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after discovery of loss of HPCI initiation capability. As noted, Required Action D.1 is only applicable if the HPCI pump suction is not aligned to the suppression pool, since, if aligned, the Function is already performed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

For Required Action D.1, the Completion Time only begins upon discovery that the HPCI System cannot be automatically aligned to the suppression pool due to two inoperable, untripped channels in the same Function. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months (continued)

JAFNPP B 3.3.5.1-29 Revision 0

ECCS Instrumentation B 3.3.5.L BASES ACTIONS D.1, D.2.1, and D.2.2 (continued)

Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours1 days 0.143 weeks 0.0329 months has been shown to be acceptable (Ref. 7) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1 or the suction source must be aligned to the suppression pool per Required Action D.2.2. Placing the inoperable channel in trip performs the intended function of the channel (shifting the suction source to the suppression pool). Performance of either of these two Required Actions will allow operation to continue. If Required Action D.2.1 or D.2.2 is performed, measures should be taken to ensure that the HPCI System piping remains filled with water. Alternately, if it is not desired to perform Required Actions D.2.1 and D.2.2 (e.g.,

as in the case where shifting the suction source could drain down the HPCI suction piping), Condition H must be entered and its Required Action taken.

E.1 and E.2 Required Action E.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the Core Spray and Low Pressure Coolant Injection Pump Discharge Flow- Low Bypass and the Core Spray Pump Discharge Pressure- High Functions result in redundant automatic initiation capability being lost for the feature(s). For Required Action E.1, the features would be those that are initiated by Functions 1.e, 1.f, and 2.g (e.g., low pressure ECCS). Redundant automatic initiation capability is lost if (a) two Function i.e channels are inoperable, (b) two Function 1.f channels are inoperable, (c) two Function 2.g channels are inoperable, or (d) one Function 1.e channel and one Function 1.f channel associated with different CS pumps are inoperable. Since each inoperable channel would have Required Action E.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected low pressure ECCS pump to be declared inoperable.

However, since channels for more than one low pressure ECCS pump are inoperable, and the Completion Times started (continued)

JAFNPP B 3.3.5.1-30 Revision 0

ECCS Instrumentation B 3.3.5.L BASES ACTIONS E.1 and E.2 (continued) concurrently for the channels of the low pressure ECCS pumps, this results in the affected low pressure ECCS pumps being concurrently declared inoperable.

In this situation (loss of redundant automatic initiation capability), the 7 day allowance of Required Action E.2 is not appropriate and the subsystem associated with each inoperable channel must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . As noted (Note 1 to Required Action E.1), Required Action E.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of initiation capability for 7 days (as allowed by Required Action E.2) is allowed during MODES 4 and 5. A Note is also provided (Note 2 to Required Action E.1) to delineate that Required Action E.1 is only applicable to low pressure ECCS Functions. Required Action E.1 is not applicable to HPCI Functions 3.f and 3.g since the loss of one channel results in a loss of the Function (one-out-of one logic). This loss was considered during the development of Reference 7 and considered acceptable for the 7 days allowed by Required Action E.2.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

For Required Action E.1, the Completion Time only begins upon discovery that a redundant feature in the same system (e.g., both CS subsystems) cannot be automatically initiated due to inoperable channels within the same Function as described in the paragraph above. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels.

If the instrumentation that controls the pump minimum flow valve is inoperable, such that the valve will not automatically open, extended pump operation with no injection path available could lead to pump overheating and failure. If there were a failure of the instrumentation, such that the valve would not automatically close, a portion of the pump flow could be diverted from the reactor vessel injection path, causing insufficient core cooling. These consequences can be averted by the operator's manual control of the valve, which would be adequate to maintain ECCS pump (continued)

JAFNPP B 3.3.5.1-31 Revision 0

ECCS Instrumentation B 3.3.5.L BASES ACTIONS E.1 and E.2 (continued) protection and required flow. Furthermore, other ECCS pumps would be sufficient to complete the assumed safety function if no additional single failure were to occur. The 7 day Completion Time of Required Action E.2 to restore the inoperable channel to OPERABLE status is reasonable based on the remaining capability of the associated ECCS subsystems, the redundancy available in the ECCS design, and the low probability of a DBA occurring during the allowed out of service time. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken.

The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.

F.1 and F.2 Required Action F.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within similar ADS trip system A and B Functions result in redundant automatic initiation capability being lost for the ADS. Redundant automatic initiation capability is lost if either (a) one Function 4.a channel and one Function 5.a channel are inoperable and untripped, or (b) one Function 4.c channel and one Function 5.c channel are inoperable and untripped.

In this situation (loss of automatic initiation capability),

the 96 hour0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months or 8 day allowance, as applicable, of Required Action F.2 is not appropriate and all ADS valves must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after discovery of loss of ADS initiation capability.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

For Required Action F.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable, untripped channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

(continued)

JAFNPP B 3.3.5.1-32 Revision 0

ECCS Instrumentation B 3.3.5.L BASES ACTIONS F.1 and F.2 (continued)

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 7) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE. If either HPCI or RCIC is inoperable, the time is shortened to 96 hours4 days 0.571 weeks 0.132 months . If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours4 days 0.571 weeks 0.132 months , the 96 hours4 days 0.571 weeks 0.132 months begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable, untripped channel cannot exceed 8 days. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours4 days 0.571 weeks 0.132 months to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable, untripped channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action F.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition H must be entered and its Required Action taken.

G.1 and G.2 Required Action G.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within similar ADS trip system Functions result in automatic initiation capability being lost for the ADS. Automatic initiation capability is lost if either (a) one Function 4.b channel and one Function 5.b channel are inoperable, or (b) a combination of Function 4.d, 4.e, 5.d, and 5.e channels are inoperable such that channels associated with five or more low pressure ECCS pumps are inoperable.

In this situation (loss of automatic initiation capability),

the 96 hour0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months or 8 day allowance, as applicable, of Required Action G.2 is not appropriate, and all ADS valves must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after discovery of loss of ADS initiation capability.

(continued)

JAFNPP B 3.3.5.1-33 Revision 0

ECCS Instrumentation B 3.3.5.L BASES ACTIONS G.1 and G.2 (continued)

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

For Required Action G.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 7) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE (Required Action G.2). If either HPCI or RCIC is inoperable, the time shortens to 96 hours4 days 0.571 weeks 0.132 months . If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours4 days 0.571 weeks 0.132 months , the 96 hours4 days 0.571 weeks 0.132 months begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable channel cannot exceed 8 days. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours4 days 0.571 weeks 0.132 months to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.

H.1 With any Required Action and associated Completion Time not met, the associated feature(s) may be incapable of performing the intended function, and the supported feature(s) associated with inoperable untripped channels must be declared inoperable immediately.

SURVEILLANCE As noted in the beginning of the SRs, the SRs for each ECCS REQUIREMENTS instrumentation Function are found in the SRs column of Table 3.3.5.1-1.

(continued)

JAFNPP B 3.3.5.1-34 Revision 0

ECCS Instrumentation B 3.3.5.1 BASES SURVEILLANCE The Surveillances are modified by a Note to indicate that REQUIREMENTS when a channel is placed in an inoperable status solely for (continued) performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours0.25 days 0.0357 weeks 0.00822 months as follows: (a) for Functions 3.c, 3.f, and 3.g; (b) for Functions other than 3.c, 3.f, and 3.g provided the associated Function or redundant Function maintains ECCS initiation capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 7) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the ECCS will initiate when necessary.

SR 3.3.5.1.1 Performance of the CHANNEL CHECK once every 12 hours0.5 days 0.0714 weeks 0.0164 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK guarantees that undetected outright channel failure is limited to 12 hours0.5 days 0.0714 weeks 0.0164 months : thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Channel agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

(continued)

JAFNPP B 3.3.5.1-35 Revision 0

ECCS Instrumentation B 3.3.5.1_

BASES SURVEILLANCE SR 3.3.5.1.2 REQUIREMENTS (continued) A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days is based on the reliability analyses of Reference 7.

SR 3.3.5.1.3 and SR 3.3.5.1.5 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency of SR 3.3.5.1.3 i! based upon the assumption of a 92 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

The Frequency of SR 3.3.5.1.5 is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.5.1.4 Calibration of trip units provides a check of the actual trip setpoints. The channel must be declared inoperable if the trip setting is discovered to be less conservative than the Allowable Value specified in Table 3.3.5.1-1. If the trip setting is discovered to be less conservative than (continued)

JAFNPP B 3.3.5.1-36 Revision 0

ECCS Instrumentation B 3.3.5.L BASES SURVEILLANCE SR 3.3.5.1.4 (continued)

REQUIREMENTS accounted for in the appropriate setpoint methodology, but is not beyond the Allowable Value, the channel performance is still within the requirements of the plant safety analyses. Under these conditions, the setpoint must be readjusted to be equal to or more conservative than the setting accounted for in the appropriate setpoint methodology.

The Frequency of 184 days is based on the reliability, accuracy, and lower failure rates of the associated solid state electronic Analog Transmitter/Trip System components.

SR 3.3.5.1.6 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.1, LCO 3.5.2, LCO 3.8.1, and LCO 3.8.2 overlaps this Surveillance to complete testing of the assumed safety function.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown that these components usually pass the Surveillance when performed at the 24 month Frequency.

REFERENCES 1. UFSAR, Section 6.5.

2. UFSAR, Section 14.6.

3. UFSAR, Section 14.5.

4. NEDC-31317P, Revision 2, James A. FitzPatrick Nuclear Power Plant, SAFER/GESTR-LOCA, Loss-of-Coolant Accident Analysis, April 1993.

5. 10 CFR 50.36(c)(2)(ii).

6. Drawing 11825-5.01-15D, Rev. D, Reactor Assembly Nuclear Boiler, (GE Drawing 919D690BD).

(continued)

JAFNPP B 3.3.5.1-37 Revision 0

ECCS Instrumentation B 3.3.5.L BASES REFERENCES 7. NEDC-30936P-A, BWR Owners' Group Technical (continued) Specification Improvement Methodology (With Demonstration for BWR ECCS Actuation Instrumentation),

Part 2, December 1988.

JAFNPP B 3.3.5.1-38 Revision 0

RCIC System Instrumentation B 3.3.5.2 B 3.3 INSTRUMENTATION B 3.3.5.2 Reactor Core Isolation Cooling (RCIC) System Instrumentation BASES BACKGROUND The purpose of the RCIC System instrumentation is to initiate actions to ensure adequate core cooling when the reactor vessel is isolated from its primary heat sink (the main condenser) and normal coolant makeup flow from the Reactor Feedwater System is insufficient or unavailable, such that RCIC System initiation occurs and maintains sufficient reactor water level such that an initiation of the low pressure Emergency Core Cooling Systems (ECCS) pumps does not occur. A more complete discussion of RCIC System operation is provided in the Bases of LCO 3.5.3, "RCIC System."

The RCIC System may be initiated by either automatic or manual means. Automatic initiation occurs for conditions of Reactor Vessel Water Level -Low Low (Level 2). The variable is monitored by four transmitters that are connected to four trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic arrangement. Once initiated, the RCIC logic seals in and can be reset by the operator only when the reactor vessel water level signals have cleared.

The normally closed RCIC test line isolation valve is closed on a RCIC initiation signal to allow full system flow.

The RCIC System also monitors the water level in each condensate storage tank (CST) since this is the initial source of water for RCIC operation. Reactor grade water in the CSTs is the normal source. The CST suction source consists of two CSTs connected in parallel to the RCIC pump suction. Upon receipt of a RCIC initiation signal, the CSTs suction valve is automatically signaled to open (it is normally in the open position) unless the pump suction from the suppression pool valves are open. If the water level in both CSTs fall below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. Two level switches are used to detect low water level in each CST. A level switch associated with each CST must actuate to cause the suppression pool suction valves to open and the CSTs suction valve to close. The channels are arranged in a one out-of-two taken twice logic. To prevent losing suction to the pump when automatically transferring suction from the (continued)

JAFNPP B 3.3.5.2-1 Revision 0

RCIC System Instrumentation B 3.3.5.2_

BASES BACKGROUND CSTs to the suppression pool on low CST level, the suction (continued) valves are interlocked so that the suppression pool suction path must be open before the CST suction path automatically closes.

The RCIC System provides makeup water to the reactor until the reactor vessel water level reaches the high water level (Level 8) trip (two-out-of-two logic), at which time the RCIC steam inlet valve closes. The RCIC System restarts if vessel level again drops to the low level initiation point (Level 2).

APPLICABLE The function of the RCIC System is to respond to transient SAFETY ANALYSES, events by providing makeup coolant to the reactor. The LCO, and RCIC System is not an Engineered Safeguard System and APPLICABILITY no credit is taken in the safety analyses for RCIC System operation. The RCIC System instrumentation satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii) (Ref. 1). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITY of the RCIC System instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.2-1. Each Function must have a required number of OPERABLE channels with their setpoints within the specified Allowable Values, where appropriate. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Allowable Values are specified for each RCIC System instrumentation Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations.

The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis or (continued)

JAFNPP B 3.3.5.2-2 Revision 0

RCIC System Instrumentation B 3.3.5.2 BASES APPLICABLE other appropriate documents. The trip setpoints are derived SAFETY ANALYSES, from the analytical limits and account for all worst case LCO, and instrumentation uncertainties as appropriate (e.g., drift, APPLICABILITY process effects, calibration uncertainties, and severe (continued) environmental errors (for channels that must function in harsh environments as defined by 10 CFR 50.49)). The trip setpoints derived in this manner provide adequate protection because all expected uncertainties are accounted for. The Allowable Values are then derived from the trip setpoints by accounting for normal effects that would be seen during periodic surveillance or calibration. These effects are instrumentation uncertainties observed during normal operation (e.g., drift and calibration uncertainties).

The individual Functions are required to be OPERABLE in MODE 1, and in MODES 2 and 3 with reactor steam dome pressure > 150 psig since this is when RCIC is required to be OPERABLE. (Refer to LCO 3.5.3 for Applicability Bases for the RCIC System.)

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

1. Reactor Vessel Water Level-Low Low (Level 2)

Low reactor pressure vessel (RPV) water level indicates that normal feedwater flow is insufficient to maintain reactor vessel water level and that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the RCIC System is initiated at Level 2 to assist in maintaining water level above the top of the active fuel.

Reactor Vessel Water Level- Low Low (Level 2) signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level -Low Low (Level 2) Allowable Value is set high enough such that for complete loss of feedwater flow, the RCIC System flow with high pressure coolant injection assumed to fail will be sufficient to avoid initiation of low pressure ECCS at Level 1. The (continued)

JAFNPP B 3.3.5.2-3 Revision 0

RCIC System Instrumentation B 3.3.5.Z.

BASES APPLICABLE 1. Reactor Vessel Water Level - Low Low (Level 2)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 2).

The HPCI, RCIC and ATWS-RPT initiation functions (as described in Table 3.3.5.1-1, Function 3.a; Table 3.3.5.2-1, Function 1; and LCO 3.3.4.1.a including SR 3.3.4.1.4, respectively) describe the reactor vessel water level initiation function as "Low Low (Level 2)." The Allowable Values associated with the HPCI and RCIC initiation function is different from the Allowable Value associated with the ATWS-RPT initiation function as the ATWS function has a separate analog trip unit. Nevertheless, consistent with the nomenclature typically used in design documents, the "Low Low (Level 2)" is retained in describing each of these three initiation functions.

Four channels of Reactor Vessel Water Level - Low Low (Level 2) Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC initiation.

Refer to LCO 3.5.3 for RCIC Applicability Bases.

2. Reactor Vessel Water Level-High (Level 8)

High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel. Therefore, the Level 8 signal is used to close the RCIC steam inlet valve to prevent overflow into the main steam lines (MSLs).

Reactor Vessel Water Level -High (Level 8) signals for RCIC are initiated from two level transmitters from the narrow range water level measurement instrumentation, which sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Both Level 8 signals are required in order to close the RCIC steam inlet valve.

The Reactor Vessel Water Level -High (Level 8) Allowable Value is high enough to preclude isolating the steam inlet valve during normal operation, yet low enough to prevent water overflowing into the MSLs. The Allowable Value is (continued)

JAFNPP B 3.3.5.2-4 Revision 0

RCIC System Instrumentation B 3.3.5.2 BASES APPLICABLE 2. Reactor Vessel Water Level -High (Level 8) (continued)

SAFETY ANALYSES, LCO, and referenced from a level of water 352.56 inches above the APPLICABILITY lowest point in the inside bottom of the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 2).

Two channels of Reactor Vessel Water Level -High (Level 8)

Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC initiation. Refer to LCO 3.5.3 for RCIC Applicability Bases.

3. Condensate Storage Tank (CST) Level - Low Low level in the CSTs indicates the unavailability of an adequate supply of makeup water from this normal source.

