Technical Specification Bases Update Status, Revision 27

ML14339A452
Person / Time
Site:	Beaver Valley
Issue date:	11/24/2014
From:	FirstEnergy Nuclear Operating Co
To:	Office of Nuclear Reactor Regulation
Shared Package
ML14339A419	List: L-14-360, Firstenergy Nuclear Operation Company, Quality Assurance Program Manual, Revision 19 ML14339A408 ML14339A410 ML14339A411 ML14339A412 ML14339A413 ML14339A414 ML14339A415 ML14339A416 ML14339A417 ML14339A418 ML14339A420 ML14339A429 ML14339A430 ML14339A431 ML14339A433 ML14339A434 ML14339A435 ML14339A437 ML14339A438 ML14339A439 ML14339A440 ML14339A451 ML14339A452 ML14339A453 ML14339A454
References
L-14-360
Download: ML14339A452 (686)
v • d • e

Text

{{#Wiki_filter:TECHN ICAL SPECI FICATION BASES UPDATE STATUS UNITS: 1 & 2 Revision No.Change No.Pages lssued lmplementation Date 26 14-184 B 3.3.7-7 B 3.7. rc-12B 3.7.11-1 B 3.7.11-77 t24t14 27 14-228 B 3.8.4-1 B 3.8.4-2 B 3.8.4-3 10t10t14 TECHNICAL SPECIFICATION BASES UPDATE STATUS UNITS: 1 & 2 Revision No.Change No.Pages lssued lmplementation Date 21 12-225 B 3.7.14-3 B 3.7.16-2 10129112 22 12-079 & 12-209 12-079B 3.3.2-28B 3.3.2-29B 3.3.2-30 B 3.3.2-31B 3.3.2-32B 3.3.2-33B 3.3.2-34B 3.3.2-35 B 3.3.2-36 B 3.3.2-37 B 3.3.2-38 B 3.3.2-39B 3.3.2-40B 3.3.2-41B 3.3.2-42B 3.3.2-43B 3.3.2-44 B 3.3.2-45 B 3.3.2-46B 3.3.2-47B 3.3.2-48B 3.3.2-49 B 3.3.2-50B 3.3.2-51B 3.3.2-52 B 3.3.2-53 B 3.3.2-54 11tgt12 23 13-045B 3.8.4-2B 3.8.4-4B 3.8.4-5B 3.8.4-7 B 3.8.4-8 B 3.8.4-9 B 3.8.6-6 5131113 24 13-268 B 3.4.1 0-1 3t19114 25 13-025B 3.8.1-6 B 3.8.1-7B 3.8.1-9B 3.8.1-12 5t23t14 TECHNICAL SPECI FICATIONBASES UPDATE STATUS UNITS: 1 & 2 Revision No.Change No.Pages lssued lmplementation Date 15 10-156B 3.5.1-2B 3.5.1-3 10t22110 16 1 1-065 11-073B 3.6.5-2 B 3.6.6-2B 3.6.7-3 B 3.7.12-3B 3.7.14-1B 3.7.14-2 B 3.7.14-3B 3.7.14-4 B 3.7.14-5B 3.7.14-6B 3.7.14-7B 3.7.14-8B 3.7.15-2 B 3.7.16-1B 3.7.16-2B 3.7 .16-3B 3.7.16-4B 3.7.16-5B 3 7.16-6 6124111 171 1-159 B 3.7.14-BB 3 7 .16-6 12116111 18 11-249B 3.4.1 5-1 B 3.4.15-2 B 3.4.15-3B 3.4 15-4B 3.4 15-5 B 3.4 15-6 1t16t12 19 12-069B 3 8.4-4 B 3 8.4-5B 3 8.4-7B 3.8.4-8B 3.8.4-9 B 3.8.6-6 3t15t12 201 1-088B 3 3.2-15 B 3.6.6-1B 3.6.6-4 B367-2B 3.6.8-1B 3.6.8-2B 3.6.8-3B 3 6.8-4 4120112 TECHNICAL SPECIFICATlON BASES UPDATE STATUS UNITS: 1 & 2 Revision No.Change No.Pages lssued lmplementation Date 1108-1 1 5 B 3.3.1-59B 3.3.2-52 B 3.3.5-7u27 tag 12 09-051 B-i B-ii B-iiiB 3.3.2-15 B 3.6.6-1 B 3.6.6-4B 3.6.7-2B 3.6.8-1 B 3.6.8-2B 3.6.8-3B 3.6.8-4B 3.6.8-5 B 3.6.9-1 B 3.6.9-2B 3.6.9-3 B 3.6.9-4 1y2il49 1309-1 73 B 3.8.1-7 B 3.8.1 -8 B 3.8.1-9B 3.8.1-10

B 3.8.1 -1 1 B 3.8.1-12B 3.8.1-13 B 3.8.1-14 B 3.8.1-15 B 3.8.1 -16B 3.8.1-17B 3.8.1-18 B 3.8.1-19B 3.8.1-20B 3.8.1-21B 3.8.1-22

B 3.8. 1-23B 3.8.1-24 B 3.8.1-25B 3.8. 1-26B 3.8.1-27B 3.8.1-28 1t8110 14 10-054 B 3 0-17 B 3.0-18 B 3.0-19 6117110 TECHN ICAL SPEC I FICATION BASES UPDATE STATUS UNITS: 1 & 2 Revision No.Change No.Pages lssued lmplementation Date 10 07-065 B 3.3.1-35B 3.3.1 -36 B 3.3.1 -39B 3.3.1-40 B 3.3.1 -41 B 3.3.1-42B 3.3.1-43 B 3.3.1-44B 3.3.1-45B 3.3.1-46B 3.3.1-47B 3.3.1-48B 3.3.1-49B 3.3.1-50 B 3.3.1-51B 3.3.1-52B 3.3.1-53B 3.3.1-54 B 3.3.1-55 B 3.3.1-56B 3.3.1-57B 3.3.1-58B 3.3.1-59B 3.3.2-34B 3.3.2-35 B 3.3.2-36B 3.3.2-37B 3.3.2-38B 3.3.2-39B 3.3.2-40B 3.3.2-41 'B 3.3.2-42B 3.3.2-43B 3.3.2-44B 3.3.2-45B 3.3 2-46B 3.3.2-47B 3.3 2-48B 3.3.2-49B 3.3.2-50B 3.3 2-51 B 3.3.2-52 B 3.3.5-4 B 3.3.5-5 B 3.3.5-6B 3.3.5-7 1t27 t?g TECHNICAL SPECIFICATION BASES UPDATE STATUS Revision No.Change No.Pages lssued lmplementation Date 6 (continued) 08-020 B 3.3.241 B 3.3.2-42 B 3.3.2-43B 3.3.2-44 B 3.3.2-45B 3.3.2-46 B 3.3.2-47B 3.3.2-48 B 3.3.2-49 B 3.5.2-10B 3.5.2-11B 3.6.1-2B 3.6.2-2B 3.6.4-1 B 3.6.5-2 B 3.6.5-3 B 3.6.6-2 B 3.6.7-2 B 3.6.7-3 B 3.6.7-4 B 3.6.7-8 4t24i2048 08-075B 3.7.7-3B 3.7.8-3B 3.7.10-1B 3.7.10-2 B 3.7.10-3 B 3.7 10-4 B 3.7 10-5 B 3.7.10-6 B 3.7 10-7B 3.7 10-8 B 3.7 10-9B 3.7.10-10B 3.7 10-11 B 3.7.10-12 6t1U2048 8 08-099B 3.4.16-5 8t20tzaa$08-046 08-081B 3.1 7.1-1B 3 1 7.1-2B 3.1 .7.1-3B 3.1 .7.1-4B 3.1 .7.1-5B 3.1 7.1-6B 3.1 .7.1-7B 3.1 .7.1-8B 3.7 .4-3 B 3.7.4-4 B 3.7.4-5B 3.7.4-6 9t4t2008 TECHN ICAL SPECIFICATION BASES UPDATE STATUS 1 &2 Revision No.Change No.Pages lssued lmplementation Date 3 (continued) 07-14707-147 & 07-156 07-147B 3.6.7-3B 3.6.7-4B 3.6.7-4a B 3.6.7-8 B 3.6.7-8a B 3.6.7-9 1011512047 4 07-103 08-005 B 3.5.1-3 B 3.5.1-6 B 3.8.2-4 3t20t2008 08-017 B 3.7 .14-1B 3.7.14-2 B 3.7.14-3B 3.7.14-4B 3.7.14-5B 3.7.14-6 B 3 7.16-1 B 3.7.16-2 B 3.7.1 6-3 B 3.7.16-5 41112008 08-020B 3 3.2-15

B 3.3.2-16B 3.3.2-17B 3.3.2-18 B 3.3.2-19 B 3.3.2-24B 3.3 2-21B 3.3.2-22 B 3.3.2-23 B332-24 B 3.3.2-25 B 3.3.2-26B 3 3.2-27B 3.3 2-28B 3.3.2-29B 3.3.2-30 B 3.3.2-31B 3.3.2-32B 3.3.2-33B 3.3.2-34B 3.3.2-35B 3.3.2-36

B 3.3.2-37 B 3.3.2-38B 3.3.2-39B 3.3.2-40 4t24t2008 TECHN ICAL SPECI FICATION BASES UPDATE STATUS UNITS: 1 & 2 Revision No.Change No.Pages lssued lmplementation Date N/A All previous Change NumbersAll Technical Specification Bases pages Prior to 612312007 0 1-031 12-035All lmproved Technical Specification Bases pages 6t2312007 1 07 -087B 3.8.3-5 B 3.8.3-6B 3.8.3-7B 3.8.3-8 B 3.8.9-9 9t18t2007 07-151 07-068 07-151 B-i B 3.0-1B 3.0-1 1B 3.0-12 B 3.0-13B 3.0-14 B 3.0-15 B 3.0-16B 3.0-17B 3.0-18 B 3.0-19 B 3.0-20 B 3.0-21 10t12120a7 07-14707-147 & 07-156 B 3.3.2-9B 3.3.2-14 B 3.3.2-14aB 3.3.2-14bB 3.3.2-14cB 3.3.2-15B 3.3.2-16 B 3.3.2-19 B 3.3.2-20B 3.3 2-28B 3.3.2-34 B 3.3.2-38B 3.5 2-11B 3.6 1-2B 3.6.2-2B 3.6.4-1 B 3.6.5-2B 3.6.6-2 B 3.6.7-1 B 3.6.7-2 10t1512007 TECHNICAL SPECIFICATION BASES LIST OF EFFECTIVE PAGESRevision No. Page B-i B-ii B-iiiB 2.1.1-1 B 2.1.1-2 B 2.1.1-3B 2.1.2-1 B 2.1.2-2B 2.1.2-3 B 3.0-1 B 3.0-2 B 3.0-3 B 3.0-4 B 3.0-5 B 3.0-6 B 3.0-7 B 3.0-8 B 3.0-9B 3.0-10 B 3.0-1 1 B 3.0-12 B 3.0-13 B 3.0-14B 3.0-15 B 3.0-16 B 3.0-17 B 3.0-18 B 3.0-19 B 3.0-20 B 3.0-21 B 3.1 .1-1 B 3.1.1-2 B 3.1.1-3 B 3.1 .1-4 B 3.1 .1 -5 B 3.1.2-1 B 3.1.2-2 B 3.1 .2-3 B 3.1.2-4 B 3.1 .2-5 B 3.1.3-1 B 3.1 .3-2 B 3.1 .3-3 B 3.1 .3-4 B 3.1.3-5 B 3.1.3-6 B 3.1.3-7B 3.1 .4-1 Beaver Valley Units 1Revision 13 Revision 13 Revision 13 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0Revision 0Revision 2 Revision 0 Revision 0 Revision 0Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 2 Revision 2Revision 2 Revision 2 Revision 2 Revision 2Revision 14Revision 14Revision 14Revision 2Revision 2 Revision 0 Revision 0 Revision 0 Revision 0Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0Revision 0Revision 0 Revision 0 Revision 0 Revision 0 Paqe B 3.1.4-2B 3.1 .4-3B 3.1.4-4 B 3.1 .4-5B 3.1 .4-6 B 3.1.4-7 B 3.1 .4-8B 3.1 .4-9B 3.1 .4-10B 3.1 .5-1 B 3.1.5-2B 3.1 .5-3 B 3.1 .5-4B 3.1 .6-1 B 3.1 .6-2B 3.1 .6-3 B 3.1 .6-4B 3.1 .6-5 B 3.1 .6-6B 3.1 .6-7 B 3.1 .7.1-1 B 3.1 .7 .1-2B 3.1 .7 .1-3

B 3.1 .7.1-4 B 3.1 .7.1-5B 3. 1 .7 .1-6B 3.1 .7.1-7 B 3.1 .7.1-8 B 3.1.7.2-1B 3.1 .7.2-2 B 3.1 .7 .2-3B 3.1 .7 .2-4 B 3.1 .7.2-5 B 3.1 .7.2-6 B 3.1 .8-1 B 3.1 .8-2B 3.1 .8-3 B 3.1 .9-1 B 3.1 .9-2 B 3.1 .9-3 B 3.1 .9-4B 3.1 .9-5 B 3.1 .1 0-1 B 3.1 10-2B 3.1 .10-3 B 3.1 JA-4B 3.1 .1 0-5 Revision No.Revision 0Revision 0 Revision 0Revision 0

Revision 0Revision 0Revision 0Revision 0Revision 0 Revision 0Revision 0Revision 0Revision 0Revision 0Revision 0Revision 0 Revision 0Revision 0 Revision 0 Revision 0Revision 9Revision 9 Revision 9Revision 9 Revision 9 Revision 9Revision 9Revision 9Revision 0Revision 0Revision 0Revision 0Revision 0 Revision 0Revision 0 Revision 0 Revision 0Revision 0 Revision 0 Revision 0Revision 0Revision 0 Revision 0Revision 0Revision 0 Revision 0 Revision 0and 2B EP-1 Revision 27 LIST OF EFFECTIVE PAGES Paqe B 3.2.1-1 B 3.2.1-2 B 3.2.1-3 B 3.2.1-4 B 3.2.1-5 B 3.2.1-6 B 3.2.1-7 B 3.2.1-8 B 3.2.1-9 B 3.2.1-10 B 3.2.2-1 B 3.2.2-2 B 3.2.2-3 B 3.2.2-4 B 3.2.2-5B 3.2.2-6 B 3.2.3-1 B 3.2.3-2 B 3.2.3-3 B 3.2.3-4 B 3.2.3-5 B 3.2.4-1 B 3.2.4-2 B 3.2.4-3 B 3.2.4-4 B 3.2.4-5 B 3.2.4-6 B 3.3.1-1 B 3.3.1-2 B 3.3.1-3 B 3.3.1-4 B 3.3.1-5 B 3 3.1-6 B 3.3.1-7 B 3.3.1-8B 3.3.1-9 B 3 3.1 -10 B 3 3.1-1 1 B 3 3.1-12 B 3.3.1-13 B 3 3.1-14 B 3 3.1-15 B 3.3.1-16B 3 3.1-17 B 3.3.1-18 B 3.3.1-19 B 3 3.1-20 B 3 3.1-21 B 3 3.1-22 B 3.3.1-23 B 3 3.1-24B 3 3.1-25 B 3 3.1-26 Beaver Valley Units 1 Revision No.Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0Revision 0 Revision 0 Revision 0and 2 PaqeB 3.3.1-27B 3.3.1-28 B 3.3.1-29 B 3.3.1-30B 3.3.1-31B 3.3.1-32B 3.3.1-33B 3.3.1-34 B 3.3.1-35 B 3.3.1-36B 3.3.1-37 B 3.3.1-38B 3.3.1-39 B 3.3.1-40 B 3.3.1-41B 3.3.1-42 B 3.3.1-43B 3.3.1-44 B 3.3.1-45B 3.3.1-46

B 3.3.1-47B 3.3.1-48B 3.3.1-49 B 3.3.1-50B 3.3.1 -51B 3.3.1-52 B 3.3.1-53 B 3.3.1-54B 3.3.1-55B 3.3.1-56 B 3.3.1-57B 3 3.1-58B 3.3.1-59 B 3.3.2-1 B 3.3.2-2B 3 3.2-3B 3.3.2-4B 3.3.2-5B 3.3.2-6B 3.3 2-7B 3.3.2-8 B 3.3.2-9 B 3.3.2-10B 3 3 2-11 B 3 3.2-12B 3.3.2-13B 3 3.2-14 B 3.3.2-15 B 3.3.2-16 B 3.3.2-17B 3.3 2-18B 3 3.2-19B 3 3.2-20 B 3.3.2-21 B 3.3.2-22B 3 3.2-23B EP-2Revision 0Revision 0 Revision 0Revision 0Revision 0 Revision 0Revision 0 Revision 0Revision 10 Revision 10Revision 0Revision 0 Revision 10Revision 10Revision 10 Revision 10 Revision 10 Revision 10Revision 10 Revision 10Revision 10 Revision 10 Revision 10 Revision 10 Revision 10 Revision 10Revision 10 Revision 10 Revision 10 Revision 10 Revision 10 Revision 10 Revision 11Revision 0Revision 0 Revision 0Revision 0Revision 0 Revision 0Revision 0 Revision 0 Revision 3 Revision 0 Revision 0 Revision 0Revision 0 Revision 3 Revision 20 Revision 6 Revision 6 Revision 6 Revision 6 Revision 6 Revision 6 Revision 6 Revision 6 Revision 27 LIST OF EFFECTIVE PAGES Paqe B 3.3.2-24 B 3.3.2-25 B 3.3.2-26B 3.3.2-27 B 3.3.2-28B 3.3.2-29 B 3.3.2-30 B 3.3.2-31 B 3.3.2-32 B 3.3.2-33 B 3.3.2-34 B 3.3.2-35 B 3.3.2-36 B 3.3.2-37B 3.3.2-38

B 3.3.2-39 B 3.3.2-40 B 3.3.2-41 B 3.3.2-42 B 3.3.2-43 B 3.3.2-44 B 3.3.2-45 B 3.3.2-46B 3.3.2-47 B 3.3.2-48B 3.3.2-49B 3.3.2-50 B 3.3.2-51 B 3.3.2-52 B 3.3.2-53 B 3.3.2-54 B 3.3.3-1 B 3.3.3-2 B 3.3.3-3 B 3.3.3-4B 3.3.3-5 B 3.3.3-6 B 3.3.3-7 B 3.3.3-g ,B 3.3.3-9 B 3.3.3-10 B 3.3.3-11 B 3.3.3-12 B 3.3.3-13 B 3.3.3-14 B 3 3.3-15 B 3.3.3-16B 3.3.3-17 B 3.3.3-18 B 3.3.4-1 B 3.3.4-2B 3.3.4-3 B 3.3.4-4B 3.3.4-5 B 3.3.4-6 Beaver Valley Units 1Revision No. Revision 6 Revision 6 Revision 6 Revision 6Revision 22 Revision 22Revision 22Revision 22

Revision 22 Revision 22 Revision 22 Revision 22 Revision 22 Revision 22 Revision 22Revision 22Revision 22Revision 22 Revision 22 Revision 22Revision 22 Revision 22Revision 22

Revision 22Revision 22 Revision 22 Revision 22 Revision 22Revision 22Revision 22 Revision 22 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 and 2 Paqe B 3.3.5-1B 3.3.5-2B 3.3.5-3 B 3.3.5-4B 3.3.5-5B 3.3.5-6 B 3.3.5-7B 3.3.6-1 B 3.3.6-2B 3.3.6-3 B 3.3.6-4B 3.3.6-5 B 3.3.6-6B 3.3.7-1 B 3.3.7-2 B 3.3.7-3 B 3.3.7-4 B 3.3.7-5B 3.3.7-6 B 3.3.7-7 B 3.3.8-1B 3.3.8-2B 3.3.8-3B 3.3.8-4 B 3.3.8-5 B 3.4.1-1B 3 4.1-2B 3 4.1-3B 3.4.1-4 B 3 4.1-5 B 3.4.2-1 B 3.4.2-2B 3.4.2-3B 3.4.3-1 B 3.4.3-2 B 3.4.3-3B 3.4 3-4 B 3 4.3-5B 3 4.3-6 B 3.4.4-1B 3.4.4-2B 3.4.4-3 B 3.4.5-1 B 3.4.5-2B 3.4.5-3B 3 4.5-4 B 3.4.5-5B 3 4.5-6B EP-3Revision No.Revision 0Revision 0Revision 0Revision 10 Revision 10 Revision 10 Revision 11Revision 0Revision 0Revision 0Revision 0Revision 0Revision 0 Revision 0Revision 0Revision 0Revision 0Revision 0Revision 0 Revision 26Revision 0 Revision 0 Revision 0Revision 0Revision 0Revision 0Revision 0Revision 0 Revision 0Revision 0 Revision 0 Revision 0Revision 0Revision 0 Revision 0Revision 0Revision 0Revision 0Revision 0 Revision 0Revision 0 Revision 0 Revision 0Revision 0Revision 0 Revision 0Revision 0Revision 0 Revision 27 LIST OF EFFECTIVE PAGES Paqe B 3.4.6-1 B 3.4.6-2 B 3.4.6-3 B 3.4.6-4 B 3.4 .7 -1B 3.4.7-2 B 3.4.7-3 B 3.4.7 -4 B 3.4.7 -5B 3.4.8-1 B 3.4.8-2 B 3.4.8-3 B 3.4.9-1B 3.4.9-2 B 3.4.9-3 B 3.4.9-4 B 3.4.1 0-1 B 3.4.10-2 B 3.4.10-3 B 3.4.10-4 B 3.4.11-1 B 3 4.11-2 B 3.4.1 1-3B 3.4.11-4 B 3.4.11-5B 3.4.11-6B 3.4.11-7 B 3.4.11-8 B 3.4.12-1 B 3.4.12-2 B 3.4.12-3 B 3 4.12-4 B 3.4.12-5 B 3 4.12-6 B 3.4.12-7 B 3.4.12-B B 3 4.12-9 B 3.4.12-10B 3.4.12-11 B 3 4.12-12 B 3.4.13-1 B 3.4.13-2B 3.4 13-3 B 3 4.13-4 B 3.4.1 3-5 B 3.4.1 3-6 B 3 4.13-7 B 3 4.14-1Beaver Valley Units 1 Revision No.Revision 0 Revision 0Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0Revision 24

Revision 0Revision 0 Revision 0 Revision 0 Revision 0Revision 0

Revision 0 Revision 0 Revision 0Revision 0 Revision 0 Revision 0 Revision 0Revision 0

Revision 0Revision 0

Revision 0 Revision 0 Revision 0 Revision 0 Revision 0Revision 0 Revision 0Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 and 2 Paqe B 3.4.14-2B 3.4.14-3 B 3.4.14-4B 3.4.14-5B 3.4.1 5-1 B 3.4.15-2 B 3.4.15-3B 3.4.15-4B 3.4.1 5-5 B 3.4.1 5-6 B 3.4.16-1B 3.4.16-2 B 3.4.16-3 B 3.4.16-4B 3.4.16-5B 3.4.17 -1 B 3.4. 17 -2B 3.4.17-3B 3.4.1 8-1B 3.4.18-2B 3.4.1 8-3B 3.4.19-1B 3.4.19-2 B 3.4. 1 9-3B 3.4.19-4B 3.4.20-1 B 3.4.24-2B 3.4.20-3 B 3.4.24-4 B 3.4.20-5B 3.4.20-6B 3 4.20-7B 3.4.20-8B 3.5.1-1B 3.5.1-2B 3.5.1-3B 3.5.1 -4B 3.5 1-5B 3.5.1-6B 3.5.1-7B 3.5.2-1B 3.5 2-2 B 3.5.2-3B 3.5 2-4 B352-5 B 3.5.2-6B 3.5.2-7B 3.5 2-8B 3.5 2-9 B EP-4 Revision No.Revision 0Revision 0Revision 0 Revision 0Revision 18

Revision 18 Revision 18 Revision 18 Revision 18 Revision 18Revision 0 Revision 0Revision 0Revision 0Revision 8 Revision 0Revision 0Revision 0Revision 0 Revision 0Revision 0 Revision 0Revision 0 Revision 0 Revision 0 Revision 0Revision 0 Revision 0 Revision 0 Revision 0Revlsion 0Revrsion 0Revision 0Revision 0 Revision 15 Revision 15 Revision 0Revision 0 Revision 4 Revision 0Revision 0Revision 0 Revision 0Revision 0Revision 0

Revision 0 Revision 0Revision 0Revlsion 0 Revision 27 L]ST OF EFFECTIVE PAGES Revision No.Paqe B 3.5.2-10 B 3.5.2-1 1 B 3.5.3-1 B 3.5.3-2 B 3.5.3-3 B 3.5.4-1 B 3.5.4-2 B 3.5.4-3 B 3.5.4-4 B 3.5.4-5 B 3.5.4-6 B 3.5.5-1 B 3.5.5-2 B 3.5.5-3 B 3.5.5-4 B 3.6.1-1 B 3.6.1-2 B 3.6.1 -3 B 3.6.1-4 B 3.6.2-1 B 3.6.2-2 B 3.6.2-3 B 3.6.2-4 B 3.6.2-5 B 3.6.2-6 B 3.6.3-1 B 3.6.3-2 B 3.6.3-3 B 3.6.3-4 B 3.6.3-5 B 3.6.3-6 B 3.6.3-7 B 3.6 3-8 B 3.6.3-9 B 3.6.3-10 B 3.6.3-1 1 B 3.6.4-1 B 3.6 4-2 B 3.6.4-3 B 3.6.5-1 B 3.6.5-2 B 3.6.5-3 B 3.6.5-4 B 3.6.6-1 B 3.6 6-2 B 3.6.6-3 B 3.6.6-4 B 3 6.6-5 Beaver Valley Units 1 Revision No.Revision 0Revision 3Revision 20 Revision 16Revision 6Revision 0 Revision 0Revision 0Revision 6Revision 3 Revision 20Revision 20 Revision 20 Revision 20Revision 0Revision 0Revision 0Revision 0Revision 0Revision 0Revision 0 Revision 0Revision 0 Revision 0Revision 0Revision 0 Revision 0 Revision 0Revision 0Revision 0

Revision 0Revision 0Revision 0 Revision 0Revision 9 Revision 9Revision 9Revision 9 Revision 0Revision 0Revision 0Revision 0 Revision 0Revision 0Revision 0Revision 0Revision 0Revision 0 Revision 0 Revision 0Revision 27 Revision 6 Revision 6 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 6Revision 0