Normally, the suction valve between the RCIC pump and the CSTs is open and, upon receiving a RCIC initiation signal, water for RCIC injection would be taken from the CSTs.

However, if the water level in both CSTs falls below a preselected level, first the suppression pool suction valves automatically open, and then the CSTs suction valve automatically closes. This ensures that an adequate supply of makeup water is available to the RCIC pump. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CSTs suction valve automatically closes.

Two level switches are used to detect low water level in each CST. The Condensate Storage Tank Level - Low Function Allowable Value is set high enough (15,600 gallons of water is available in each CST) to ensure adequate pump suction head while water is being taken from the CST.

Four channels of Condensate Storage Tank Level -Low Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC automatic suction source alignment to suppression pool source. Refer to LCO 3.5.3 for RCIC Applicability Bases.

4. Manual Initiation The Manual Initiation push button switch introduces a signal into the RCIC System initiation logic that is redundant to the automatic protective instrumentation and provides manual initiation capability. There is one push button for the RCIC System.

(continued)

JAFNPP B 3.3.5.2-5 Revision 0

RCIC System Instrumentation B 3.3.5.2 BASES APPLICABLE 4. Manual Initiation (continued)

SAFETY ANALYSES, LCO, and The Manual Initiation Function is not assumed in any APPLICABILITY accident or transient analyses in the UFSAR. However, the Function is retained for overall redundancy and diversity of the RCIC function as required by the NRC in the plant licensing basis.

There is no Allowable Value for this Function since the channel is mechanically actuated based solely on the position of the push button. One channel of Manual Initiation is required to be OPERABLE when RCIC is required to be OPERABLE.

ACTIONS A Note has been provided to modify the ACTIONS related to RCIC System instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable RCIC System instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable RCIC System instrumentation channel.

A.1 Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.2-1. The applicable Condition referenced in the Table is Function dependent.

Each time a channel is discovered to be inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.

B.1 and B.2 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic initiation capability for the RCIC System. In (continued)

JAFNPP B 3.3.5.2-6 Revision 0

RCIC System Instrumentation B 3.3.5.2 BASES ACTIONS B.1 and B.2 (continued) this case, automatic initiation capability is lost if two Function 1 channels in the same trip system are inoperable and untripped. In this situation (loss of automatic initiation capability), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Action B.2 is not appropriate, and the RCIC System must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after discovery of loss of RCIC initiation capability.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

For Required Action B.1, the Completion Time only begins upon discovery that the RCIC System cannot be automatically initiated due to two inoperable, untripped Reactor Vessel Water Level- Low Low (Level 2) channels in the same trip system. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the redundancy of sensors available to provide initiation signals and the fact that the RCIC System is not assumed in any accident or transient analysis, an allowable out of service time of 24 hours1 days 0.143 weeks 0.0329 months has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action B.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition E must be entered and its Required Action taken.

C.1 A risk based analysis was performed and determined that an allowable out of service time of 24 hours1 days 0.143 weeks 0.0329 months (Ref. 3) is acceptable to permit restoration of any inoperable channel to OPERABLE status (Required Action C.1). A Required Action (similar to Required Action B.1) limiting the allowable out (continued)

JAFNPP B 3.3.5.2-7 Revision 0

RCIC System Instrumentation B 3.3.5.2 BASES ACTIONS C.1 (continued) of service time, if a loss of automatic RCIC initiation capability exists, is not required. This Condition applies to the Reactor Vessel Water Level -High (Level 8) Function whose logic is arranged such that any inoperable channel will result in a loss of automatic RCIC initiation capability due to closure of the RCIC steam inlet valve. As stated above, this loss of automatic RCIC initiation capability was analyzed and determined to be acceptable.

This Condition also applies to the Manual Initiation Function. Since this Function is not assumed in any accident or transient analysis, a total loss of manual initiation capability (Required Action C.1) for 24 hours1 days 0.143 weeks 0.0329 months is allowed. The Required Action does not allow placing a channel in trip since this action would not necessarily result in a safe state for the channel in all events.

D.1, D.2.1, and D.2.2 Required Action D.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in automatic component initiation capability being lost for the feature(s). For Required Action D.1, the RCIC System is the only associated feature. In this case, automatic initiation capability (automatic suction source alignment) is lost if two Function 3 channels associated with the same CST are inoperable and untripped. In this situation (loss of automatic suction source alignment), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Actions D.2.1 and D.2.2 is not appropriate, and the RCIC System must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months from discovery of loss of RCIC initiation capability. As noted, Required Action D.1 is only applicable if the RCIC pump suction is not aligned to the suppression pool since, if aligned, the Function is already performed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

For Required Action D.1, the Completion Time only begins upon discovery that the RCIC System suction source cannot be automatically aligned to the suppression pool due to two inoperable, untripped channels in the same Function. The (continued)

JAFNPP B 3.3.5.2-8 Revision 0

RCIC System Instrumentation B 3.3.5.2 BASES ACTIONS D.1, D.2.1, and D.2.2 (continued) 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability (automatic suction source alignment) is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the redundancy of sensors available to provide initiation signals and the fact that the RCIC System is not assumed in any accident or transient analysis, an allowable out of service time of 24 hours1 days 0.143 weeks 0.0329 months has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1, which performs the intended function of the channel (shifting the suction source to the suppression pool). Alternatively, Required Action D.2.2 allows the manual alignment of the RCIC suction to the suppression pool, which also performs the intended function. If Required Action D.2.1 or D.2.2 is performed, measures should be taken to ensure that the RCIC System piping remains filled with water. If it is not desired to perform Required Actions D.2.1 and D.2.2 (e.g., as in the case where shifting the suction source could drain down the RCIC suction piping), Condition E must be entered and its Required Action taken.

E.1 With any Required Action and associated Completion Time not met, the RCIC System may be incapable of performing the intended function, and the RCIC System must be declared inoperable immediately.

SURVEILLANCE As noted in the beginning of the SRs, the SRs for each RCIC REQUIREMENTS System instrumentation Function are found in the SRs column of Table 3.3.5.2-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed as follows:

(a) for up to 6 hours0.25 days 0.0357 weeks 0.00822 months for Functions 2 and 4; and (b) for up to 6 hours0.25 days 0.0357 weeks 0.00822 months for Functions 1 and 3, provided the associated Function maintains trip capability. Upon completion of the (continued)

JAFNPP B 3.3.5.2-9 Revision 0

RCIC System Instrumentation B 3.3.5.2 BASES SURVEILLANCE Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the REQUIREMENTS channel must be returned to OPERABLE status or the (continued) applicable Condition entered and Required Actions taken.

This Note is based on the reliability analysis (Ref. 3) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the RCIC will initiate when necessary.

SR 3.3.5.2.1 Performance of the CHANNEL CHECK once every 12 hours0.5 days 0.0714 weeks 0.0164 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a parameter on other similar channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Channel agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.5.2.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required (continued)

JAFNPP B 3.3.5.2-10 Revision 0

RCIC System Instrumentation B 3.3.5.2 BASES SURVEILLANCE SR 3.3.5.2.2 (continued)

REQUIREMENTS contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days is based on the reliability analysis of Reference 3.

SR 3.3.5.2.3 and SR 3.3.5.2.5 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency of SR 3.3.5.2.3 is based upon the assumption of a 92 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

The Frequency of SR 3.3.5.2.5 is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.5.2.4 The calibration of trip units provides a check of the actual trip setpoints. The channel must be declared inoperable if the trip setting is discovered to be less conservative than the Allowable Value specified in Table 3.3.5.2-1. If the trip setting is discovered to be less conservative than the setting accounted for in the appropriate setpoint methodology, but is not beyond the Allowable Value, the channel performance is still within the requirements of the plant safety analysis. Under these conditions, the setpoint must be readjusted to be equal to or more conservative than accounted for in the appropriate setpoint methodology.

(continued)

JAFNPP B 3.3.5.2-11 Revision 0

RCIC System Instrumentation B 3.3.5.2-BASES SURVEILLANCE SR 3.3.5.2.4 (continued)

REQUIREMENTS The Frequency of 184 days is based on the reliability, accuracy, and low failure rates of the associated solid state electronic Analog Transmitter/Trip System components.

SR 3.3.5.2.6 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.3 overlaps this Surveillance to provide complete testing of the safety function.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown that these components usually pass the Surveillance when performed at the 24 month Frequency.

REFERENCES 1. 10 CFR 50.36(c)(2)(ii).

2. Drawing 11825-5.01-15D, Rev. D, Reactor Assembly Nuclear Boiler, (GE Drawing 919D690BD).

3. GENE-770-06-2-A, Addendum to Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications, December 1992.

JAFNPP B 3.3.5.2-12 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1 B 3.3 INSTRUMENTATION B 3.3.6.1 Primary Containment Isolation Instrumentation BASES BACKGROUND The primary containment isolation instrumentation automatically initiates closure of appropriate primary containment isolation valves (PCIVs). The function of the PCIVs, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents CDBAs). Primary containment isolation within the time limits specified for those isolation valves designed to close automatically ensures that the release of radioactive material to the environment will be consistent with the assumptions used in the analyses for a DBA.

The isolation instrumentation includes the sensors, logic circuits, relays, and switches that are necessary to cause initiation of primary containment and reactor coolant pressure boundary (RCPB) isolation. Most channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a primary containment isolation signal to the isolation logic. Functional diversity is provided by monitoring a wide range of independent parameters. The input parameters to the isolation logics are (a) reactor vessel water level, (b) main steam line (MSL) pressure, (c) MSL flow, (d) condenser vacuum, (e) main steam tunnel area temperatures, (f) main steam line radiation, (g) drywell pressure, (h) containment radiation, (i) high pressure coolant injection (HPCI) and reactor core isolation cooling (RCIC) steam line flow, (j) HPCI and RCIC steam line pressure, (k) HPCI and RCIC turbine exhaust diaphragm pressure, (1) HPCI and RCIC area temperatures, (m) reactor water cleanup (RWCU) area temperature, (n) Standby Liquid Control (SLC) System initiation, and (o) reactor pressure.

Redundant sensor input signals from each parameter are provided for initiation of isolation. The only exception is SLC System initiation.

Primary containment isolation instrumentation has inputs to the trip logic of the isolation functions listed below.

(continued)

JAFNPP B 3.3.6.1-1 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES BACKGROUND 1. Main Steam Line Isolation (continued)

Most MSL Isolation Functions receive inputs from four channels. The outputs from these channels are combined in a one-out-of-two taken twice logic to initiate isolation of all main steam isolation valves (MSIVs). The outputs from the same channels are arranged into two two-out-of-two logic trip systems to isolate all MSL drain valves. The MSL drain line has two isolation valves with one two-out-of-two logic system associated with each valve.

The exceptions to this arrangement are the Main Steam Line Flow-High, Main Steam Tunnel Temperature- High and the Main Steam Line Radiation-High Functions. The Main Steam Line Flow-High Function uses 16 flow channels, four for each steam line. One channel from each steam line inputs to one of the four trip channels. Two trip channels make up each trip system and both trip systems must trip to cause an MSL isolation. Each trip channel has four inputs (one per MSL),

any one of which will trip the trip channel. The trip channels are arranged in a one-out-of-two taken twice logic.

This is effectively a one-out-of-eight taken twice logic arrangement to initiate isolation of the MSIVs. Similarly, the 16 flow channels are connected into two two-out-of-two logic trip systems (effectively, two one-out-of-four twice logic), with each trip system isolating one of the two MSL drain valves on the associated steam line. The Main Steam Tunnel Temperature-High Function receives input from 16 channels. The logic is arranged similar to the Main Steam Line Flow-High Function. The Main Steam Line Radiation-High Function receives inputs from four channels.

The outputs from the channels are arranged into two two-out of-two logic trip systems and isolates the MSL drain valves.

This Function does not provide an MSIV isolation signal.

Each trip system is associated with one MSL drain valve with a two-out-of-two logic.

2. Primary Containment Isolation The Reactor Vessel Water Level - Low (Level 3) and Drywell Pressure-High Primary Containment Isolation Functions (Functions 2.a and 2.b) receive inputs from four channels.

Normally the outputs from these channels are arranged into two two-out-of-two logic trip systems. One trip system initiates isolation of all inboard primary containment isolation valves, while the other trip system initiates isolation of all outboard primary containment isolation valves. Each logic closes one of the two valves on each (continued)

JAFNPP B 3.3.6.1-2 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES BACKGROUND 2. Primary Containment Isolation (continued) penetration, so that operation of either logic isolates the penetration. The exception to this arrangement for the Reactor Vessel Water Level - Low (Level 3) and Drywell Pressure-High Functions (Functions 2.d and 2.g) are with certain penetration flow paths (i.e., hydrogen/oxygen sample supply and return valves, and gaseous/particulate sample supply and return valves). For these penetration flow paths only one logic trip system closes two valves in each flow path as noted by footnote (c) to Table 3.3.6.1-1. The design is acceptable since it helps ensure post-accident sampling capability is maintained. The remainder of the penetration flow paths isolated by the Reactor Vessel Water Level-Low (Level 3) and Drywell Pressure-High Functions (Functions 2.a and 2.b) are extensive and are identified in Reference 1.

The Containment Radiation- High Function (Function 2.c) includes two channels, whose outputs are arranged in two one-out-of-one logic trip systems. Each trip system isolates one valve per associated penetration, so that operation of either logic isolates the penetration. The penetration flow paths isolated by this Function include the drywell and suppression chamber vent and purge valves.

The Reactor Vessel Water Level - Low Low Low (Level 1) and the Main Steam Line Radiation-High Functions (Functions 2.e and 2.f) both have four channels, whose outputs are arranged into two two-out-of-two logic trip systems for each Function. One trip system initiates isolation of the associated inboard isolation valves, while the other trip system initiates the isolation of the associated outboard valves. The penetration flow path isolated by these Functions is the recirculation loop sample valves.

3, 4. High Pressure Coolant Injection System Isolation and Reactor Core Isolation Cooling System Isolation Most Functions that isolate HPCI and RCIC receive input from two channels, with each channel in one trip system using a one-out-of-one logic. Each trip system for HPCI and RCIC closes the associated steam supply valves. Each HPCI trip system closes the associated pump suction isolation valve.

One HPCI trip system and both RCIC trip systems will also initiate a turbine trip which in turn closes the main pump minimum flow isolation valve and pump discharge to reactor isolation valve.

(continued)

JAFNPP B 3.3.6.1-3 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES BACKGROUND 3, 4. High Pressure Coolant Injection System Isolation and Reactor Core Isolation Cooling System Isolation (continued)

The exceptions are the HPCI and RCIC Turbine Exhaust Diaphragm Pressure-High, Steam Supply Line Pressure-Low, and the Equipment Area Temperature-High Functions (Functions 3.b through 3.j and 4.b through 4.f). These Functions receive inputs from four channels. The outputs from the turbine exhaust diaphragm pressure and steam supply pressure channels are each connected to two two-out-of-two trip systems. The output of each equipment area temperature channel is connected to one trip system so that any channel will trip its associated trip system. This arrangement is consistent with all other area temperature Functions, in that any channel will trip its associated trip system.

5. Reactor Water Cleanup System Isolation The Reactor Vessel Water Level - Low (Level 3) and Drywell Pressure-High Isolation Functions (Functions 5.e and 5.f) receive input from four channels. The outputs from these channels are connected into two two-out-of-two trip systems for each function. The SLC System Initiation Function (Function 5.d) receives input from two channels, with both channels providing input to one trip system. Any channel will initiate the trip logic. The Function is initiated by placing the SLC System initiation switch in any position other than stop (start system A or start system B).

Therefore, a channel is defined as the circuitry required to trip the trip logic when the switch is in position start system A or start system B. The Area Temperature-High Functions (Functions 5.a, 5.b and 5.c) receive input from eight temperature monitors, four to each trip system. These are configured so that any one input will trip the associated trip system. Each of the two trip systems is connected to one of the two valves on the RWCU suction penetration and only one trip system is connected to the RWCU return penetration outboard valve. The trip system associated with the SLC System Initiation Function is connected to the outboard RWCU suction valve and the outboard RWCU return penetration valve.

(continued)

JAFNPP B 3.3.6.1-4 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES BACKGROUND 6. Shutdown Cooling System Isolation (continued)

The Reactor Vessel Water Level -Low (Level 3) Function (Function 6.b) receives input from four reactor vessel water level channels. The outputs from the reactor vessel water level channels are connected to two two-out-of-two trip systems. Each of the two trip systems is connected to one of the two valves on the RHR shutdown cooling pump suction penetration and on one of the two inboard LPCI injection valves if in shutdown cooling mode. The Reactor Pressure-High Function (Function 6.a) receives input from two channels, with each channel providing input into each trip system using a one-out-of-two logic. However, only one channel input is required to be OPERABLE for a trip system to be considered OPERABLE. Each of the two trip systems is connected to one of the two valves on the shutdown cooling pump suction penetration.

7. Traversing Incore Probe System Isolation The Reactor Vessel Water Level -Low (Level 3) Isolation Function receives input from two reactor vessel water level channels. The outputs from the reactor vessel water level channels are connected into one two-out-of-two logic trip system. The Drywell Pressure-High Isolation function receives input from two drywell pressure channels. The outputs from the drywell pressure channels are connected into one two-out-of-two logic trip system.

When either Isolation Function actuates, the TIP drive mechanisms will withdraw the TIPs, if inserted, and close the inboard TIP system isolation ball valves when the TIPs are fully withdrawn. The outboard TIP system isolation valves are manual shear valves.

APPLICABLE The isolation signals generated by the primary containment SAFETY ANALYSES, isolation instrumentation are implicitly assumed in the LCO, and safety analyses of References 2 and 3 to initiate closure APPLICABILITY of valves to limit offsite doses. Refer to LCO 3.6.1.3, "Primary Containment Isolation Valves (PCIVs)," Applicable Safety Analyses Bases for more detail of the safety analyses.

Primary containment isolation instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 4). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

(continued)

JAFNPP B 3.3.6.1-5 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1_

BASES APPLICABLE The OPERABILITY of the primary containment instrumentation SAFETY ANALYSES, is dependent on the OPERABILITY of the individual LCO, and instrumentation channel Functions specified in APPLICABILITY Table 3.3.6.1-1. Each Function must have a required number (continued) of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Each channel must also respond within its assumed response time, where appropriate.

Allowable Values are specified for each Primary Containment Isolation Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis or other appropriate documents. The trip setpoints are derived from the analytical limits and account for all worst case instrumentation uncertainties as appropriate (e.g., drift, process effects, calibration uncertainties, and severe environmental errors (for channels that must function in harsh environments as defined by 10 CFR 50.49)). The trip setpoints derived in this manner provide adequate protection because all expected uncertainties are accounted for. The Allowable Values are then derived from the trip setpoints by accounting for normal effects that would be seen during periodic surveillance or calibration. These effects are instrumentation uncertainties observed during normal operation (e.g., drift and calibration uncertainties).

Certain Emergency Core Cooling Systems (ECCS) and RCIC valves (e.g., minimum flow) also serve the dual function of automatic PCIVs. The signals that isolate these valves are also associated with the automatic initiation of the ECCS and RCIC. The instrumentation requirements and ACTIONS (continued)

JAFNPP B 3.3.6.1-6 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE associated with these signals are addressed in LCO 3.3.5.1, SAFETY ANALYSES "Emergency Core Cooling Systems (ECCS) Instrumentation," and LCO, and LCO 3.3.5.2, "Reactor Core Isolation Cooling (RCIC) System APPLICABILITY Instrumentation," and are not included in this LCO.

(continued)

In general, the individual Functions are required to be OPERABLE in MODES 1, 2, and 3 consistent with the Applicability for LCO 3.6.1.1, "Primary Containment."

Functions that have different Applicabilities are discussed below in the individual Functions discussion.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

Main Steam Line Isolation l.a. Reactor Vessel Water Level -Low Low Low (Level 1)

Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result.

Therefore, isolation of the MSIVs and other interfaces with the reactor vessel occurs to prevent offsite dose limits from being exceeded. The Reactor Vessel Water Level - Low Low Low (Level 1) Function is one of the many Functions assumed to be OPERABLE and capable of providing isolation signals. The Reactor Vessel Water Level - Low Low Low (Level 1) Function associated with isolation is assumed in the analysis of the recirculation line break (Ref. 2). The isolation of the MSLs on Level 1 supports actions to ensure that offsite dose limits are not exceeded for a DBA.

Reactor vessel water level signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level -Low Low Low (Level 1) Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level -Low Low Low (Level 1)

Allowable Value is chosen to ensure that the MSLs isolate on a potential loss of coolant accident (LOCA) to prevent offsite doses from exceeding 10 CFR 100 limits. In addition, the setting is low enough to allow the removal of heat from the reactor for a predetermined time following a (continued)

JAFNPP B 3.3.6.1-7 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE l.a. Reactor Vessel Water Level-Low Low Low (Level 1)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY scram, prevent isolation on a partial loss of feedwater and to reduce challenges to the safety/relief valves (S/RVs).

The Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 13).

This Function isolates the MSIVs and MSL drain valves.

1.b. Main Steam Line Pressure-Low Low MSL pressure indicates that there may be a problem with the turbine pressure regulation, which could result in a low reactor vessel water level condition and the RPV cooling down at a rate greater than 100°F/hr if the pressure loss is allowed to continue. The Main Steam Line Pressure-Low Function is directly assumed in the analysis of the pressure regulator failure (Ref. 2). For this event, the closure of the MSIVs ensures that the RPV temperature change limit (100°F/hr) is not reached. In addition, this Function supports actions to ensure that Safety Limit 2.1.1.1 is not exceeded. (This Function closes the MSIVs prior to pressure decreasing below 785 psig, which results in a scram due to MSIV closure, thus reducing reactor power to < 25% RTP.)

The MSL low pressure signals are initiated from four transmitters that are connected to the MSL pressure averaging manifold. The transmitters are arranged such that, even though physically separated from each other, each transmitter is able to detect low MSL pressure. Four channels of Main Steam Line Pressure- Low Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Value was selected to be high enough to detect a pressure regulator malfunction and prevent excessive RPV depressurization. In addition, the setting is low enough to prevent spurious isolations.

(continued)

JAFNPP B 3.3.6.1-8 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE l.b. Main Steam Line Pressure- Low (continued)

SAFETY ANALYSES LCO, and The Main Steam Line Pressure- Low Function is only required APPLICABILITY to be OPERABLE in MODE 1 since this is when the assumed transient can occur (Ref. 2). The Function is automatically bypassed when the reactor mode switch is not in the run position.

This Function isolates the MSIVs and MSL drain valves.

1.c. Main Steam Line Flow-High Main Steam Line Flow-High is provided to detect a break of the MSL and to initiate closure of the MSIVs. If the steam were allowed to continue flowing out of the break, the reactor would depressurize and the core could uncover. If the RPV water level decreases too far, fuel damage could occur. Therefore, the isolation is initiated on high flow to prevent or minimize core damage. The Main Steam Line Flow- High Function is directly assumed in the analysis of the main steam line break (MSLB) (Ref. 3). The isolation action, along with the scram function of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46 and offsite doses do not exceed the 10 CFR 100 limits.

The MSL flow signals are initiated from 16 transmitters that are connected to the four MSLs. The transmitters are arranged such that, even though physically separated from each other, all four connected to one MSL would be able to detect the high flow. Four channels of Main Steam Line Flow-High Function for each unisolated MSL (two channels per trip system) are available and are required to be OPERABLE so that no single instrument failure will preclude detecting a break in any individual MSL.

The Allowable Value is chosen to ensure that offsite dose limits are not exceeded due to the break. In addition, the setting is high enough to permit the isolation of one main steam line at reduced power without causing an automatic isolation of the steam lines yet low enough to permit early detection of a gross steam line break.

This Function isolates the MSIVs and MSL drain valves.

(continued)

JAFNPP B 3.3.6.1-9 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1_

BASES APPLICABLE 1.d. Condenser Vacuum-Low SAFETY ANALYSES, LCO, and The Condenser Vacuum- Low Function is provided to prevent APPLICABILITY overpressurization of the main condenser in the event of a (continued) loss of the main condenser vacuum. Since the integrity of the condenser is an assumption in offsite dose calculations, the Condenser Vacuum-Low Function is assumed to be OPERABLE and capable of initiating closure of the MSIVs. The closure of the MSIVs is initiated to prevent the addition of steam that would lead to additional condenser pressurization and possible rupture of the diaphragm installed to protect the turbine exhaust hood, thereby preventing a potential radiation leakage path following an accident.

Condenser vacuum pressure signals are derived from four pressure transmitters that sense the pressure in the condenser. Four channels of Condenser Vacuum - Low Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation, function.

The Allowable Value is chosen to prevent damage to the condenser due to pressurization, thereby ensuring its integrity for offsite dose analysis. As noted (footnote (a) to Table 3.3.6.1-1), the channels are not required to be OPERABLE in MODES 2 and 3 when all turbine stop valves (TSVs) are closed, since the potential for condenser overpressurization is minimized. The Function is automatically bypassed when the reactor mode switch is not in the run position and when all TSVs are closed.

This Function isolates the MSIVs and MSL drain valves.

i.e. Main Steam Tunnel Area Temperature-High Main Steam Tunnel Area temperature is provided to detect a break in a main steam line and provides diversity to the high flow instrumentation. High temperature in the main steam tunnel outside the primary containment could indicate a break in a main steam line. The automatic closure of the MSIVs and MSL drains, prevents excessive loss of reactor coolant and the release of significant amounts of radioactive material from the reactor coolant pressure boundary. The isolation occurs when a very small leak has occurred. If the small leak is allowed to continue without isolation, offsite dose limits may be reached. However, credit for these instruments is not taken in any transient or accident analysis in the UFSAR, since bounding analyses are performed for large breaks, such as MSLBs.

(continued)

JAFNPP B 3.3.6.1-10 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1_

BASES APPLICABLE i.e. Main Steam Tunnel Area Temperature-High (continued)

SAFETY ANALYSES, LCO, and Main Steam Tunnel Area temperature signals are initiated APPLICABILITY from resistance temperature detectors (RTDs) located in the area being monitored. Sixteen channels of Main Steam Tunnel Temperature-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Value is chosen high enough above the temperature expected during power operations to avoid spurious isolation, yet low enough to provide early indication of a steam line break.

This Function isolates the MSIVs and MSL drain valves.

1.f. Main Steam Line Radiation-High The Main Steam Line Radiation-High isolation signal has been removed from the MSIV isolation logic circuitry (Ref. 1); however, this isolation Function has been retained for the MSL drains valves (and other valves discussed under Function 2.f) to ensure that the assumptions utilized to determine that acceptable offsite doses resulting from a control rod drop accident (CRDA) are maintained.

Main Steam Line Radiation- High signals are generated from four radiation elements and associated monitors, which are located near the main steam lines in the steam tunnel. Four instrumentation channels of the Main Steam Line Radiation-High Function are available and required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Value was selected to be low enough that a high radiation trip results from the fission products released in the CRDA. In addition, the setting is adjusted high enough above the background radiation level in the vicinity of the main steam lines so that spurious trips are avoided at rated power.

This Function isolates the MSL drain valves.

(continued)

JAFNPP B 3.3.6.1-11 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE Primary Containment Isolation SAFETY ANALYSES, LCO, and 2.a, 2.g. Reactor Vessel Water Level-Low (Level 3)

APPLICABILITY Low RPV water level indicates that the capability to cool the fuel may be threatened. The valves whose penetrations communicate with the primary containment are isolated to limit the release of fission products. The isolation of the primary containment on Level 3 supports actions to ensure that offsite dose limits of 10 CFR 100 are not exceeded.

The Reactor Vessel Water Level - Low (Level 3) Function associated with isolation is implicitly assumed in the UFSAR analysis as these leakage paths are assumed to be isolated post LOCA.

Reactor Vessel Water Level -Low (Level 3) signals are initiated from level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. For Function 2.a, four channels of Reactor Vessel Water Level - Low (Level 3)

Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. For Function 2.g, two channels of Reactor Vessel Water Level - Low (Level 3) are required to be OPERABLE for each hydrogen/oxygen and gaseous/particulate sample supply and return penetration to ensure these penetrations can be isolated.

The Reactor Vessel Water Level -Low (Level 3) Allowable Value was chosen to be the same as the RPS Level 3 scram Allowable Value (LCO 3.3.1.1). since the capability to cool the fuel may be threatened. The Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 13).

This Function isolates the valves listed in Reference 1.

2.b, 2.d. Drywell Pressure-High High drywell pressure can indicate a break in the RCPB inside the Primary containment. The isolation of some of the primary containment isolation valves on high drywell pressure supports actions to ensure that offsite dose limits of 10 CFR 100 are not exceeded. The Drywell Pressure-High Function, associated with isolation of the primary (continued)

JAFNPP B 3.3.6.1-12 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 2.b, 2.d. Drywell Pressure-High (continued)

SAFETY ANALYSES, LCO, and containment, is implicitly assumed in the UFSAR accident APPLICABILITY analysis as these leakage paths are assumed to be isolated post LOCA.

High drywell pressure signals are initiated from pressure transmitters that sense the pressure in the drywell. For Function 2.b, four channels of Drywell Pressure- High are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. For Function 2.d, two channels of Drywell Pressure-High are required to be OPERABLE for each hydrogen/oxygen and gaseous/particulate sample supply and return penetration to ensure these penetrations can be isolated.

The Allowable Value was selected to be as low as possible without inducing spurious trips. The Allowable Value is chosen to be the same as the RPS Drywell Pressure-High Allowable Value (LCO 3.3.1.1), since this may be indicative of a LOCA inside primary containment.

These Functions isolate the valves listed in Reference 1.

2.c. Containment Radiation-High High containment radiation indicates possible gross failure of the fuel cladding. Therefore, when Containment Radiation-High is detected, an isolation is initiated to limit the release of fission products. However, this Function is not assumed in any accident or transient analysis in the UFSAR because other leakage paths (e.g.,

MSIVs) are more limiting.

The containment radiation signals are initiated from radiation detectors that are located in the drywell. Two channels of Containment Radiation-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Value is low enough to promptly detect gross failures in the fuel cladding. However, the setting is high enough to avoid spurious isolation.

This Function isolates the containment vent and purge valves.

(continued)

B 3.3.6.1-13 Revision 0 JAFNPP

Primary Containment Isolation Instrumentation B 3.3.6.1.

BASES APPLICABLE 2.e. Reactor Vessel Water Level - Low Low Low (Level 1)

SAFETY ANALYSES, LCO, and Low reactor pressure vessel (RPV) water level indicates that APPLICABILITY the capability to cool the fuel may be threatened. Should (continued) RPV water level decrease too far, fuel damage could result.

Therefore, isolation of the recirculation loop sample valves occurs to prevent offsite dose limits from being exceeded.

The Reactor Vessel Water Level - Low Low Low (Level 1)

Function is one of the many Functions assumed to be OPERABLE and capable of providing isolation signals. The Reactor Vessel Water Level - Low Low Low (Level 1) Function associated with isolation is assumed in the analysis of the recirculation line break (Ref. 3). The isolation of the recirculation loop sample valves on Level 1 supports actions to ensure that offsite dose limits are not exceeded for a DBA.

Reactor vessel water level signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level -Low Low Low (Level 1) Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level- Low Low Low (Level 1)

Allowable Value is chosen to ensure that the recirculation loop sample valves close on a potential loss of coolant accident (LOCA) to prevent offsite doses from exceeding 10 CFR 100 limits. The Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 13).

This Function isolates the recirculation loop sample valves.

2.f. Main Steam Line Radiation-High The Main Steam Line Radiation-High isolation signal has been removed from the MSIV isolation logic circuitry (Ref. 1):

however, this isolation Function has been retained for the recirculation loop sample valves to ensure that the assumptions utilized to determine that acceptable offsite doses resulting from a CRDA are maintained.

Main Steam Line Radiation-High signals are generated from four radiation elements and associated monitors, which are (continued)

B 3.3.6.1-14 Revision 0 JAFNPP

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 2.f. Main Steam Line Radiation-High (continued)

SAFETY ANALYSES, LCO, and located near the main steam lines in the steam tunnel. Four APPLICABILITY Instrumentation channels of the Main Steam Line Radiation-High Function are available and required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Value was selected to be low enough that a high radiation trip results from the fission products released in the Design Basis CRDA. In addition, the setting is adjusted high enough above the background radiation level in the vicinity of the main steam lines so that spurious trips are avoided at rated power.

This Function isolates the recirculation loop sample valves.

High Pressure Coolant Injection and Reactor Core Isolation Cooling Systems Isolation 3.a, 4.a. HPCI and RCIC Steam Line Flow-High Steam Line Flow-High Functions are provided to detect a break of the RCIC or HPCI steam lines and initiate closure of the steam line isolation valves of the appropriate system. If the steam is allowed to continue flowing out of the break, the reactor will depressurize and the core can uncover. Therefore, the isolations are initiated on high flow to prevent or minimize core damage. The isolation action, along with the scram function of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Specific credit for these Functions is not assumed in any UFSAR accident analyses since the bounding analysis is performed for large breaks such as recirculation and MSL breaks. However, these instruments prevent the RCIC or HPCI steam line breaks from becoming bounding.