Revision 0 Revision 0 Revision 6 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 6 Revision 0 Revision 0 Revision 0Revision 16 Revision 6 Revision 0Revision 20Revision 16 Revision 0Revision 20 Revision 0 PaqeB 3.6.6-6B 3.6.7-1 B 3.6.7-2 B 3.6.7-3B 3.6.7-4B 3.6.7-5 B 3.6.7-6B 3.6.7-7 B 3.6.7-8 B 3.6.7-9B 3.6.8-1 B 3.6.8-2 B 3.6.8-3 B 3.6.8-4 B 3.7.1-1B 3.7.1-2 B 3.7.1-3B 3.7.1-4 B 3.7.1-5 B 3.7.1-6 B 3.7.1-7B 3.7.2-1 B 3.7.2-2B 3.7.2-3 B 3.7.2-4 B 3.7.2-5B 3.7.2-6 B 3.7.3-1 B 3.7.3-2 B 3.7.3-3 B 3.7.3-4 B 3.7.3-5 B 3.7.4-1B 3.7 .4-Z B 3.7.4-3B 3.7.4-4 B 3.7.4-5B 3.7.4-6B 3.7.5-1B 3.7 5-2 B 3.7.5-3B 3.7.5-4 B 3.7.5-5 B 3.7.5-6 B 3.7.5-7B 3.7.5-8 B 3.7.5-9 B 3.7.5-10 B 3.7.5-11 B 3.7.5-12B EP-sand 2 L]ST OF EFFECTIVE PAGES Paqe B 3.7.6-1 B 3.7.6-2 B 3.7.6-3 B 3.7 .7 -1 B 3.7.7-2 B 3.7.7-3 B 3.7.7-4 B 3.7.8-1 B 3.7.8-2 B 3.7.8-3 B 3.7.8-4 B 3.7.9-1 B 3.7.9-2 B 3.7.9-3 B 3.7.1 0-1B 3.7.10-2 B 3.7.10-3 B 3.7.10-4 B 3.7.10-5 B 3.7.10-6 B 3.7.10-7 B 3.7.1 0-8 B 3.7.10-9 B 3.7.10-10 B 3.7 .10-1 1 B 3.7.10-12 B 3.7.11-1 B 3.7.11-2 B 3.7.11-3 B 3.7.11-4 B 3.7.11-5 B 3.7.11-6 B 3.7 11-7 B 3.7 .12-1 B 3.7 .12-2 B 3.7.12-3 B 3.7.12-4 B 3.7.12-5 B 3.7.12-6 B 3.7.13-1 B 3.7 .13-2 B 3.7.13-3 B 3.7.14-1 B 3.7. 14-2 B 3.7.14-3 B 3.7 14-4 B 3.7.14-5 B 3.7.14-6 Beaver Valley Units 1 Revision No.Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 7 Revision 0 Revision 0 Revision 0Revision 7 Revision 0 Revision 0 Revision 0 Revision 0Revision 7 Revision 7Revision 7Revision 7Revision 7 Revision 7Revision 7Revision 7 Revision 7Revision 7 Revision 7 Revision 26 Revision 26 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0Revision 26 Revision 0 Revision 0Revision 16 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 16Revision 16Revision 21 Revision 16Revision 16Revision 16and 2 PaqeB 3.7.14-7 B 3.7.14-8 B 3.7.15-1B 3.7.15-2B 3.7.15-3 B 3.7.16-1 B 3.7.16-2 B 3.7.16-3B 3.7.16-4 B 3.7.16-5B 3.7.1 6-6B 3.8.1-1 B 3.8.1-2 B 3.8.1-3B 3.8.1-4 B 3.8.1-5B 3.8.1 -6 B 3.8.1-7 B 3.8.1-8 B 3.8.1-9 B 3.8.1-10B 3.8.1-11B 3.8.1-12B 3.8.1-13B 3.8.1-14B 3.8.1-15B 3.8.1-16 B 3.8.1-17 B 3.8.1-18 B 3.8.1-19 B 3 8.1-20B 3.8.1-21B 3 8.1-22 B 3.8.1-23 B 3.8.1-24 B 3.8.1-25B 3.8.1-26B 3.8.1-27B 3.8.1-28B 3 8.2-1 B 3.8.2-2 B 3.8.2-3 B 3.8.2-4 B 3.8.2-5B 3.8.2-6 B 3.8.2-7B 3.8.3-1 B 3.8.3-2B 3.8.3-3 B 3.8.3-4 B 3.8.3-5B 3.8.3-6 B EP-6 Revision No.Revision 16 Revision 17Revision 0 Revision 16Revision 0 Revision 16 Revision 21 Revision 16Revision 16 Revision 16 Revision 17Revision 0 Revision 0Revision 0Revision 0Revision 0 Revision 25 Revision 25 Revision 13Revision 25 Revision 13 Revision 13Revision 25 Revision 13 Revision 13 Revision 13 Revision 13 Revision 13 Revision 13 Revision 13 Revision 13 Revision 13 Revision 13 Revision 13 Revision 13 Revision 13 Revision 13 Revision 13 Revision 13Revision 0 Revision 0 Revision 0 Revision 4 Revision 0 Revision 0 Revision 0Revision 0 Revision 0 Revision 0 Revlsion 0 Revision 1 Revision 1 Revision 27 LIST OF EFFECTIVE PAGESRevision No. PaqeB 3.8.3-7 B 3.8.3-8 B 3.8.4-1 B 3.8.4-2 B 3.8.4-3 B 3.8.4-4B 3.8.4-5 B 3.8.4-6 B 3.8.4-7 B 3.8.4-8 B 3.8.4-9 B 3.8.5-1 B 3.8.5-2 B 3.8.5-3 B 3.8.5-4 B 3.8.6-1 B 3.8.6-2 B 3.8.6-3 B 3.8.6-4 B 3.8.6-5 B 3.8.6-6 B 3.8.6-7B 3.8.6-8B 3.8.7-1B 3.8.7-2B 3.8.7-3B 3.8.7 -4 B 3.8.8-1B 3.8.8-2B 3.8.8-3B 3.8.8-4B 3.8.9-1B 3.8.9-2B 3.8.9-3B 3.8.9-4B 3.8.9-5B 3.8.9-6 B 3.8.9-7 B 3.8.9-8 B 3.8.9-9 B 3.8.10-1 B 3.8.10-2 B 3.8 10-3 B 3.8.10-4 B 3.9.1-1 B 3.9.1 -2 B 3.9.1-3 B 3.9. 1 -4 Revision No.Revision 0 Revision 0 Revision 0Revision 0Revision 0Revision 0 Revision 0Revision 0Revision 0Revision 0Revlsion 0Revision 0 Revision 0Revision 0Revision 0Revision 0Revision 0Revision 0Revision 0Revision 0Revision 0 Revision 1 Revision 1Revision 27Revision 27 Revision 27 Revision 23 Revision 23 Revision 0 Revision 23Revision 23 Revision 23 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 23 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 Revision 0Revision 1 Revision 0 Revision 0 Revision 0Revision 0 Revision 0 Revision 0 Revision 0 Revision 0 PaqeB 3.9.2-1B 3.9.2-2 B 3.9.2-3 B 3.9.3-1 B 3.9.3-2B 3.9.3-3B 3.9.3-4 B 3.9.3-5 B 3.9.3-6 B 3.9.3-7B 3.9.4-1 B 3.9.4-2B 3.9.4-3 B 3.9.4-4 B 3.9.5-1 B 3.9.5-2 B 3.9.5-3B 3.9.5-4 B 3.9.5-5B 3.9.6-1B 3.9.6-2 Revision 0 Revision 0 Revision 0 Revision 0Beaver Valley Units 1 and 2B EP-7 Revision 27 TECHNICAL SPECIFICATION BASES TABLE OF CONTENTSPage No.B 2.0 SAFETY LIMITS (SLs)B 2.1 .1 Reactor Core SLs . ....... B 2.1 .1-1B 2.1.2 Reactor Coolant System (RCS) Pressure SL.... .... B 2.1.2-1 B 3.0 LIMTTTNG CONDTTTON FOR OPERATlON (LCO) APPLTCABTLTTY .. B 3.0-1 B 3.0 SURVETLLANCE REQUTREMENT (SR) AppLtCABrLrTy .. B 3.0-16 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.1 Shutdown Margin (SDM) ...... B 3.1.1-1 B 3.1.2 Core Reactivity. ... B 3.1.2-1 B 3.1.3 Moderator Temperature Coefficient (MTC) . B 3.1.3-1 B 3.1.4 Rod Group Alignment Limits ..... .... B 3.1.4-1 B 3.1.5 Shutdown Bank lnsertion Limits .... B 3.1.5-1 B 3.1 .6 Control Bank lnsertion Limits B 3.1 .6-1B 3.1.7 Rod Position Indication B 3.1 .7.1-1 B 3.1.7.1 Unit 1 Rod Position Indication B 3.1.7.1-1 B 3.1.7.2 Unit 2 Rod Position Indication B 3.1 .7.2-1 B 3.1.8 Unborated Water Source lsolation Valves. .... B 3.1 .8-1B 3.1.9 PHYSICS TESTS Exceptions - MODE2.. ..... B 3.1.9-1 B 3.1.10 RCS Boron Limitations < 500'F .... B 3.1.10-1 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.1 Heat Flux Hot Channel Factor (Fq(Z)) ... B 3.2.1-1 B 3.2.2 Nuclear Enthalpy Rise Hot Channel Factor (FNIH). B 3.2.2-1B 3.2.3 AXIAL FLUX DTFFERENCE (AFD) . ..... B 3.2.3-1B 3.2.4 QUADRANT POWER TILT RATTO (OPTR) .. B 3.2.4-1B 3.3 INSTRUMENTATION B 3.3.1 Reactor Trip System (RTS) Instrumentation B 3.3.1-1 B 3.3.2 Engineered Safety Feature Actuation System (ESFAS)Instrumentation B 3.3.2-1Post Accident Monitoring (PAM) Instrumentation .. B 3.3.3-1 Remote Shutdown System .... B 3.3.4-1 Loss of Power (LOP) Diesel Generator (DG) Start and BusSeparation Instrumentation ..... B 3.3.5-1Unit 2 Containment Purge and Exhaust lsolation lnstrumentation........ B 3.3.6-1Control Room Emergency Ventilation System (CREVS)Actuation lnstrumentation B 3.3.7-1 Boron Dilution Detection Instrumentation ...... B 3.3.8-1B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.1 RCS Pressure, Temperature, and Flow Departure fromNucleate Boiling (DNB) Limits . B 3.4.1-1RCS Minimum Temperature for Criticality ..... B 3.4.2-1RCS Pressure and Temperature (P/T) Limits. ....... B 3.4.3-1RCS Loops - MODES 1 and 2..... .. B 3.4.4-1RCS Loops - MODE 3..... ...... B 3.4.5-1 B 3.3.3 B3.34B 3.3.5B 3.3.6B 3.3.7B 3.3.8 B 3.4.2 B 3.4.3B 3.4.4 B 3.4.5 Beaver Valley Units 1 and 2 B-i Revision 13 TECHNICAL SPECIFICATION BASES TABLE OF CONTENTSPage No.B 3.4 REACTOR COOLANT SYSTEM (RCS) (continued) B 3.4.6 RCS Loops - MODE 4...... .... B 3.4.6-1B 3.4.7 RCS Loops - MODE 5, Loops Filled ...... B 3.4.7-1 B 3.4.8 RCS Loops - MODE 5, Loops Not Filled ....... B 3.4.8-1 B 3.4.9 Pressurizer.... ...... B 3.4.9-1 B 3.4.10 Pressurizer Safety Valves .. B 3.4.10-1 B 3.4.1 1 Pressurizer Power Operated Relief Valves (PORVs) .. B 3.4.11-1 B 3.4.12 Overpressure Protection System (OPPS) .... B 3.4.12-1 B 3.4.13 RCS Operational LEAKAGE.. B 3.4.13-1B 3.4.14 RCS Pressure lsolation Valve (PlV) Leakage ...... B 3.4.14-1B 3.4.15 RCS Leakage Detection Instrumentation ..... B 3.4.15-1B 3.4.16 RCS Specific Activity .... B 3.4.16-1B 3.4.17 RCS Loop lsolation Valves .... B 3.4.17-1 B 3.4.18 RCS lsolated Loop Startup .. B 3.4.18-1 B 3.4.19 RCS Loops - Test Exceptions... .. B 3.4.19-1 B 3.4.20 Steam Generator (SG) Tube lntegrity .. B 3.4.20-1 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.1 Accumulators... ...... B 3.5.1-1 B 3.5.2 ECCS - Operating ... ...... B 3.5.2-1 B 3.5.3 ECCS - Shutdown... ...... B 3.5.3-1 B 3.5.4 Refueling Water Storage Tank (RWST) B 3.5.4-1 B 3.5.5 Seal Injection Flow B 3.5.5-1 B 3.6 CONTAINMENT SYSTEMSB 3.6.1 Containment.... ..... B 3.6.1-1 B 3.6.2 Containment Air Locks .. B 3.6.2-1 B 3.6.3 Containment lsolation Valves... .... B 3.6.3-1 B 3.6.4 Containment Pressure ..i.,.... ... B 3.6.4-1 B 3.6.5 Containment Air Temperature . ..... B 3.6.5-1B 3.6.6 Quench Spray (OS) System .. B 3.6.6-1B 3.6.7 Recirculation Spray (RS) System .. B 3.6.7-1B 3.6.8 Containment Sump pH Control System . B 3.6.8-1B 3.7 PLANT SYSTEMSB 3.7.1 Main Steam Safety Valves (MSSVs) ..... B 3.7.1-1B 3.7.2 Main Steam lsolation Valves (MSlVs) ... B 3.7.2-1 B 3.7.3 Main Feedwater lsolation Valves (MFlVs) and Main FeedwaterRegulation Valves (MFRVs) and MFRV Bypass Valves . B 3.7.3-1 B 3.7.4 Atmospheric Dump Valves (ADVs). ....... B 3.7.4-1 B 3.7.5 Auxiliary Feedwater (AFW) System. ...... B 3.7.5-1 B 3.7.6 Primary Plant Demineralized Water Storage Tank (PPDWST).... B 3.7.6-1 B 3.7.7 Component Cooling Water (CCW) System .. B 3.7 .7-1B 3.7.8 Service Water System (SWS) ....... B 3.7.8-1 B 3.7.9 Ultimate Heat Sink (UHS) ...... B 3 7 .9-1 B 3.7.10 Control Room Emergency Ventilation System (CREVS) B 3.7.10-1B 3.7.11 Control Room Emergency Air Cooling System (CREACS)... B 3.7.11-1 B 3.7.12 Supplemental Leak Collection and Release System (SLCRS) ..... B 3.7.12-1 B-ii Beaver Valley Units 1 and 2 Revision 13 TECHNICAL SPECIFICATION BASES TABLE OF CONTENTS Page No.3.7 PLANT SYSTEMS (continued) B 3.7.13 Secondary Specific Activity B 3.7.13-1 B 3.7 .14 Spent Fuel Pool Storage .... B 3.7.14-1B 3.7.15 Fuel Storage Pool Water Level .... B 3.7.15-1B 3.7.16 Fuel Storage Pool Boron Concentration B 3.7.16-1B 3.8 ELECTRICAL POWER SYSTEMSB 3.8.1 AC Sources - Operating . ...... B 3.8.1-1 B 3.8.2 AC Sources - Shutdown ..... B 3.8.2-1 B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air... .. B 3.8.3-1 B 3.8.4 DC Sources - Operating ...... . B 3.8.4-1 B 3.8.5 DC Sources - Shutdown..... B 3.8.5-1 B 3.8.6 Battery Parameters.. .... B 3.8.6-1 B 3.8.7 lnverters - Operating ... .. B 3.8.7-1 B 3.8.8 Inverters - Shutdown.. B 3.8.8-1 B 3.8.9 Distribution Systems - Operating . .... B 3.8.9-1 B 3.8.10 Distribution Systems - Shutdown....... .... B 3.8.10-1 B 3.9 REFUELING OPERATIONS B 3.9.1 Boron Concentration .... B 3.9.1-1 B 3.9.2 Nuclear lnstrumentation B 3.9.2-1 B 3.9.3 Containment Penetrations .... B 3.9.3-1B 3.9.4 Residual Heat Removal (RHR) and Coolant Circulation -High Water Level ..... B 3.9.4-1 Residual Heat Removal (RHR) and Coolant Circulation -Low Water Level ...... B 3.9.5-1 Refueling Cavity Water Level B 3.9.6-1B 3.9.5B 3.9.6 B-iiiBeaver Valley Units 1 and 2 Revision 13 Reactor Core SLsB 2.1.1B 2.0 SAFETY LIMITS (SLs)B 2.1.1 Reactor Core SLs BASES BACKGROUNDGDC 10 (Ref. 1) requires that specified acceptable fuel design limits are not exceeded during steady state operation, normal operational transients, and anticipated operational occurrences (AOOs). This is accomplished by having a departure from nucleate boiling (DNB) design basis, which corresponds to a 95o/o probability at a 95% confidence level (the 95/95 DNB criterion) that DNB will not occur and by requiring thatfuel centerline temperature stays below the melting temperature.The restrictions of this SL prevent overheating of the fuel and cladding, aswell as possible cladding perforation, that would result in the release of fission products to the reactor coolant. Overheating of the fuel is prevented by maintaining the steady state peak linear heat rate (LHR)below the level at which fuel centerline melting occurs. Overheating of the fuel cladding is prevented by restricting fuel operation to within the nucleate boiling regime, where the heat transfer coefficient is large andthe cladding surface temperature is slightly above the coolant saturation temperature. Fuel centerline melting occurs when the local LHR, or power peaking, in aregion of the fuel is high enough to cause the fuel centerline temperatureto reach the melting point of the fuel. Expansion of the pellet upon centerline melting may cause the pellet to stress the cladding to the point of failure, allowing an uncontrolled release of activity to the reactor coolant.Operation above the boundary of the nucleate boiling regime could result in excessive cladding temperature because of the onset of DNB and the resultant sharp reduction in heat transfer coefficient. Inside the steam film, high cladding temperatures are reached, and a cladding water (zirconium water) reaction may take place. This chemical reaction results in oxidation of the fuel cladding to a structurally weaker form. Thisweaker form may lose its integrity, resulting in an uncontrolled release ofactivity to the reactor coolant.The proper functioning of the Reactor Protection System (RPS) and MainSteam Safety Valves (MSSVs) prevents violation of the reactor core SLs.Beaver Valley Units 1 and 2B 2.1.1 - 1Revision 0 Reactor Core SLs B 2.1.1 BASES APPLICABLE SAFETY ANALYSES The fuel cladding must not sustain damage as a result of normal operation and AOOs. The reactor core SLs are established to preclude violation of the following fuel design criteria:a. There must be at least 95% probability at a 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does notexperience DNB and b. The hot fuel pellet in the core must not experience centerline fuel melting.The Reactor Trip System (RTS) setpoints associated with the RTS functions described in Reference 2, in combination with all the LCOs, aredesigned to prevent any anticipated combination of transient conditionsfor Reactor Coolant System (RCS) temperature, pressure, RCS Flow, Al,and THERMAL POWER level that would result in a departure fromnucleate boiling ratio (DNBR) of less than the DNBR limit and preclude the existence of flow instabilities. Automatic enforcement of these reactor core SLs is provided by the appropriate operation of the RPS and the MSSVs. The SLs represent a design requirement for establishing the RTS tripsetpoints associated with the RTS functions described in Reference 2.LCO 3.4.1, "RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB) Limits," or the assumed initial conditions of the safety analyses provide more restrictive limits to ensure that the SLs are not exceeded.SAFETY LIM SThe figure provided in the COLR shows the loci of points of THERMALPOWER, RCS pressure, and average temperature for which the minimumDNBR is not less than the safety analyses limit, that fuel centerlinetemperature remains below melting, that the average enthalpy in the hotleg is less than or equal to the enthalpy of saturated liquid, and that the core hot channel exit quality is within the limits defined by the DNBR correlation.The reactor core SLs are established to preclude violation of the following fuel design criteria:a. There must be at least a 95% probability at a 95o/o confidence ]evel (the 95/95 DNB criterion) that the hot fuel rod in the core does notexperience DNB and b. There must be at least a 95% probability at a 95% confidence levefthat the hot fuel pellet in the core does not experience centerlinefuel melting. Beaver Valley Units 1 and 2B 2.1.1 - 2 Revision 0 Reactor Core SLsB 2.1.1 BASESSAFETY LIM ITS (continued)The reactor core SLs are used to define the various RPS functions suchthat the above criteria are satisfied during steady state operation, normaloperational transients, and anticipated operational occurrences (AOOs).To ensure that the RPS precludes the violation of the above criteria,additional criteria are applied to the Overtemperature and Overpower AT reactor trip functions. That is, it must be demonstrated that the average enthalpy in the hot leg is less than or equal to the saturation enthalpy and the core hot channel exit quality is within the limits defined by the DNBRcorrelation. Appropriate functioning of the RPS ensures that for variations in the THERMAL POWER, RCS Pressure, RCS average temperature,RCS flow rate, and Al that the reactor core SLs wilf be satisfied duringsteady state operation, normal operational transients, and AOOs.APPLICABILlTY SL 2.1.1 only applies in MODES 1 and 2 because these are the onlyMODES in which the reactor is critical. Automatic protection functions are required to be OPERABLE during MODES 1 and 2 to ensure operation within the reactor core SLs. The MSSVs or automatic protection actionsserve to prevent RCS heatup to the reactor core SL conditions or toinitiate a reactor trip function, which forces the unit into MODE 3.Setpoints for the reactor trip functions are specified in the LlcensingRequirements Manual for each unit. 1n MODES 3, 4, 5, and 6, Applicability is not required since the reactor is not generating significant THERMAL POWER.SAFETY LIMIT VIOLATlONS The following SL violation responses are applicable to the reactor coreSLs. lf SL 2.1.1 is violated, the requirement to go to MODE 3 places theunit in a MODE in which this SL is not applicable. The allowed Completion Time of t hour recognizes the importance ofbringing the unit to a MODE of operation where this SL is not applicable,and reduces the probability of fuel d,amage. REFERENCES 1.Unit 1 UFSAR, Appendix 1A, "1971 AEC General Design Criteria Conformance." Unit 2 UFSAR, Section 3.1, "Conformance withNRC General Design Criteria." UFSAR, Section 7.2.2.Beaver Valley Units 1 and 2B 2.1.1 - 3Revision 0 RCS Pressure SLB 2.1.2B 2.0 SAFEry LIMITS (SLs)B 2.1.2 Reactor Coolant System (RCS) Pressure SL BASES BACKGROUND The SL on RCS pressure protects the integrity of the RCS against overpressurization. ln the event of fuel cladding failure, fission productsare released into the reactor coolant. The RCS then serves as the primary barrier in preventing the release of fission products into the atmosphere. By establishing an upper limit on RCS pressure, the continued integrity of the RCS is ensured. According to 10 CFR 50, Appendix A, GDC 14, "Reactor Coolant Pressure Boundary," and GDC 15, "Reactor Coolant System Design" (Ref. 1), the reactor coolant pressure boundary (RCPB) design conditions are not to be exceeded during normal operation and anticipated operational occurrences (AOOs).Also, in accordance with GDC 28, "Reactivity Limits" (Ref. 1), reactivityaccidents, including rod ejection, do not result in damage to the RCPB greater than limited local yielding.The design pressure of the RCS is 2500 psia. During normal operation and AOOs, RCS pressure is limited from exceeding the design pressure by more than 10o/o, in accordance with Section lll of the ASME Code (Ref. 2). To ensure system integrity, all RCS components are hydrostatically tested al125% of design pressure, according to the ASME Code requirements prior to initial operation when there is no fuel in thecore. Following inception of unit operation, RCS components shall be pressure tested, in accordance with the requirements of ASME Code,Section Xl (Ref. 3).Overpressurization of the RCS could result in a breach of the RCPB. lf such a breach occurs in conjunction with a fuel cladding failure, fission products could enter the containment atmosphere, raising concerns relative to limits on radioactive releases specified in 10 CFR 50.67,"Accident Source Term" (Ref. a).APPLICABLE SAFETY ANALYSES The RCS pressurizer safety valves, the main steam safety valves (MSSVs), and the reactor high pressure trip have settings established to ensure that the RCS pressure SL will not be exceeded. The RCS pressurizer safety valves are sized to prevent system pressure from exceeding the design pressure by more than 1Ao/o, as specified in Section 111 of the ASME Code for Nuclear Power Plant Components (Ref. 2). The transient that establishes the required relief capacity, andhence valve size requirements and lift settings, is a complete loss of external load without a direct reactor trip. During the transient, no control Beaver Valley Units 1 and 2B 2.1.2 - 1 Revision 0 RCS Pressure SL B 2.1.2 BASES APPLICABLE SAFETY ANALYSES (continued)actions are assumed, except that the MSSVs are assumed to open whenthe steam pressure reaches the safety valve settings, and nominal feedwater supply is maintained.The Reactor Trip System setpoints (Ref. 5), together with the settings of the pressurizer safety valves and the MSSVs, provide pressure protectionfor normal operation and AOOs. The reactor high pressure trip setpoint is specifically set to provide protection against overpressurization (Ref. 5).The safety analyses for both the high pressure trip and the RCS pressurizer safety valves are performed using conservative assumptions relative to pressure control devices.More specifically, no credit is taken for operation of any of the following:a. Pressurizer power operated relief valves (PORVS),b. Steam line atmospheric relief valves,c. Steam Dump System,d. Reactor Control System, e. Pressurizer Level Control System, orf. Pressurizer spray valve. SAFETY LIMITS The maximum transient pressure allowed in the Unit 1 and 2 RCS pressure vessels under the ASME Code, Section lll, is 11A% of design pressure. The Unit 1 RCS piping and fittings are designed to ANSI 831.1 (Ref. 6) and the valves are designed to ASA 16.5 (Ref. 7) which permit amaximum transient pressure of 120% of design. The Unit 2 RCS piping, valves, and fittings are designed to Section lll of the ASME Code and have a maxlmum transient pressure of 11A% of design. The most limitingof these two allowances is the 110% of design pressure; therefore, theUnit 1 and2 SL on maximum allowable RCS pressure is 2735 psig.APPLICABILITYSL 2.1.2 applies in MODES 1 ,2,3,4, and 5 because this SL could be approached or exceeded in these MODES due to overpressurizationevents. The SL is not applicable in MODE 6 because the reactor vessel head closure bolts are not fully tightened, making it unlikely that the RCScan be pressurized. Beaver Valley Units 1 and 2B 2.1.2 - 2Revision 0 RCS Pressure SLB 2.1.2 BASES SAFETY LIMIT lf the RCS pressure SL is violated when the reactor is in MODE 1or2, VIOLATIONS the requirement is to restore compliance and be in MODE 3 withint hour.Exceeding the RCS pressure SL may cause immediate RCS failure and create a potential for radioactive releases in excess of 10 CFR 50.67,"Accident Source Term," limits (Ref. a).The allowable Completion Time of t hour recognizes the importance of reducing power level to a MODE of operation where the potential forchallenges to safety systems is minimized.lf the RCS pressure SL is exceeded in MODE3,4, or 5, RCS pressure must be restored to within the SL value within 5 minutes. Exceeding the RCS pressure SL in MODE 3, 4, or 5 is more SeVer*r than exceeding thisSL in MODE 1 or 2, since the reactor vessel temperature may be lowerand the vessel material, consequently, less ductile. As such, pressuremust be reduced to less than the SL within 5 minutes. The action doesnot require reducing MODES, since this would require reducing temperature, which would compound the problem by adding thermal gradient stresses to the existing pressure stress.REFERENCES

1. Unit 1 UFSAR, Appendix 1A, "1971 AEC General Design Criteria Conformance." Unit 2 UFSAR, Section 3.1, "Conformance with NRC General Design Criteria." 2. ASME, Boiler and Pressure Vessel Code, Section lll,Article NB-70003. ASME, Boiler and Pressure Vessel Code, Section Xl,Article IWX-5000.4. 10 CFR 50.67.5. UFSAR, Section 7.2.6. ANSI Power Piping Code, 831.1, The American National Standards Institute.