The HPCI and RCIC Steam Line Flow-High signals are initiated from transmitters (two for HPCI and two for RCIC) that are connected to the system steam lines. Two channels of both HPCI and RCIC Steam Line Flow- High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

(continued)

JAFNPP B 3.3.6.1-15 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 3.a, 4.a. HPCI and RCIC Steam Line Flow-High (continued)

SAFETY ANALYSES, LCO, and The Allowable Values are chosen to be low enough to ensure a APPLICABILITY timely detection of a turbine steam line break so that the trip occurs to prevent fuel damage and maintains the MSLB event as the bounding event. The setting is adjusted high enough to avoid spurious isolations during HPCI and RCIC startups.

These Functions isolate the valves, as appropriate, as listed in Reference 1.

3.b, 4.b. HPCI and RCIC Steam Supply Line Pressure-Low Low steam pressure indicates that the pressure of the steam in the HPCI or RCIC turbine may be too low to continue operation of the associated system's turbine. These isolations are for equipment protection and are not assumed in any transient or accident analysis in the UFSAR.

However, they also provide a diverse signal to indicate a possible system break. These instruments are included in Technical Specifications (TS) because of the potential for risk due to possible failure of the instruments preventing HPCI and RCIC initiations (Ref. 5).

The HPCI and RCIC Steam Supply Line Pressure- Low signals are initiated from transmitters (four for HPCI and four for RCIC) that are connected to the system steam line. Four channels of both HPCI and RCIC Steam Supply Line Pressure-Low Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Values are selected to be high enough to prevent damage to the system's turbine and low enough to ensure HPCI and RCIC Systems remain OPERABLE.

These Functions isolate the valves, as appropriate, as listed in Reference 1.

3.c, 4.c. HPCI and RCIC Turbine Exhaust Diaphragm Pressure - High High turbine exhaust diaphragm pressure could indicate that the turbine rotor is not turning, or there is a broken turbine blading or shrouding, thus allowing reactor pressure to act on the turbine exhaust line. The system is isolated (continued)

JAFNPP B 3.3.6.1-16 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 3.c, 4.c. HPCI and RCIC Turbine Exhaust Diaphragm SAFETY ANALYSES, Pressure-High (continued)

LCO, and APPLICABILITY to prevent overpressurization of the turbine exhaust line.

These isolations are for equipment protection and are not assumed in any transient or accident analysis in the UFSAR.

These instruments are included in the TS because of the potential for risk due to possible failure of the instruments preventing HPCI and RCIC initiations (Ref. 5).

The HPCI and RCIC Turbine Exhaust Diaphragm Pressure-High signals are initiated from switches (four for HPCI and four for RCIC) that are connected to the area between the rupture diaphragms on each system's turbine exhaust line. Four channels of both HPCI and RCIC Turbine Exhaust Diaphragm Pressure-High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Values are high enough to prevent damage to low pressure components in the turbine exhaust pathway. The settings are adjusted low enough to avoid isolation of the system's turbine.

These Functions isolate the valves, as appropriate, as listed in Reference 1.

3.d, 3.e, 3.f, 3.g, 3.h, 3.i, 3.j, 4.d, 4.e. 4.f.

HPCI and RCIC Area Temperature-High HPCI and RCIC Area temperatures are provided to detect a leak from the associated system steam piping. The isolation occurs when a very small leak has occurred and is diverse to the high flow instrumentation. If the small leak is allowed to continue without isolation, offsite dose limits may be reached. These Functions are not assumed in any UFSAR transient or accident analysis, since bounding analyses are performed for large breaks such as recirculation or MSL breaks.

Area Temperature-High signals are initiated from resistance temperature detectors (RTDs) that are appropriately located to protect the system that is being monitored. Two instruments monitor each area for a total of 16 channels for HPCI and 8 channels for RCIC. All channels for each HPCI and RCIC Area Temperature- High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

(continued)

JAFNPP B 3.3.6.1-17 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 3.d, 3.e, 3.f, 3.g, 3.h, 3.i, 3.j, 4.d, 4.e, 4.f.

SAFETY ANALYSES, HPCI and RCIC Area Temperature-High (continued)

LCO, and APPLICABILITY The Allowable Values are set high enough above normal operating levels to avoid spurious operation but low enough to provide timely detection of a steam leak.

These Functions isolate the valves, as appropriate, as listed in Reference 1.

Reactor Water Cleanup (RWCU) System Isolation 5.a, 5.b, 5.c. RWCU Area Temperatures-High RWCU area temperatures are provided to detect a leak from the RWCU System. The isolation occurs even when very small leaks have occurred. If the small leak continues without isolation, offsite dose limits may be reached. Credit for these instruments is not taken in any transient or accident analysis in the UFSAR, since bounding analyses are performed for large breaks such as recirculation or MSL breaks.

Area temperature signals are initiated from temperature elements that are located in the area that is being monitored. Eight thermocouples provide input to the Area Temperature-High Functions (two per area or room). Eight channels are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Area Temperature-High Allowable Values are set high enough to avoid spurious isolation yet low enough to provide timely detection and isolation of a break in the RWCU System.

These Functions isolates both RWCU suction valves and the return valve.

5.d. SLC System Initiation The isolation of the RWCU System is required when the SLC of System has been initiated to prevent dilution and removal the boron solution by the RWCU System (Ref. 6). The RWCU isolation signal is initiated when the control room SLC initiation switch is in any position other than stop.

(continued)

B 3.3.6.1-18 Revision 0 JAFNPP

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 5.d. SLC System Initiation (continued)

SAFETY ANALYSES, LCO, and There is no Allowable Value associated with this Function APPLICABILITY since the channels are mechanically actuated based solely on the position of the SLC System initiation switch.

Two channels (start system A or start system B) of the SLC System Initiation Function are available and are required to be OPERABLE only in MODES 1 and 2, since these are the only MODES where the reactor can be critical, and these MODES are consistent with the Applicability for the SLC System (LCO 3.1.7).

As noted (footnote (d) to Table 3.3.6.1-1), this Function is only required to close one of the RWCU suction isolation valves and one return isolation valve since the signals only provide input into one of the two trip systems.

5.e. Reactor Vessel Water Level - Low (Level 3)

Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of some interfaces with the reactor vessel occurs to isolate the potential sources of a break. The isolation of the RWCU System on Level 3 supports actions to ensure that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Vessel Water Level -Low (Level 3)

Function associated with RWCU isolation is not directly assumed in the UFSAR safety analyses because the RWCU System line break is bounded by breaks of larger systems (recirculation and MSL breaks are more limiting).

Reactor Vessel Water Level -Low (Level 3) signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low (Level 3) Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level- Low (Level 3) Allowable Value was chosen to be the same as the RPS Reactor Vessel Water Level- Low (Level 3) Allowable Value (LCO 3.3.1.1),

since the capability to cool the fuel may be threatened.

The Allowable Value is referenced from a level of water (continued)

JAFNPP B 3.3.6.1-19 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 5.e. Reactor Vessel Water Level -Low (Level 3) (continued)

SAFETY ANALYSES, LCO, and 352.56 inches above the lowest point in the inside bottom of APPLICABILITY the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 13).

This Function isolates both RWCU suction valves and the RWCU return valve.

5.f. Drywell Pressure-High High drywell pressure can indicate a break in the RCPB inside the primary containment. The isolation of some of the primary containment isolation valves on high drywell pressure supports actions to ensure that offsite dose limits of 10 CFR 100 are not exceeded. The Drywell Pressure-High Function, associated with isolation of the primary containment, is implicitly assumed in the UFSAR accident analysis as these leakage paths are assumed to be isolated post LOCA.

High drywell pressure signals are initiated from pressure transmitters that sense the pressure in the drywell. Four channels of Drywell Pressure-High are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable value was selected to be as low as possible without inducing spurious trips. The Allowable Value is chosen to be the same as the RPS Drywell Pressure-High Allowable Value (LCO 3.3.1.1), since this may be indicative of a LOCA inside primary containment.

This Function isolates both RWCU suction valves and one RWCU return valve.

6.a. Reactor Pressure-High The Reactor Pressure-High Function is provided to isolate the shutdown cooling portion of the Residual Heat Removal (RHR) System. This interlock Function is provided only for equipment protection to prevent an intersystem LOCA scenario, and credit for the interlock is not assumed in the accident or transient analysis in the UFSAR.

The Reactor Pressure- High signals are initiated from two pressure switches that are connected to different taps on (continued)

JAFNPP B 3.3.6.1-20 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 6.a. Reactor Pressure-High (continued)

SAFETY ANALYSES, LCO, and reactor recirculation pump B suction line. Each switch APPLICABILITY provides input to each trip system. However, only one channel input is required to be OPERABLE for a trip system to be considered OPERABLE. Two channels of Reactor Pressure-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Function is only required to be OPERABLE in MODES 1, 2, and 3, since these are the only MODES in which the reactor can be pressurized; thus, equipment protection is needed.

The Allowable Value was chosen to be low enough to protect the system equipment from overpressurization.

This Function isolates both RHR shutdown cooling pump suction valves.

6.b. Reactor Vessel Water Level- Low (Level 3)

Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of some reactor vessel interfaces occurs to begin isolating the potential sources of a break. The Reactor Vessel Water Level - Low (Level 3) Function associated with RHR Shutdown Cooling System isolation is not directly assumed in safety analyses because a break of the RHR Shutdown Cooling System is bounded by breaks of the reactor water recirculation system and MSL. The RHR Shutdown Cooling System isolation on Level 3 supports actions to ensure that the RPV water level does not drop below the top of the active fuel during a vessel draindown event caused by a leak (e.g., pipe break or inadvertent valve opening) in the RHR Shutdown Cooling System.

Reactor Vessel Water Level -Low (Level 3) signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels (two channels per trip system) of the Reactor Vessel Water Level -Low (Level 3) Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. As noted (footnote (e) to Table 3.3.6.1-1), only one trip system of the Reactor Vessel Water Level -Low (Level 3) Function are required to (continued)

JAFNPP B 3.3.6.1-21 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 6.b. Reactor Vessel Water Level- Low (Level 3) (continued)

SAFETY ANALYSES, LCO, and be OPERABLE in MODES 4 and 5, provided the RHR Shutdown APPLICABILITY Cooling System integrity is maintained. System integrity is maintained provided the piping is intact and no maintenance or other activity is being performed that has the potential for draining the reactor vessel through the system.

The Reactor Vessel Water Level-Low (Level 3) Allowable Value was chosen to be the same as the RPS Reactor Vessel Water Level-Low (Level 3) Allowable Value (LCO 3.3.1.1),

since the capability to cool the fuel may be threatened.

The Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 13).

The Reactor Vessel Water Level - Low (Level 3) Function is only required to be OPERABLE in MODES 3, 4, and 5 to prevent this potential flow path from lowering the reactor vessel level to the top of the fuel. In MODES 1 and 2, another isolation (i.e., Reactor Pressure-High) and administrative controls ensure that this flow path remains isolated to prevent unexpected loss of inventory via this flow path.

This Function isolates both RHR shutdown cooling pump suction valves and the inboard LPCI injection valves.

Traversing Incore Probe System Isolation 7.a. Reactor Vessel Water Level-Low (Level 3)

Low RPV water level indicates that the capability to cool the fuel may be threatened. The valves whose penetrations communicate with the primary containment are isolated to limit the release of fission products. The isolation of the primary containment on Level 3 supports actions to ensure that offsite dose limits of 10 CFR 100 are not exceeded.

The Reactor Vessel Water Level-Low (Level 3) Function associated with isolation is implicitly assumed in the UFSAR analysis as these leakage paths are assumed to be isolated post LOCA.

Reactor Vessel Water Level- Low (Level 3) signals are initiated from level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Two channels of Reactor (continued)

JAFNPP B 3.3.6.1-22 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 7.a. Reactor Vessel Water Level- Low (Level 3) (continued)

SAFETY ANALYSES, LCO, and Vessel Water Level- Low (Level 3) Function are available and APPLICABILITY are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The isolation function is ensured by the manual shear valve in each penetration.

The Reactor Vessel Water Level -Low (Level 3) Allowable Value was chosen to be the same as the RPS Level 3 scram Allowable Value (LCO 3.3.1.1), since isolation of these valves is not critical to orderly plant shutdown. The Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 13).

This Function isolates the TIP System isolation ball valves.

7.b Drywell Pressure- High High drywell pressure can indicate a break in the RCPB inside the primary containment. The isolation of some of the primary containment isolation valves on high drywell pressure supports actions to ensure that offsite dose limits of 10 CFR 100 are not exceeded. The Drywell Pressure-High Function, associated with isolation of the primary containment, is implicitly assumed in the UFSAR accident analysis as these leakage paths are assumed to be isolated post LOCA.

High drywell pressure signals are initiated from pressure transmitters that sense the pressure in the drywell. Two channels of Drywell Pressure- High are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The isolation function is ensured by the manual shear valve in each penetration.

The Allowable Value is chosen to be the same as the RPS Drywell Pressure- High Allowable Value (LCO 3.3.1.1), since this may be indicative of a LOCA inside primary containment.

This Function isolates the TIP System isolation ball valves.

ACTIONS The ACTIONS are modified by two Notes. Note 1 allows penetration flow path(s) to be unisolated intermittently under administrative controls. These controls consist of (continued)

JAFNPP B 3.3.6.1-23 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS stationing a dedicated operator at the controls of the (continued) valve, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for primary containment isolation is indicated.

Note 2 has been provided to modify the ACTIONS related to primary containment isolation instrumentation channels.

Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition.

Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable primary containment isolation instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable primary containment isolation instrumentation channel.

A.1 Because of the diversity of sensors available to provide isolation signals and the redundancy of the isolation design, an allowable out of service time of 12 hours0.5 days 0.0714 weeks 0.0164 months for Functions 2.a, 2.b, 2.d, 2.g, 5.e, 5.f, 6.b, 7.a and 7.b (which have components common to RPS) and 24 hours1 days 0.143 weeks 0.0329 months for Functions other than Functions 2.a, 2.b, 2.d, 2.g, 5.e, 5.f, 6.b, 7.a and 7.b has been shown to be acceptable (Refs. 6 and 7) to permit restoration of any inoperable channel to OPERABLE status. This out of service time is only acceptable provided the associated Function is still maintaining isolation capability (refer to Required Action B.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue with no further restrictions. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an isolation),

Condition C must be entered and its Required Action taken.

(continued)

B 3.3.6.1-24 Revision 0 JAFNPP

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS B.1 (continued) Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in redundant isolation capability being lost for the associated penetration flow path(s). The MSL Isolation Functions (associated with MSIV isolation) are considered to be maintaining isolation capability when sufficient channels are OPERABLE or in trip (or the associated trip system in trip), such that both trip systems will generate a trip signal from the given Function on a valid signal. The other isolation functions are considered to be maintaining isolation capability when sufficient channels are OPERABLE or in trip, such that one trip system will generate a trip signal from the given Function on a valid signal. This ensures that at least one of the PCIVs in the associated penetration flow path can receive an isolation signal from the given Function. For Functions 1.a, 1.b, and 1.d (associated with MSIV isolation), this would require both trip systems to have one channel OPERABLE or in trip. For Function 1.c (associated with MSIV isolation), this would require both trip systems to have one channel, associated with each MSL, OPERABLE or in trip. For Function 1.e, four areas are monitored by four channels (e.g., different locations within the main steam tunnel area). Therefore, this would require both trip systems to have one channel per location OPERABLE or in trip (associated with MSIV isolation). For Functions l.a. 1.b, 1.d, and 1.f (associated with MSL drain isolation) this would require one trip system to have two channels, each OPERABLE or in trip.

For Function 1.c (associated with MSL drain isolation) this will require one trip system to have two channels, associated with each MSL, each OPERABLE or in trip. For Function i.e this would require one trip system to have two channels, associated with each main steam tunnel area, each to be OPERABLE or in trip. For Functions 2.d and 2.g, as noted by footnote (c) to Table 3.3.6.1-1, there is only one trip system provided for each associated penetration. For these penetrations (i.e., hydrogen/oxygen sample and return, and gaseous/particulate sample supply and return), this will require both channels to be OPERABLE or in trip in order to close at least one valve. For Functions 2.a, 2.b, 2.e, 2.f, 3.b, 3.c, 4.b, 4.c, 5.e, 5.f, and 6.b, this would require one trip system to have two channels, each OPERABLE or in trip. For Functions 2.c, 3.a, 3.d, 3.e, 3.f, 3.g, 3.h, 3.i, 4.a, 4.d, 4.e, 5.a, 5.c, and 6.a, this would require one trip system to have one channel OPERABLE or in trip. For Functions 3.j, 4.f, and 5.b each Function consists of (continued)

B 3.3.6.1-25 Revision 0 JAFNPP

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS B.1 (continued) channels that monitor two different locations. Therefore, this would require one channel per location to be OPERABLE or in trip (the channels are not required to be in the same trip system). For Function 5.d, this would require that with the SLC initiation switch in start system A or B the associated valve will close. For Function 7.a and 7.b the logic is arranged in one trip system, therefore this would require both channels to be OPERABLE or in trip, or the manual shear valves to be OPERABLE.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

C.1 Required Action C.1 directs entry into the appropriate Condition referenced in Table 3.3.6.1-1. The applicable Condition specified in Table 3.3.6.1-1 is Function and MODE or other specified condition dependent and may change as the Required Action of a previous Condition is completed. Each time an inoperable channel has not met any Required Action of Condition A or B and the associated Completion Time has expired, Condition C will be entered for that channel and provides for transfer to the appropriate subsequent Condition.

D.1, D.2.1, and D.2.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 12 hours0.5 days 0.0714 weeks 0.0164 months and in MODE 4 within 36 hours1.5 days 0.214 weeks 0.0493 months (Required Actions D.2.1 and D.2.2). Alternately, the associated MSLs may be isolated (Required Action D.1),

and, if allowed (i.e., plant safety analysis allows operation with one MSL isolated), operation with that MSL isolated may continue. Isolating the affected MSL accomplishes the safety function of the inoperable channel.

The Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

(continued)

JAFNPP B 3.3.6.1-26 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS E.1 (continued)

If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 2 within 6 hours0.25 days 0.0357 weeks 0.00822 months .

The allowed Completion Time of 6 hours0.25 days 0.0357 weeks 0.00822 months is reasonable, based on operating experience, to reach MODE 2 from full power conditions in an orderly manner and without challenging plant systems.

F.1 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, plant operations may continue if the affected penetration flow path(s) is isolated. Isolating the affected penetration flow path(s) accomplishes the safety function of the inoperable channels.

Alternately, if it is not desired to isolate the affected penetration flow path(s) (e.g., as in the case where isolating the penetration flow path(s) could result in a reactor scram), Condition H must be entered and its Required Actions taken. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing sufficient time for plant operations personnel to isolate the affected penetration flow path(s).

G.1 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, plant operations may continue if the affected penetration flow path(s) is isolated. Isolating the affected penetration flow path(s) accomplishes the safety function of the inoperable channels.

The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is acceptable due to the fact the penetrations associated with these Functions (TIP System penetration) are a small bore (approx 1/2 inch), its isolation in a design basis event (with loss of offsite power) would be via the manually operated shear valves, and the ability to manually isolate by either the normal isolation valve or the shear valve is unaffected by the inoperable instrumentation.

(continued)

JAFNPP B 3.3.6.1-27 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1_

BASES ACTIONS H.1 and H.2 (continued)

If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, or any Required Action of Condition F or G is not met and the associated Completion Time has expired, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 12 hours0.5 days 0.0714 weeks 0.0164 months and in MODE 4 within 36 hours1.5 days 0.214 weeks 0.0493 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

1.1 and 1.2 If the channel is not restored to OPERABLE status within the allowed Completion Time, the associated SLC subsystem is declared inoperable or the RWCU System is isolated. Since this Function is required to ensure that the SLC System performs its intended function, sufficient remedial measures are provided by declaring the associated SLC subsystems inoperable or isolating the RWCU System.

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing sufficient time for personnel to isolate the RWCU System.

J.1 and J.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the associated penetration flow path should be closed. However, if the shutdown cooling function is needed to provide core cooling, these Required Actions allow the penetration flow path to remain unisolated provided action is immediately initiated to restore the channel to OPERABLE status or to isolate the RHR Shutdown Cooling System (i.e., provide alternate decay heat removal capabilities so the penetration flow path can be isolated). Actions must continue until the channel is restored to OPERABLE status or the RHR Shutdown Cooling System is isolated.

SURVEILLANCE As noted (Note 1) at the beginning of the SRs, the SRs for REQUIREMENTS each Primary Containment Isolation instrumentation Function are found in the SRs column of Table 3.3.6.1-1.

(continued)

JAFNPP B 3.3.6.1-28 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES SURVEILLANCE The Surveillances are modified by Note 2 to indicate that REQUIREMENTS when a channel is placed in an inoperable status solely for (continued) performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours0.25 days 0.0357 weeks 0.00822 months as follows: (a) for Functions 2.d, 2.g, 7.a, and 7.b; and (b) for Functions other than 2.d, 2.g, 7.a, and 7.b provided the associated Function maintains trip capability.

Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 7 and 8) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the PCIVs will isolate the penetration flow path(s) when necessary. For Functions 2.d and 2.g, this allowance is permitted since the associated penetration flow path(s) involve sample lines which form a closed system with the primary containment atmosphere. For Functions 7.a and 7.b, this is permitted since the associated penetrations can be manually isolated if needed.

SR 3.3.6.1.1 Performance of the CHANNEL CHECK once every 12 hours0.5 days 0.0714 weeks 0.0164 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Channel agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

(continued)

JAFNPP B 3.3.6.1-29 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES SURVEILLANCE SR 3.3.6.1.1 (continued)

REQU IREMENTS The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.6.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The 92 day Frequency of SR 3.3.6.1.2 is based on the reliability analysis described in References 7 and 8.

SR 3.3.6.1.3. SR 3.3.6.1.5, and SR 3.3.6.1.6 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

SR 3.3.6.1.6 however is only a calibration of the radiation detectors using a standard radiation source. As noted for SR 3.3.6.1.3, the main steam tunnel radiation detectors are excluded from CHANNEL CALIBRATION due to ALARA reasons (when the plant is operating, the radiation detectors are generally in a high radiation area; the steam tunnel). This exclusion is acceptable because the radiation detectors are passive devices, with minimal drift. The radiation (continued)

B 3.3.6.1-30 Revision 0 JAFNPP

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES SURVEILLANCE SR 3.3.6.1.3, SR 3.3.6.1.5, and SR 3.3.6.1.6 (continued)

REQUIREMENTS detectors are calibrated in accordance with SR 3.3.6.1.6 on a 24 month Frequency. The CHANNEL CALIBRATION of the remaining portions of the channel (SR 3.3.6.1.3) are performed using a standard current source.

Reactor Vessel Water Level- Low Low Low (Level 1), Main Steam Line Pressure- Low and Main Steam Line Flow-High Function sensors (Functions l.a, 1.b, and 1.c, respectively) are excluded from ISOLATION INSTRUMENTATION RESPONSE TIME testing (Ref. 11). However, during the CHANNEL CALIBRATION of these sensors, a response check must be performed to ensure adequate response. This testing is required by Reference 11. Personnel involved in this testing must have been trained in response to Reference 12 to ensure that they are aware of the consequences of instrument response time degradation. This response check must be performed by placing a fast ramp or a step change into the input of each required sensor. The personnel must monitor the input and output of the associated sensor so that simultaneous monitoring and verification may be accomplished.

The Frequency of SR 3.3.6.1.3 is based on the assumption of a 92 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. The Frequencies of SR 3.3.6.1.5 and SR 3.3.6.1.6 are based on the assumption of an 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.6.1.4 Calibration of trip units provides a check of the actual trip setpoints. The channel must be declared inoperable if the trip setting is discovered to be less conservative than the Allowable Value specified in Table 3.3.6.1-1. If the trip setting is discovered to be less conservative than accounted for in the appropriate setpoint methodology, but is not beyond the Allowable Value, the channel performance is still within the requirements of the plant safety analysis. Under these conditions, the setpoint must be readjusted to be equal to or more conservative than that accounted for in the appropriate setpoint methodology.

The Frequency of 184 days is based on operating experience that demonstrates this equipment to be reliable.

(continued)

JAFNPP B 3.3.6.1-31 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES SURVEILLANCE SR 3.3.6.1.7 REQUIREMENTS (continued) The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required isolation logic for a specific channel. The system functional testing performed on PCIVs in LCO 3.6.1.3 overlaps this Surveillance to provide complete testing of the assumed safety function. While this Surveillance can be performed with the reactor at power for some Functions, the 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components usually pass the Surveillance when performed at the 24 month Frequency. Therefore, the Frequency was found to be acceptable from a reliability standpoint.

SR 3.3.6.1.8 This SR ensures that the individual channel response times are less than or equal to the maximum values assumed in the accident analysis. Testing is performed only on channels where the assumed response time does not correspond to the emergency diesel generator (EDG) start time. For channels assumed to respond within the EDG start time, sufficient margin exists in the 10 second start time when compared to the typical channel response time (milliseconds) so as to assure adequate response without a specific measurement test.

ISOLATION INSTRUMENTATION RESPONSE TIME acceptance criteria are included in Reference 9. ISOLATION SYSTEM RESPONSE TIME may be verified by actual response time measurements in any series of sequential, overlapping, or total channel measurements. However, the sensors for Functions 1.a, 1.b, and 1.c are excluded from specific ISOLATION SYSTEM RESPONSE TIME measurement since the conditions of Reference 10 are satisfied. For Functions 1.a, 1.b, and 1.c, sensor response time may be allocated based on either assumed design sensor response time or the manufacturer's stated design response time.

ISOLATION INSTRUMENTATION RESPONSE TIME tests are conducted on a 24 month STAGGERED TEST BASIS. A Note requires STAGGERED TEST BASIS Frequency to be determined based on 2 channels. This will ensure that all required channels are tested during two Surveillance Frequency intervals. For Functions l.a and 1.b, two channels must be tested during (continued)

JAFNPP B 3.3.6.1-32 Revision 0

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES SURVEILLANCE SR 3.3.6.1.8 (continued)

REQUIREMENTS each test, while for Function 1.c, eight channels must be tested. The 24 month Frequency is consistent with the refueling cycle and is based upon plant operating experience that shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

REFERENCES 1. UFSAR, Table 7.3-1.

2. UFSAR, Section 14.5.

3. UFSAR, Section 14.6.

4. 10 CFR 50.36(c)(2)(ii).

5. NEDO-31466, Technical Specification Screening Criteria Application and Risk Assessment, November 1987.

6. UFSAR, Section 3.9.3.

7. NEDC-31677P-A, Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation, July 1990.

8. NEDC-30851P-A, Supplement 2, Technical Specifications Improvement Analysis for BWR Isolation Instrumentation Common to RPS and ECCS Instrumentation, March 1989.

9. UFSAR, Table 7.3-12.

10. NEDO-32291-A, System Analyses For the Elimination of Selected Response Time Testing Requirements, October 1995.

11. NRC letter dated October 28, 1996, Issuance of Amendment 235 to Facility Operating License DPR-59 for James A. FitzPatrick Nuclear Power Plant.

12. NRC Bulletin 90-01, Supplement 1, Loss of Fill-Oil in Transmitters Manufactured by Rosemount, December 1992.

13. Drawing 11825-5.01-15D, Rev. D, Reactor Assembly Nuclear Boiler, (GE Drawing 919D690BD).

JAFNPP B 3.3.6.1-33 Revision 0

Secondary Containment Isolation Instrumentation B 3.3.6.2-B 3.3 INSTRUMENTATION B 3.3.6.2 Secondary Containment Isolation Instrumentation BASES BACKGROUND The secondary containment isolation instrumentation automatically initiates closure of appropriate secondary containment isolation valves (SCIVs), trips the refuel floor exhaust fans, trips the tank and equipment drain sump exhaust fan, and places the reactor building ventilation system in the recirculation mode of operation and starts the Standby Gas Treatment (SGT) System. The function of these systems, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs) (Ref. 1).

Secondary containment isolation and establishment of vacuum with the SGT System within the required time limits ensures that fission products that leak from primary containment following a DBA, or are released outside primary containment, or are released during certain operations when primary containment is not required to be OPERABLE are maintained within applicable limits.

The isolation instrumentation includes the sensors, logic circuits, relays, and switches that are necessary to cause initiation of secondary containment isolation. Most channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a secondary containment isolation signal to the isolation logic.

Functional diversity is provided by monitoring a wide range of independent parameters. The input parameters to the isolation logic are (1) reactor vessel water level, (2) drywell pressure, (3) reactor building ventilation exhaust radiation, and (4) refueling floor ventilation exhaust radiation. Redundant sensor input signals from each parameter are provided for initiation of isolation.

The outputs of the logic channels for reactor water level and drywell pressure are arranged into two two-out-of-two trip system logics. The outputs of the logic channels for reactor building ventilation exhaust and refueling ventilation exhaust radiation are arranged into two one-out of-one trip system logics. One trip system initiates isolation of one automatic isolation valve (damper) and starts one SGT subsystem while the other trip system initiates isolation of the other automatic isolation valve in the penetration and starts the other SGT subsystem. Each (continued)

JAFNPP B 3.3.6.2-1 Revision 0

Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES BACKGROUND logic closes one of the two valves on each penetration and (continued) starts one SGT subsystem, so that operation of either logic isolates the secondary containment and provides for the necessary filtration of fission products.

APPLICABLE The isolation signals generated by the secondary containment SAFETY ANALYSES, isolation instrumentation are implicitly assumed in the LCO, and safety analyses of References 1 and 2 to initiate closure APPLICABILITY of valves and start the SGT System to limit offsite and control room doses.

Refer to LCO 3.6.4.2, "Secondary Containment Isolation Valves (SCIVs)," and LCO 3.6.4.3, "Standby Gas Treatment (SGT) System," Applicable Safety Analyses Bases for more detail of the safety analyses.

The secondary containment isolation instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).

The OPERABILITY of the secondary containment isolation instrumentation is dependent on the OPERABILITY of the individual instrumentation channel Functions. Each Function must have the required number of OPERABLE channels with their setpoints set within the specified Allowable Values, as shown in Table 3.3.6.2-1. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.

Allowable Values are specified for each Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable.

Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process (continued)

JAFNPP B 3.3.6.2-2 Revision 0

Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE parameters obtained from the safety analysis. The trip SAFETY ANALYSES, setpoints are derived from the analytical limits and account LCO, and for all worst case instrumentation uncertainties as APPLICABILITY appropriate (e.g., drift, process effects, calibration (continued) uncertainties, and severe environmental errors (for channels that must function in harsh environments as defined by 10 CFR 50.49)). The trip setpoints derived in this manner provide adequate protection because all expected uncertainties are accounted for. The Allowable Values are then derived from the trip setpoints by accounting for normal effects that would be seen during periodic surveillance or calibration. These effects are instrumentation uncertainties observed during normal operation (e.g., drift and calibration uncertainties).

In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions when SCIVs and the SGT System are required.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

1. Reactor Vessel Water Level -Low (Level 3)

Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result.

An isolation of the secondary containment and actuation of the SGT System are initiated in order to minimize the potential for release of radioactive material and of the resulting offsite and control room dose. The Reactor Vessel Water Level-Low (Level 3) Function is one of the Functions assumed to be OPERABLE and capable of providing isolation and initiation signals. The isolation and initiation systems on Reactor Vessel Water Level-Low (Level 3) support actions to ensure that any offsite releases are within the limits calculated in the safety analysis (Ref. 4).

Reactor Vessel Water Level- Low (Level 3) signals are initiated from level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low (Level 3) Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

(continued)

Revision 0 JAFNPP B 3.3.6.2-3

Secondary Containment Isolation Instrumentation B 3.3.6.2_

BASES APPLICABLE 1. Reactor Vessel Water Level -Low (Level 3) (continued)

SAFETY ANALYSES, LCO, and The Reactor Vessel Water Level -Low (Level 3) Allowable APPLICABILITY Value was chosen to be the same as the RPS level scram Allowable Value (LCO 3.3.1.1, "Reactor Protection System Instrumentation"), since this could indicate that the capability to cool the fuel is being threatened. The Allowable Value is referenced from a level of water 352.56 inches above the lowest point in the inside bottom of the RPV and also corresponds to the top of a 144 inch fuel column (Ref. 8).

The Reactor Vessel Water Level -Low (Level 3) Function is required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists in the Reactor Coolant System (RCS); thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas. In MODES 4 and 5, the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES; thus, this Function is not required. In addition, the Function is also required to be OPERABLE during operations with a potential for draining the reactor vessel (OPDRVs) because the capability of isolating potential sources of leakage must be provided to ensure that offsite and control room dose limits are not exceeded if core damage occurs.

2. Drywell Pressure-High High drywell pressure can indicate a break in the reactor coolant pressure boundary (RCPB). An isolation of the secondary containment and actuation of the SGT System are initiated in order to minimize the potential of an offsite and control room release. The Drywell Pressure-High Function is one of the Functions assumed to be OPERABLE and capable of providing isolation and initiating signals. The isolation and initiation systems on high drywell pressure supports actions to ensure that any offsite and control room releases are within the limits calculated in the safety analysis (Ref. 4).

High drywell pressure signals are initiated from pressure transmitters that sense the pressure in the drywell. Four channels of Drywell Pressure-High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude performance of the isolation function.

(continued)

JAFNPP B 3.3.6.2-4 Revision 0

Secondary Containment Isolation Instrumentation B 3.3.6.2_

BASES APPLICABLE 2. Drywell Pressure-High (continued)

SAFETY ANALYSES, LCO, and The Allowable Value was chosen to be the same as the RPS APPLICABILITY Drywell Pressure-High Function Allowable Value (LCO 3.3.1.1) since this is indicative of a loss of coolant accident (LOCA).