1967.7. ANSI Steel Pipe Flanges, Flanged Valves, and Fittings, 816.5, The Anrerican National Standards lnstitute. Beaver Valley Units I and 2B 2.1.2 - 3 Revision 0 LCO Applicability B 3.0 B 3.0 LIMTTTNG CONDTTTON FOR OPERATlON (LCO) APPLlCABTLITY BASES LCOs LCO 3.0.1 through LCO 3.0.8 establish the general requirements applicable to all Specifications and apply at all times, unless otheruvise stated.LCO 3.0.1LCO 3.0.1 establishes the Applicability statement within each individual Specification as the requirement for when the LCO is required to be met (i.e., when the unit is in the MODES or other specified conditions of the Applicability statement of each Specification). LCO 3.0.2LCO 3.0.2 establishes that upon discovery of a failure to meet an LCO,the associated ACTIONS shall be met. The Completion Time of each Required Action for an ACTIONS Condition is appficable from the point intime that an ACTIONS Condition is entered. The Required Actionsestablish those remedial measures that must be taken within specifiedCompletion Times when the requirements of an LCO are not met. This S pecification establishes that: Completion of the Required Actions within the specified Completion Times constitutes compliance with a Specification and Completion of the Required Actions is not required when an LCO ismet within the specified Completion Time, unless otherwise specified. There are two basic types of Required Actions. The first type of Required Action specifies a time limit in which the LCO must be met. This time limit is the Completion Time to restore an inoperable system or component to OPERABLE status or to restore variables to within specifled limits. lf thistype of Required Action is not completed within the specified Completion Time, a shutdown may be required to place the unit in a MODE orcondition in which the Specification is not applicable. (Whether stated as a Required Action or not, correction of the entered Condition is an actionthat may always be considered upon entering ACTIONS.) The secondtype of Required Action specifies the remedial measures that permit continued operation of the unit that is not further restricted by the Completion Time. In this case, compliance with the Required Actions provides an acceptable level of safety for continued operation. Completing the Required Actions is not required when an LCO is met oris no longer applicable, unless otheruuise stated in the individual Specifications. a.b.Beaver Valley Units 1 and 2 83.0-1 Revision 2 LCO ApplicabilityB 3.0 BASES LCO 3.0.2 (continued)The nature of some Required Actions of some Conditions necessitatesthat, once the Condition is entered, the Required Actions must be completed even though the associated Conditions no longer exist. The individual LCO's ACTIONS specify the Required Actions where this is thecase. An example of this is in LCO 3.4.3, 'RCS Pressure and Temperature (P/T) Limits."The Completion Times of the Required Actions are also applicable whena system or component is removed from service intentionally. The reasons for intentionally relying on the ACTIONS include, but are not limited to, performance of Surveillances, preventive maintenance, corrective maintenance, or investigation of operational problems.Entering ACTIONS for these reasons must be done in a manner thatdoes not compromise safety. Intentional entry into ACTIONS should notbe made for operational convenience. Additionally, if intentional entry into ACTIONS would result in redundant equipment being inoperable, alternatives should be used instead. Doing so limits the time both subsystems/trarns of a safety function are inoperable and limits the time conditions exist which may result in LCO 3.0.3 being entered. Individual Specifications may specify a time limit for performing an SR when equipment is removed from service or bypassed for testing. ln this case,the Completion Times of the Required Actions are applicable when thistime limit expires, if the equipment remains removed from service or bypassed.When a change in MODE or other specified condition is required tocomply with Required Actions, the unit may enter a MODE or other specified condition in which another Specification becomes applicable. lnthis case, the Completion Times of the associated Required Actions would apply from the point in time that the new Specification becomes applicable, and the ACTIONS Condition(s) are entered,LCO 3.0.3 LCO 3.0.3 establishes the actions that must be implemented when an LCO is not met and either: An associated Required Action and Completion Time is not met andno other Condition applies or The condition of the unit is not specifically addressed by theassociated ACTIONS. This means that no combination ofConditions stated in the ACTIONS can be made that exactlycorresponds to the actual condition of the unit. Sometimes, possiblecombinations of Conditions are such that entering LCO 3.0.3 is a.bBeaver Valley Units 1 and 2 83.0-2 Revision 0 LCO ApplicabilityB 3.0 BASES LCO 3.0.3 (continued)warranted; in such cases, the ACTIONS specifically state a Condition corresponding to such combinations and also thatLCO 3.0.3 be entered immediately. This Specification delineates the time limits for placing the unit in a safe MODE or other specified condition when operation cannot be maintainedwithin the limits for safe operation as defined by the LCO and itsACTIONS. lt is not intended to be used as an operational convenience that permits routine voluntary removal of redundant systems orcomponents from service in lieu of other alternatives that would not result in redundant systems or components being inoperable.Upon entering LCO 3.0.3, t hour is allowed to prepare for an orderlyshutdown before initiating a change in unit operation. This includes time to permit the operator to coordinate the reduction in electrical generation with the load dispatcher to ensure the stability and availability of the electrical grid. The time limits specified to reach lower MODES of operation permit the shutdown to proceed in a controlled and orderlymanner that is well within the specified maximum cooldown rate andwithin the capabilities of the unit, assuming that only the minimum required equipment is OPERABLE. This reduces thermal stresses oncomponents of the Reactor Coolant System and the potential for a plantupset that could challenge safety systems under conditions to which this Specification applies. The use and interpretation of specified times to complete the actions of LCO 3.0.3 are consistent with the discussion ofSection 1.3, Completion Times.A unit shutdown required in accordance with LCO 3,0.3 may be terminated and LCO 3.0.3 exited if any of the following occurs:a. The LCO is now met, , b. A Condition exists for which the Required Actions have now been performed, orc. ACTIONS exist that do not have expired Completion Times. TheseCompletion Times are applicable from the point in time that the Condition is initially entered and not from the time LCO 3.0.3 is exited.The time limits of LCO 3.0.3 allow 37 hours for the unit to be in MODE 5 when a shutdown is required during MODE 1 operation. lf the unit is in a lower MODE of operation when a shutdown is required, the time limit forreaching the next lower MODE applies. lf a lower MODE is reached in less time than allowed, however, the total allowable time to reachBeaver Valley Units 1 and 2 83.0-3 Revision 0 LCO ApplicabifityB 3.0 BASES LCO 3.0.3 (continued) MODE 5, or other applicable MODE, is not reduced. For example, if MODE 3 is reached in 2 hours, then the time allowed for reachingMODE 4 is the next 1 t hours, because the total time for reaching MODE 4 is not reduced from the allowable limit of 13 hours. Therefore, if remedial measures are completed that would permit a return to MODE 1, a penalty is not incurred by having to reach a lower MODE of operation in less than the total time allowed.In MODES 1, 2, 3, and 4, LCO 3.0.3 provides actions for Conditions notcovered in other Specifications. The requirements of LCO 3.0.3 do notapply in MODES 5 and 6 because the unit is already in the most restrictive Condition required by LCO 3.0.3. The requirements of LCO 3.0.3 do not apply in other specified conditions of the Applicability (unless in MODE 1, 2, 3, or 4) because the ACTIONS of individualSpecifications sufficiently define the remedial measures to be taken.Exceptions to LCO 3.0.3 are provided in instances where requiring a unitshutdown, in accordance with LCO 3.0.3, would not provide appropriate remedial measures for the associated condition of the unit. An exampleof this is in LCO 3.7.15, "Fuel Storage Pool Water Level." LCO 3.7.15 has an Applicability of "During movement of irradiated fuel assemblies inthe fuel storage pool and during movement of fuel assemblies over irradiated fuel assemblies in the fuel storage pool." Therefore, this LCO can be applicable in any or all MODES. lf the LCO and theRequired Actions of LCO 3.7 .15 are not met while in MODE 1,2, or 3,there is no safety benefit to be gained by placing the unit in a shutdowncondition. The Required Actions of LCO 3.7.15 of "Suspend movement ofirradiated fuel assemblies in the fuel storage pool and suspend movementof fuel assemblies over irradiated fuel assemblies in the fuel storage pool"are the appropriate Required Actions to complete in lieu of the actions ofLCO 3.0.3. These exceptions are addressed in the individual Specifications. LCO 3.0 4 LCO 3.0.4 establishes limitations on changes in MODES or otherspecified conditions in the Applicability when an LCO is not met. lt allows placing the unit in a MODE or other specified condition stated in that Applicability (e.9., the Applicability desired to be entered) when unit conditions are such that the requirements of the LCO would not be met, in accordance with LCO 3.0.4.a, LCO 3.0.4.b, or LCO 3.0.4.c.LCO 3.0.4.a allows entry into a MODE or other specified condition in theApplicability with the LCO not met when the associated ACTIONS to be entered permit continued operation in the MODE or other specified condition in the Applicability for an unlimited period of time. Compliance Beaver Valley Units 1 and 2 830-4Revision 0 LCO ApplicabilityB 3.0 BASES LCO 3.0.4 (continued)with Required Actions that permit continued operation of the unit for an unlimited period of time in a MODE or other specified condition providesan acceptable level of safety for continued operation. This is withoutregard to the status of the unit before or after the MODE change. Therefore, in such cases, entry into a MODE or other specified condition in the Applicability may be made in accordance with the provisions of the Required Actions.LCO 3.0.4.b allows entry into a MODE or other specified condition in theApplicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering the MODE or otherspecified condition in the Applicability, and establishment of risk management actions, if appropriate.The risk assessment may use quantitative, qualitative, or blendedapproaches, and the risk assessment will be conducted using the plantprogram, procedures, and criteria in place to implement 10 CFR50.65(a)(4), which requires that risk impacts of maintenance activities tobe assessed and managed. The risk assessment, for the purposes ofLCO 3.0.4(b), must take into account all inoperable TechnicalSpecification equipment regardless of whether the equipment is includedin the normal 10 CFR 50.65(a)(4) risk assessment scope. The riskassessments will be conducted using the procedures and guidanceendorsed by Regulatory Guide 1.182, "Assessing and Managing RiskBefore Maintenance Activities at Nuclear Power Plants." Regulatory Guide 1182 endorses the guidance in Section 11 of NUMARC 93-01,"lndustry Guideline for Monitoring the Effectiveness of Maintenance atNuclear Power Plants." These documents address general guidance for conduct of the risk assessment, quantitative and qualitative guidelines forestablishing risk management actions, and example risk management actions. These include actions to plan and conduct other activities in a manner that controls overall risk, increased risk awareness by shift and management personnel, actions to reduce the duration of the condition,actions to minimize the magnitude of risk increases (establishment ofbackup success paths or compensatory measures), and determinationthat the proposed MODE change is acceptable. Consideration shouldalso be given to the probability of completing restoration such that the requirements of the LCO would be met prior to the expiration of ACTIONS Completion Times that would require exiting the Applicability. LCO 3.0.4.b may be used with slngle, or multiple systems andcomponents unavailable. NUMARC 93-01 provides guidance relative toconsideration of simultaneous unavailability of multiple systems and components.Beaver Valley Units 1 and 2 83.0-5Revision 0 LCO Applicability B 3.0 BASES LCO 3.0-4 (continued)The results of the risk assessment shall be considered in determining the acceptability of entering the MODE or other specified condition in the Applicability, and any corresponding risk management actions. The LCO 3.0.4.b risk assessments do not have to be documented.The Technical Specifications allow continued operation with equipmentunavailable in MODE 1 for the duration of the Completion Time. Sincethis is allowable, and since in general the risk impact in that particular MODE bounds the risk of transitioning into and through the applicable MODES or other specified conditions in the Applicability of the LCO, theuse of the LCO 3.0.4.b allowance should be generally acceptable, as longas the risk is assessed and managed as stated above. However, there isa small subset of systems and components that have been determined tobe more important to risk and use of the LCO 3.0.4.b allowance is prohibited. The LCOs governing these systems and components contain Notes prohibiting the use of LCO 3.0.4.b by stating that LCO 3.0.4.b is not applicable. LCO 3.0.4.c allows entry into a MODE or other specified condition in theApplicability with the LCO not met based on a Note in the Specification which states LCO 3.0.4.c is applicable. These specific allowances permitentry into MODES or other specified conditions in the Applicability whenthe associated ACTIONS to be entered do not provide for continuedoperation for an unlimited period of time and a risk assessment has not been performed. This allowance may apply to all the ACTIONS or to aspecific Required Action of a Specification. The risk assessments performed to justify the use of LCO 3.0.4.b usually only consider systemsand components. For this reason, LCO 3.0.4.c is typically applied toSpecifications which describe values and parameters (e g., RCS Specific Activity), and may be applied to other Specifications based on NRC plant-specific approval. The provisions of this Specification should not be interpreted asendorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODEor other specified condition in the Applicability. The provisions of LCO 3.0.4 shall not prevent changes in MODES orother specified conditions in the Applicability that are required to complywith ACTIONS. ln addition, the provisions of LGO 3.0.4 shall not preventchanges in MODES or other specified conditions in the Applicability thatresult from any unit shutdown. ln this context, a unit shutdown is defined as a change in MODE or other specified condition in the Applicability associated with transitioning from MODE 1 to MODE 2, MODE2toMODE 3, MODE 3 to MODE 4, and MODE 4 to MODE 5.Beaver Valley Units 1 and 2 830-6Revision 0 LCO Applicability B 3.0 BASES LCO 3.0.4 (continued)Upon entry into a MODE or other specified condition in the Applicabilitywith the LCO not met, LCO 3.0.1 and LCO 3.0.2 require entry into theapplicable Conditions and Required Actions until the Condition is resolved, until the LCO is met, or until the unit is not within the Applicability of the Technical Specification. Surveillances do not have to be performed on the associated inoperable equipment (or on variables outside the specified limits), as permitted bySR 3.0.1. Therefore, utilizing LCO 3.0.4 is not a violation of SR 3.0.1 orSR 3.0.4 for any Surveillances that have not been performed on inoperable equipment. However, SRs must be met to ensure OPERABILITY prior to declaring the associated equipment OPERABLE (or variable within limits) and restoring compliance with the affected LCO.LCO 3.0.5 LCO 3.0.5 establishes the allowance for restoring equipment to serviceunder administrative controls when it has been removed from service or declared inoperable to comply with ACTIONS. The sole purpose of this Specification is to provide an exception to LCO 3.A.2 (e.9., to not comply with the applicable Required Action(s)) to allow the performance of required testing to demonstrate either:The OPERABILITY of the equipment being returned to service or The OPERABILITY of other equipment. The administrative controls ensure the time the equipment is returned toservice in conflict with the requirements of the ACT1ONS is limited to thetime absolutely necessary to perform the required testing to demonstrate OPERABILITY. lf the OPERABILITY of the affected equipment can not be demonstrated, the administrative controls will also ensure the equipment/plant is restored to the required condition in a timely manner.This Specification does not provide time to perform any other preventiveor corrective maintenance. Minor correctrons such as adjustments of limitswitches to correct position indication anomalies are considered withinthe scope of this Specification. An example of demonstrating the OPERABILITY of the equipment beingreturned to service is reopening a containment isolation valve that hasbeen closed to comply with Required Actions and must be reopened to perform the required testing.An example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to prevent the trip function from occurring during the performance ofrequired testing on another channel in the other trip system. A similar a.b.Beaver Valley Units 1 and 2 83.0-7Revrsion 0 LCO ApplicabilityB 3.0 BASES LCO 3.0.5 (continued) example of demonstrating the OPERABILITY of other equipment is takingan inoperable channel or trip system out of the tripped condition to permit the logic to function and indicate the appropriate response during the performance of required testing on another channel in the same trip system.LCO 3.0.6 LCO 3.0.6 establishes an exception to LCO 3.0.2 for supported systemsthat have a support system LCO specified in the Technical Specifications (TS). This exception is provided because LCO 3.0.2 would require thatthe Conditions and Required Actions of the associated inoperable supported system LCO be entered solely due to the inoperability of the support system. This exception is justified because the actions that are required to ensure the unit is maintained in a safe condition are specifiedin the support system LCO's Required Actions. These Required Actionsmay include.entering the supported system's Conditions and Required Actions or may specify other Required Actions.When a support system is inoperable and there is an LCO specified for it in the TS, the supported system(s) are required to be declared inoperable if determined to be inoperable as a result of the support system inoperability. However, it is not necessary to enter into the supported systems' Conditions and Required Actions unless directed to do so by the support system's Required Actions. The potential confusion and inconsistency of requirements related to the entry into multiple supportand supported systems' LCOs'Conditions and Required Actions are eliminated by providing all the actions that are necessary to eflsure the unit is maintained in a safe condition in the support system's Required Actions.However, there are instances where a support system's Required Action may either direct a supported system to be declared inoperable or direct entry into Conditions and Required Actions for the supported system.This may occur immediately or after some specified delay to perform some other Required Action. Regardless of whether it is immediate or after some delay, when a support system's Required Action directs a supported system to be declared inoperable or directs entry into Conditions and Required Actions for a supported system, the applicable Conditions and Required Actions shall be entered in accordance with LCO 3.0.2.Specrfication 5.5.1 1, "Safety Function Determination Program (SFDP),"ensures loss of safety function is detected and appropriate actions are taken. Upon entry into LCO 3.0.6, an evaluation shall be made todetermrne if loss of safety function exists. Additionally, other limitations,Beaver Valley Units 1 and 2 830-8 Revision 0 LCO Applicability B 3.0 BASESLCO 3.0.6 (continued) a.b.remedial actions, or compensatory actions may be identified as a result of the support system inoperability and corresponding exception to enteringsupported system Conditions and Required Actions. The SFDPimplements the requirements of LCO 3.0.6.Cross train checks to identifu a loss of safety function for those supportsystems that support multiple and redundant safety systems are required.The cross train check verifies that the supported systems of the redundant OPERABLE support system are OPERABLE, thereby ensuringsafety function is retained. A loss of safety function may exist when asupport system is inoperable, and:A required system redundant to system(s) supported by the inoperable support system is also inoperable (EXAMPLE B 3.0.6-1),A required system redundant to system(s) in turn supported by the inoperable supported system is also inoperable (EXAMPLEB 3.0.6-2), orA required system redundant to support system(s) for the supported systems (a) and (b) above is also inoperable (EXAMPLE B 3.0.6-3).EXAMPLE B 3.0.6-1lf System 2 of Train A is inoperable and System 5 of Train B is inoperable, a loss of safety function exists in supported System 5 EXAMPLE B 3.0.6-2 lf System 2 of Train A is inoperable, and System 1 1 of Train B is inoperable, a loss of safety function exists in System 11 which is in turn supported by System 5.EXAMPLE B 3.0.6-3 c.lf System 2 of Train A is inoperable, and System 1 of Train B inoperable, a loss of safety function exists in Systems 2, 4, 5, and 11.9, 10lf this evaluation determines that a loss of safety function extsts, the appropriate Conditions and Required Actions of the LCO in which the lossof safety function exists are required to be entered.Beaver Valley Units 1 and 2 83.0-9Revision 0 LCO Applicability B 3.0 BASES LCO 3.0.6 (continued)TR^AIN B System ISystem 5System 5Syst*m ISystem 9 Systam 10Syrtcm 1 I System 1Systom 12 Systcm I 3 System 14System 15 System 8 System 9 System l0 System 13 System 14 System 15System 7 Figure B 3.0-1 Configuration of Trains and Systems This loss of safety function does not require the assumption of additional single failures or loss of offsite power. Since operations are being restricted in accordance with the ACTIONS of the support system, any resulting temporary loss of redundancy or single failure protection is taken into account. Similarly, the ACTIONS for inoperable offsite circuit(s) and inoperable diesel generator(s) provide the necessary restriction for cross train inoperabilities. This explicit cross train verification for inoperable AC electricaf power sources also acknowledges that supported system(s) are not declared inoperable solely as a result of inoperability of a normal or emergency electrical power source (refer to the definition of'oPERABTLTTY) When loss of safety function is determined to exist, and the SFDP requires entry into the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists, consideration must be given to the specific type of function affected. Where a loss of function is solely due to a single Technical Specification support system (e.9., loss of automatic start due to inoperable instrumentation, or loss of pump suction source due to low tank level) the appropriate LCO is the LCO for the support system. The ACTIONS for a support system LCO adequately Beaver Valley Units 1 and 28 3 0 - 10 Revision 0 LCO Applicability B 3.0 BASES LCO 3.0.6 (continued)address the inoperabilities of that system without reliance on entering itssupported system LCO. When the loss of function is the result of multiple support systems, the appropriate LCO is the LCO for the supported system.LCO 3.0.7 There are certain special tests and operations required to be performed atvarious times over the life of the unit. These special tests and operationsare necessary to demonstrate select unit performance characteristics, to perform special maintenance activities, and to perform special evolutions.Test Exception LCOs 3.1.9 and 3.4.19 allow specified Technical Specification (TS) requirements to be changed to permit performances ofthese special tests and operations, which othenruise could not be performed if required to comply with the requirements of these TS.Unless othenruise specified, all the other TS requirements remainunchanged. This will ensure all appropriate requirements of the MODE orother specified condition not directly associated with or required to bechanged to perform the special test or operation will remain in effect.The Applicability of a Test Exception LCO represents a condition notnecessarily in compliance with the normal requirements of the TS.Compliance with Test Exception LCOs is optional. A special operationmay be performed either under the provisions of the appropriate TestException l-CO or under the other applicable TS requirements. lf it isdesired to perform the special operation under the provisions of the TestException LCO, the requirements of the Test Exception LCO shall be followed.LCO 3.0.8LCO 3.0.8 establishes conditions under which systems are considered to remain capable of performing their intended safety function whenassociated snubbers are not capable of providing their associated supportr'unction(s). This LCO states that the supported system is not considered to be inoperable solely due to one or more snubbers not capable of performing their associated support function(s). This is appropriate because a limited length of time is allowed for maintenance, testing, orrepair of one or more snubbers not capable of performing their associated support function(s) and appropriate compensatory measures are specified in the snubber requirements, which are located outside of the Technical Specifications (TS) under licensee control. The snubber requirements do not meet the criteria in 10 CFR 50.36(c)(2xii), and, assuch, are appropriate for control by the licensee. Beaver Valley Units 1 and 2 83.0-11 Revision 2 LCO ApplicabilityB 3.0 BASESLCO 3.0.8 (continued)lf the allowed time expires and the snubber(s) are unable to perform theirassociated support function(s), the affected supported system's LCO(s)must be declared not met and the Conditions and Required Actions entered in accordance with LCO 3.0.2. LCO 3.0.8.a applies when one or more snubbers are not capable of providing their associated support function(s) to a single train orsubsystem of a muftiple train or subsystem supported system or to asingle train or subsystem supported system. LCO 3.0.8.a allows 72 hoursto restore the snubber(s) before declaring the supported system inoperable. The 72 hour Completion Time is reasonable based on the low probability of a seismic event concurrent with an event that would require operation of the supported system occurring while the snubbe(s)are not capable of performing their associated support function and due to the availability of the redundant train of the supported systemLCO 3.0.8.b applies when one or more snubbers are not capable of providing their associated support function(s) to more than one train or subsystem of a multiple train or subsystem supported system.LCO 3.0.8.b allows 12 hours to restore the snubber(s) before declaringthe supported system inoperable. The 12 hour Completion Time is reasonable based on the low probability of a seismic event concurrent with an event that would require operation of the supported systemoccurring while the snubber(s) are not capable of performing theirassociated support function.LCO 3.0.8 requires that risk be assessed and managed. lndustry and NRC guidance on the implementation of 10 CFR 50.65(a)(a) (the Maintenance Rule) does not address seismic risk. However, use ofLCO 3.0.8 must be considered with respect to other plant maintenanceactivities, and integrated into the existing Maintenance Rule process tothe extent possible so that maintenance on any unaffected train or subsystem is properly controlled, and emergent issues are properly addressed. The risk assessment need not be quantified, but may be a qualitative awareness of the vulnerability of systems and components when one or more snubbers are not able to perform their associatedsupport function. Beaver Valley Units 1 and 2 B 3.0 - 12 Revision 2 LCO Applicability B 3.0 BASES LCO 3.0.8 (continued) Required Administrative ControlsAt least one Auxiliary Feedwater train (including a minimum set ofsupporting equipment required for its successful operation) not associated with the inoperable snubber(s) must be available when LCO 3.0.8a is used.At least one Auxiliary Feedwater train (including a minimum set ofsupporting equipment required for its successful operation) notassociated with the inoperable snubber(s), or some alternative means ofcore cooling (e.g., feed and bleed, fire water system or "aggressivesecondary cooldown" using the steam generators), must be availablewhen LCO 3.0.8b is used.Every time the provisions of LCO 3.0.8 are used, it shall be confirmed that at least one train (or subsystem) of systems supported by the inoperable snubbers would remain capable of performing the system's requiredsafety or support functions for postulated design loads other than seismicloads. LCO 3.0.8 does not apply to non-seismic snubbers. In addition, a record of the design function of the inoperable snubber (i.e., seismicversus non-seismic), the implementation of any Tier 2 restrictions, andthe associated plant configuration shall al! be available on a recoverable basis for NRC staff inspection.Utilization of LCO