The Drywell Pressure-High Function is required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists in the RCS; thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas. This Function is not required in MODES 4 and 5 because the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES.

3, 4. Reactor Building and Refueling Floor Ventilation Exhaust Radiation -High High secondary containment exhaust radiation is an indication of possible gross failure of the fuel cladding.

The release may have originated from the primary containment due to a break in the RCPB or the refueling floor due to a refueling accident. When Exhaust Radiation-High is detected, secondary containment isolation and actuation of the SGT System are initiated to limit the release of fission products as assumed in the UFSAR safety analyses (Refs. 4 and 5).

The Exhaust Radiation-High signals are initiated from radiation detectors that are located on the ventilation exhaust piping coming from the reactor building and the refueling floor zones. The signal from each detector is input to an individual monitor whose trip outputs are assigned to an isolation channel. Two channels of Reactor Building Ventilation Exhaust Radiation-High Function and two channels of Refueling Floor Ventilation Exhaust Radiation-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Values are chosen to promptly detect gross failure of the fuel cladding and are set in accordance with the ODCM.

(continued)

JAFNPP B 3.3.6.2-5 Revision 0

Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE 3, 4. Reactor Building and Refueling Floor Ventilation SAFETY ANALYSES, Exhaust Radiation- High (continued)

LCO, and APPLICABILITY The Reactor Building and Refueling Floor Ventilation Exhaust Radiation-High Functions are required to be OPERABLE in MODES 1, 2, and 3 where considerable RCS energy exists:

thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas. In MODES 4 and 5, the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES; thus, these Functions are not required. In addition, the Functions are also required to be OPERABLE during CORE ALTERATIONS, OPDRVs, and movement of irradiated fuel assemblies in the secondary containment, because the capability of detecting radiation releases due to fuel failures (due to fuel uncovery or dropped fuel assemblies) must be provided to ensure that offsite and control room dose limits are not exceeded.

ACTIONS A Note has been provided to modify the ACTIONS related to secondary containment isolation instrumentation channels.

Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition.

Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable secondary containment isolation instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable secondary containment isolation instrumentation channel.

A.1 Because of the diversity of sensors available to provide isolation signals and the redundancy of the isolation design, an allowable out of service time of 12 hours0.5 days 0.0714 weeks 0.0164 months for Functions 1 and 2 (which have components common to RPS), and 24 hours1 days 0.143 weeks 0.0329 months for Functions 3 and 4, has been shown to be acceptable (Refs. 6 and 7) to permit restoration of any inoperable channel to OPERABLE status. This out of service time is only acceptable provided the associated Function is still maintaining isolation capability (refer to Required (continued)

JAFNPP B 3.3.6.2-6 Revision 0

Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES ACTIONS A.1 (continued)

Action B.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an isolation), Condition C must be entered and its Required Actions taken.

B.1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a loss of isolation capability for the associated penetration flow path(s) or a loss of initiation capability for the SGT System. A Function is considered to be maintaining secondary containment isolation capability when sufficient channels are OPERABLE or in trip, such that one trip system will generate a trip signal from the given Function on a valid signal. This ensures that one of the two SCIVs in the associated penetration flow path and one SGT subsystem can be initiated on an isolation signal from the given Function.

For the Functions with two two-out-of-two logic trip systems (Functions 1 and 2), this would require one trip system to have both channels OPERABLE or in trip. For Functions 3 and 4, this would require one trip system to have one OPERABLE or tripped channel.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

C.1.1, C.1.2, C.2.1, and C.2.2 If any Required Action and associated Completion Time of Condition A or B are not met, the ability to isolate the secondary containment and start the SGT System cannot be ensured. Therefore, further actions must be performed to (continued)

JAFNPP B 3.3.6.2-7 Revision 0

Secondary Containment Isolation Instrumentation B 3.3.6.Z BASES ACTIONS C.1.1, C.1.2, C.2.1, and C.2.2 (continued) ensure the ability to maintain the secondary containment function. Isolating the associated secondary containment penetration flow path(s) (closing the ventilation supply and exhaust automatic isolation dampers) and starting the associated SGT subsystem (Required Actions C.1.1 and C.2.1) performs the intended function of the instrumentation and allows operation to continue.

Alternately, declaring the associated SCIVs or SGT subsystem(s) inoperable (Required Actions C.1.2 and C.2.2) is also acceptable since the Required Actions of the respective LCOs (LCO 3.6.4.2 and LCO 3.6.4.3) provide appropriate actions for the inoperable components.

One hour is sufficient for plant operations personnel to establish required plant conditions or to declare the associated components inoperable without unnecessarily challenging plant systems.

SURVEILLANCE As noted at the beginning of the SRs, the SRs for each REQUIREMENTS Secondary Containment Isolation instrumentation Function are located in the SRs column of Table 3.3.6.2-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours0.25 days 0.0357 weeks 0.00822 months provided the associated Function maintains secondary containment isolation capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken.

This Note is based on the reliability analysis (Refs. 6 and 7) assumption of the average time required to perform channel surveillance. That analysis demonstrated the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the SCIVs will isolate the associated penetration flow paths and that the SGT System will initiate when necessary.

SR 3.3.6.2.1 Performance of the CHANNEL CHECK once every 12 hours0.5 days 0.0714 weeks 0.0164 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other (continued)

JAFNPP B 3.3.6.2-8 Revision 0

Secondary Containment Isolation Instrumentation B 3.3.6.Z BASES SURVEILLANCE SR 3.3.6.2.1 (continued)

REQUIREMENTS channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Channel agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel status during normal operational use of the displays associated with channels required by the LCO.

SR 3.3.6.2.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days is based on the reliability analysis of References 6 and 7.

(continued)

JAFNPP B 3.3.6.2-9 Revision 0

Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES SURVEILLANCE SR 3.3.6.2.3 and SR 3.3.6.2.5 REQUIREMENTS (continued) A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequencies of SR 3.3.6.2.3 and SR 3.3.6.2.5 are based on the assumption of a 92 day and a 24 month calibration interval, respectively, in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.6.2.4 Calibration of trip units provides a check of the actual trip setpoints. The channel must be declared inoperable if the trip setting is discovered to be less conservative than the Allowable Value specified in Table 3.3.6.2-1. If the trip setting is discovered to be less conservative than accounted for in the appropriate setpoint methodology, but is not beyond the Allowable Value, performance is still within the requirements of the plant safety analysis. Under these conditions, the setpoint must be readjusted to be equal to or more conservative than accounted for in the appropriate setpoint methodology.

The Frequency of 184 days is based on the reliability, accuracy and lower failure rates of the solid-state electronic Analog Transmitters/Trip System components.

SR 3.3.6.2.6 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required isolation logic for a specific channel. The system functional testing performed on SCIVs and the SGT System in LCO 3.6.4.2 and LCO 3.6.4.3 respectively, overlaps this Surveillance to provide complete testing of the assumed safety function.

While this Surveillance can be performed with the reactor at power for some Functions, the 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an (continued)

JAFNPP B 3.3.6.2-10 Revision 0

Secondary Containment Isolation Instrumentation B 3.3.6.2_

BASES SURVEILLANCE SR 3.3.6.2.6 (continued)

REQU IREMENTS unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown that these components usually pass the Surveillance when performed at the 24 month Frequency.

REFERENCES 1. UFSAR, Section 5.3.

2. UFSAR, Chapter 14.

3. 10 CFR 50.36(c)(2)(ii).

4. UFSAR, Section 14.6.1.3.

5. UFSAR, Section 14.6.1.4.

6. NEDC-31677P-A, Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation, July 1990.

7. NEDC-30851P-A, Supplement 2, Technical Specifications Improvement Analysis for BWR Isolation Instrumentation Common to RPS and ECCS Instrumentation, March 1989.

8. Drawing 11825-5.01-15D, Rev. D, Reactor Assembly Nuclear Boiler, (GE Drawing 919D690BD).

B 3.3.6.2-11 Revision 0 JAFNPP

CREVAS System Instrumentation B 3.3.7.1 B 3.3 INSTRUMENTATION B 3.3.7.1 Control Room Emergency Ventilation Air Supply (CREVAS)

System Instrumentation BASES BACKGROUND The CREVAS System is designed to provide a radiologically controlled environment to ensure the habitability of the control room for the safety of control room operators under all plant conditions. Two independent CREVAS subsystems are each capable of fulfilling the stated safety function. The instrumentation for the CREVAS System provides an alarm so that manual action can be taken to place the CREVAS System in the isolate mode of operation to pressurize the control room to minimize the infiltration of radioactive material into the control room environment.

In the event of a Control Room Air Inlet Radiation-High signal, the CREVAS System is manually started in the isolate mode. Air is then drawn in from the air intake source and passes through one of two special filter trains each consisting of a prefilter, a high efficiency (HEPA) filter, two charcoal filters and a second HEPA filter. This air is then combined with recirculated air and directed to one of two control room ventilation fans and directed to the control room to maintain the control room slightly pressurized with respect to the adjacent areas.

The CREVAS System instrumentation consists of a single trip system with one Control Room Air Inlet Radiation-High channel. The channel includes electronic equipment (e.g.,

detector, monitor and trip relay) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs to an alarm in the control room.

APPLICABLE The ability of the CREVAS System to maintain the SAFETY ANALYSES habitability of the control room is explicitly assumed for certain accidents as discussed in the UFSAR safety analyses (Refs. 1, 2, 3, and 4) and further discussed in Reference 5.

CREVAS System operation ensures that the radiation exposure of control room personnel, through the duration of any one of the postulated accidents, does not exceed the limits set by GDC 19 of 10 CFR 50, Appendix A.

(continued)

JAFNPP B 3.3.7.1-1 Revision 0

CREVAS System Instrumentation B 3.3.7.1 BASES APPLICABLE CREVAS System instrumentation satisfies Criterion 3 of SAFETY ANALYSES 10 CFR 50.36(c)(2)(ii) (Ref. 6).

(continued)

LCO The OPERABILITY of the CREVAS System instrumentation is dependent upon the OPERABILITY of the Control Room Air Inlet Radiation-High Function. This Function must have one OPERABLE channel, with its setpoint within the specified Allowable Value. The channel is inoperable if its actual trip setpoint is not within its required Allowable Value.

The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

An Allowable Value is specified for the Control Room Air Inlet Radiation-High Function in SR 3.3.7.1.2. A nominal trip setpoint is specified in the setpoint calculation. The nominal setpoint is selected to ensure that the setpoint does not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., control room air inlet radiation),

and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., output relay) changes state. The analytic limit is derived from the limiting value of the process parameters obtained from the safety analysis. The trip setpoint is derived from the analytical limit and accounts for all worst case instrumentation uncertainties as appropriate (e.g., drift, process effects, calibration uncertainties, and severe environmental errors (for channels that must function in harsh environments as defined by 10 CFR 50.49)). The trip setpoint derived in this manner provides adequate protection because all expected uncertainties are accounted for. The Allowable Value is then derived from the trip setpoint by accounting for normal effects that would be seen during periodic surveillance or calibration. These effects are instrumentation uncertainties observed during normal operation (e.g., drift and calibration uncertainties). The Allowable Value was selected to ensure protection of the control room personnel.

The control room air inlet radiation monitor measures radiation levels in the inlet ducting of the control room.

A high radiation level may pose a threat to control room (continued)

JAFNPP B 3.3.7.1-2 Revision 0

CREVAS System Instrumentation B 3.3.7.1 BASES LCO personnel; thus, an alarm is provided in the control room so (continued) that the CREVAS System can be placed in the isolate mode of operation.

APPLICABILITY The Control Room Air Inlet Radiation-High Function is required to be OPERABLE in MODES 1, 2, and 3 and during CORE ALTERATIONS, OPDRVs, and movement of irradiated fuel assemblies in the secondary containment, to ensure that control room personnel are protected during a LOCA, fuel handling event, or vessel draindown event. During MODES 4 and 5, when these specified conditions are not in progress (e.g., CORE ALTERATIONS), the probability of a LOCA or fuel damage is low; thus, the Function is not required.

ACTIONS A.1 and A.2 With the Control Room Air Inlet Radiation-High Function inoperable one CREVAS subsystem must be placed in the isolate mode of operation per Required Action A.1 to ensure that control room personnel will be protected in the event of a Design Basis Accident. Alternately, if it is not desired to start a CREVAS subsystem, the CREVAS System must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is intended to allow the operator time to place the CREVAS subsystem in operation. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing time for restoration of the channel, for placing one CREVAS subsystem in operation, or for entering the applicable Conditions and Required Actions for two inoperable CREVAS subsystems.

SURVEILLANCE The Surveillances are modified by a Note to indicate that REQUIREMENTS when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours0.25 days 0.0357 weeks 0.00822 months . Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the low probability of an event requiring this Function during this time period and since many other alarms are available to indicate whether a design basis event has occurred.

(continued)

JAFNPP B 3.3.7.1-3 Revision 0

CREVAS System Instrumentation B 3.3.7.1_

BASES SURVEILLANCE SR 3.3.7.1.1 REQUIREMENTS (continued) Performance of the CHANNEL CHECK once every 12 hours0.5 days 0.0714 weeks 0.0164 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Channel agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel status during normal operational use of the displays associated with channels required by the LCO.

SR 3.3.7.1.2 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency is based upon the assumption of a 92 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

REFERENCES 1. UFSAR, Section 14.6.1.2.

2. UFSAR, Section 14.6.1.3.

3. UFSAR, Section 14.6.1.4.

4. UFSAR, Section 14.6.1.5.

5. UFSAR, Section 14.8.2.

6. 10 CFR 50.36(c)(2)(ii).

JAFNPP B 3.3.7.1-4 Revision 0

Condenser Air Removal Pump Isolation Instrumentation B 3.3.7.2-B 3.3 INSTRUMENTATION B 3.3.7.2 Condenser Air Removal Pump Isolation Instrumentation BASES BACKGROUND The condenser air removal pump isolation instrumentation initiates an isolation of the suction and discharge valves of the condenser air removal pumps following events in which main steam line radiation exceeds predetermined values.

Isolating the condenser air removal pump limits the offsite doses in the event of a control rod drop accident (CRDA).

The condenser air removal pump isolation instrumentation (Ref. 1) includes sensors, logic circuits, relays and switches that are necessary to cause initiation of the condenser air removal pumps isolation. The channels include electronic equipment that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs an isolation signal to the condenser air removal pump isolation logic.

The isolation logic consists of two trip systems, with two channels of Main Steam Line Radiation-High in each trip system. Each trip system is a one-out-of-two logic for this Function. Thus, either channel of Main Steam Line Radiation-High in each trip system are needed to trip a trip system. The outputs of the channels in a trip system are combined in a logic so that both trip systems must trip to result in an isolation signal.

There are two isolation valves associated with this function.

APPLICABLE The condenser air removal pump isolation is assumed in the SAFETY ANALYSES safety analysis for the CRDA. The condenser air removal pump isolation instrumentation initiates an isolation of the condenser air removal pump to limit offsite doses resulting from fuel cladding failure in a CRDA (Ref. 2).

The condenser air removal pump isolation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).

LCO The OPERABILITY of the condenser air removal pump isolation is dependent on the OPERABILITY of the individual Main Steam Line Radiation-High instrumentation channels, which must have a required number of OPERABLE channels in each trip (continued)

JAFNPP B 3.3.7.2-1 Revision 0

Condenser Air Removal Pump Isolation Instrumentation B 3.3.7.2 BASES LCO system, with their setpoints within the specified Allowable (continued) Value of SR 3.3.7.2.2. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Channel OPERABILITY also includes the associated isolation valve.

An Allowable Value is specified for the Main Steam Line Radiation-High isolation Function in SR 3.3.7.2.2. A nominal trip setpoint is specified in the setpoint calculations. The nominal setpoint is selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (i.e., Main Steam Line Radiation-High),

and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limit is derived from the limiting values of the process parameters obtained from the safety analysis. The trip setpoint is derived from the analytical limit and accounts for all worst case instrumentation uncertainties as appropriate (e.g., drift, process effects, calibration uncertainties, and severe environmental errors (for channels that must function in harsh environments as defined by 10 CFR 50.49)). The trip setpoint derived in this manner provides adequate protection because all expected uncertainties are accounted for. The Allowable Value is then derived from the trip setpoint by accounting for normal effects that would be seen during periodic surveillance or calibration. These effects are instrumentation uncertainties observed during normal operation (e.g., drift and calibration uncertainties). The Allowable Value was selected to be low enough that a high radiation trip results from the fission products released in the CRDA. In addition, the setting is adjusted high enough above the background radiation level in the vicinity of the main steam lines so that spurious trips are avoided at rated power.