3.0.8 Sections

A, B, C, D and E, extracted from the TSTF-372' Revision 4,, lmplementation Guidance document, dated October 2A45, describe the steps to be followed when utilizing LCO 3.0.8.A. Determine Whether a Technical Specifipation Svstem is Rendered lnoperable by a Nonfunctional Snubber When a snubber is to be rendered incapable of performing its related support function (i.e., nonfunctional) for testing or maintenance or isdiscovered to not be functional, it must be determined whether any Technical Specification (TS) system(s) require the affected snubber(s) forsystem OPERABILITY, and whether the plant is in a MODE or specified condition in the Applicability that requires the supported TS system(s) tobe OPERABLE, 1. lf an analysis determines that the supported TS system(s) do not require the snubber(s) to be funclional in order to support the OPERABILITY of the system(s), LCO 3,0.8 is not needed.Beaver Valley Units 1 and 2B 3.0 - 13 Revision 2 LCO ApplicabilityB 3.0 BASES LCO 3.0.8 (continued) 2.3.lf the LCO(s) associated with any supported TS system(s) are not currently applicable (i.e., the plant is not in a MODE or otherspecified condition in the Applicability of the LCO), LCO 3.0.8 is not needed.lf the supported TS system(s) are inoperable for reasons other thansnubbers, LCO 3.0.8 cannot be used.LCO 3.0.8 is an allowance, not a requirement. When a snubber is nonfunctional, any supported TS system(s) may be declared inoperableinstead of using LCO 3.0.8.B. Determine the Desiqn Basis of the Nonfunctional SnubberThe NRC Safety Evaluation associated with License Amendments 279and 162 only considered the loss of the ability of a snubber to respond toa seismic event. However, some snubbers have design functions otherthan response to a seismic event. The inability to perform these non-seismic design functions were not considered or justified in NRC SafetyEvaluation associated with License Amendments 279 and 162.Therefore, when a snubber is to be rendered nonfunctional for testing or maintenance or is discovered to not be functional, the design function ofthe snubber must be determined in order to determine if LCO 3.0.8 maybe used.lf the design function of the snubber is to react to only seismicloads, LCO 3.0.8 may be applied.lf the design function of the snubber includes both seismic loads and nonseismic loads (e g , thrust loads, blowdown loads,waterhammer loads, steamhammer loads, LOCA loads, and piperupture loads), any TS systems supported by the nonfunctional snubber must be able to remain OPERABLE if subjected to the non-seismic loads with the snubber removed. lf the supported TSsystem will remain OPERABLE when subjected to non-seismicloads, LCO 3.0.8 may be applied. Otherwise, LCO 3.0.8 may not beapplied to TS systems supported by the nonfunctional snubber.lf the design function of the snubber includes only non-seismic loads (e.g., thrust loads, blowdown loads, waterhammer loads,steamhammer loads, LOCA loads, and pipe rupture loads),LCO 3.0,8 cannot be applied to the TS systems supported by the nonfunctional snubber. However, if it can be confirmed that snubberis not needed for OPERABILITY of the TS system, LCO 3.0.8 is not needed.1.3.Beaver Valley Units 1 and 2 830-14 Revision 2 LCO ApplicabilityB 3.0 BASES LCO 3.0.8 (continued) As stated in the Required Administrative Controls section, every time LCO 3.0,8 is used for TS systems supported by nonfunctional snubberswhose design loads include non-seismic loads, licensees must be able to produce a record of the design function of the nonfunctional snubber (i.e.,seismic vs. non-seismic).This record does not have to be created prior to or following use of LCO 3.0.8, but must be able to be created or produced if requested. Forexample, if a system engineer knows from previous experience that a particular snubber is only designed for seismic loads, it is not necessaryto collect existing design documents or create design documents or calculations to demonstrate that fact prior to using LCO 3.0.8. However, if asked to demonstrate the design basis of the snubber, the licenseemust be able to produce or create appropriate documentation to support that position.C. Verifv that the Required Safety Functions are AvailableThe risk evaluation that justifies the use of LCO 3.0.8 assumed that thecore could be cooled following a loss of offsite power resulting from aseismic event. The three conditions to ensure this capability aredescribed in the Required Administrative Controls section. D. Consider Effects on Plant RiskWhen LCO 3.0.8 is applied to TS systems supported by nonfunctionalsnubbers, the effect of the nonfunctional snubber on plant risk must beconsidered. There is no requirement to quantitatively assess the risk associated with a nonfunctional snubber when using LCO 3.0.8. lt is notrequired, for example, to consider a train supported by nonfunctionalsnubbers unavailable in the 10 CFR 50.65(aX4) risk assessments. All that is required is a qualitative consideration of the use of LCO 3.0.8,such as not removing the snubbers on one train while the opposite train is inoperable. The LCO 3.0.8 requirement to assess and manage risk ismet by programs to comply with the requirements of paragraph (a)(a) of the Maintenance Rule, 10 CFR 50.65, to assess and manage riskresulting from maintenance activities.E. Respond to Emerqent Conditions Should plant conditions change while LCO 3.0.8 is being used, an evaluation must be performed to ensure the requirements of Sections A,C and D above, are still met. lf these requirements are not met,LCO 3.0.8 cannot be used to consider the supported TS system OPERABLE.Beaver Valley Units 1 and 2 B 3.0 - 15 Revision 2 SR ApplicabilityB 3.0B 3.0 SURVETLLANCE REQUTREMENT (SR) AppltCABtLrTy BASES SRs SR 3.0.1 through SR 3.0.4 establish the general requirements applicable to all Specifications and apply at all times, unless otherwise stated.sR 3.0.1 SR 3.0.1 establishes the requirement that SRs must be met during the MODES or other specified conditions in the Applicability for which the requirements of the LCO apply, unless othenruise specified in the individual SRs. This Specification is to ensure that Surveillances are performed to verify the OPERABILITY of systems and components, and that variables are within specified limits. Failure to meet a Surveillance within the specified Frequency, in accordance with SR 3.0.2, constitutes a failure to meet an LCO. Surveillances may be performed by means of any series of sequential, overlapping, or total steps provided the entire Surveillance is performed within the specified Frequency. Additionally, the definitions related to instrument testing (e.9., CHANNEL CALIBRATION) specify that these tests are performed by means of any series of sequential, overlapping, or total steps.Systems and components are assumed to be OPERABLE when the associated SRs have been met. Nothing in this Specification, however, is to be construed as implying that systems or components are OPERABLE when: The systems or components are known to be inoperable, although still meeting the SRs; orThe requirements of the Surveillance(s) are known not to be metbetween required Su rveillance performances.Surveillances do not have to be performed when the unit is in a MODE orother specified condition for which the requirements of the associated LCO are not applicable, unless othenruise specified. The SRs associatedwith a test exception are only applicable when the test exception is used as an allowable exception to the requirements of a Specification.Unplanned events may satisfy the requirements (including applicableacceptance criteria) for a given SR. ln this case, the unplanned event may be credited as fulfilling the performance of the SR. This allowanceincludes those SRs whose performance is normally precluded in a givenMODE or other specified condition. Surveillances, including Surveillances invoked by Required Actions, donot have to be performed on inoperable equipment because the ACTIONS define the remedial measures that apply. Surveillances have a.b.Beaver Valley Units 1 and 2 B3.0-16 Revision 2 SR ApplicabilityB 3.0 BASESSR 3.0.1 (continued) to be met and performed in accordance with SR 3.0.2, prior to returning equipment to OPERABLE status Upon completion of maintenance, appropriate post maintenance testing is required to declare equipment OPERABLE. This includes ensuring applicable Surveillances are not failed and their most recent performanceis in accordance with SR 3.0.2. Post maintenance testing may not be possible in the current MODE or other specified conditions in the Applicability due to the necessary unit parameters not having beenestablished. ln these situations, the equipment may be considered OPERABLE provided testing has been satisfactorily completed to the extent possible and the equipment is not otherwise believed to be incapable of performing its function. This will allow operation to proceed to a MODE or other specified condition where other necessary post maintenance tests can be completed. An example of this process is: Auxiliary feedwater (AFW) pump turbine maintenance during refuelingthat requires testing at steam pressures > 600 psig. However, if other appropriate testing is satisfactorily completed, the AFW System can beconsidered OPERABLE. This allows startup and other necessary testing to proceed until the plant reaches the steam pressure required to perform the testing.sR 3.0.2 SR 3.0.2 establishes the requirements for meeting the specified Frequency for Surveillances and any Required Action with a Completion Time that requires the periodic performance of the Required Action on a"once per . . ." interval. SR 3.0.2 permits a 25oh extension of the interval specified in the Frequency. This extension facilitates Surveillance scheduling and considers plant operating conditions that may not be suitable forconducting the Surveillance (e.9., transient conditions or other ongoing Surveillance or maintenance activities). The 25o/o extension does not significantly degrade the reliability that results from performing the Surveillance at its specified Frequency. This is based on the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance wlth theSRs. The exceptions to SR 3.0.2 are those Surveillances for which the 25% extensron of the interval specified in the Frequency does not apply. These exceptions are stated in the individual Specifications. The 25%surveillance rnterval extension per SR 3.0.2 also does not apply to Inservice Testing Program (lST) frequencies which are greater than Beaver Valley Units 1 and 2B 3.0 - 17 Revision 14 SR ApplicabilityB 3.0 BASESSR 3.0.2 (continued) 2 years, per Specification 5.5.4.b. The requirements of regulations take precedence over the TS. An example of where SR 3.0.2 does not applyis in the Containment Leakage Rate Testing Program (per Specification5.5.12). This program establishes testing requirements and Frequencies in accordance with the requirements of regulations. The TS cannot inand of themselves extend a test interval specified in the regulations. As stated in SR 3.0.2, the 25o/o extension also does not apply to the initial portion of a periodic Completion Time that requires performance on a"once per ..." basis. The 25% extension applies to each performanceafter the initial performance. The initial performance of the RequiredAction, whether it is a particular Surveillance or some other remedial action, is considered a single action with a single Completion Time. One reason for not allowing the 25% extension to this Completion Time is thatsuch an action usually verifies that no loss of function has occurred by checking the status of redundant or diverse components or accomplishesthe function of the inoperable equipment in an alternative manner.The provisions of SR 3.0.2 are not intended to be used repeatedly merelyas an operational convenience to extend Surveillance intervals (otherthan those consistent with refueling intervals) or periodic CompletionTime intervals beyond those specified.sR 3.0.3SR 3.0.3 establishes the flexibility to defer declaring affected equipment inoperable or an affected variable outside the specified limits when aSurveillance has not been completed within the specified Frequency. A delay period of up to 24 hours or up to the limit of the specified Frequency, whichever is greater, applies from the point in time that it is discovered that the Surveillance has not been performed in accordancewith SR 3.0.2, and not at the time that the specified Frequency was not met.This delay period provides adequate time to complete Surveiitances that have been missed. This delay period permits the completion of a Surveillance before complying with Required Actions or other remedial measures that might preclude completion of the Surveillance. The basis for this delay period includes consideration of unit conditions, adequate planning, availability of personnel, the time required to perform the Surveillance, the safety significance of the delay in completing the required Surveillance, and the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the requirements. When a Surveillance with a Frequency based not on time interyals, but upon specified unit conditions, operating situations, or requirements of regulations (e g., prior to enteringBeaver Valley Units 1 and 2B 3.0 - 18 Revision 14 SR Applicability B 3.0 BASESSR 3.0.3 (continued)MODE 1 after eaoh fuel loading, or in accordance with 10 CFR 50, Appendix J, as modified by approved exemptions, etc.) is discovered tonot have been performed when specified, SR 3.0.3 allows for the full delay period of up to the specified Frequency to perform the Surveillance, However, since there is not a time interval specified, the missedSurveillance should be performed at the first reasonable opportunity.SR 3.0.3 provides a time limit for, and allowances for the performance of, Surveillances that become applicable as a consequence of MODEchanges imposed by Required Actions.Failure to comply with specified Frequencies for SRs is expected to be an infrequent occurrence. Use of the delay period established by SR 3.0.3 isa flexibility which is not intended to be used as an operationalconvenience to extend Surveillance intervals. While up to 24 hours or the limit of the specified Frequency is provided to perform the missed Surveillance, it is expected that the missed Surveillance will be performedat the first reasonable opportunity. The determination of the firstreasonable opportunity should include consideration of the impact on plant risk (from delaying the Surveillance as well as any plant : configuration changes required or shutting the plant down to perform the Surveillance) and impact on any analysis assumptions, in addition to unit conditions, planning, availability of personnel, and the time required to perform the Surveillance. This risk impact should be managed through the program in place to implement 10 CFR 50.65(a)(4) and its implementation guidance, NRC Regulatory Guide 1 .182, "Assessing andManaging Risk Before Maintenance Activities at Nuilear Power Plants."This Regulatory Guide addresses consideration of temporary and aggregate risk impacts, determination of risk management actionthresholds, and risk management action up to and including plantshutdown. The missed Surveillance should be treated as an emergentcondition as discussed in the Regulatory Guide. The risk evaluation may use quantitative, qualitative, or blended methods. The degree of depth and rigor of the evaluation should be commensurate with the importanceof the component. Missed Surveillances for important componentsshould be analyzed quantitatively. lf the results of the risk evaluationdetermine the risk increase is significant, this evaluation should be used to determine the safest course of action. All missed Surveillances will be placed in the Corrective Action Program.lf a Surveillance is not completed within the allowed delay period, then the equipment is considered inoperable or the variable is consideredoutside the specified limits and the Completion Times of the RequiredActions for the applicable LCO Conditions begin immediately uponexpiration of the delay period. lf a Surveillance is failed within the delay Beaver Valley Units 1 and 2B 3 0 - 19 Revision 14 SR ApplicabilityB 3.0 BASESSR 3.0.3 (continued) period, then the equipment is inoperable, or the variable is outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon the failure of the Surveillance.Completion of the Surveillance within the delay period allowed by thisSpecification, or within the Completion Time of the ACTIONS, restorescompliance with SR 3.0.1.sR 3.0.4SR 3.0.4 establishes the requirement that all applicable SRs must be metbefore entry into a MODE or other specified condition in the Applicability.This Specification ensures that system and component OPERABILIry requirements and variable limits are met before entry into MODES orother specified conditions in the Applicability for which these systems andcomponents ensure safe operation of the unit. The provisions of thisSpecification should not be interpreted as endorsing the failure toexercise the good practice of restoring systems or components toOPERABLE status before entering an associated MODE or otherspecified condition in the Applicability. A provision is included to allow entry into a MODE or other specifiedcondition in the Applicability when an LCO is not met due to a Surveillance not being met in accordance with LCO 3.0.4.However, in certain circumstances, failing to meet an SR will not result inSR 3.0.4 restricting a MODE change or other specified condition change. When a system, subsystem, division, component, device, or variable is inoperable or outside its specified limits, the associated SR(s) are not required to be performed, per SR 3.0.1 , which states that Surveillances do not have to be performed on inoperable equipment. When equipment is inoperable, SR 3.0.4 does not apply to the associated SR(s) since the requirement for the SR(s) to be performed is removed. Therefore, failing to perform the Surveillance(s) within the specified Frequency does notresult in an SR 3.0.4 restriction to changing MODES or other specifiedconditions of the Applicability. However, since the LCO is not met in thisinstance, LCO 3.0.4 will govern any restrictions that may (or may not)apply to MODE or other specified condition changes. SR 3.0.4 does notrestrict changing MODES or other specified conditions of the Applicabilitywhen a Surveillance has not been performed within the specified Frequency, provided the requirement to declare the LCO not met hasbeen delayed in accordance with SR 3.0,3.Beaver Valley Units 1 and 2 83.0-20 Revision 2 SR ApplicabilityB 3.0 BASESSR 3.0.4 (continued) The provisions of SR 3.0.4 shall not prevent entry into MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of SR 3.0.4 shall not preventchanges in MODES or other specified conditions in the Applicability thatresult from any unit shutdown. In this context, a unit shutdown is definedas a change in MODE or other specified condition in the Applicability associated with transitioning from MODE 1 to MODE 2, MODE2to MODE 3, MODE 3 to MODE 4, and MODE 4 to MODE 5. The precise requirements for performance of SRs are specified such that exceptions to SR 3.0.4 are not necessary. The specific time frames andconditions necessary for meeting the SRs are specified in the Frequency, in the Surveillance, or both. This allows performance of Surveillances when the prerequisite condition(s) specified in a Surveillance procedure require entry into the MODE or other specified condition in the Applicability of the associated LCO prior to the performance or completionof a Surveillance. A Surveillance that could not be performed until after entering the LCO Applicability, would have lts Frequency specified suchthat it is not "due" until the specific conditions needed are met.Alternately, the Surveillance may be stated in the form of a Note, as not required (to be met or performed) until a particular event, condition, or time has been reached. Further discussion of the specific formats of SRs'annotation is found in Section 1.4, Frequency. Beaver Valley Units 1 and 2 83.0-21 Revislon 2 SDM B 3.1 .1 B 3.1 REACTIVITY CONTROL SYSTEMSB 3.1.1 Shutdown Margin (SDM)BASES BACKGROUND According to GDC 26, as discussed in Reference 1, the reactivity controlsystems must be redundant and capable of holding the reactor coresubcritical when shut down under cold conditions. Maintenance of the SDM ensures that postulated reactivity events will not damage the fuel.SDM requirements provide sufficient reactivity margin to ensure that acceptable fuel design limits will not be exceeded for normal shutdownand anticipated operational occurrences (AOOs). As such, the SDM defines the degree of subcriticality that would be obtained immediatelyfollowing the insertion or scram of all shutdown and control rods,assuming that the single rod cluster assembly of highest reactivity worthis fully withdrawn. The system design requires that two independent reactivity controlsystems be provided, and that one of these systems be capable of maintaining the core subcritical under cold conditions. Theserequirements are provided by the use of movable control assemblies andsoluble boric acid in the Reactor Coolant System (RCS). The Control Rod System can compensate for the reactivity effects of the fuel andwater temperature changes accompanying power level changes over therange from full load to no load. ln addition, the Control Rod System,together with the boration system, provides the SDM during poweroperation and is capable of making the core subcritical rapidly enough to prevent exceeding acceptable fuel damage limits, assuming that the rodof highest reactivity worth remains fully withdrawn. The soluble boronsystem can compensate for fuel depletion during operation and all xenonburnout reactivity changes and maintain the reactor subcritical under cold conditions. During power operation, SDM control is ensured by operating with theshutdown banks fully withdrawn and the control banks within the limits ofLCO 3.1.6, "Control Bank lnsertion Limits." When the unit is in theshutdown and refueling modes, the SDM requirements are met by meansof adjustments to the RCS boron concentration.Beaver Valley Units 1 and 2 83.1 .1 -1 Revision 0 SDMB 3.1 .1 BASES APPLICABLE SAFETY ANALYSESThe minimum required SDM is assumed as an initial condition in safety analyses. The safety analysis (Ref. 2) establishes an SDM that ensuresspecified acceptable fuel design limits are not exceeded for normal operation and AOOs, with the assumption of the highest worth rod stuckout on scram. The acceptance criteria for the SDM requirements are that specified acceptable fuel design limits are maintained. This is done by ensuring that:The reactor can be made subcritical from all operating conditions, transients, and Design Basis Events,The reactivity transients associated with postulated accident conditions are controllable within acceptable limits (departure from nucleate boiling ratio (DNBR), fuel centerline temperature limits for AOOs, and < 280 callgm energy deposition for the rod ejection accident), and The reactor will be maintained sufficiently subcritical to preclude inadvertent criticality in the shutdown condition.A limiting accident for the SDM requirements is the main steam line break (MSLB), as described in the accident analysis (Ref. 2). The increasedsteam flow resulting from a pipe break in the main steam system causesan increased energy removal from the affected steam generator (SG), and consequently the RCS. This results in a reduction of the reactorcoolant temperature. The resultant coolant shrinkage causes a reduction in pressure. ln the presence'of a negative moderator temperature coefficient, this cooldown causes an increase in core reactivity. The mostlimiting MSLB, with respect to potential fuef damage before a reactor trip occurs, is a guillotine break of a main steam line inside containment initiated at the end of core life. The positive reactivity addition from the moderator temperature decrease will terminate when the affected SGboils dry, thus terminating RCS heat removal and cooldown. Followingthe MSLB, a post trip return to power may occur; however, no fuel damage occurs as a result of the post trip return to power, and THERMAL POWER does not violate the Safety Limit (SL) requirement of SL 2.1.1.The SDM required in MODES 3 and 4 below P-11, with safety injection (Sl) blocked, is greater than the SDM required in MODES 3 and 4 belowP-11, with Sl unblocked. This SDM requirement ensures that the limiting steamline break (SLB) analyzed at the end of core life with RCS Tuusequal to 547"F would bound a SLB at lower RCS pressures and temperatures. In addition to the limiting MSLB transient, the SDM requirement must also protect against: a.b.c.Beaver Valley Units 1 and 2 83.1 .1 -2 Revision 0 SDMB 3.1 .1 BASES APPLICABLE SAFEW ANALYSIS (continued)a. Inadvertent boron dilution.An uncontrolled rod withdrawal from subcritical or low powercondition, and Rod ejection.Each of these events is discussed below.ln the boron dilution analysis, the required SDM defines the reactivitydifference between an initial subcritical boron concentration and the corresponding critical boron concentration. These values, in conjunctionwith the configuration of the RCS and the assumed dilution flow rate,directly affect the results of the analysis. This event is most limiting at thebeginning of core life, when critical boron concentrations are highest.Depending on the system initial conditions and reactivity insertion rate,the uncontrolled rod withdrawal transient is terminated by either a high power level trip or a high pressurizer pressure trip. In all cases, powerlevel, RCS pressure, linear heat rate, and the DNBR do not exceed allowable limits.The ejection of a control rod rapidly adds reactivity to the reactor core,causing both the core power level and heat flux to increase with corresponding increases in reactor coolant temperatures and pressure.The ejection of a rod also produces a time dependent redistribution of core power.SDM satisfies Criterion 2 of 10 CFR 50.36(cX2xii). Even though it is notdirectly observed from the control room, SDM is considered an initial condition process variable because it is periodically monitored to ensurethat the unit is operating within the bounds of accident analysis assumptions. b.LCO SDM is a core design condition that can be ensured during operationthrough control r,od positioning (control and shutdown banks) and throughthe soluble boron concentration.The MSLB (Ref. 2) and the boron dilution (Ref. 3) accidents are the limiting accidents that establish the SDM value of the LCO. For MSLB accidents, if the LCO is violated, there is a potential to exceed the DNBR limit and to exceed 10 CFR 50.67, "Accident Source Term," limits (Ref. a).For the boron dilution accident, if the LCO is violated, the minimumrequired time assumed for operator action to terminate dilution may nolonger be applicable. Beaver Valley Units 1 and 2 B 3.1.1 - 3 Revision 0 BASES APPLICABILIryIn MODE 2 with ker < 1.0 and in MODES 3, 4, and 5, the SDM requirements are applicable to provide sufficient negative reactivity to meetthe assumptions of the safety analyses discussed above. In MODE 6, the shutdown reactivity requirements are given in LCO 3.9.1, "Boron Concentration." In MODES 1 and 2, SDM is ensured by complying with LCO 3.1.5, "Shutdown Bank Insertion Limits," and LCO 3.1.6, "ControlBank Insertion Limits." ACTIONS A.1lf the SDM requirements are not met, boration must be initiated promptly.A Completion Time of 15 minutes is adequate for an operator to correctlyalign and start the required systems and components. lt is assumed that boration will be continued until the SDM requirements are met.In the determination of the required combination of boration flow rate andboron concentration, there is no unique requirement that must besatisfied. Since it is imperative to raise the boron concentration of theRCS as soon as possible, the boron concentration should be a highly concentrated solution, such as that normally found in the boric acid storage tank, or the refueling water storage tank. The operator shouldborate with the best source available for the plant conditions. In determining the boration flow rate, the time in core life must beconsidered. For example, assuming that a value of 1.77% Ak/k must berestored in MODE 4, the RCS boron concentration can be increased from 1526 ppm to 1747 ppm in approximately 100 minutes, utilizing a 30 gpmflow rate, with a source containing a boron concentration of 7,000 ppm. lfa boron worth of 8 pcm/ppm is assumed, this combination of parameterswill increase the SDM to 1.77o/o. These RCS boron concentrationsrepresent typical values for MODE 4 at beginning of life (BOL), and'are provided for the purpose of offering a specific example. SURVEILLANCE SR 3.1 .1 .1 REQUIREMENTS In MODES 1 and 2 with Ketr 2 1.0, SDM is verified by observing that the requirements of LCO 3.1.5 and LCO 3.1.6 are met. In the event that arod is known to be untrippable, however, SDM verification must accountfor the worth of the untrippable rod as well as another rod of maximum worth.ln MODES 3, 4, and 5, the SDM is verified by performing a reactivitybalance calculation, considering the listed reactivity effects:a. RCS boron concentration. Beaver Valley Units 1 and 2 83.1.1 -4Revision 0 BASES SURVEILLANCE REQUIREMENTS (continued)b, Control bank position, RCS average temperature, Fuel burnup based on gross thermal energy generation, Xenon concentration, Samarium concentration. and

g. lsothermal temperature coefficient (lTC).Using the ITC accounts for Doppler reactivity in this calculation becausethe reactor is subcritical, and the fuel temperature will be changing at the same rate as the RCS.The Frequency of 24 hours is based on the generally slow change inrequired boron concentration and the low probability of an accident occurring without the required SDM.

This allows time for the operator tocollect the required data, which includes performing a boron concentration analysis, and complete the calculation. c.d.e.f.REFERENCES 1.Unit 1 UFSAR Appendix 1A, "1971 AEC General Design Criteria Conformance" and Unit 2 UFSAR Section 3.1, "Conformance with U.S. Nuclear Regulatory Commission General Design Criteria." UFSAR, Section 14.2.5.1 (Unit 1 ) and Section 15.1 .5 (Unit 2).UFSAR, Section 14.1.4 (Unit 1) and Section 15.4.6 (Unit 2).10 cFR 50.67. 2.3.4.Beaver Valley Units 1 and 2B 3.1.1 - 5Revision 0 Core ReactivityB 3.1 .2 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.2 BASESCore Reactivity BACKGROUND According to GDC 26, GDC 28, and GDC 29, as discussed in Reference 1, reactivity shall be controllable, such that subcriticality is maintained under cold conditions, and acceptable fuel design limits are not exceeded during normal operation and anticipated operational occurrences. Therefore, reactivity balance is used as a measure of the predicted versus measured core reactivity during power operation. The periodic confirmation of core reactivity is necessary to ensure that DesignBasis Accident (DBA) and transient safety analyses remain valid. A large reactivity difference could be the result of unanticipated changes in fuel,control rod worth, or operation at conditions not consistent with thoseassumed in the predictions of core reactivity, and could potentially result in a loss of SDM or violation of acceptable fuel design limits. Comparing predicted versus measured core reactivity validates the nuclear methods used in the safety analysis and supports the SDM demonstrations (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)") in ensuring the reactor can be brought safely to cold, subcritical conditions.When the reactor core is critical or in normal power operation, a reactivity balance exists and the net reactivity is zero. A comparison of predicted and measured reactivity is convenient under such a balance, since parameters are being maintained relatively stable under steady state power conditions. The positive reactivity inherent in the core design is balanced by the negative reactivity of the control components, thermal feedback, neutron leakage, and materials in the core that absorb neutrons, such as burnable absorbers producingzero net reactivity.Excess reactivity can be inferred from the boron letdown curye (or criticalboron curve), which provides an indication of the soluble boron concentration in the Reactor Coolant System (RCS) versus cycle burnup.Periodic measurement of the RCS boron concentration for comparison with,the predicted value with other variables fixed (such as rod height, temperature, pressure, and power), provides a convenient method of ensuring that core reactivity is within design expectations and that the calculational models used to generate the safety analysis are adequate.ln order to achieve the required fuel cycle energy output, the uranium enrichment, in the new fuel loading and in the fuel remaining from the previous cycle, provides excess positive reactivity beyond that required tosustain steady state operation throughout the cycle. When the reactor is critical at RTP and moderator temperature, the excess positive reactivity is compensated by burnable absorbers (if any), control rods, whatever neutron poisons (mainly xenon and samarium) are present in the fuel, and the RCS boron concentration. Beaver Valley Units 1 and 283.1 .2-1 Revision 0 Core ReactivityB 3.1.2 BASES BACKG ROU N D (continued)When the core is producing THERMAL POWER, the fuel is beingdepleted and excess reactivity is decreasing. As the fuel depletes, the RCS boron concentration is reduced to decrease negative reactivity and maintain constant THERMAL POWER. The boron letdown curve isbased on steady state operation at RTP. Therefore, deviations from the predicted boron letdown curve may indicate deficiencies in the designanalysis, deficiencies in the calculational models, or abnormal coreconditions, and must be evaluated. APPLICABLE SAFETY ANALYSESThe acceptance criteria for core reactivity are that the reactivity balance limit ensures plant operation is maintained within the assumptions of thesafety analyses Accurate prediction of core reactivity is either an explicit or implicit assumption in the accident analysis evaluations. Every accident evaluation (Ref. 2) is, therefore, dependent upon accurate evaluation ofcore reactivity. In particular, SDM and reactivity transients, such ascontrol rod withdrawal accidents or rod ejection accidents, are verysensitive to accurate prediction of core reactivity. These accidentanalysis evaluations rely on computer codes that have been qualified against available test data, operating plant data, and analyticalbenchmarks. Monitoring reactivity balance additionally ensures that the nuclear methods provide an accurate representation of the core reactivity.Design calculations and safety analyses are performed for each fuel cycle for the purpose of predetermining reactivity behavior and the RCS boronconcentration requirements for reactivity control during fuel depletion. The comparison between measured and predicted initial core reactivity provides a normalization for the calculational models used to predict corereactivity. lf the measured and predicted RCS boron concentrations foridentical core conditions at beginning of cycle (BOC) do not agree, then the assumptions used in the reload cycle design analysis or thecalculational models used to predict soluble boron requirements may notbe accurate. lf reasonable agreement between measured and predicted core reactivity exists at BOC, then the prediction may be normalized tothe measured boron concentration. Thereafter, any significant deviations in the measured boron concentration from the predicted boron letdowncurye that develop during fuel depletion may be an indication that thecalculational model is not adequate for core burnups beyond BOC, or thatan unexpected change in core conditions has occurred.Beaver Valley Units 1 and 2 83.1 .2-2 Revision 0 Core ReactivityB 3.1.2 BASES APPLICABLE SAFEry ANALYSIS (continued)The normalization of predicted RCS boron concentration to the measuredvalue is typically performed after reaching RTP following startup from arefueling outage, with the control rods in their normal positions for poweroperation. The normalization is performed at BOC conditions, so that core reactivity relative to predicted values can be continually monitored and evaluated as core conditions change during the cycle.Core reactivity satisfies Criterion 2 of 10 CFR 50.36(cX2xii). LCOLong term core reactivity behavior is a result of the core physics designand cannot be easily controlled once the core design is fixed. Duringoperation, therefore, the LCO can only be ensured through measurementand tracking, and appropriate actions taken as necessary. Large differences between actual and predicted core reactivity may indicate thatthe assumptions of the DBA and transient analyses are no longer valid, orthat the uncertainties in the Nuclear Design Methodology are larger thanexpected. A limit on the reactivity balance of + 1% Lklk has been established based on engineering judgment. A1% deviation in reactivityfrom that predicted is larger than expected for normal operation andshould therefore be evaluated.When measured core reactivity is within 1o/o Ldkof the predicted value atsteady state thermal conditions, the core is.considered to be operating within acceptable design limits. Since deviations from the limit are normally detected by comparing predicted and measured steady state RCS critical boron concentrations, the difference between measured and predicted values would be approximately 100 ppm (depending on the boron worth) before the limit is reached. These values are well within the uncertainty limits for analysis of boron concentration samples, so that spurious violations of the limit due to uncertainty in measuring the RCSboron concentration are unlikely. APPLICABILITY Ihe limits on core reactivity must be maintained during MODES 1 and 2 because a reactivity balance must exist when the reactor is critical or producing THERMAL POWER. As the fuel depletes, core conditions are changing, and confirmation of the reactivity balance ensures the core is operating as designed. This Specification does not apply in MODES 3, 4,and 5 because the reactor is shut down and the reactivity balance is not changing.ln MODE 6, fuel loading results in a continually changing core reactivity. Boron concentration requirements (LCO 3.9.1, "Boron Concentration")ensure that fuel movements are performed within the bounds of the safety analysis.Beaver Valley Units 1 and 2 B3.1 .2-3 Revision 0 Core ReactivityB 3.1.2 BASES ACTIONSA.1 and A.2Should an anomaly develop between measured and predicted core reactivity,an evaluation of the core design and safety analysis must be performed.Core conditions are evaluated to determine their consistency with input todesign calculations. Measured core and process parameters are evaluatedto determine that they are within the bounds of the safety analysis, and safety analysis calculational models are reviewed to verify that they are adequate for representation of the core conditions. The required Completion Time of 7 days is based on the low probability of a DBA occurring during this period,and allows sufficient time to assess the physical condition of the reactor andcomplete the evaluation of the core design and safety analysis.Following evaluations of the core design and safety analysis, the cause of the reactivity anomaly may be resolved. lf the cause of the reactivity anomaly is a mismatch in core conditions at the time of RCS boron concentration sampling, then a recalculation of the RCS boron concentration requirementsmay be performed to demonstrate that core reactivity is behaving asexpected. lf an unexpected physical change in the condition of the core hasoccurred, it must be evaluated and corrected, if possible. lf the cause of the reactivity anomaly is in the calculation technique, then the calculationalmodels must be revised to provide more accurate predictions. lf any of theseresults are demonstrated, and it is concluded that the reactor core isacceptable for continued operation, then the boron letdown curve may be renormalized and power operation may continue. lf operational restriction or additional SRs are necessary to ensure the reactor core is acceptable for continued operation, then they must be defined. The required Completion Time of 7 days is adequate for preparing whatever operating restrictions or Surveillances that may be required toallow continued reactor operation. 8.1 lf the core reactivity cannot be restored to within the 1 % Lklklimit, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within6 hours. lf the SDM for MODE 3 is not met, then the boration required bySR 3.1 .1 .1 would occur. The allowed Completion Time is reasonable,based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging plant systems.Beaver Valley Units 1 and 2 B3.1.2-4 Revision 0 Core ReactivityB 3.1.2 BASES SURVEILLANCE REQUIREMENTSsR 3.1.2.1Core reactivity is verified by periodic comparisons of measured and predicted RCS boron concentrations. The comparison is made, considering that other core conditions are fixed or stable, including control rod position, moderator temperature, fuel temperature, fuel depletion,xenon concentration, and samarium concentration. The Surveillance is performed once prior to entering MODE 1 as an initial check on coreconditions and design calculations at BOC. The SR is modified by aNote. The Note indicates that the normalization of predicted core reactivity to the measured value, if required, must take place within the first 60 effective full power days (EFPD) after each fuel loading. This allows sufficient time for core conditions to reach steady state, but prevents operation for a large fraction of the fuel cycle without establishing a benchmark for the design calculations. The requiredsubsequent Frequency of 31 EFPD, following the initial 60 EFPD afterentering MODE 1, is acceptable, based on the slow rate of core changesdue to fuel depletion and the presence of other indicators (QPTR, AFD, etc.) for prompt indication of an anomaly. REFERENCES 2.1.Unit 1 UFSAR Appendix 1A, "1971AEC General Design Criteria Conformance" and Unit 2 UFSAR Section 3.1, "Conformance withU.S. Nuclear Regulatory Commission General Design Criteria." UFSAR, Chapter 14 (Unit 1) and Chapter 15 (Unit 2).Beaver Valley Units 1 and 2 83.1 .2-5Revision 0 MTC B 3.1 .3B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1 .3 BASES Moderator Temperature Coefficient (MTC)BACKGROUNDAccording to GDC 11, as discussed in Reference 1, the reactor core andits interaction with the Reactor Coolant System (RCS) must be designedfor inherently stable power operation, even in the possible event of an accident. In particular, the net reactivity feedback in the system mustcompensate for any unintended reactivity increases. The MTC relates a change in core reactivity to a change in reactorcoolant temperature (a positive MTC means that reactivity increases withincreasing moderator temperature; conversely, a negative MTC meansthat reactivity decreases with increasing moderator temperature). Thereactor is designed to operate with a negative MTC over the largest possible range of fuel cycle operation. Therefore, a coolant temperatureincrease will cause a reactivity decrease, so that the coolant temperaturetends to return toward its initial value. Reactivity increases that cause acoolant temperature increase will thus be self limiting, and stable poweroperation will result.MTC values are predicted at selected burnups during the safetyevaluation analysis and are confirmed to be acceptable by measurements. Both initial and reload cores are designed so that thebeginning of cycle (BOC) MTC is less than zero when THERMALPOWER is at RTP. The actual value of the MTC is dependent on corecharacteristics, such as fuel loading and reactor coolant soluble boronconcentration. The core design may require additional fixed distributed poisons to yield an MTC at BOC within the range analyzed in the plantaccident analysis. The end of cycle (EOC) MTC is also limited by the requirements of the accident analysis. Fuel cycles that are designed to achieve high burnups or that have changes to other characteristics areevaluated to ensure that the MTC does not exceed the EOC limit.The limitations on MTC are provided to ensure that the value of thiscoefficient remains within the limiting conditions assumed in the UFSARaccident and transient analyses.lf the LCO limits are not met, the unit response during transients may notbe as predicted. The core could violate criteria that prohibit a return tocriticality, or the departure from nucleate boiling ratio criteria of theapproved correlation may be violated, which could lead to a loss of thefuel cladding integrity. Beaver Valley Units 1 and 2 B 3.1.3 - 1Revision 0 BASES BACKGROU N D (continued )The SRs for measurement of the MTC at the beginning and near the endof the fuel cycle are adequate to confirm that the MTC remains within itslimits, since this coefficient changes slowly, due principally to thereduction in RCS boron concentration associated with fuel burnup. APPI-ICABLE SAFETY ANALYSES The acceptance criteria for the specified MTC are:The MTC values must remain within the bounds of those used in the accident analysis (Ref. 2) andThe MTC must be such that inherently stable power operationsresult during normal operation and accidents, such as overheatingand overcoolino events.The UFSAR (Ref. 2), contains analyses of accidents that result in bothoverheating and overcooling of the reactor core. MTC is one of the controlling parameters for core reactivity in these accidents. Both the most positive value and most negative value of the MTC are important tosafety, and both values must be bounded. Values used in the analyses consider worst case conditions to ensure that the accident results are bounding (Ref. 3). : The consequences of accidents that cause core overheating must beevaluated when MTC is positive. Such accidents include Rod Withdrawal from Subcrltical (Ref. 4), Rod Withdrawal at Power (Ref. 5), Loss ofNormal Feedwater Flow (Ref. 6), Loss of Offsite Power (Ref. 7), Loss ofElectrical Load (Ref. 8), RCS Depressurization (Ref. 9), Loss of Flow (Ref. 10), Locked Rotor (Ref. 1 1 ) and Rod Ejection (Ref . 12). The consequences of accidents that cause core overcooling must be evaluated when MTC is negative. Such accidents include FeedwaterFlow lncrease (Ref. 13), Feedwater Temperature Decrease (Ref. 14) andSteamline Break (Ref. 15).In order to ensure a bounding accident analysis, the MTC is assumed to be its most limiting value for the analysis conditions appropriate to each accident. The bounding value is determined by considering rodded andunrodded conditions, whether the reactor is at full or zera power, andwhether it is the BOC or EOC life. The most conservative combinationappropriate to the accident is then used for the analysis (Ref. 2).MTC values are bounded in reload safety evaluations assuming steadystate conditions at BOC and EOC. An EOC measurement is conducted when the RCS boron concentration reaches approximately 300 ppm. Themeasured value may be extrapolated to project the EOC value, in order to confirm reload design predictions. a.b.Beaver Valley Units 1 and 283.1 .3-2 Revision 0 BASES APPLICABLE SAFEry ANALYSES (continued) MTC satisfies Criterion 2 of 10 CFR 50.36(c)(2xii). Even though it is not directly observed and controlled from the control room, MTC isconsidered an initial condition process variable because of itsdependence on boron concentration. LCO LCO 3.1.3 requires the MTC to be within specified limits of the COLR andFigure 3.1 .3-1 to ensure that the core operates within the assumptions ofthe accident analysis. During the reload core safety evaluation, the MTC is analyzed to determine that its values remain within the bounds of theoriginal accident analysis during operation. Assumptions made in the safety analyses require that the MTC be less positive than a given upper bound and more positive than a given lowerbound. The maximum upper (most positive) MTC limit occurs near BOC, all rods out (ARO), hot zero power (HZP), no xenon (NoXe) conditions.Note that in cores containing substantial amounts of burnable absorber in the form of Integral Fuel Burnable Absorber (IFBA), the burnup of most positive MTC under the above conditions may not be at startup, but at some point up to 100 EFPD after startup. lf the core never returns toHZP conditions over this period of operations, this most positive MTCmay never be physically realized. At EOC the MTC takes on its mostnegative value, when the lower bound becomes important. This LCOexists to ensure that both the upper and lower bounds are not exceeded. During operation, therefore, the conditions of the LCO can only beensured through measurement. The Sufueillance checks at BOC andEOC on MTC provide confirmation that the MTC is behaving asanticipated so that the acceptance criteria are met.The LCO establishes a maximum positive value that cannot be exceeded.The BOC positive limit is established in Figure 3.1.3-1 and the EOCnegative limit is established in the COLR to allow specifying limits for each particular cycle. This permits the unit to take advantage of improvedfuel management and changes in unit operating schedule.APPLICABILITY Technical Specifications place both LCO and SR values on MTC, basedon the safety analysis assumptions described above.ln MODE 1, the limits on MTC must be maintained to ensure that any accident initiated from THERMAL POWER operation will not violate the design assumptions of the accident analysrs" In MODE 2 with the reactor critical, the upper limit must also be maintained to ensure that startup andsubcritical accidents (such as the uncontrolled CONTROL ROD assemblyBeaver Valley Units 1 and 2B 3.1.3 - 3 Revision 0 MTCB 3.1.3 BASES APPLICAB I LITY (conti nued)or group withdrawal) will not violate the assumptions of the accidentanalysis. The lower MTC limit must be maintained in MODES 2 and 3, in addition to MODE 1, to ensure that cooldown accidents will not violate the assumptions of the accident analysis. In MODES 4, 5, and 6, this LCO is not applicable, since no Design Basis Accidents using the MTC as an analysis assumption are initiated from these MODES.ACTIONS 4.1 lf the BOC upper MTC limit is violated, administrative withdrawal limits forcontrol banks must be established to maintain the MTC within its limits.The MTC becomes more negative with control bank insertion and decreased boron concentration. A Completion Time of 24 hours providesenough time for evaluating the MTC measurement and computing the required bank withdrawal limits.As cycle burnup is increased, the RCS boron concentration will, in general, be reduced. Note that in cores contalning substantial amounts of burnable absorber in the form of IFBA, the core critical boronconcentration may actually slowly increase over the first 100 EFPD after startup because the increase in reactivity due to the burnout of the IFBA may be greater than the decrease in reactivity due to the depletion of the fuel. Using physics calculations, the times in cycle life at which the calculated MTC will meet the LCO requirements can be determined.Note that since the RCS boron concentration can increase over the first100 EFPD, the calculated MTC may meet the LCO requirement at startupand still not meet the LCO requirement later in the cycle. At the points incore life when the calculated MTC meets the LCO requirement, ConditionA no longer exists. The unit is no longer in the Required Action, so the administrative withdrawal limits are no longer in effect. 8.1 I lf the required administrative withdrawal limits at BOC are not established within 24 hours, the unit must be brought to MODE 2 with k"n < 1.0 to prevent operation with an MTC that is more positive than that assumed in safety analyses.The allowed Completion Time of 6 hours is reasonable, based on operating experience, for reaching the required MODE from full powerconditions in an orderly manner and without challenging plant systems.Beaver Valley Units 1 and 2B 3.1.3 - 4 Revision 0 BASESACTIONS (continued) c.1 Exceeding the EOC MTC limit means that the safety analysis assumptions for the EOC accidents that use a bounding negative MTCvalue may be invalid. lf the EOC MTC limit is exceeded, the plant mustbe brought to a MODE or condition in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to at leastMODE 4 within 12 hours.The allowed Completion Time is reasonable, based on operatingexperience, for reaching the required MODE from full power conditions inan orderly manner and without challenging plant systems.SURVEILLANCE SR 3.1.3.1 REQUIREMENTS This SR requires measurement of the MTC at BOC prior to entering MODE 1 in order to demonstrate compliance with the most positive MTCLCO. Meeting the limit prior to entering MODE 1 ensures that the limit will also be met at higher power levels.The BOC MTC value for ARO will be inferred from isothermal temperature coefficient measurements obtained during the physics tests after refueling. The ARO value can be directly compared to the BOC MTC lirnit of the LCO. lf required, measurement results and predicted design values can be used to establish administrative withdrawal limits forcontrol banks.sR 3.1 .3.2 In similar fashion, the LCO demands that the MTC be less negative thanthe specified value for EOC full power conditions. This measurementmay be performed at any THERMAL POWER, but its results must be extrapolated andlor compensated to the conditions of RTP and all bankswithdrawn in order to make a proper comparison with the LCO value.Because the RTP MTC value will gradually become more negative withfurther core depletion and boron concentration reduction, a 300 ppm SR value of MTC should necessarily be less negative than the EOCLCO limit. The 300 ppm SR value is sufficiently less negative than theEOC LCO limit value to ensure that the LCO limit will be met when the 300 ppm Surveillance criterion is met.ln order to assure an accurate result SR 3.1.3.2 must be performed afterreaching the equivalent of an equilibrium RTP ARO boron concentrationof 300 ppm. SR 3.1.3.2 is modified by three Notes that include thefollowing requ i rements: Beaver Valley Units 1 and 2 B 3.1.3 - 5Revision 0 MTC B 3.1 .3 BASES SURVEILLANCE REQUIREMENTS (continued) a.b.c.The SR is not required to be performed until 7 effective full power days (EFPDs) after reaching the equivalent of an equilibrium RTPARO boron concentration of 300 ppm.lf the 300 ppm Surueillance limit is exceeded, it is possible that theEOC limit on MTC could be reached before the planned EOC.Because the MTC changes slowly with core depletion, the Frequency of 14 effective full power days is sufficient to avoid exceeding the EOC limit. The Surveillance limit for RTP boron concentration of 60 ppm isconservative. lf the measured MTC at 60 ppm is more positive than the 60 ppm Surveillance limit, the EOC limit will not be exceeded because of the gradual manner in which MTC changes with core burnup.REFERENCES 2.3.1.Unit 1 UFSAR Appendix 1A, "1971 AEC General Design Criteria Conformance" and Unit 2 UFSAR Section 3.1, "Conformance withU.S. Nuclear Regulatory Commission General Design Criteria."UFSAR Chapter 14 (Unit 1) and Chapter 15 (Unit 2).WCAP 9273-NP-A, "Westinghouse Reload Safety Evaluation Methodology," July 1985.UFSAR Section 14.1.1 (Unit 1) and Section 15.4.1 (Unit 2).UFSAR Section 14.1.2 (Unit 1) and Section 15.4.2 (Unit 2).UFSAR Section 14.1.8 (Unit 1) and Section 15.2.7 (Unit 2).UFSAR Section 14.1.11 (Unit 1) and Segtion 15.2.6 (Unit 2).UFSAR Section 14.1 .7 (Unit 1 ) and Sections 15.2.2and 1 5.2.3 (Unit 2).UFSAR Section 14.1 .15 (Unit 1 ) and Section 15.6.1 (Unit 2).UFSAR Sections 14.1.5 and 1 4.2.g (Unit 1)and Sections 15.3.1 and 15.3.2 (Unit 2).UFSAR Section 14.2.7 (Unit 1)and Section 15.3.3 (Unit 2).UFSAR Section 14.2.6 (Unit 1) and Section 15.4.8 (Unit 2).4 5.6.7.8 9.10.11.12.Beaver Valley Units 1 and 2B 3.1.3 - 6Revision 0 MTCB 3.1 .3 BASESRE FERENCES (continued) 13.14.15.14.1 .9 (Unit 1) and Section 15.1.2 (Unit 2).14.1.g (Unit 1) and Section lS.t.l (Unit 2).14.2.5.1 (Unit 1) and Section 15.1.5 (Unit 2).UFSAR SectionUFSAR SectionUFSAR SectionBeaver Valley Units 1 and 2B 3.1 .3 -7 Revision 0 Rod Group Alignment LimitsB 3.1 .4 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1 .4 BASES Rod Group Alignment Limits BACKGROUNDThe OPERABILITY (i.e., trippability) of the shutdown and control rods isan initial assumption in all safety analyses that assume rod insertion upon reactor trip. Maximum rod misalignment is an initial assumption in thesafety analysis that directly affects core power distributions and assumptions of available SDM. The applicable criteria for these reactivity and power distribution design requirements are 10 CFR 50, Appendix A, GDC 10, "Reactor Design," GDC 26, "Reactivity Control System Redundancy and Capability" as discussed in Reference 1, and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Plants" (Ref. 2).Mechanical or electrical failures may cause a controf or shutdown rod to become inoperable or to become misaligned from its group. Rod inoperability or misalignment may cause increased power peaking, due tothe asymmetric reactivity distribution and a reduction in the total availablerod worth for reactor shutdown. Therefore, rod alignment and OPERABILITY are related to core operation in design power peaking limits and the core design requirement of a minimum SDM. Limits on rod alignment have been established, and all rod positions aremonitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved.Rod cluster control assemblies (RCCAs), or rods, are moved by theircontrol rod drive mechanisms (CRDMs). Each CRDM moves its RCCAone step (approximately 5/8 inch) at a time, but at varying rates (steps per minute) depending on the signal output from the Rod Control System.The RCCAs are divided among control banks and shutdown banks. Eachbank is further subdivided into two groups to provide for precise reactivity control. A group consists of two or more RCCAs that are electrically paralleled to step simultaneously. A bank of RCCAs consists of two groups, the groups are moved in a staggered fashion, but always withinone step of each other. There are four control banks and two shutdown banks.The shutdown banks are maintained either in the fully inserted or fully withdrawn position. The control banks are moved in an overlap pattern, Beaver Valley Units 1 and 2 B3.1 .4-1Revision 0 Rod Group Alignment LimitsB 3.1 .4 BASES BACKG ROU N D (continued) using the following withdrawal sequence: When control bank A reaches a predetermined height in the core, control bank B begins to move out withcontrol bank A. Control bank A stops at the position of maximum withdrawal, and control bank B continues to move out. When control bank B reaches a predetermined height, control bank C begins to move out with control bank B. This sequence continues until control banks A,B, and C are at the fully withdrawn position, and control bank D is approximately halfway withdrawn. The insertion sequence is the oppositeof the withdrawal sequence. The control rods are arranged in a radially symmetric pattern, so that control bank motion does not introduce radial asymmetries in the core power distributions.The axial position of shutdown rods and control rods is indicated by two separate and independent systems, which are the Bank Demand Fosition lndication System (commonly called group step counters) and the Rod Position lndication (RPl) System for Unit 1 and the Digital Rod Position lndication (DRPI) System for Unit 2.The Bank Demand Position Indication System counts the pulses from the rod control system that moves the rods. There is one step counter for each group of rods. Individual rods in a group all receive the same signalto move and should, therefore, all be at the same position indicated by the group step counter for that group. The Bank Demand Position lndication System is considered highly precise (t 1 step or + 5/8 inch). lf a rod does not move one step for each demand pulse, the step counter will still count the pulse and-incorrectly reflect the position of lhq rod The RPI and DRPI systems provide an accurate indication of actual rod position, but at a lower precision than the step counters. These systemsare based on inductive analog signafs from a series of coils spaced along a hollow tube. The RPI System is capable of monitoring rod position within ! 12 steps. To increase the rellability of the DRPI System, the inductive coils are connected alternately to data system A or B. Thus, if one data system fails, the DRPI will go on half accuracy. The DRPISystem is capable of monitoring rod position within + 4 steps, for full accuracy, and +4, -10 steps at half accuracy with data system A, and+10, -4 steps at half accuracy with data system B.APPLICABLE SAFETY ANALYSESControl rod misalignment accidents are analyzed in the safety analysis (Ref. 3). The acceptance criteria for addressing control rod inoperabilityor misalignment are that:a. There be no violations of:

1. Specified acceptable fuef designBeaver Valley Units 1 and 2 83.1 .4-2 Revision 0 Rod Group Alignment LimitsB 3.1.4 BASES APPLICABLE SAFETY ANALYSIS (continued)2. Reactor Coolant System (RCS) pressure boundary integrity and

b. The core remains subcritical after accident transients.