APPLICABILITY The condenser air removal pump isolation is required to be OPERABLE in MODES 1 and 2 when any condenser air removal pump is not isolated and any main steam line not isolated to mitigate the consequences of a postulated CRDA. In this condition fission products released during a CRDA could be discharged directly to the environment. Therefore, (continued)

JAFNPP B 3.3.7.2-2 Revision 0

Condenser Air Removal Pump Isolation Instrumentation B 3.3.7.2 BASES APPLICABILITY condenser air removal pump isolation is necessary to assure (continued) conformance with the radiological evaluation of the CRDA.

In MODE 3, 4 or 5 the consequences of a control rod drop are insignificant, and are not expected to result in any fuel damage or fission product releases. When the condenser air removal pumps or main steam lines are isolated in MODE 1 or 2, fission product releases via this pathway would not occur.

ACTIONS A Note has been provided to modify the ACTIONS related to condenser air removal pump isolation instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition.

Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable condenser air removal pump isolation instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable condenser air removal pump isolation instrumentation channel.

A.1 and A.2 With one or more channels inoperable, but with condenser air removal pump isolation capability maintained (refer to Required Action B.1 Bases), the condenser air removal pump isolation instrumentation is capable of performing the intended function. However, the reliability and redundancy of the condenser air removal pump isolation instrumentation is reduced, such that a single failure in one of the remaining channels could result in the inability of the condenser air removal pump isolation instrumentation to perform the intended function. Therefore, only a limited time is allowed to restore the inoperable channels to OPERABLE status. Because of the low probability of extensive numbers of inoperabilities affecting multiple channels, and the low probability of an event requiring the initiation of condenser air removal pump isolation, 24 hours1 days 0.143 weeks 0.0329 months has been shown to be acceptable (Ref. 4) to permit restoration of any inoperable channel to OPERABLE status.

(continued)

JAFNPP B 3.3.7.2-3 Revision 0

Condenser Air Removal Pump Isolation Instrumentation B 3.3.7.2 BASES ACTIONS A.1 and A.2 (continued)

(Required Action A.1). Alternately, the inoperable channel, or associated trip system, may be placed in trip (Required Action A.2), since this would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. As noted, placing the channel in trip with no further restrictions is not allowed if the inoperable channel is the result of an inoperable isolation valve, since this may not adequately compensate for the inoperable valve (e.g., the valve may be inoperable such that it will not isolate). If it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel would result in loss of condenser vacuum), or if the inoperable channel is the result of an inoperable valve, Condition B must be entered and its Required Actions taken.

B.1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels result in the Function not maintaining condenser air removal pump isolation capability. The Function is considered to be maintaining condenser air removal pump isolation capability when sufficient channels are OPERABLE or in trip such that the condenser air removal pump isolation instruments will generate a trip signal from a valid Main Steam Line Radiation-High signal, and at least one isolation valve will close. This requires one channel of the Function in each trip system to be OPERABLE or in trip, and one condenser air removal pump isolation valve to be OPERABLE.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

C.1, C.2, and C.3 With any Required Action and associated Completion Time of Condition A or B not met, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, the plant must be brought to (continued)

JAFNPP B 3.3.7.2-4 Revision 0

Condenser Air Removal Pump Isolation Instrumentation B 3.3.7.2 BASES ACTIONS C.1, C.2, and C.3 (continued) at least MODE 3 within 12 hours0.5 days 0.0714 weeks 0.0164 months (Required Action C.3).

Alternately, the condenser air removal pumps may be isolated since this performs the intended function of the instrumentation (Required Action C.1). An additional option is provided to isolate the main steam lines (Required Action C.2), which may allow operation to continue.

Isolating the main steam lines effectively provides an equivalent level of protection by precluding fission product transport to the condenser.

The allowed Completion Time of 12 hours0.5 days 0.0714 weeks 0.0164 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions, or to remove the condenser air removal pump from service, or to isolate the main steam lines, in an orderly manner and without challenging plant systems.

SURVEILLANCE The Surveillances are modified by a Note to indicate that REQUIREMENTS when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into the associated Conditions and Required Actions may be delayed for up to 6 hours0.25 days 0.0357 weeks 0.00822 months provided the associated Function maintains condenser air removal pump isolation trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 4) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the condenser air removal pumps will isolate when necessary.

SR 3.3.7.2.1 Performance of the CHANNEL CHECK once every 12 hours0.5 days 0.0714 weeks 0.0164 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect (continued)

JAFNPP B 3.3.7.2-5 Revision 0

Condenser Air Removal Pump Isolation Instrumentation B 3.3.7.2_

BASES SURVEILLANCE SR 3.3.7.2.1 (continued)

REQUIREMENTS gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Channel agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the required channels of this LCO.

SR 3.3.7.2.2 and SR 3.3.7.2.3 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology. SR 3.3.7.2.3, however, is only a calibration of the radiation detectors using a standard radiation source.

As noted for SR 3.3.7.2.2, the main steam line radiation detectors are excluded from CHANNEL CALIBRATION due to ALARA reasons (when the plant is operating, the radiation detectors are generally in a high radiation area; the steam tunnel). This exclusion is acceptable because the radiation detectors are passive devices, with minimal drift. The radiation detectors are calibrated in accordance with SR 3.3.7.2.3 on a 24 month Frequency. The CHANNEL CALIBRATION of the remaining portions of the channel (SR 3.3.6.1.2) are performed using a standard current source.

The Frequency of SR 3.3.7.2.2 is based on the assumption of a 92 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. The Frequency of SR 3.3.7.2.3 is based on the assumption of a 24 month calibration interval in the determination of the magnitude of detector drift in the setpoint analysis.

(continued)

JAFNPP B 3.3.7.2-6 Revision 0

Condenser Air Removal Pump Isolation Instrumentation B 3.3.7.2_

BASES SURVEILLANCE SR 3.3.7.2.4 REQUIREMENTS (continued) The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the pump breakers is included as part of this Surveillance and overlaps the LOGIC SYSTEM FUNCTIONAL TEST to provide complete testing of the assumed safety function. Therefore, if a breaker is incapable of operating, the associated instrument channel(s) would be inoperable.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown these components usually pass the Surveillance when performed at the 24 month Frequency.

REFERENCES 1. UFSAR, Section 10.4.3.1.

2. UFSAR, Section 14.6.1.2.

3. 10 CFR 50.36(c)(2)(ii).

4. NEDC-31677P-A, Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation, July 1990.

JAFNPP B 3.3.7.2-7 Revision 0

Emergency Service Water (ESW) System Instrumentation B 3.3.7.3 B 3.3 INSTRUMENTATION B 3.3.7.3 Emergency Service Water (ESW) System Instrumentation BASES BACKGROUND The purpose of the ESW System instrumentation is to initiate appropriate responses from the system to ensure the ESW safe shutdown loads are cooled following a Design Basis Accident (DBA) or transient coincident with a loss of preferred power. The ESW safe shutdown loads are described in the Bases for LCO 3.7.2, "Emergency Service Water (ESW) System and Ultimate Heat Sink (UHS)".

The ESW System may be initiated by either automatic or manual means. Upon receipt of a loss of power signal as described in the Bases of LCO 3.3.8.1, "Loss of Power (LOP)

Instrumentation," or an ECCS initiation signal as described in the Bases of LCO 3.3.5.1, "Emergency Core Cooling System Instrumentation," the Emergency Diesel Generators (EDGs) will start, which in turn starts the associated ESW pump.

Each ESW pump will automatically pump lake water to the associated EDG cooler. The remaining ESW loads will be automatically cooled when the associated ESW supply header isolation valve opens and the associated ESW minimum flow valve closes. This occurs when the ESW instrumentation initiation logic (known as the ESW lockout matrix) actuates upon low reactor building closed loop cooling water (RBCLCW) pump discharge pressure. In addition, the ESW pumps will automatically start in response to the ESW instrumentation initiation logic.

ESW instrumentation are provided inputs by pressure switches that sense RBCLCW pump discharge pressure. Four channels of ESW instrumentation are provided as input to two one-out-of-two twice initiation logics. Each initiation logic system will open the associated ESW pump discharge header valve, close the minimum flow control valve to ensure cooling water is provided to supply the safe shutdown loads of the ESW System, start the associated ESW pump, and open the associated RBCLCW System discharge valves. However, the opening of the RBCLCW System discharge valves are not required. The opening of these RBCLCW System discharge valves are not necessary since RBCLCW does not cool any safe shutdown loads. Each channel consists of a pressure sensor and switch, that compares measured input signals with pre established setpoints. When the setpoint is exceeded, the channel outputs a RBCLCW pump discharge initiation signal to both ESW initiation logic circuits.

(continued)

JAFNPP B 3.3.7.3-1 Revision 0

Emergency Service Water (ESW) System Instrumentation B 3.3.7.3_

BASES (continued)

APPLICABLE The actions of the ESW System are implicitly assumed in the SAFETY ANALYSES safety analyses of References 1 and 2. The ESW System instrumentation is required to be OPERABLE to support the ESW System. Refer to LCO 3.7.2 for Applicable Safety Analyses Bases of ESW System.

The ESW System instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).

LCO The LCO requires four ESW instrumentation channels, which monitor the RBCLCW pump discharge header pressure, to be OPERABLE. The four channels provide input to both logic systems to ensure that no single instrument failure will prevent ESW from supplying the safe shutdown loads. Each channel must have its setpoint set within the specified Allowable Value of SR 3.3.7.3.1. The Allowable Value is set high enough to ensure logic initiation during a complete loss of the RBCLCW System and low enough to avoid logic initiation during small RBCLCW System pressure transients.

The actual setpoint is calibrated to be consistent with the applicable setpoint methodology assumptions. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.

Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (i.e., RBCLCW pump discharge header pressure), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., pressure switch) changes state.

The analytic limit is derived from the limiting values of the process parameters obtained from the safety analysis or other appropriate documents. The trip setpoint is derived from the analytic limit and accounts for all worst case instrumentation uncertainties as appropriate (e.g., drift, process effects, calibration uncertainties, and severe environmental errors (for channels that must function in harsh environments as defined by 10 CFR 50.49)). The trip setpoints derived in this manner provide adequate protection because all expected uncertainties are accounted for. The Allowable Value is then derived from the trip setpoint by (continued)

JAFNPP B 3.3.7.3-2 Revision 0

Emergency Service Water (ESW) System Instrumentation B 3.3.7.3_

BASES LCO accounting for normal effects that would be seen during (continued) periodic surveillance or calibration. These effects are instrumentation uncertainties observed during normal operation (e.g., drift and calibration uncertainties).

APPLICABILITY The ESW System instrumentation is required to be OPERABLE in MODES 1, 2, and 3 to support the ESW System. (Refer to LCO 3.7.2 for Applicability Bases of ESW System).

ACTIONS A Note has been provided to modify the ACTIONS related to ESW pressure channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable ESW pressure channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable ESW pressure channel.

A.1 Because of the redundancy of the actuation signals, an allowable out of service time of 24 hours1 days 0.143 weeks 0.0329 months is considered to be acceptable to permit restoration of any inoperable channel to OPERABLE status. This out of service time is consistent with the allowed out of service times for other similar Functions in the Technical Specifications. The ESW System instrumentation redundancy is consistent with redundancy of certain ECCS Functions as described in the Bases of LCO 3.5.1, "Emergency Core Cooling System Operating".

This out of service time is only acceptable provided the ESW pressure channels are still maintaining actuation capability (refer to Required Action B.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the Completion Time, the channel must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue with no further (continued)

JAFNPP B 3.3.7.3-3 Revision 0

Emergency Service Water (ESW) System Instrumentation B 3.3.7.3_

BASES ACTIONS A.1 (continued) restrictions. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an ESW System initiation), Condition C must be entered and its Required Action taken.

B.1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels result in redundant automatic initiation capability being lost for both ESW initiation logic systems. The ESW initiation logic systems are considered to be maintaining initiation capability when sufficient channels are OPERABLE or in trip such that one logic system will generate an initiation signal from the given Function on a valid signal.

This will ensure that at least one ESW System will receive an initiation signal.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The Completion Time is acceptable because it minimizes risk while allowing for restoration or tripping of channels.

C.1 If any Required Action and associated Completion Time of Condition A or B are not met, the associated ESW subsystem(s) must be declared inoperable immediately. This declaration also requires entry into applicable Conditions and Required Actions for inoperable ESW subsystem(s) in LCO 3.7.2.

SURVEILLANCE The Surveillances are modified by a Note to indicate that REQUIREMENTS when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours0.25 days 0.0357 weeks 0.00822 months provided the associated Function maintains ESW initiation capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on a reliability analysis assumption that 6 hours0.25 days 0.0357 weeks 0.00822 months is the average (continued)

JAFNPP B 3.3.7.3-4 Revision 0

Emergency Service Water (ESW) System Instrumentation B 3.3.7.3.

BASES SURVEILLANCE time required to perform channel Surveillance. That REQUIREMENTS analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does (continued) not significantly reduce the probability that the ESW initiation will occur when necessary.

SR 3.3.7.3.1 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency is based upon the assumption of a 92 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.7.3.2 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional test performed in LCO 3.7.2 overlaps this Surveillance to provide complete testing of the safety function.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown that these components usually pass the Surveillance when performed at the 24 month Frequency.

REFERENCES 1. UFSAR, Chapter 5.

2. UFSAR, Chapter 14.

3. 10 CFR 50.36(c)(2)(ii).

JAFNPP B 3.3.7.3-5 Revision 0

LOP Instrumentation B 3.3.8.1-B 3.3 INSTRUMENTATION B 3.3.8.1 Loss of Power (LOP) Instrumentation BASES BACKGROUND Successful operation of the required safety functions of the Emergency Core Cooling Systems (ECCS) is dependent upon the availability of adequate power sources for energizing the various components such as pump motors, motor operated valves, and the associated control components. The LOP instrumentation monitors the 4.16 kV emergency buses. The Main Generator (normal), the 115 kV transmission network (reserve), the 345 kV transmission network (backfeed) are the preferred sources of power for the 4.16 kV emergency buses. If the monitors determine that insufficient power is available, the buses are disconnected from these power sources and connected to the onsite emergency diesel generator (EDG) power sources.

Each 4.16 kV emergency bus has its own independent LOP instrumentation and associated trip logic. The voltage for each bus is monitored at two levels, which can be considered as two different types of undervoltage protection Functions:

Loss of Voltage and Degraded Voltage (Ref. 1). Each 4.16 kV Emergency Bus Loss of Voltage Function and Degraded Voltage Function is monitored by two undervoltage relays for each emergency bus. These relay outputs are arranged in a two out-of-two logic configuration for each 4.16 kV Emergency Bus Loss of Voltage and Degraded Voltage Function. The Emergency Bus Undervoltage and Degraded Voltage Function signals provide input to their respective Bus Undervoltage and Degraded Voltage-Time Delay Functions. Each 4.16 kV Emergency Bus has one Loss of Voltage-Time Delay relay. The Degraded Voltage Function utilizes two time delay relays, one time delay for a bus undervoltage (degraded voltage) in conjunction with a loss of coolant accident (LOCA) signal and the other for a bus undervoltage (degraded voltage) without a LOCA (non-LOCA). When a voltage Function setpoint has been exceeded and the respective time delay completed, the time delay relay will start the associated EDG subsystem, trip the associated breakers providing normal, backfeed, or reserve power, trip all associated 4.16 kV motor breakers (after EDG reaches 75% of rated voltage),

initiate EDG breaker close permissive (in conjunction with 90% of rated voltage), and initiate sequential starting of the ECCS pumps if the LOCA signal is present. The sequential starting of the ECCS pumps is not considered part of the LOP Instrumentation and is tested in LCO 3.8.1, "AC Sources-Operating," and LCO 3.8.2, "AC Sources-Shutdown."

(continued)

B 3.3.8.1-1 Revision 0 JAFNPP

LOP Instrumentation B 3.3.8.1 BASES BACKGROUND The channels include electronic equipment (e.g., internal (continued) relay contacts, coils) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a LOP trip signal to the trip logic.

APPLICABLE The LOP instrumentation is required for Engineered SAFETY ANALYSES, Safeguards to function in any accident with a loss LCO, and of the preferred power sources. The required channels of APPLICABILITY LOP instrumentation ensure that the ECCS and other assumed systems powered from the EDGs, provide plant protection in the event of any of the Reference 2 and 3 analyzed accidents in which a loss of all the preferred power sources are assumed. The initiation of the EDGs on loss of all the preferred power sources, and subsequent initiation of the ECCS, ensure that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Accident analyses credit the loading of the EDGs based on the loss of the preferred power sources during a loss of coolant accident. The emergency diesel starting and loading times have been included in the delay time associated with each safety system component requiring EDG supplied power following a loss of the preferred power sources.

The LOP instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 4).