Two types of misalignment are distinguished. During movement of acontrol rod group, one rod may stop moving, while the other rods in the group continue. This condition may cause excessive power peaking.The second type of misalignment occurs if one rod fails to insert upon a reactor trip and remains stuck fully withdrawn. This condition requires an evaluation to determine that sufficient reactivity worth is held in the control rods to meet the SDM requirement, with the maximum worth rod stuckfully withdrawn. Two types of analysis are performed in regard to static rod misalignment (Ref. a). With control banks at their insertion limits, one type of analysis considers the case when any one rod is completely inserted into the core.The second type of analysis considers the case of a completely withdrawn single rod from a bank inserted to its insertion limit. Satisfying limits on departure from nucleate boiling ratio in both of these casesbounds the situation when a rod is misaligned from its group by 12 steps.The Required Actions in this LCO ensure that either deviations from thealignment limits will be corrected or that THERMAL POWER will be adjusted so that excessive local linear heat rates (LHRs) will not occur,and that the requirements on SDM and ejected rod worth are preserved. Continued operation of the reactor with a misaligned control rod is allowed if the heat flux hot channel factor ( Fo(Z)) and the nuclear enthalpy hot channel factor (Fl;,) are verified to be within their limits inthe COLR and the safety analysis is verified to remain valid. When acontrol rod is misaligned, the assumptions that are used to determlne the rod insertion limits, AFD limits, and quadrant power tilt limits are not preserved. Therefore, the limits may not preserve the design peaking factors, and F6(Z) and Fls must be verified directly by incore mapping. Bases Section 3.2 (Power Distribution Limits) contains more complete discussions of the relatlon of Fo(Z) and FIn to the operating limits.Shutdown and control rod OPERABILITY and alignment are directly related to power distributions and SDM, which are initial conditionsassumed in safety analyses. Therefore they satisfy Criterion 2 of 10 CFR 50.36(c)(2xii). Beaver Valfey Units 1 and 283.1 .4-3Revision 0 Rod Group Alignment LimitsB 3.1 .4 BASES LCO The limits on shutdown or control rod alignments ensure that theassumptions in the safety analysis will remain valid. The requirements on control rod OPERABILITY ensure that upon reactor trip, the assumedreactivity will be available and will be inserted. The control rod OPERABILIry requirements (i.e., trippability) are separate from thealignment requirements, which ensure that the RCCAs and banksmaintain the correct power distribution and rod alignment. The rod OPERABILITY requirement is satisfied provided the rod will fully insert inthe required rod drop time assumed in the safety analysis. Rod control malfunctions that result in the inability to move a rod (e.g., rod lift coil failures), but that do not impact trippability, do not result in rod inoperability.The requirement to maintain the rod alignment to within plus or minus 12 steps is conservative. The minimum misalignment assumed in safety analysis is 24 steps (15 inches), and in some cases a total misalignmentfrom fully withdrawn to fully inserted is assumed.Failure to meet the r.equirements of this LCO may produce unacceptable power peaking factors and LHRs, or unacceptable SDMs, all of whichmay constitute initial conditions inconsistent with the safety analysis.The rod alignment requirements of this LCO may be met by determining rod position in accordance with Rod Position Indication Specifications 3.1.7.1 (Unit 1)and 3.1.7.2 (Unit 2). The ACTIONS of the Rod Position Indication specifications provide alternate methods for determining rod position if a position indicator is inoperable. lf the ACTIONS of a RodPosition Indication specification are applicable, the alternate method(s)for determining rod position specified in the applicable ACTIONS may beused to meet the alignment requirements of this LCO The LCO requirements are modified by a Note that is only applicable to Unit 1. The Note provides an exception to verifying the LCO requirements are met during rod motion and for the first hour following rodmotion. The exception is necessary to accommodate the thermal. ,stabilization required after rod movement for the Unit 1 RPI System. The RPI System requires time to achieve thermal equilibrium after rodmovement in order to provide indication within the required accuracy.During rod motion and the time allowed for thermal soak after rod motion, the group demand counters provide the primary indication of precise rod position with the RPI channels displaying general rod movementinformation. Therefore, comparison between the two indications to verify the LCO requirements are met is not required during the time specified inthis Note.Beaver Valley Units 1 and 2B3.1 .4-4 Revision 0 Rod Group Alignment LimitsB 3.1 .4 BASES APPLICABILITYThe requirements on RCCA OPERABILITY and alignment are applicablein MODES 1 and 2 because these are the only MODES in which the reactor is critical and power is generated, and the OPERABILITY (i.e., trippability) and alignment of rods have the potential to affect the safety of the plant. In MODES 3, 4,5, and 6, the alignment limits do not apply because the control rods are typically bottomed and the reactor is shutdown and not producing power. In the shutdown MODES, the OPERABILITY of the shutdown and control rods has the potential toaffect the required SDM, but this effect can be compensated for by an increase in the boron concentration of the RCS. See LCO 3.1.1,"SHUTDOWN MARGIN," for SDM in MODES 3, 4, and 5 and LCO 3.9.1,"Boron Concentration," for boron concentration requirements during refueling. ACTIONS 4.1.1 and A.1.2 When one or more rods are inoperable (i.e., untrippable), there is a possibility that the required SDM may be adversely affected. Under these conditions, it is important to determine the SDM, and if it is less than,the required value, initiate boration until the required SDM is recovered. The Completion Time of t hour is adequate for determining SDM and, if necessary, for initiating emergency boration and restoring SDMIn this situation, SDM verification must include the worth of the untrippable rod, as well as a rod of maximum worth.4.2lf the inoperable rod(s) cannot be restored to OPERABLE status, the plant must be brought to a MODE or condition in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours.The allowed Completion Time is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging plant systems.8.1 When a rod becomes misaligned, it can usually be moved and is still trippable. lf the rod can be realigned within the Completion Time of t hour, local xenon redistribution during this short interval will not be significant, and operation may proceed without further restriction. Beaver Valley Units 1 and 283.1 .4-5Revision 0 Rod Group Alignment LimitsB 3.1 .4 BASES ACTIONS (continued) An alternative to realigning a single misaligned RCCA to the group average position is to align the remainder of the group to the position ofthe misaligned RCCA. However, this must be done without violating thebank sequence, overlap, and insertion limits specified in LCO 3.1.5,"Shutdown Bank Insertion Limits," and LCO 3.1.6, "Control Bank InsertionLimits," The Completion Time of t hour gives the operator sufficient time to adjust the rod positions in an orderly manner.8.2.1.1 and 8.2.1.2 With a misaligned rod, SDM must be verified to be within must be initiated to restore SDM to within limit. borationIn many cases, realigning the remainder of the group to the misaligned rod may not be desirable. For example, realigning control bank B to a rodthat is misaligned 15 steps from the top of the core would require a significant power reduction, since control bank D must be moved fully in and control bank C must be moved in to approximately 100 to 115 steps.Power operation may continue with one RCCA trippable but misaligned, provided that SDM is verified within t hour. The Completion Time oft hour represents the time necessary for determining the actual unit SDMand, if necessary, aligning and starting the necessary systems and components to initiate boration.8.2.2, 8.2.3, 8.2.4, 8.2.5, and 8.2.6For continued operation with a misaligned rod, THERMAL POWER must be reduced, SDM must periodically be verified within limits, hot channel factors (Fo(Z) and FIH) must be verified within limits, and the safetyanalyses must be re-evaluated to confirm continued operation is permissible. Reduction of power to <75% RTP ensures that local LHR increases dueto a misaligned RCCA will not cause the core design criteria to be exceeded. The Completion Time of 2 hours gives the operator sufficient time to accomplish an orderly power reduction without challenging the Reactor Protection System.When a rod is known to be misaligned, there is a potential to impact theSDM. Since the core conditions can change with time, periodic verification of SDM is required. A Frequency of 12 hours is sufficient to ensure this requirement continues to be met.Beaver Valley Units 1 and 2 B3.1.4-6 Revision 0 Rod Group Alignment LimitsB 3.1 .4 BASES ACTIONS (continued)Verifying that Fq(Z), as approximated nV f$(Z) and F[(Z), and FIH arewithin the required limits ensures that current operation at 375o/o RTP with a rod misaligned is not resulting in power distributions that mayinvalidate safety analysis assumptions at full power. The Completion Time of 72 hours allows sufficient time to obtain flux maps of the core power distribution using the incore flux mapping system and to calculateFo(Z) and Ftn.Once current conditions have been verified acceptable, time is available to perform evaluations of accident analysis to determine that core limits will not be exceeded during a Design Basis Event for the duration of ,operation under these conditions. The accident analyses presented in UFSAR Chapter 14 (Unit 1)and Chapter 15 (Unit 2) (Ref. 3) that may be adversely affected will be evaluated to ensure that the analysis resultsremain valid for the duration of continued operation under these conditions. A Completion Time of 5 days is sufficient time to obtain therequired input data and to perform the analysis. c.1When Required Actions cannot be completed within their CompletionTime, the unit must be brought to a MODE or Condition in which theLCO requirements are not applicable. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours, which obviatesconcerns about the development of undesirable xenon or powerdistributions. The allowed Completion Time of 6 hours is reasonable,based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging the plant systems.D,1 .1 and D.1 2 More than one rod becoming misaligned from its group average positionis not expected, and has the potential to reduce SDM. Therefore, SDMmust be evaluated. One hour allows the operator adequate time todetermine SDM. Restoration of the required SDM, if necessary, requires increasing the RCS boron concentration to provide negative reactivity, as described in the Bases of LCO 3.1.1. The required Completion Time oft hour for initiating boration is reasonable, based on the time required for potential xenon redistribution, the low probability of an accident occurring, and the steps required to complete the action. This allows the operatorsufficient time to align the required valves and start the boric acid pumps.Boration will continue until the required SDM is restored. Beaver Valley Units 1 and 2B 3.1 .4 -7 Revision 0 Rod Group Alignment LimitsB 3.1 .4 BASESACTIONS (continued) D.2lf more than one rod is found to be misaligned or becomes misaligned because of bank movement, the unit conditions fall outside of the accident analysis assumptions. Since automatic bank sequencing would continue to cause misalignment, the unit rnust be brought to a MODE inwhich the LCO requirements are not applicable. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours.The allowed Completion Time is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging plant systems.SURVEILLANCE SR 3.1 .4.1 REQUIREMENTS Verification that individual rod positions are within alignment limits at a Frequency of 12 hours provides a history that allows the operator todetect a rod that is beginning to deviate from its expected position. Thespecified Frequency takes into account other rod position information that is continuously available to the operator in the control room, so that during actual rod motion, deviations can immediately be detected. The SR is modified by a Note that is only applicable to Unit 1. The Note provides an exception to performing the SR during rod motion and for thefirst hour following rod motion. The exception is consistent with the Unit 1LCO exception Note and is necessary to allow for thermal stabilizationand accurate rod position indication. During rod motion and the timeallowed for thermal soak after rod motion, the group demand counters provide the primary indication of precise rod position with the RPI channels displaying general rod movement information. Therefore, comparison between the two indications to verify the LCO requirements are met is not required during the time specified in this Note. lf the SR comes due during the time allowed by the Note, and the RPI has not stabilized within the required accuracy, the SR should be performed assoon as possible after the time provided by the Note expires. ln order to facilitate the thermal stabilization of the RPI during the one-hour thermal soak, absolute rod motion should be limited to six steps.Beaver Valley Units 1 and 2 B 3.1.4 - 8 Revision 0 Rod Group Alignment Limits B 3.1 .4 BASES SURVEILLANCE REQUI REMENTS (continued)sR 3.1 .4.2 Verifying each rod is OPERABLE would require that each rod be tripped.However, in MODES 1 and2 with K"n> 1.0, tripping each rod would resultin radial or axial power tilts, or oscillations. Exercising each individual rod every 92 days provides increased confidence that all rods continue to beOPERABLE without exceeding the alignment limit, even if they are not regularly tripped. Moving each rod by 10 steps will not cause radial or axial power tilts, or oscillations, to occur. The 92 day Frequency takesinto consideration other information available to the operator in the control room and SR 3.1.4.1, which is performed more frequently and adds to the determination of OPERABILITY of the rods. Between required performances of SR 3.1.4.2 (determination of rod OPERABILITY by movement), if a rod(s) is discovered to be immovable, but remains trippable the rod(s) is considered to be OPERABLE. At any time, if a rod(s) is immovable, a determination of the trippability (OPERABILITY) of therod(s)mustbemade,andappropriateactiontaken'For Unit 1 only. The RPI System requires time to achieve thermal equilibrium after rod movement in order to provide accurate rod position indication. During rod motion and the time allowed for thermal soak after rod motion, the group demand counters provide the primary indication of precise rod position with the RPI channels displaying general rod movement information. Considering the time it takes to stabilize the RPIand the relatively short time it takes to perform this SR, it is not requiredthat the RPI show a full 10 step movement in order to confirm freedom of movement. The 1O-step requirement of this SR is the minimumlequired change in demand counter indication that should result in a sufficientchange in the RPI to determine freedom of movement. sR 3.1 .4.3 Verification of rod drop times allows the operator to determine that the maximum rod drop time permitted is consistent with the assumed roddrop time used in the safety analysis. Measuring rod drop times prior to reactor criticality, after reactor vessel head removal, ensures that the reactor internals and rod drive mechanism will not interfere with rod motion or rod drop time, and that no degradation in these systems has occurred that would adversely affect rod motion or drop time. This testing is performed with all RCPs operating and the average moderator temperature > 500"F to simulate a reactor trip under actual conditions. Beaver Valley Units 1 and 2 83.1.4-9 Revision 0 Rod Group Alignment LimitsB 3.1 .4 BASES SURVEILLANCE REQU IREMENTS (continued)This Surveillance is performed during a plant outage, due to the plant conditions needed to perform the SR and the potential for an unplanned plant transient if the Surveillance were performed with the reactor at power.REFERENCES 1.Unit 1 UFSAR Appendix 1A, '1971 AEC General Design Criteria Confor:mance" and Unit 2 UFSAR Section 3.1, "Conformance withU.S. Nuclear Regulatory Commission General Design Criteria." 10 cFR 50.46.UFSAR, Chapter 14 (Unit 1)and Chapter 15 (Unit 2).UFSAR, Section 14.1.9 (Unit 1) and Section 15.4.3 (Unit 2).2.3.4.Beaver Valley Units 1 and 283.1 .4-10 Revision 0 Shutdown Bank Insertion LimitsB 3.1.5 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.5 Shutdown Bank Insertion Limits BASES BACKGROUND The insertion limits of the shutdown and control rods are initial assumptions in all safety analyses that assume rod insertion upon reactor trip. The insertion limits directly affect core power and fuel burnup distributions and assumptions of available ejected rod worth, SDM andinitial reactivity insertion rate.The applicable criteria for these reactivity and power distribution design requirements are 10 CFR 50, Appendix A, GDC 10, "Reactor Design,"GDC 26, "Reactivity Control System Redundancy and Protection,"GDC 28, "Reactivity Limits" as discussed in Reference 1, and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 2). Limits oncontrol rod insertion have been established, and all rod positions are monitored and controlled during power operation to ensure that the powerdistribution and reactivity limits defined by the design power peaking and SDM limits are preserved. The rod cluster control assemblies (RCCAs) are divided among controlbanks and shutdown banks. Each bank may be further subdivided into two groups to provide for precise reactivity control. A group consists oftwo or more RCCAs that are electrically paralleled to step simultaneously. A bank of RCCAs consists of two groups that are moved in a staggered fashion, but always within one step of each other. There are four controlbanks and two shutdown banks. See LCO 3.1.4, "Rod Group Alignment Limits," for control and shutdown rod OPERABILITY and alignment requirements, and LCOs 3.1 .7.1 (Unit 1 ) and 3.1 .7 .2 (Unit 2), "RodPosition Indication," for position indication requirements. The control banks are used for precise reactivity control of the reactor.The positions of the control banks are normally automatically controlledby the Rod Control System, but they can also be manually controlled. They are capable of adding negative reactivity very quickly (compared toborating). The control banks must be maintained above designed insertion limits and are typically near the fully withdrawn position during normal full power operations.Hence, they are not capable of adding a large amount of positivereactivity. Boration or dilution of the Reactor Coolant System (RCS)compensates for the reactivity changes associated with large changes in RCS temperature. The design calculations are performed with theassumption that the shutdown banks are withdrawn first. The shutdownbanks can be fully withdrawn without the core going critical. ThisBeaver Valley Units 1 and 2 B 3.1.5 - 1Revision 0 Shutdown Bank lnsertion LimitsB 3.1 .5 BASES BACKG ROU N D (continued) provides available negative reactivity in the event of boration errors. The shutdown banks are controlled manually by the control room operator. During normal unit operation, the shutdown banks are either fully withdrawn or fully inserted. The shutdown banks must be completelywithdrawn from the core, prior to withdrawing any control banks during anapproach to criticality. The shutdown banks are then left in this positionuntil the reactor is shut down. They affect core power and burnup distribution, and add negative reactivity to shut down the reactor upon receipt of a reactor trip signal. APPLICABLE SAFETY ANALYSESOn a reactor trip, all RCCAs (shutdown banks and control banks), exceptthe most reactive RCCA, are assumed to insert into the core. Theshutdown banks shall be at or above their insertion limits and available to insert the maximum amount of negative reactivity on a reactor trip signal.The control banks may be partially inserted in the core, as allowed by LCo3.1.6,,.ControlBanklnsertionLimitsTheshutdownbankandcontrol bank insertion limits are established to ensure that a sufficientamount of negative reactivity is available to shut down the reactor and maintain the required SDM (see LCO 3.1.1, "SHUTDOWN MARGIN (SDM)") following a reactor trip from full power. The combination ofcontrol banks and shutdown banks (less the most reactive RCCA, which is assumed to be fully withdrawn) is sufficient to take the reactor from full power conditions at rated temperature to zero power, and to maintain the required SDM at rated no load temperature (Ref. 3). The shutdown bank insertion limit also limits the reactivity worth of an ejected shutdown rod.The acceptance criteria for addressing shutdown and control rod bankinsertion limits and inoperability or misalignment is that: a. There be no violations of:Specified acceptable fuel design limits or RCS pressure boundary integrity andb. The core remains subcritical after accident transients. As such, the shutdown bank insertion limits affect safety analysisinvolving core reactivity and SDM (Ref. 3).The shutdown bank insertion limits preserve an initial condltion assumedin the safety analyses and, as such, satisfy Criterion 2 of10 CFR 50.36(c)(2Xii). 1.2.Beaver Valley Units 1 and 2 83.1 .5-2Revision 0 Shutdown Bank Insertion Limits B 3.1.5 BASES LCO The shutdown banks must be within their insertion limits any time the reactor is critical or approaching criticality. This ensures that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM following a reactor trip, The shutdown bank insertion limits are defined in the COLR.APPLICABILITY The shutdown banks must be within their insertion limits, with the reactor in MODES 1 and 2. This ensures that a sufflcient amount of negative reactivity is available to shut down the reactor and maintain the requiredSDM following a reactor trip. The shutdown banks do not have to be within their insertion limits in MODE 3, unless an approach to criticality isbeing made. ln MODE 3,4,5, or 6, the shutdown banks are typically fullyinserted in the core and contribute to the SDM. Refer to LCO 3.1.1 for SDM requirements in MODES 3, 4, and 5. LCO 3.9.1, "Boron Concentration," ensures adequate SDM in MODE 6.The Applicability requirements have been modified by a Note indicatingthe LCO requirement is suspended during SR 3.1.4.2. This SR verifiesthe freedom of the rods to move, and requires the shutdown banks to move below the LCO limits, which would normally violate the LCO. ACTIONS4.1.1, 4.1.2, and A.2When one or more shutdown banks is not within insertion limits, 2 hours is allowed to restore the shutdown banks to within the insertion limits.This is necessary because the available SDM may be significantly reduced, with one or more of the shutdown banks not within their insertion limits. Also, verification of SDM or initiation of boration within t hour is required, since the SDM in MODES 1 and 2 is ensured by adhering to the control and shutdown bank insertion limits (see LCO 3.1.1). lf shutdown banks are not within their insertion limits, then SDM will be verified by performing a reactivity balance calculation, considering the effects listed in the BASES for SR 3.1 .1 .1 .The allowed Completion Time of 2 hours provides an acceptable time for evaluating and repairing minor problems without allowing the plant to remain in an unacceptable condition for an extended period of time.8.1lf the shutdown banks cannot be restored to within their insertion limits within 2 hours, the unit must be brought to a MODE where the LCO is not applicable. The allowed Completion Time of 6 hours is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.Beaver Valley Units 1 and 2 B 3.1.5 - 3Revision 0 Shutdown Bank lnsertion LimitsB 3.1 .5 BASES SURVEILLANCE SR 3.1.5.1 REQUIREMENTS Verification that the shutdown banks are within their insertion limits priorto an approach to criticality ensures that when the reactor is critical, orbeing taken critical, the shutdown banks will be available to shut down thereactor, and the required SDM will be maintained following a reactor trip.This SR and Frequency ensure that the shutdown banks are withdrawnbefore the control banks are withdrawn during a unit startup. The primary means for verifying that the insertion limits are met is the associated group demand position indicators. Variations in individual rod position indication from the demand position indication are acceptable. Specifications 3.1.4, "Rod Group Alignment Limits," 3.1.7.1 (Unit 1) and 3.1 .7 .2 (Unit 2), "Rod Position lndication" provide the appropriate limitsand Actions for individual rod position indicationSince the shutdown banks are positioned manually by the control roomoperator, a verification of shutdown bank position at a Frequency of12 hours, after the reactor is taken critical, is adequate to ensure that theyare within their insertion limits. Also, the 12 hour Frequency takes intoaccount other information available in the control room for the purpose of monitoring the status of shutdown rods.REFERENCES 2.3.1.Unit 1 UFSAR Appendix 1A, "1971 AEC General Design Criteria Conformance" and Unit 2 UFSAR Section 3.1, "Conformance withU.S. Nuclear Regulatory Commission General Design Criteria."10 cFR 50.46.UFSAR, Chapter 14 (Unit 1) and Chapter 15 (Unit 2).Beaver Valley Units 1 and 2 B3.1.s-4Revision 0 Control Bank Insertion LimitsB 3.1 .6 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.6 Control Bank Insertion Limits BASES BACKGROUNDThe insertion limits of the shutdown and control rods are initialassumptions in all safety analyses that assume rod insertion upon reactor trip. The insertion limits directly affect core power and fuel burnupdistributions and assumptions of available SDM, and initial reactivityinsertion rate. The applicable criteria for these reactivity and power distribution design requirements are 10 CFR 50, Appendix A, GDC 10, "Reactor Design,"GDC 26, "Reactivity Control System Redundancy and Protection,"GDC 28, "Reactivity Limits" as discussed in Reference 1, and 10 CFR 50.46, "Acceptance Criteria for Emergency Core CoolingSystems for Light Water Nuclear Power Reactors" (Ref. 2). Limits oncontrol rod insertion have been established, and all rod positions are monitored and controlled during power operation to ensure that the powerdistribution and reactivity limits defined by the design power peaking and SDM limits are preserved.The rod cluster control assemblies (RCCAs) are divided among controlbanks and shutdown banks. Each bank may be further subdivided into two groups to provide for precise reactivity control. A group consists oftwo or more RCCAs that are electrically paralleled to step simultaneously.A bank of RCCAs consists of two groups that are moved in a staggered fashion, but always within one step of each other. There are four controlbanks and two shutdown banks. See LCO 3.1.4, "Rod Group AlignmentLimits," for control and shutdown rod OPERABILITY and alignment requirements, and LCOs 3.1.7.1 (Unit 1) and 3.1.7.2 (Unit 2), "RodPosition Indication," for position indication requirements. The control bank insertion limits are specified in the COLR. An example is provided for information only in Figure B 3.1.6-1. The control banks arerequired to be at or above the insertion limit lines.Figure B 3.1.6-1 also indicates how the control banks are moved in an overlap pattern. Overlap is the distance traveled together by two controlbanks. Overlap is a function of the fully withdrawn position defined in theCOLR, and the tip-to{ip relationship shown on the figure. On the figure,the tip-to-tip relationship is shown as the difference between control bank C and D positions at 8% power, or 130 steps.Beaver Valley Units 1 and 2B 3.1.6 - 1Revision 0 Control Bank lnsertion LimitsB 3.1 .6 BASES BACKGROUN D (continued) The control banks are used for precise reactivity control of the reactor.The positions of the control banks are normally controlled automaticallyby the Rod Control System, but can also be manually controlled. Theyare capable of adding reactivity very quickly (compared to borating or diluting). The power density at any point in the core must be limited, so that the fueldesign criteria are maintained. Together, LCO 3.1.4, LCO 3.1.5,"Shutdown Bank Insertion Limits," LCO 3.1.6, LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD),' and LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)," provide limits on control component operation and on monitored process variables, which ensure that the core operates withinthe fuel design criteria.The shutdown and control bank insertion and alignment limits, AFD, and QPTR are process variables that together characterize and control thethree dimensional power distribution of the reactor core. Additionally, the control bank insertion limits control the reactivity that could be added in the event of a rod ejection accident, and the shutdown and control bankinsertion limits ensure the required SDM is maintained. Operation within the subject LCO limits will prevent fuet cladding failures that would breach the primary fission product barrier and release fission products to the reactor coolant in the event of a loss of coolant accident (LOCA), loss of flow, ejected rod, or other accident requiring terminationby a Reactor Trip System (RTS) trip function.APPLICABLE SAFETY ANALYSESThe shutdown and control bank insertion limits, AFD, and QPTR LCOs are required to prevent power distributions that could result in fuel cladding failures in the event of a LOCA, loss of flow, ejected rod, or otheraccident requiring termination by an RTS trip function.The acceptance criteria for addressing shutdown and control bankinsertion limits and inoperability or misalignment are that: a. There be no violations of: Specified acceptable fuel design limits or Reactor Coolant System pressure boundary integrity and b, The core remains subcritical afier accident transients. As such, the shutdown and control bank insertion limits affect safety analysis involving core reactivity and power distributions (Ref. 3).1.2.Beaver Valley Units 1 and 2 83.1.6-2Revision 0 Control Bank Insertion LimitsB 3.1 .6 BASES APPLICABLE SAFEry ANALYSES (continued)The SDM requirement is ensured by limiting the control and shutdown bank insertion limits so that the allowable inserted worth of the RCCAs issuch that sufficient reactivity is available in the rods to shut down thereactor to hot zero power with a reactivity margin that assumes themaximum worth RCCA remains fully withdrawn upon trip (Ref. 4).Operation at the insertion limits or AFD limits may approach the maximumallowable linear heat generation rate or peaking factor with the allowed QPTR present. Operation at the insertion limit may also indicate themaximum ejected RCCA worth could be equal to the limiting value in fuelcycles that have sufficiently high ejected RCCA worths.The control and shutdown bank insertion limits ensure that safety analyses assumptions for SDM, ejected rod worth, and power distribution peaking factors are preserved (Ref. 5).The insertion limits satisfy Criterion 2 of 10 CFR 50.36(c)(2xii), in thatthey are initial conditions assumed in the safety analysis.LCOThe limits on control banks sequence, overlap, and physical insertion, asdefined in the COLR, must be maintained because they serve thefunction of preseruing power distribution, ensuring that the SDM is maintained, ensuring that ejected rod worth is maintained, and ensuring adequate negative reactivity insertion is available on trip- The overlapbetween control banks provides more uniform rates of reactivity insertion and withdrawal and is imposed to maintain acceptable power peakingduring control bank motion. APPLICABILITY The control bank sequence, overlap, and physical insertion limits shall be maintained with the reactor in MODES 1 and 2 with k"6 > 1.0. Theselimits must be maintained, since they preserve the assumed powerdistribution, ejected rod worth, SDM, and reactivity rate insertionassumptions. Applicability in MODES 3, 4, and 5 is not required, sinceneither the power distribution nor ejected rod worth assumptions would be exceeded in these MODES.The applicability requirements have been modified by a Note indicatingthe LCO requirements are suspended during the performance ofSR 3.1.4.2. This SR verifies the freedom of the rods to move, andrequires the control bank to move below the LCO limits, which would violate the LCO.Beaver Valley Units 1 and 2B 3.1.6 - 3 Revision 0 Control Bank lnsertion LimitsB 3.1.6 BASES ACTIONS4.1 .1 . 4.1.2, 4.2.8.1 .1 .8.1 .2. and B:2When the control banks are outside the acceptable insertion limits, they must be restored to within those limits. This restoration can occur in two ways: Reducing power to be consistent with rod position or Moving rods to be consistent with power.Also, verification of SDM or initiation of boration to regain SDM is requiredwithin t hour, since the SDM in MODES 1 and 2 normally ensured byadhering to the control and shutdown bank insertion limits (seeLCO 3.1.1, "SHUTDOWN MARGIN (SDM)") has been upset. lf controlbanks are not within their insertion limits, then SDM will be verified by performing a reactivity balance calculation, considering the effects listed in the BASES for SR 3.1.1.1.Similarly, if the control banks are found to be out of sequence or in thewrong overlap configuration, they must be restored to meet the limits.Operation beyond the LCO limits is allowed for a short time period inorder to take conservative action because the simultaneous occurrence of either a LOCA, loss of flow accident, ejected rod accident, or otheraccident during this short time period, together with an inadequate powerdistribution or reactivity capability, has an acceptably low probability.The allowed Completion Time of 2 hours for restoring the banks to within the insertion, sequence, and overlaps limits provides an acceptable timefor evaluating and repairing minor problems without allowing the plant toremain in an unacceptable condition for an extended period of time.c.1lf Required Actions A.1 and A,2, or B.1 and B.2 cannot be completedwithin the associated Completion Times, the plant must be brought toMODE 2 with k"r < 1 .0, where the LCO is not applicable. The allowedCompletion Time of 6 hours is reasonable, based on operatingexperience, for reaching the required MODE from full power conditions inan orderly manner and without challenging plant systems.a.b.Beaver Valley Units 1 and 2 83.1 .6-4Revision 0 Control Bank Insertion Limits B 3.1.6 BASES SURVEILLANCE SR 3.1.6.1 REQUIREMENTSIlffi iffi ilfr ff ::'J:,x'it""1[;:ffi l[?1lff"fi il'*is:'f'."Jl""il]il:insertion limits are specified in the COLR.The prim ary means for verifying the required control bank position is the associated group demand position indicators. Variations in individual rod position indication from the demand position indication are acceptable. Specifications 3.1.4, "Rod Group Alignment Limits," 3.1.7.1 (Unit 1) and 3.1.7.2 (Unit 2), "Rod Position Indication" provide the appropriate limitsand Actions for individual rod position indication. The estimated critical position (ECP) depends upon a number of factors,one of which is xenon concentration. lf the ECP was calculated long before criticality, xenon concentration could change to make the ECP substantially in error. Conversely, determining the ECP immediatelybefore criticality could be an unnecessary burden. There are a number of unit parameters requiring operator attention at that point. Performing theECP calculation within 4 hours prior to criticality avoids a large error from: : fr : ff ;' il :"J3 [ ::ffi :ffi I ",i'i'i 11 'il : H il,? :ffi '"?,:: s o m e' ex i b i' i tv t osR 316.2 Verification of the control bank insertion limits at a Frequency of 12 hours f,":,T5i"J Ti ilffi ,T:[i i,ffi ?:: llxl,ff : :J, :J ii?T [ ffi i : e i n s e rt o n The primary means for verifying that the insertion limits are met is the associated group demand position indicators. Variations in individual rod position indication from the demand position indication are acceptable. Specifications 3.1.4, "Rod Group Alignment Limits," 3.1.7 .1 (Unit 1) and 3.1.7.2 (Unit 2), "Rod Position lndication" provide the appropriate limitsand Actions for individual rod position indication.sR 3.1 .6.Q When control banks are maintained within their insertion limits aschecked by SR 3.1 .6.2 above, it is unlikely that their sequence andoverlap will not be in accordance with requirements provided in theCOLR. A Frequency of 12 hours is consistent with the insertion limitcheck above in SR 3.1.6.2. Beaver Valley Units 1 and 2B 3.1.6 - 5Revision 0 Control Bank Insertion LimitsB 3.1 .6 BASES SURVEILLANCE REQU IREMENTS (continued) The prirnary means for verifying that the sequence and overlap limits are met is the associated group demand position indicators. Variations inindividual rod position indication from the demand position indication areacceptable. Specifications 3.1 .4, "Rod Group Alignment Limits," 3.1.7 .1 (Unit 1) and 3.1 .7 .2 (Unit 2), "Rod Position Indication" provide theappropriate limits and Actions for individual rod position indication. REFERENCES 1.Unit 1 UFSAR Appendix 1A, "1971 AEC General Design Criteria Conformance" and Unit 2 UFSAR Section 3.1, "Conformance with U.S. Nuclear Regulatory Commission General Design Criteria." 10 cFR 50.46. UFSAR, Chapter 14 (Unit 1)and Chapter 15 (Unit 2).UFSAR, Section 3.3.2.6 (Unit 1) and Section 4.3.2.5 (Unit 2).UFSAR, Section 3.3 2.5 (Unit 1) and Section 4"9.2.4 (Unit 2).2.3.4.5.Beaver Valley Units 1 and 2 B 3.1.6 - 6Revision 0 1 54.53.225 I'//,/,//I too, tsz I/7./-]lt KC ,/.///,//,///,/.//././/,/?i0 ,,1 4 ,/J lBr.l NK El*-7.//./,./,.////,/THIS FIGURE IS FOR ILLUSTRATION ONLY.DO NOT USE FOR OPERATION. ///B,C 0 20 40 60 B0 100Relative Power (Percent)Figure B 3.1 .6-1 (page 1 of 1 )Control Bank Insertion vs. Percent RTP 200 Control Bank Insertion LimitsB 3.1 .6 c BE 1sn E.ts a o_g g c* 1oo a o o--:<c o m-(f o E.50 Beaver Valley Units 1 and 2 B 3.1 .6 -7 Revision 0 Unit 1 Rod Position IndicationB 3.1.7 .1B 3.1 REACTIVITY CONTROL SYSTEMSB 3.1.7 Rod Position Indication 8.3.1.7.1 Unit 1 Rod Position Indication BASES BACKGROUND According to GDC 13, as discussed in Reference 1 , instrumentation tomonitor variables and systems over their operating ranges during normal operation, anticipated operational occurrences, and accident conditions must be OPERABLE. LCO 3.1.7.1 is required to ensure OPERABILITYof the control rod position indication system to determine control rod positions and thereby ensure compliance with the control rod alignmentand insertion limits. The OPERABILITY, including rod position, of the shutdown and controlrods is an initial assumption in all safety analyses that assume rod insertion upon reactor trip. Maximum rod misalignment is an initial assumption in the safety analysis that directly affects core power distributions and assumptions of available SDM. Rod position indicationis required to assess OPERABILITY and misalignment.Mechanical or electrical failures may cause a control rod to becomeinoperable or to become misaligned from its group. Control rod inoperability or misalignment may cause increased power peaking, due to the asymmetric reactivity distribution and a reduction in the total availablerod worth for reactor shutdown. Therefore, control rod alignment and OPERABILITY are related to core operation in design power peaking limits and the core design requirement of a minimum SDM.Limits on control rod alignment and OPERABILITY have beenestabllshed, and all rod positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limitsdefined by the design power peaking and SDM limits are preserved. Rod cluster control assemblies (RCCAs), or rods, are moved out of the core (up or withdrawn) or into the core (down or inserted) by their control rod drive mechanisms. The RCCAs are divided among control banks and shutdown banks. Each bank is further subdivided into two groups to provide for precise reactivity controThe axial position of shutdown rods and control rods are determined by two separate and independent systems: the Bank Demand Position lndication System (commonly called group step counters) and the RodPosition lndication (RPl) System.Beaver Valley Units 1 and 2 B 3.1 .7.1 - 1 Revision 9 Unit 1 Rod Position Indication B 3.1.7 .1 BASES BACKGROUND (continued)The Bank Demand Position Indication System counts the pulses from the Rod Control System that move the rods. There is one step counter for each group of rods. Individual rods in a group all receive the same signal to move and should, therefore, all be at the same position indicated by the group step counter for that group. The Bank Demand Position lndication System is considered highly precise (t 1 step or t 5/8 inch). lf a rod does not move one step for each demand pulse, the step counter will still count the pulse and incorrectly reflect the position of the rod.The RPI System provides an accurate indication of actuat control rod position, but at a lower precision than the step counters. This system isbased on inductive analog signals from coils spaced along a hollow tube.The maximum uncertainty is + 12 steps (x7.5 inches). With an indicateddeviation of 12 steps between the group step counter and RPl, the maximum deviation between actual rod position and the demand positioncould be 24 steps, or 15 inches. One method for determining each rod position is the indicators on the vertical board. A secondary method of determining rod position is the in-plant computer. Either the vertical board indicators or in-plant computer is sufficient to comply with this specification. The in-plant computerreceives the same inputs from ARPI as the vertical board indicators and provides resolution equivalent to or better than the vertical boardindicators. The in-plant computer also provides a digital readout of each rod position which eliminates interpolation and parallax errors inherent toanalog scales. When an IPC computer point(s) is used as the primarymeans of rod position indication, administrative controls require the control room staff to continuously display the IPC computer point(s) in the control room.Due to the need for the control rod drive shaft to reach thermal equilibrium for accurate individual rod position indication, the groupdemand counter is considered the primary indicator of,precise rod position information during rod movement and for the first hour followingrod motion. The RPI channels may only display general rod movementinformation during this time. A one-hour thermal soak is allowed before the RPI channels must perform within the required accuracy. ln order tofacilitate the thermal stabilization of the RPI during the one-hour thermalsoak, absolute rod motion should be limited to six steps. Beaver Valley Units 1 and 2 B31.7.1-2Revision 9 Unit 1 Rod Position lndicationB 3.1 .7.1 BASES APPLICABLE SAFETY ANALYSESControl and shutdown rod position accuracy is essential during poweroperation. Power peaking, ejected rod worth, or SDM limits may beviolated in the event of a Design Basis Accident (Ref. 2), with control or shutdown rods operating outside their limits undetected. Therefore, theacceptance criteria for rod position indication is that rod positions must beknown with sufficient accuracy in order to verify the core is operating within the group sequence, overlap, design peaking limits, ejected rod worth, and with minimum SDM (LCO 3.1.5, "Shutdown Bank InsertionLimits," and LCO 3.1.6, "Control Bank Insertion Limits"). The rod positions must also be known in order to verify the alignment limits are preserved (LCO 3.1.4, "Rod Group Alignment Limits"). Control rod positions are continuously monitored to provide operators with information that ensures the plant is operating within the bounds of the accidentanalysis assumptions. The control rod position indication system channels satisfy Criterion 2 of 10 CFR 50.36(c)(2xii). The control rod position indication system monitors control rod position, which is an initial condition of the accident analyses.LCO LCO 3.1.7.1 specifies that the RPI System and the Bank DemandPosition Indication System be OPERABLE. For the control rod position indication system to be OPERABLE requires meeting the SR of the LCO and the following:

a. The RPI System indicates within 12 steps of the group step counter demand position as required by LCO 3.1.4, "Rod Group Alignment Limits,"b. For the RPI System there are no failed coils, and c. The Bank Demand Indication System has been calibrated either inthe fully inserted position or to the RPI System.The 12 step agreement limit between the Bank Demand PositionIndication System and the RPI System indicates that the Bank DemandPosition Indication System is adequately calibrated, and can be used for indication of the measurement of control rod bank position.A deviation of fess than the allowable limit, given in LCO 3.1.4, in positionindication for a single control rod, ensures high confidence that the position uncertainty of the corresponding control rod group is within the assumed values used in the safety analysis (that specified control rod group insertion limits).Beaver Valley Units 1 and 2 B 3.1 .7.1 - 3 Revision 9 Unit 1 Rod Position IndicationB 3.1 .7.1 BASES LCO (continued)

These requirements ensure that rod position indication during power operation and PHYSICS TESTS is accurate, and that design assumptionsare not challenged. OPERABILITY of the position indicator channels ensures that inoperabfe, misaligned, or mispositioned control rods can be detected. Therefore,power peaking, ejected rod worth, and SDM can be controlled withinacceptable limits. APPLICABILITYThe requirements on the RPI and step counters are only applicable in MODES 1 and 2 (consistent with LCO 3.1.4, LCO 3.1.5, and LCO 3.1.6),because these are the only MODES in which power is generated, and the OPERABILITY and alignment of rods have the potential to affect thesafety of the plant. In the shutdown MODES, the OPERABILITY of the shutdown and control banks has the potential to affect the required SDM,but this effect can be compensated for by an increase in the boron concentration of the Reactor Coolant System.ACTIONSThe ACTIONS Table is modified by a Note indicating that a separateCondition entry is allowed for each inoperable rod position indicator andeach demand position indicator. This is acceptable because theRequired Actions for each Condition provide appropriate compensatory actions for each inoperable position indicator.A.1. A.2.1, and A.2.2When the RPI System indicates one or more potentially misaligned rods, prompt action must be taken to determine if the rod is actually misaligned or if there is a problem with the RPI System. ln order to make the promptdetermination, Required Action A.1 specifies that the affected rod positionmust be verified by measuring the associated RPI channel primaryvoltage within 15 minutes. lf the results of the RPI channel primaryvoltage measurement indicate that the affected rod is misaligned,Required Action A.2.1 specifies that the applicable Conditions and Required Actions of LCO 3.1.4, "Rod Group Alignment Limits" be enteredwithin 15 minutes. lf the results of the RPI channel primary voltage measurement do not indicate a misaligned rod, Required Action 4.2.2specifies that the affected RPI is declared inoperable and the applicableConditions and Required Actions of LCO 3.1 .7.1, "Unit 1 Rod Position lndication" be entered within 15 minutes. Beaver Vatley Units 1 and 2B 3.1 .7.1 - 4 Revlsion 9 Unit 1 Rod Position IndicationB 3. 1 .7.1 BASES ACTIONS (continued)Condition A is modified by a Note that provides an exception to applyingCondition A to misalignment indications that occur during rod motion and for up to one hour following rod motion. The exception is necessary to accommodate the thermal stabilization required after rod movement forthe RPl. The RPI System requires time to achieve thermal equilibriumafter rod movement in order to provide indication within the requiredaccuracy. During rod motion and the time allowed for thermal soak afterrod motion, the group demand counters provide the primary indication of precise rod position with the RPI channels displaying general rodmovement information. Reliance on the demand counter indication for upto one hour following rod motion is acceptable for determining rod position and therefore, Condition A is not applicable until after the onehour thermal soak provided by the Note.8.1 When one RPI channel per group fails, the position of the rod may still bedetermined indirectly by use of the movable incore detectors or by measuring the rod position channel primary voltage. The Required Action may also be satisfied by using the movable incore detectors to ensure at least once per 8 hours that Fq(Z) satisfies LCO 3.2.1, Ftn satisfies LCO 3.2.2, and SHUTDOWN MARGIN is within the limits provided in the COLR, provided the nonindicating rods have not been moved. Based onexperience, normal power operation does not require excessive movement of banks. lf a bank has been significantly moved, theRequired Actions of Condition D below are applicable. Therefore, verification of RCCA position within the Completion Time of B hours isadequate for allowing continued full power operation, since the probability of simultaneously having a rod significantly out of position and an eventsensitive to that rod position is small.B'2t Reduction of THERMAL POWER to < 50% RTP puts the core into a condition where rod position is not significantly affecting core peaking factors.The allowed Completion Time of 8 hours is reasonable, based on operating experience, for reducing power to < 50% RTP from full powerconditions without challenging plant systems and allowing for rod position determination by Required Action 8.1 above. Beaver Valley Units 1 and 2 B 3.1 .7.1 - 5 Revision 9 Unit 1 Rod Position Indication B 3.1.7.1 BASESACTIONS (continued)C.1, C.2. C.3. and C.4When more than one RPI per group fail, additional actions are necessaryto ensure that acceptable power distribution limits are maintained, minimum SDM is maintained, and the potential effects of rod misalignment on associated accident analyses are limited. Placing the Rod Control System in manual assures unplanned rod motion will notoccur. Placing the Rod Control System in manual together with the indirect position determination available via movable incore detectors orby measuring the rod position channel primary voltage will minimize the potential for rod misalignment. The immediate Completion Time for placing the Rod Control System in manual reflects the urgency with which unplanned rod motion must be prevented while in this Condition. Monitoring and recording Reactor Coolant System Tuun help assure thatsignificant changes in power distribution and SDM are avoided. The once per hour Completion Time is acceptable because only minor fluctuations in RCS temperature are expected at steady state plant operating conditions. The position of the rods may be determined indirectly by use of themovable incore detectors or by measuring the rod position channel primary voltage. The Required Action may also be satisfied by using themovable incore detectors to ensure at least once per 8 hours that Fq(Z)satisfies LCO 3.2.1, FX" satisfies LCO 3.2.2, and SHUTDOWN MARGIN is within the limits provided in the COLR, provided the non-indicating rodshave not been moved. Verification of control rod position once per8 hours is adequate for allowing continued full power operation for alimited; 24 hour period, since the probability of simultaneously having a rod significantly out of position and an event sensitive to that rod position is small. The 24 haur Completion Time provides sufficient time to troubleshoot and restore the RPI system to operation while avoiding the plant challenges associated with the shutdown without full rod position indication. Based on operating experience, normal power operation does not requireexcessive rod movement. lf one or more rods has been significantly moved, the Required Actions of Condition D below is required. D,1 .1 , D.1 .2. and D.2 These Required Actions clarify that when one or more rods with inoperable position indicators have been moved in excess of 24 steps inone direction, since the position was last determined, the Required Actions of B.1 or C.3, as applicable are still appropriate but must beinitiated immediately under Required Action D.1.1 to begin verifying thatthese rods are still properly positioned, relative to their group positions. Beaver Valley Units 1 and 2 B 3.1 .7.1 - 6Revision I Unit 1 Rod Position IndicationB 3.1.7.1 BASES ACTIONS (continued)lf, within 8 hours, the rod positions have not been determined, THERMAL POWER must be reduced to < 50% RTP to avoid undesirable powerdistributions that could result from continued operation at > 5Ao/o RTP, ifone or more rods are misaligned by more than 24 steps. The allowed Completion Time of 8 hours provides an acceptable period of time toverify the rod positions or reduce power to < 50% RTP.E.1.1 and E.1.2 With one demand position indicator per bank inoperable, the rod positions can be determined by the RPI System. Since normal poweroperation does not require excessive movement of rods, verification by administrative means that the rod position indication system for eachcontrol and shutdown rod is OPERABLE and the most withdrawn rod andthe least withdrawn rod are < 12 steps apart within the allowedCompletion Time of once every 8 hours is adequate. E.2Reduction of THERMAL POWER to < 50% RTP puts the core into a condition where rod position is not significantly affecting core peakingfactor limits. The allowed Completion Time of 8 hours provides an acceptable period of time to verify the rod positions per Condition D or reduce power to < 50% RTP.F,1lf the Required Actions cannot be completed within the associated Completion Time, the plant must be brought to a MODE in which the requirement does not apply. To achieve this status, the plant must bebrought to at least MODE 3 within 6 hours. The allowed Completion Timeis reasonable, based on operating experience, for reaching the requiredMODE from full power conditions in an orderly manner and without '\challenging plant systems.SURVEILLANCE REQUIREMENTSsR 3.1.7 .1 .1Verification that each control bank benchboard group step demandcounter agrees within +2 steps with the solid state indicators in the logic cabinet helps to assure that the benchboard demand counters areindicating correctly and that the demand counters may be relied on duringrod movement and for the first hour following rod movement for the primary indication of precise rod position.Beaver Valley Units 1 and 2 B 3.1 .7.1 - 7 Revision 9 Unit 1 Rod Position lndication B 3.1.7.1 BASES SURVEILLANCE REQUIREMENTS (continued)The verification is performed every 92 days. Operating experience hasshown that this surveillance interval is adequate to detect changes in demand counter accuracysR 3.1.7.1.2 Verification that the RPI agrees with the demand position within +12 stepsensures that the RPI is operating correctly. The verification of RPI and demand position indication within the required 12 steps over the full rangeof indicated rod travel is accomplished by comparisons of the indications at specific rod positions (identified in the applicable surveillance procedure) and calibrations as necessary to ensure the required accuracyis achieved. This Surveillance is performed prior to reactor criticality after each removal of the reactor head, as there is the potential for unnecessary plant transients if the SR were performed with the reactor at power.The SR is modified by a Note. The Note provides an exception to the SRduring rod motion and for the first hour following rod motion. Theexception is necessary to allow for thermal stabilization and accurate rod position indication. During rod motion and the time allowed for thermalsoak after rod motion, the group demand counters provide the primary indication of precise rod position with the RPI channels displaying general rod movement information. Therefore, comparison between the twoindications to verify the LCO requirements are met is not required duringthe time specified in this Note. lf the SR comes due during the timeallowed by the Note, and the RPI has not stabilized within the requiredaccuracy, the SR should be performed as soon as possible after the time provided by the Note expires. In order to facilitate the thermalstabilization of the RPI during the one-hour thermal soak, absolute rodmotion should be limited to six steps.REFERENCES 2.1.Unit 1 UFSAR Appendix 1A, "1971 AEC General Design Criteria Conformance."UFSAR, Chapter 14 (Unit 1).Beaver Valley Units 1 and 2B 3.1 .7.1 - 8 Revision 9 Unit 2 Rod Position IndicationB 3.1.7 .2B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.7 Rod Position lndication 8.3.1.7.2 Unit 2 Rod Position Indication BASES BACKGROUNDAccording to GDC 13, as discussed in Reference 1, instrumentation tomonitor variables and systems over their operating ranges during normaloperation, anticipated operational occurrences, and accident conditionsmust be OPERABLE. LCO 3.1.7.2 is required to ensure OPERABILITYof the control rod position indicators to determine control rod positionsand thereby ensure compliance with the control rod alignment andinsertion limits.The OPERABILITY, including rod position, of the shutdown and controlrods is an initial assumption in all safety analyses that assume rodinsertion upon reactor trip. Maximum rod misalignment is an initial assumption in the safety analysis that directly affects core powerdistributions and assumptions of available SDM. Rod position indicationis required to assess OPERABILITY and misalignment.Mechanical or electrical failures may cause a control rod to become inoperable or to become misaligned from its group. Control rodinoperability or misalignment may cause increased power peaking, due tothe asymmetric reactivity distribution and a reduction in the total availablerod worth for reactor shutdown. Therefore, control rod alignment and OPERABILITY are related to core operation in design power peakinglimits and the core design requirement of a minimum SDM.Limits on control rod alignment and OPERABILITY have beenestablished, and all rod positions are monitor:ed and controlled during power operation to ensure that the power distribution and reactivity limitsdefined by the design power peaking and SDM limits are preserved.Rod cluster control assemblies (RCCAs), or rods, are moved out of the core (up or withdrawn) or into the core (down or inserted) by their control rod drive mechanisms. The RCCAs are divided among control banks andshutdown banks. Each bank is further subdivided into two groups to provide for precise reactivity control.The axial position of shutdown rods and control rods are determined bytwo separate and independent systems: the Bank Demand Position lndication System (commonly called group step counters) and the DigitalRod Position lndication (DRPI) System.Beaver Valley Units 1 and 2 83.1.7.2-1Revision 0 Unit 2 Rod Position lndication B 3.',1.7.2 BASES BACKG ROU N D (continued) The Bank Demand Position Indication System counts the pulses from the Rod Control System that move the rods. There is one step counter for each group of rods. lndividual rods in a group all receive the same signalto move and should, therefore, all be at the same position indicated by the group step counter for that group. The Bank Demand Position Indication System is considered highly precise (t 1 step or t 5/8 inch). lfa rod does not move one step for each demand pulse, the step counter will still count the pulse and incorrectly reflect the position of the rod.The DRPI System provides a highly accurate indication of actual control rod position, but at a lower precision than the step counters. This system is based on inductive analog signals frorn a series of coils spaced along a hollow tube with a center to center distance of 3.75 inches, which is6 steps. To increase the reliability of the system, the inductive coils areconnected alternately to data system A or B. Thus, if one system fails, the DRPI will go on half accuracy with an effective coil spacing of7.5 inches, which is 12 steps. Therefore, the normal indication accuracyof the DRPI System is + 4 steps, for full accuracy, and +4, -10 steps at half accuracy with data system A, and +10, -4 steps at half accuracy with data system B. As such, only one data system (A or B) is required for an OPERABLE DRPI System indicating within 12 steps of the group stepcounter demand position indicator. With an indicated deviation of 12 steps between the group step counter and DRPI, the maximumdeviation between actual rod position and the demand position could be 22 steps, or 13J5 inches. APPLICABLE SAFETY ANALYSESControl and shutdown rod position accuracy is essential during poweroperation. Power peaking, ejected rod worth, or SDM limits may beviolated in the event of a Design Basis Accident (Ref. 2), with control ot'shutdown rods operating outside their limits undetected. Therefore, theacceptance criteria for rod position indication is that rod positions must beknown with sufficient accuracy in order to verify the ccre is operating within the group sequence, overlap, design peaking limits, ejected rod worth, and with minimum SDM (LCO 3.1.5, "Shutdown Bank lnsertion Limits," and LCO 3.1.6, "Control Bank Insertion Limits"). The rod positions must also be known in order to verify the alignment limits arepreserved (LCO 3.1 .4, "Rod Group Alignment Limits"). Control rod positions are continuously monitored to provide operators with informationthat ensures the plant is operating within the bounds of the accidentanalysis assumptions.The control rod position indicator channels satisfy Criterion 2 of 10 CFR 50.36(c)(2Xii). The control rod position indicators monitor control rod position, which is an initial condition of the accident analyses. Beaver Valley Units 1 and 2 8 3.1 .7.2 - 2Revision 0 Unit 2 Rod Position lndicationB 3.1.7.2 BASES LCOLCO 3.1.7.2 specifies thatthe DRPI System (data system A or B) and theBank Demand Position Indication System be OPERABLE. For the control rod position indicators to be OPERABLE requires meeting the SR of the LCO and the following:The required DRPI System indicates within 12 steps of the groupstep counter demand position as required by LCO 3.1.4, "RodGroup Alignment Limits," For the required DRPI System there are no failed coils, andThe Bank Demand Indication System has been calibrated either inthe fully inserted position or to the DRPI SystemThe 12 step agreement limit between the Bank Demand Position Indication System and the DRPI System indicates that the Bank DemandPosition Indication System is adequately calibrated, and can be used for indication of the measurement of control rod bank position.A deviation of less than the allowable limit, given in LCO 3.1.4, in positionindication for a single control rod, ensures high confidence that the position uncertainty of the corresponding control rod group is within the assumed values used in the safety analysis (that specified control rod group insertion limits).These requirements ensure that control rod position indication during power operation and PHYSICS TESTS is accurate, and that design assumptions are not challenged.OPERABILITY of the position indicator channels ensures that inoperable, misaligned, or mispositioned control rods can be detected. Therefore,power peaking, ejected rod worth, and SDM can be controlled within acceptable limits.a.b.c.APPLICABILlTYThe requirements on the DRPI and step counters are only applicable inMODES 1 and 2 (consistent with LCO 3.1.4, LCO 3.1.5, and LCO 3.1.6),because these are the only MODES in which power is generated, and theOPERABILITY and alignment of rods have the potential to affect thesafety of the plant. In the shutdown MODES, the OPERABILITY of theshutdown and control banks has the potential to affect the required SDM,but this effect can be compensated for by an increase in the boronconcentration of the Reactor Coolant System.Beaver Valley Units 1 and 2 B 3.1 .7.2 - 3Revision 0 Unit2 Rod Position IndicationB 3.1.7.2 BASES ACTIONS The ACTIONS Table is modified by a Note indicating that a separate Condition entry is allowed for each inoperable rod position indicator and each demand position indicator. This is acceptable because theRequired Actions for each Condition provide appropriate compensatoryactions for each inpperable position indicator. 4.1When one DRPI channel per group fails, the position of the rod may still be determined indirectly by use of the movable incore detectors. TheRequired Action may also be satisfied by using the movable incore detectors to ensure at least once per 8 hours that Fq(Z) satisfies LCO 3.2.1, FXr satisfies LCO 3.2.2, and SHUTDOWN MARGIN is within the limits provided in the COLR, provided the nonindicating rods have not been moved. Based on experience, normal power operation does not require excessive movement of banks. lf a bank has been significantlymoved, the Required Action of C.1 .1 and C.l.2 below is required.Therefore, verification of RCCA position within the Completion Time of 8 hours is adequate for allowing continued full power operation, since the probability of simultaneously having a rod significantly out of position andan event sensitive to that rod position is small.4.2Reduction of THERMAL POWER to < 50% RTP puts the core into acondition where rod position is not significantly affecting core peaking factors.The allowed Completion Time of 8 hours is reasonable, based onoperating experience, for reducing power to < 50% RTP from full power conditions without challenging plant systems and allowing for rod positiondetermination by Required Action A.1 above.8.1. 8.2, 8.3. and 8.4When more than one DRPI per group fail, additional actions arenecessary to ensure that acceptable power distribution limits are maintained, minimum SDM is maintained, and the potential effects of rodmisalignment on associated accident analyses are limited. Placing the Rod Control System in manual assures unplanned rod motion will not occur. Placing the Rod Controf System in manual together with the indirect position determination available via movable incore detectors willminimize the potential for rod misalignment. The immediate CompletionTime for placing the Rod Control System in manual reflects the urgencywith which unplanned rod motion must be prevented while in this Condition. Beaver Valley Units 1 and 2 B 3.1 .7.2 - 4Revision 0 Unit 2 Rod Position IndicationB 3.1.7.2 BASESACTIONS (continued) Monitoring and recording reactor coolant T"un help assure that significant changes in power distribution and SDM are avoided. The once per hour Completion Time is acceptable because only minor fluctuations in RCStemperature are expected at steady state plant operating conditions. The position of the rods may be determined indirectly by use of themovable incore detectors. The Required Action may also be satisfied byusing the movable incore detectors to ensure at least once per I hoursthat Fq(Z) satisfies LCO 3.2.1, FX, satisfies LCO 3.2.2, and SHUTDOWNMARGIN is within the limits provided in the COLR, provided thenonindicating rods have not been moved. Verification of control rod position once per 8 hours is adequate for allowing continued full power operation for a limited, 24 hour period, since the probability of simultaneously having a rod signiflcantly out of position and an eventsensitive to that rod position is small. The 24 hour Completion Time provides sufficient time to troubleshoot and restore the DRPI system to operation while avoiding the plant challenges associated with theshutdown without full rod position indication.