The OPERABILITY of the LOP instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.8.1-1. Each Function must have a required number of OPERABLE channels per 4.16 kV emergency bus, with their setpoints within the specified Allowable Values. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.

The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

The Allowable Values are specified for each Function in the Table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within the Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual (continued)

JAFNPP B 3.3.8.1-2 Revision 0

LOP Instrumentation B 3.3.8.1 BASES APPLICABLE process parameter (e.g., emergency bus voltage via secondary SAFETY ANALYSES, windings), and when the measured output value of the process LCO, and parameter exceeds the setpoint, the associated device (e.g.,

APPLICABILITY internal relay contacts) changes state. The analytic (continued) limits are derived from the limiting values of the process parameters obtained from the design and safety analysis.

The trip setpoints are derived from the analytical limits and account for all worst case instrumentation uncertainties as appropriate (e.g., drift, process effects, calibration uncertainties, and severe environmental errors (for channels that must function in harsh environments as defined by 10 CFR 50.49)). The trip setpoints derived in this manner provide adequate protection because all expected uncertainties are accounted for. The Allowable Values are then derived from the trip setpoints by accounting for normal effects that would be seen during periodic surveillance or calibration. These effects are instrumentation uncertainties observed during normal operation (e.g., drift and calibration uncertainties).

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

1. 4.16 kV Emergency Bus Undervoltage (Loss of Voltage)

Loss of voltage on a 4.16 kV emergency bus indicates that preferred power may be completely lost to the respective emergency bus and is unable to supply sufficient power for proper operation of the applicable equipment. The Loss of Voltage Function is monitored via the secondary windings of two transformers associated with each emergency bus.

Therefore, the power supply to the bus is transferred from the preferred power source to EDG power when the voltage on the bus drops below the Loss of Voltage Function Allowable Values (loss of voltage with a short time delay). This ensures that adequate power will be available to the required equipment.

The 4.16 kV Emergency Bus Undervoltage (Loss of Voltage)

Allowable Value is low enough to prevent spurious power supply transfer, but high enough to ensure that power is available to the required equipment. The Allowable Value corresponds to approximately 71.5% of nominal emergency bus voltage. The Time Delay Allowable Values are long enough to provide time for the preferred power supply to recover to normal voltages, but short enough to ensure that power is available to the required equipment.

(continued)

JAFNPP B 3.3.8.1-3 Revision 0

LOP Instrumentation B 3.3.8.1_

BASES APPLICABLE 1. 4.16 kV Emergency Bus Undervoltage (Loss of Voltage)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY Two channels of 4.16 kV Emergency Bus Undervoltage (Loss of Voltage) Function and one channel of Loss of Voltage-Time Delay per associated emergency bus are required to be OPERABLE when the associated EDG is required to be OPERABLE to ensure that no single instrument failure can preclude the EDG function. Refer to LCO 3.8.1 and LCO 3.8.2 for Applicability Bases for the EDGs.

2. 4.16 kV Emergency Bus Undervoltage (Degraded Voltage)

A reduced voltage condition on a 4.16 kV emergency bus indicates that, while preferred power may not be completely lost to the respective emergency bus, available power may be insufficient for starting large ECCS motors without risking damage to the motors that could disable the ECCS function.

The Degraded Voltage Function is monitored via the secondary windings of two transformers associated with each emergency bus. Therefore, power supply to the bus is transferred from the preferred power source to onsite EDG power when the voltage on the bus drops below the Degraded Voltage Function Allowable Values (degraded voltage with a time delay). This ensures that adequate power will be available to the required equipment.

The 4.16 kV Bus Undervoltage (Degraded Voltage) Allowable Value is low enough to prevent spurious power supply transfer, but high enough to ensure that sufficient power is available to the required equipment. The Allowable Value corresponds to approximately 93% of nominal emergency bus voltage. The Time Delay Allowable Values are long enough to provide time for the preferred power supply to recover to normal voltages, but short enough to ensure that sufficient power is available to the required equipment.

Two channels of 4.16 kV Emergency Bus Undervoltage (Degraded Voltage) Function, one channel of Degraded Voltage-Time Delay (LOCA), and one channel of Degraded Voltage-Time Delay (non-LOCA) per associated bus are required to be OPERABLE when the associated EDG is required to be OPERABLE to ensure that no single instrument failure can preclude the EDG function. Refer to LCO 3.8.1 and LCO 3.8.2 for Applicability Bases for the EDGs.

(continued)

B 3.3.8.1-4 Revision 0 JAFNPP

LOP Instrumentation B 3.3.8.L BASES (continued)

ACTIONS A Note has been provided to modify the ACTIONS related to LOP instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable LOP instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable LOP instrumentation channel.

A.1 With one or more channels of a Function inoperable, the Function is not capable of performing the intended function.

Therefore, only 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is allowed to restore the inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure (within the LOP instrumentation), and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the channel in trip would result in an EDG initiation), Condition B must be entered and its Required Action taken.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

B.1 If any Required Action and associated Completion Time are not met, the associated Function is not capable of performing the intended function. Therefore, the associated EDG(s) is declared inoperable immediately. This requires (continued)

JAFNPP B 3.3.8.1-5 Revision 0

LOP Instrumentation B 3.3.8.1 BASES ACTIONS B.1 (continued) entry into applicable Conditions and Required Actions of LCO 3.8.1 and LCO 3.8.2, which provide appropriate actions for the inoperable EDG(s).

SURVEILLANCE As noted at the beginning of the SRs, the SRs for each LOP REQUIREMENTS instrumentation Function are located in the SRs column of Table 3.3.8.1-1.

SR 3.3.8.1.1 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.8.1.2 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required actuation logic for a specific channel. The system functional testing performed in LCO 3.8.1 and LCO 3.8.2 overlaps this Surveillance to provide complete testing of the assumed safety functions.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown these components usually pass the Surveillance when performed at the 24 month Frequency.

(continued)

JAFNPP B 3.3.8.1-6 Revision 0

LOP Instrumentation B 3.3.8.1_

BASES (continued)

REFERENCES 1. UFSAR, Section 8.6.5.

2. UFSAR, Section 6.4.

3. UFSAR, Section 14.6.

4. 10 CFR 50.36(c)(2)(ii).

JAFNPP B 3.3.8.1-7 Revision 0

RPS Electric Power Monitoring B 3.3.8.2 B 3.3 INSTRUMENTATION B 3.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring BASES BACKGROUND RPS Electric Power Monitoring System is provided to isolate the RPS bus from the motor generator (MG) set or an alternate power supply in the event of overvoltage, undervoltage, or underfrequency. This system protects the loads connected to the RPS bus against unacceptable voltage and frequency conditions (Ref. 1) and forms an important part of the primary success path of the essential safety circuits. Some of the essential equipment powered from the RPS buses includes the RPS logic, scram pilot valve solenoids, and various valve isolation logic.

RPS electric power monitoring assembly will detect any abnormal high or low voltage or low frequency condition in the outputs of the two MG sets or the alternate power supply and will de-energize its respective RPS bus, thereby causing all safety functions normally powered by this bus to de-energize. (Safety functions powered by the RPS buses deenergize to actuate.)

In the event of failure of an RPS Electric Power Monitoring System (e.g., both in-series electric power monitoring assemblies), the RPS loads may experience significant effects from the unregulated power supply. Deviation from the nominal conditions can potentially cause damage to the scram pilot valve solenoids and other Class 1E devices.

In the event of a low voltage condition for an extended period of time, the scram pilot valve solenoids can chatter and potentially lose their pneumatic control capability, resulting in a loss of primary scram action.

In the event of an overvoltage condition, the RPS logic relays and scram pilot valve solenoids may experience a voltage higher than their design voltage. If the overvoltage condition persists for an extended time period, it may cause equipment degradation and the loss of plant safety function.

Two redundant Class 1E circuit breakers are connected in series between each RPS bus and its MG set, and between each RPS bus and its alternate power supply. Each of these circuit breakers has an associated independent set of Class 1E overvoltage, undervoltage, and underfrequency sensing logic. Together, a circuit breaker and its sensing (continued)

JAFNPP B 3.3.8.2-1 Revision 0

RPS Electric Power Monitoring B 3.3.8.2 BASES BACKGROUND logic constitute an electric power monitoring assembly. If (continued) the output of the inservice MG set or alternate power supply exceeds predetermined limits of overvoltage, undervoltage, or underfrequency, a trip coil driven by this logic circuitry opens the circuit breaker, which removes the associated power supply from service.

APPLICABLE The RPS electric power monitoring is necessary to meet the SAFETY ANALYSES assumptions of the safety analyses by ensuring that the equipment powered from the RPS buses can perform its intended function. RPS electric power monitoring provides protection to the RPS and other systems that receive power from the RPS buses, by acting to disconnect the RPS from the power supply under specified conditions that could damage the RPS bus powered equipment.

RPS electric power monitoring satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 2).

LCO The OPERABILITY of each RPS electric power monitoring assembly is dependent on the OPERABILITY of the overvoltage, undervoltage, and underfrequency logic, as well as the OPERABILITY of the associated circuit breaker. Two electric power monitoring assemblies are required to be OPERABLE for each inservice power supply. This provides redundant protection against any abnormal voltage or frequency conditions to ensure that no single RPS electric power monitoring assembly failure can preclude the function of RPS components. Each of the inservice electric power monitoring assembly trip logic setpoints is required to be within the specified Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Allowable Values are specified for each RPS electric power monitoring assembly trip logic (refer to SR 3.3.8.2.2 and SR 3.3.8.2.3). Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual (continued)

JAFNPP B 3.3.8.2-2 Revision 0

RPS Electric Power Monitoring B 3.3.8.2_

BASES LCO process parameter (e.g., overvoltage), and when the measured (continued) output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the design and safety analysis. The trip setpoints are derived from the analytical limits and account for all worst case instrumentation uncertainties as appropriate (e.g., drift, process effects, calibration uncertainties, and severe environmental errors (for channels that must function in harsh environments as defined by 10 CFR 50.49)). The trip setpoints derived in this manner provide adequate protection because all expected uncertainties are accounted for. The Allowable Values are then derived from the trip setpoints by accounting for normal effects that would be seen during periodic surveillance or calibration. These effects are instrumentation uncertainties observed during normal operation (e.g., drift and calibration uncertainties).

The Allowable Values for the instrument settings are based on the RPS providing 2 57 Hz, 120 V +/- 10% (to all equipment), and 115 V +/- 10 V (to scram pilot valve solenoids). The most limiting voltage requirement and associated line losses determine the settings of the electric power monitoring instrument channels. The settings are calculated based on the loads on the buses and RPS MG set or alternate power supply being 120 VAC and 60 Hz.

APPLICABILITY The operation of the RPS electric power monitoring assemblies is essential to disconnect the RPS components from the inservice MG set or alternate power supply during abnormal voltage or frequency conditions. Since the degradation of a non-class 1E source supplying power to the RPS bus can occur as a result of any random single failure, the OPERABILITY of the RPS electric power monitoring assemblies is required when the RPS bus powered components are required to be OPERABLE. This results in the RPS Electric Power Monitoring System OPERABILITY being required in MODES 1 and 2; and in MODES 3, 4, and 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies.

ACTIONS A.1 If one RPS electric power monitoring assembly for an inservice power supply (MG set or alternate) is inoperable, or one RPS electric power monitoring assembly on each (continued)

JAFNPP B 3.3.8.2-3 Revision 0

RPS Electric Power Monitoring B 3.3.8.2_

BASES ACTIONS A.1 (continued) inservice power supply is inoperable, the OPERABLE assembly will still provide protection to the RPS bus under degraded voltage or frequency conditions. However, the reliability and redundancy of the RPS Electric Power Monitoring System is reduced, and only a limited time (72 hours3 days 0.429 weeks 0.0986 months ) is allowed to restore the inoperable assembly to OPERABLE status. If the inoperable assembly cannot be restored to OPERABLE status, the associated power supply(s) must be removed from service (Required Action A.1). This places the RPS bus in a safe condition. An alternate power supply with OPERABLE power monitoring assemblies may then be used to power the RPS bus.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time takes into account the remaining OPERABLE electric power monitoring assembly and the low probability of an event requiring RPS electric power monitoring protection occurring during this period. It allows time for plant operations personnel to take corrective actions or to place the plant in the required condition in an orderly manner and without challenging plant systems.

Alternately, if it is not desired to remove the power supply from service (e.g., as in the case where removing the power supply(s) from service would result in a scram or isolation), Condition C or D, as applicable, must be entered and its Required Actions taken.

B.1 If both power monitoring assemblies for an inservice power supply (MG set or alternate) are inoperable or both power monitoring assemblies in each inservice power supply are inoperable, the system protective function is lost. In this condition, 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is allowed to restore one assembly to OPERABLE status for each inservice power supply. If one inoperable assembly for each inservice power supply cannot be restored to OPERABLE status, the associated power supply(s) must be removed from service within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months (Required Action B.1). An alternate power supply with OPERABLE assemblies may then be used to power one RPS bus.

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is sufficient for the plant operations personnel to take corrective actions and is acceptable because it minimizes risk while allowing time for restoration or removal from service of the electric power monitoring assemblies.

(continued)

JAFNPP B 3.3.8.2-4 Revision 0

RPS Electric Power Monitoring B 3.3.8.2_

BASES ACTIONS B.1 (continued)

Alternately, if it is not desired to remove the power supply(s) from service (e.g., as in the case where removing the power supply(s) from service would result in a scram or isolation), Condition C or D, as applicable, must be entered and its Required Actions taken.

C.1 If any Required Action and associated Completion Time of Condition A or B are not met in MODE 1 or 2, a plant shutdown must be performed. This places the plant in a condition where minimal equipment, powered through the inoperable RPS electric power monitoring assembly(s), is required and ensures that the safety function of the RPS (e.g., scram of control rods) is not required. The plant shutdown is accomplished by placing the plant in MODE 3 within 12 hours0.5 days 0.0714 weeks 0.0164 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

D.1 If any Required Action and associated Completion Time of Condition A or B are not met in MODE 3, 4, or 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, the operator must immediately initiate action to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Required Action D.1 results in the least reactive condition for the reactor core and ensures that the safety function of the RPS (e.g., scram of control rods) is not required. All actions must continue until the applicable Required Actions are completed.

SURVEILLANCE SR 3.3.8.2.1 REQUIREMENTS A CHANNEL FUNCTIONAL TEST is performed on each overvoltage, undervoltage, and underfrequency channel to ensure that the entire channel will perform the intended function. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what (continued)

JAFNPP B 3.3.8.2-5 Revision 0

RPS Electric Power Monitoring B 3.3.8.2_

BASES SURVEILLANCE SR 3.3.8.2.1 (continued)

REQU IREMENTS is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

As noted in the Surveillance, the CHANNEL FUNCTIONAL TEST is only required to be performed while the plant is in a condition in which the loss of the RPS bus will not jeopardize steady state power operation (the design of the system is such that the power source must be removed from service to conduct the Surveillance). The 24 hours1 days 0.143 weeks 0.0329 months is intended to indicate an outage of sufficient duration to allow for scheduling and proper performance of the Surveillance.

The 184 day Frequency and the Note in the Surveillance are based on guidance provided in Generic Letter 91-09 (Ref. 3).

SR 3.3.8.2.2 and SR 3.3.8.2.3 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies that the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency is based on the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.8.2.4 Performance of a system functional test demonstrates that, with a required system actuation (simulated or actual) signal, the logic of the system will automatically trip open the associated electric power monitoring assembly. The system functional test shall include actuation of the protective relays, tripping logic, and output circuit breakers. Only one signal per electric power monitoring (continued)

JAFNPP B 3.3.8.2-6 Revision 0

RPS Electric Power Monitoring B 3.3.8.2_

BASES SURVEILLANCE SR 3.3.8.2.4 (continued)

REQUIREMENTS assembly is required to be tested. This Surveillance overlaps with the CHANNEL CALIBRATION to provide complete testing of the safety function. The system functional test of the Class 1E circuit breakers is included as part of this test to provide complete testing of the safety function. If the breakers are incapable of operating, the associated electric power monitoring assembly would be inoperable.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown that these components usually pass the Surveillance when performed at the 24 month Frequency.

REFERENCES 1. UFSAR, Section 8.9.5.

2. 10 CFR 50.36(c)(2)(ii).

3. NRC Generic Letter 91-09, Modification of Surveillance Interval for the Electric Protective Assemblies in Power Supplies for the Reactor Protection System, June 1991.

JAFNPP B 3.3.8.2-7 Revision 0

v t e Letter Sequence Acceptance Review
TAC:MA5049, (Open)
Initiation Acceptance, Acceptance, Acceptance, Acceptance, Acceptance, Acceptance, Acceptance, Acceptance, Acceptance Administration Meeting Questions Answers Results Approval... Other: ML052060191
MONTHYEAR2002-07-03 [Table View]

ML021970142

Text

Navigation menu

Search