Based on operating experience, normal power operation does not require excessive rod movement. lf one or more rods has been significantlymoved, the Required Action of C.1.1 and C.1.2 below is required.

C.1.1. C.1.2, and C.2These Required Actions clarify that when one or more rods with inoperable position indicators have been moved in excess of 24 steps inone direction, since the position was last determined, the RequiredActions of A.1 or B.3, as applicable are still appropriate but must beinitiated immediately under Required Action C.1.1 to begin verifying that these rods are still properly positioned, relative to their group positions.lf, within 8 hours, the rod positions have not been determined, THERMAL POWER must be reduced to < 50% RTP to avoid undesirable powerdistributions that could result from continued operation at > 50oh RTP, if one or more rods are misaligned by more than 24 steps. The allowed Completion Time of 8 hours provides an acceptable period of time to verify the rod positions or reduce power to < 50% RTP.Beaver Valley Units 1 and 2 8 3.1 .7.2 - 5Revision 0 Unit 2 Rod Position IndicationB 3.1.7.2 BASES ACTIONS (continued)D.1 .1 and D.1 .2 With one demand position indicator per bank inoperable, the rod positions can be determined by the DRPI System. Since normal poweroperation does not require excessive movement of rods, verification byadministrative means that the rod position indicators are OPERABLE andthe most withdrawn rod and the least withdrawn rod are < 12 steps apart within the allowed Completion Time of once every 8 hours is adequate. D.2 Reduction of THERMAL POWER to < 50% RTP puts the core into acondition where rod position is not significantly affecting core peakingfactor limits. The allowed Completion Time of 8 hours provides an acceptable period of time to verify the rod positions per RequiredAction A.1 or reduce power to < 50% RTP.E.1 lf the Required Actions cannot be completed within the associatedCompletion Time, the plant must be brought to a MODE in which the requirement does not apply. To achieve this status, the plant must bebrought to at least MODE 3 within 6 hours. The allowed Completion Timeis reasonable, based on operating experience, for reaching the requiredMODE from full power conditions in an orderly manner and without challenging pfant systems.SURVEILLANCE REQUIREMENTS sR 3.1 .7.2.1 Verification that the DRPI agrees with the demand position within+12 steps ensures that the DRPI is operating correctly. Since the DRPIdoes not display the actual shutdown rod positions between 1B and 210 steps, only points within the indicated ranges are required in comparison. This Surveillance is performed prior to reactor cr:iticality after each removal of the reactor head, as there is the potential for unnecessary plant transients if the SR were performed with the reactor at power.REFERENCES 2.1.Unit 2 UFSAR Section 3.1, "Conformance with U.S. Nuclear Regulatory Commission General Design Criteria."UFSAR, Chapter 15. Beaver Valley Units 1 and 2B 3.1 .7.2 - 6Revision 0 Unborated Water Source lsolation ValvesB 3.1 .8 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.8 Unborated Water Source lsolation Valves BASES BACKGROUNDDuring MODES 4,5, and 6 isolation valves for flow paths from thePrimary Grade Water System to the charging system must be closed to prevent unplanned boron dilution of the reactor coolant. The isolationvalves must be secured in the closed position.The Chemical and Volume Control System is capable of supplyingborated and unborated water to the Reactor Coolant System (RCS)through various flow paths. Since an unplanned positive reactivityaddition made by reducing the boron concentration is inappropriate during MODES 4, 5, and 6, isolation of the required unborated water sources prevents an unplanned boron dilution. APPLICABLE SAFETY ANALYSES The possibility of an inadvertent boron dilution event (Ref. 1) occurringin MODES 4, 5, and 6 is precluded by adherence to this LCO, which requires that potential dilution sources be isolated. Closing the required valves prevents the flow of unborated water to the RCS. The valves areused to isolate unborated water sources. These valves have the potentialto indirectly allow dilution of the RCS boron concentration. By isolating unborated water sources, a safety analysis for an uncontrolled borondilution accident in accordance with the Standard Review Plan (Ref. 2) isnot required for MODES 4, 5, and 6.The RCS boron concentration satisfies Criterion 2 of 10 CFR 50.36(c)(2xii). LCOThis LCO requires that flow paths from the Primary Grade Water System to the RCS (via the charging system) be isolated to prevent unplannedboron dilution during MODES 4,5, and 6 and thus avoid a reduction in SDM.ln order to meet the requirements of the LCO, the following valves must be isolated:For Unit 1 either a) 1CH-90 or b) 1CH-g1 and 1CH-93.For Unit 2 either a) 2CHS-37 and 2CHS-828 or b) 2CHS-91, 2CHS-96and 2CHS-138.Beaver Valley Units 1 and 2B 3.1.8 - 1Revision 0 Unborated Water Source lsolation ValvesB 3.1 .8 BASES LCO (continued)The LCO requirement to secure closed each valve used to isolate unborated water sources is modified by a Note. The Note provides anexception to the LCO requirement that allows unborated water source isolation valves to be opened under administrative control for plannedboron dilution or makeup activities. APPLICABILITYIn MODES 4, 5, and 6, this LCO is applicable to prevent an inadvertentboron dilution event by ensuring isolation of the required sources of unborated water to the RCS.For all other MODES, the boron dilution accident was analyzed and wasfound to be capable of being mitigated. ACTIONSThe ACTIONS Table has been modified by a Note that allows separateCondition entry for each unborated water source isolation valve.A.1Continuation of CORE ALTERATIONS and positive reactivity changes iscontingent upon maintaining the unit in compliance with this LCO. With any valve used to isolate unborated water sources not secured in the closed position, all operations involving CORE ALTERATIONS and positive reactivity changes must be suspended immediately. The Completion Time of "immediately" for performance of Required Action A.1shall not preclude completion of movement of a component to a safe position.Condition A has been modified by a Note to require that RequiredAction A.3 be completed whenever Condition A is entered. 4.2 r Preventing inadvertent dilution of the reactor coolant boron concentrationis dependent on maintaining the r:equired unborated water isolation valves secured closed. Securing the valves in the closed position ensures thatthe valves cannot be inadvertently opened. The Completion Time of"immediately" requires an operator to initiate actions to close an openvalve and secure the isolation valve in the closed position immediately. Once actions are initiated, they must be continued until the valves aresecured in the closed position.Beaver Valley Units 1 and 2 83.1 .8-2 Revisron 0 Unborated Water Source lsolation ValvesB 3.1 .B BASESACTIONS (continued) 4.3Due to the potential of having diluted the boron concentration of the reactor coolant, SR 3.1.1.1 (verification of SDM), or SR 3.9.1.1 (verification of boron concentration) must be performed whenever Condition A is entered to demonstrate that the required boron concentration or SDM exists. The Completion Time of 4 hours issufficient to obtain and analyze a reactor coolant sample for boronconcentration or to determine the SDM.SURVEILLANCE SR 3.1 .8.1 REQUIREMENTSThese valves are to be secured closed to isolate the Primary GradeWater System dilution paths. The llkelihood of a significant reduction in lffi i"T",?:iil"JHTfS:1"#;[iff"[J::,"i:':l;:iff

t-olwaterand precluding a dilution.

ln MODES 4 and 5, the SDM is verified every24 hours under SR 3.1.1.'l and in MODE 6 the boron concentration ischecked every 72 hours under SR 3.9.1.1. This Surveillancedemonstrates that the valves are secured closed by direct field observation. The surveillance must be performed within 15 minutes after a planned boron dilution or makeup activity. The requirement to performthis surveillance promptly after completing dilution or makeup activitiesprovides positive control over such activities and assures the affected valves are restored to the secured closed condition after use. The 31 dayFrequency is based on engineering judgment and is consideredreasonable in view of other administrative controls that will ensure that the valve opening is an unlikely possibility except when the valves areopened under administrative controls for planned dilution or makeup activities. ln order to meet the requirements of the SR, the condition of the followingvalves must be verified: For Unit 1 either a) 1CH-90 or b) 1CH-91 and l CH-93.For Unit 2 either a) 2CHS-37 and 2CHS-828 or b) 2CHS-91, 2CHS-96 and 2CHS-138.REFERENCES 2.1.UFSAR, Section 14.1.4 (Unit 1) and Section 15.4.6 (Unit 2).NUREG-0800. Section 1 5.4.6.Beaver Valley Units 1 and 2B 3.1.8 - 3Revision 0 PHYSICS TESTS Exceptions - MODE 2B 3.1 .9B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.9 PHYSICS TESTS Exceptions - MODE 2 BASES BACKGROUND The primary purpose of the MODE 2 PHYSICS TESTS exceptions is to permit relaxations of existing LCOs to allow certain PHYSICS TESTS to be performed. Section Xl of 10 CFR 50, Appendix B (Ref. 1 ), requires that a test program be established to ensure that structures, systems, andcomponents will perform satisfactorily in service. All functions necessary to ensure that the specified design conditions are not exceeded duringnormal operation and anticipated operational occurrences must betested. This testing is an integral part of the design, construction, andoperation of the plant. Requirements for notification of the NRC, for the purpose of conducting tests and experiments, are specified in10 CFR 50.59 (Ref. 2).The requirements for reload fuel cycle PHYSICS TESTS are defined in ANSI/ANS-19.6.1-1997 (Ref. 3). The PHYSICS TESTS requirements for reload fuel cycles ensure that the operating characteristics of the core areconsistent with the design predictions and that the core can be operated as designed (Ref. 3).PHYSICS TESTS procedures are written and approved in accordancewith established formats. The procedures include all information necessary to permit a detailed execution of the testing required to ensure that the design intent is met. PHYSICS TESTS are performed inaccordance with these procedures and test results are approved prior to continued power escalation and long term power operation.The MODE 2 PHYSICS TESTS required for reload fuel cycles (Ref. 3)are performed in accordance with the requirements described in Reference

3. The required MODE 2 tests are listed below:a. Critical Boron Concentration - Control Rods Withdrawn,b. Critical Boron Concentration - Reference Bank lnserted, c. Control Rod Worth.

andd. lsothermal Temperature Coefficient (lTC).Beaver Valley Units 1 and 2 B 3.1.9 - 1Revision 0 PHYSICS TESTS Exceptions - MODE 2B 3.1.9 BASES APPLICABLE SAFETY ANALYSES The fuel is protected by LCOs that preserve the initial conditions of thecore assumed during the safety analyses. The methods for developmentof the LCOs that are excepted by this LCO are described in the Westinghouse Reload Safety Evaluation Methodology Report (Ref. a).The above mentioned PHYSICS TESTS, and other tests that may be required to calibrate nuclear instrumentation or to diagnose operational problems, may require the operating control or process variables todeviate from their LCO limitations. Requirements for reload fuel cycle PHYSICS TESTS are defined in ANSI/ANS-19.6.1-1997 (Ref. 3). Although these PHYSICS TESTS are generally accomplished within the limits for all LCOs, conditions may occurwhen one or more LCOs must be suspended to make completion of PHYSICS TESTS possible or practical. This is acceptable as long as thefuel design criteria are not violated. When one or more of the requirements specified in LCO 3.1.3, "Moderator Temperature Coefficient (MTC),"LCO 3.1.4, "Rod Group Alignment Limits," LCO 3.1.5, "Shutdown Bank fnsertion Limit," LCO 3.1.6,'iControf Bank Inseftion Limits," and LCO 3.4.2,"RCS Minimum Temperature for Criticality" are suspended for PHYSICS TESTS, the fuel design criteria are preserved as long as the power level islimited to < 5% RTP, the reactor coolant temperature is kept > 531'F, andSDM is within the limits provided in the COLR.The PHYSICS TESTS include measurement of core nuclear parametersor the exercise of control components that affect process variables.Among the process variables involved are AFD and QPTR, which represent initial conditions of the unit safety analyses. Also involved arethe movable control components (control and shutdown rods), which are required to shut down the reactor. The limits for these variables arespecified for each fuel cycle in the COLR. As described in LCO 3.0.7, compliance with Test Exception LCOs is optional, and therefore no criteria of 10 CFR 50.36(c)(2xii) apply. Test Exception LCOs provide flexibility to perform certain operations by'eppropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.LCOThis LCO allows the reactor parameters of MTC and minimum temperature for criticality to be outside their specified limits. ln addition, itallows selected control and shutdown rods to be positioned outside of their specified alignment and insertion limits. One power range neutron flux channel may be bypassed, reducing the number of required channelsfrom 4 to 3. Operation beyond specified limits is permitted for the purpose of performing PHYSICS TESTS and poses no threat to fuel integrity, provided the SRs are met.Beaver Valley Units 1 and 2 83.1.9-2 Revision 0 PHYSICS TESTS Exceptions - MODE 2 B 3.1.9 BASES LCO (continued)The requirements of LCO 3.1.3, LCO 3.1.4, LCO 3.1.5, LCO 3.1.6, and LCO 3.4.2 may be suspended and the number of required channelsfor LCO 3.3.1,'RTS Instrumentation," Functions 2,3, and 17.e may bereduced to 3 required channels during the performance of PHYSICS TESTS provided:a. RCS lowest foop average temperature is > 531oF, b. SDM is within the limits provided in the COLR, andc. THERMAL POWER is < 5% RTP. In addition to the LCOs listed above the Test Exception provides thefollowing Unit 1 specific exception that may also be used duringPHYSICS TESTING: For Unit 1 only, primary detector voltage measurements may beused to determine the position of rods in shutdown banks A and Band control banks A and B in lieu of the benchboard indicators required by LCO 3.1.7.1.APPLICABILITYThis LCO is applicable when performing low power PHYSICS TESTS.The Applicability is stated as "during PHYSICS TESTS initiated inMODE 2" lo ensure that the 5% RTP maximum power level is notexceeded. Should the THERMAL POWER exceed 5% RTP, andconsequently the unit enter MODE 1, ihis Applicability statement preventsexiting this Specification and its Required Actions.ACTIONS A.1 and A.2lf the SDM requirement is not met, boration must be initiated promptly. A Completion Time of 15 minutes is adequate for an operator to correctlyalign and start the required systems and components. The operatorshould begin boration with the best source available for the plant conditions. Boration will be continued until SDM is within limit.Suspension of PHYSICS TESTS exceptions requires restoration of eachof the applicable LCOs to within specification. Beaver Valley Units 1 and 2B 3.1.9 - 3 Revision 0 PHYSICS TESTS Exceptions - MODE 2B 3.1 .9 BASES ACTIONS (continued) 8.1When THERMAL POWER is > 5% RTP, the only acceptable action is toopen the reactor trip breakers (RTBs) to prevent operation of the reactor beyond its design limits. lmmediately opening the RTBs will shut downthe reactor and prevent operation of the reactor outside of its design limits.c.1 When the RCS lowest T"un is < 531"F, the appropriate action is to restore Tuun to within its specified limit. The allowed Completion Time of 15 minutes provides time for restoring T"un to within limits without allowing the plant to remain in an unacceptable condition for an extended period of time. Operation with the reactor critical and with temperature below 531"F could violate the assumptions for accidents analyzed in the safety analyses.D.1lf the Required Actions cannot be completed within the associated Completion Time, the plant must be brought to a MODE in which the requirement does not apply. To achieve this status, the plant must be brought to at least MODE 3 within an additional 15 minutes. The Completion Time of 15 additional minutes is reasonable, based on operating experience, for reaching MODE 3 in an orderly manner and without challenging plant systems.SURVEILLANCE SR 3.1.9.1 REQUIREMENTS The power range and intermediate range neutron detectors are requiredto be OPERABLE in MODE 2in accordance with LCO 3.3.1, "Reactor Trip System (RTS) Instrumentation.' A CHANNEL OPERATIONAL TEST is performed on each power range and intermediate range channel inaccordance with the frequency requirement of the referenced RTSsurveillances which ensures each channel is tested prior to the initiation of PHYSICS TESTS. The performance of the RTS CHANNEL OPERATIONAL TEST requirements referenced in this SR will ensure that the RTS is properly aligned to provide the required degree of core protection during the performance of the PHYSICS TESTS. Beaver Valley Units 1 and 2 83.1 .g-4 Revision 0 PHYSICS TESTS Exceptions - MODE 2 B 3.1 .9 BASESSU RVEI LLANCE REQUI REMENTS (continued)sR 3.1 .9.2Verification that the RCS lowest loop Tuun is > 531'F will ensure that the unit is not operating in a condition that could invalidate the safetyanalyses. Verification of the RCS temperature at a Frequency of 30 minutes during the performance of the PHYSICS TESTS will ensurethat the initial conditions of the safety analyses are not violated.sR 3.1 .9.3Verification that the THERMAL POWER is < 5% RTP will ensure that the plant is not operating in a condition that could invalidate the safety analyses. Verification of the THERMAL POWER at a Frequency of30 minutes during the performance of the PHYSICS TESTS will ensurethat the initial conditions of the safety analyses are not violated.sR 3.1 .9.4 The SDM is verified by performing a reactivity balance calculation,considering the following reactivity effects: RCS boron concentration,Control bank position, andRCS average temperature.The Frequency of 24 hours is based on the generally slow change inrequired boron concentration and on the low probability of an accidentoccurring without the required SDM. a.b.c.REFERENCES 2.3.4.1.10 CFR 50, Appendix B, Section Xl.10 cFR 50.59.ANSI/ANS-19.6. 1 - 1gg7, August 23, 1997.WCAP-9 272-P-A, "Westinghouse Reload Safety Evaluation Methodology Report," July 1985.Beaver Valley Units 1 and 2B 3.1.9 - 5 Revision 0 RCS Boron Limitations < 500"F B 3.1 .10B 3.1 REACTIVITY CONTROL SYSTEMSB 3.1.10 RCS Boron Limitations < 500"F BASES BACKGROUNDThe control rod drive mechanisms (CRDMs) are wired into pre-selected RCCA banks, such that the RCCA banks during normal operation (i.e.,not in bank select mode) can only be withdrawn in their proper withdrawafsequence. The control of the power supplied to the RCCA banks is suchthat no more than two RCCA banks can be withdrawn at any time.When the RCCA banks are capable of being withdrawn from the core, i.e., power supplied to the CRDMs during an approach to criticality for reactor startup, or during maintenance and surveillance testing, there is the potential for an inadvertent RCCA bank withdrawal due to a malfunction of the control rod drive system. Westinghouse NSAL-00-016 (Ref. 1) discussed the reactor trip functions associated with the Uncontrolled RCCA Bank Withdrawal from a Low Power or Subcritical Condition event (RWFS) (Ref. 2). The primary protection for a RWFS is provided by the Power Range Neutron Flux -l-ow trip Function. The Source Range Neutron Flux trip Function isimplicitly credited as the primary reactor trip function for a RWFS event inMODES 3, 4, or 5, since the Power Range Neutron Flux - Low trip Function is not required to be OPERABLE in these MODES. However,the Source Range Neutron Flux trip Function is not response time tested per SR 3.3.1.14, and therefore can not be considered to be fully OPERABLE to provide protection for a RWFS event in MODES 3, 4,and 5.NSAL-00-016 also identified that the Power Range Neutron Flux - Lowtrip Function may not be OPERABLE at RCS temperatures significantlybelow the hot zero power Tuun due to calibration issues associated with shielding caused by the cold water in the downcomer region of the reactorvessel. The low RCS temperature limit for Power Range Neutron FluxTrip Function OPERABILITY is 500'F. Therefore, the Power RangeNeutron Flux - Low trip Function may not provide the required protectionin and below MODE 3 when RCS temperatures are < 500'F due to the calibration issues described above.Borating the RCS to greater than an all rods out (ARO) critical boronconcentration when the RCCA banks are capable of rod withdrawal provides sufficient SHUTDOWN MARGIN in the event of an RWFS whenRCS temperatures are < 500'F.Beaver Valley Units 1 and 2 83.1.10-1Revision 0 RCS Boron Limitations < 500'F B 3.1 .10 BASES APPLICABLE SAFETY ANALYSES The RCCA bank withdrawal event addressed by this LCO is the RWFSevent. An RCCA bank withdrawal event at power is also analyzed, and is addressed by the requirements of other Specifications that are applicable]n MODE 1. The RWFS event assumes a positive reactivity insertion rate that is greater than the worth obtained from the simultaneous withdrawal of the combination of two sequential control banks with the highest combined worth at the maximum withdrawal speed. The event is assumed to be terminated by the Power Range Neutron Flux- Low trip Function. The Source Range Neutron Flux and Intermediate Range Neutron Flux trip Functions are also available to terminate an RWFS event, but are not explicitly credited in the safety analyses to terminate the event. The Power Range Neutron Flux - Low trip Function is considered OPERABLE to provide the required protection for an RWFS event when the RCS temperature is > 500'F. This temperature limitation is due to calibration issues associated with shielding caused by cold water in thedowncomer region of the reactor vessel. Additionally, although not explicitly analyzed, in MODES 3, 4, and 5, the Source Range Neutron Flux trip Function is implicitly credited to provide protection for an RWFS event.Since there is no explicit RCCA bank withdrawal analysis performed for MODE 3 when the RCS temperature is < 500"F and in MODES 4 and 5, and the Power Range Neutron Flux - Low trip Function can not be credited to mitigate an RWFS event at RCS temperatures below 500oF, LCO 3.1.10 requires that the RCS boron concentration be greater than the ARO critical boron concentration when the Rod Control System is capable of rod withdrawal in these MODES. This requirement provides sufficient SHUTDOWN MARGIN to prevent the undesirable consequences (i.e., criticality) that could result from an RWFS event.RCS Boron Limitations < 500"F satisfies Criterion 2 of 10 CFR 50.36(c)(2xii). LCO This LCO requires that the boron concentration of the RCS be greater than the ARO critical boron concentration to provide adequateSHUIDOWN MARGIN in the event of an RWFS event.Beaver Valley Units 1 and 2B3.1 .10-2 Revision 0 RCS Boron Limitations < 500"FB 3.1 .10 BASES APPLICABILITYIn the event of an RWFS, the LCO must be applicable to provideadequate SHUTDOWN MARGIN in the following MODES and specified conditions: In MODE 2 with ketr < 1.0 with any RCS cold leg temperature < 500'F and with the Rod Control System capable of rod withdrawal.In MODE 3 with any RCS cold leg temperature < 500'F and with the Rod Control System capable of rod withdrawal; andIn MODES 4 and 5 with the Rod Control System capable of rod withdrawal.In MODE 6, the requirements of LCO 3.1.10 are not necessary because the rod control system is not capable of rod withdrawal.]n MODE 2 with ketr 2 1.0, in MODE 2 with ketr < 1 .0 and all RCS cold leg temperatures > 500'F and the Rod Control System capable of rod withdrawaf , and in MODE 3 with all RCS cold leg temperatures > 500'Fand the Rod Control System capable of rod withdrawal, LCO 3.3.1,"Reactor Trip System (RTS) Instrumentation," ensures that the PowerRange Neutron Flux-Low trip Function is OPERABLE to mitigate a potential RWFS event.In MODE 1, the requirements of LCO 3.1.10 are not applicable since an uncontrolled RCCA bank withdrawal event at power would be mitigatedby the Power Range Neutron Flux-High trip Function. This Function is required to be OPERABLE by LCO 3.3.1. ACTIONS A.1 lf the RCS boron concentration is not within limit, action must be taken immediately to restore the boron concentration to within limit. Boratingthe RCS to a concentration greater than the ARO critical boron , concentration provides sufficient SHUTDOWN MARGIN, if an RWFSevent should occur. Initiating action immediately to restore the boron concentration to within the limit provides assurance that the LCO requirement will be restored in a timely manner. The Completion Time is reasonable considering the low probability of an RWFS event occurringwhile restoring the boron concentration to within the limit. Additionally,although not explicitly credited as a primary trip, the Source RangeNeutron Flux trip Function would provide protection from an RWFS eventduring this period of time.Beaver Valley Units 1 and 2 B3.1.10-3 Revision 0 RCS Boron Limitations < 500"FB 3.1.10 BASES ACTIONS (continued) 4.2 lf the RCS boron concentration is not within limit, an alternate action is to make the Rod Control System incapable of rod withdrawal. This action precludes a RWFS event from occurring with an inadequate SHUTDOWNMARGIN. Initiating action immediately to make the rod control system incapable of rod withdrawal provides adequate assurance that the unit is promptly placed in a condition in which the boron concentration requirements of the LCO are no longer required to mitigate the consequences of a RWFS event.A.3 lf the RCS boron concentration is not within limit, another alternate actionis to restore all RCS cold leg temperatures to > 500"F. At this RCStemper.ature the Power Range Neutron Flux - Low trip Function would beOPERABLE and provide the necessary protection should a RWFS event occur. Initiating action irnmediately to restore all RCS cold legtemperatures to > 500"F provides adequate assurance that the unit ispromptly placed in a condition in which the boron concentration requirements of the LCO are no longer necessary. Additionally, although not credited as a primary trip, the Source Range Neutron Flux tripFunction would provide protection for a RWFS event while RCSTemperature is being increased. Required Action A.3 is modified by a Note that states it is not applicable in MODES 4 and 5. The Note provides assurance that this Required Actionwould only be taken in MODES 2 or 3 (i.e., during a unit startup) when the RCS temperature can readily be increased to > 500'F. After the RCS cold leg temperatures are increased to > 500"F, the requirements ofLCO 3.1 .10 are no longer applicable and protection during a RWFS event is provided by the Power Range Neutron Flux - Low trip Function, whichis required to be OPERABLE by LCO 3.3.1 SURVEILLANCE SR 3 1 .1 0. 1 REQUIREMENTS This SR ensures that the RCS boron concentration is within limit. Theboron concentration is determined periodically by chemical analysis.A Frequency of 24 hours is adequate based on the time required tosignificantly dilute the RCS, the various alarms available in the controlroom, and the heightened awareness in the control room when the rods are capable of being withdrawn. Beaver Valley Units 1 and 283.1 .10-4 Revision 0 RCS Boron Limitations < 500"FB 3.1 .10 BASES REFERENCES 1.Westinghouse Nuclear Safety Advisory Letter NSAL-00-016, "RodWithdrawal from Subcritical Protection in Lower Modes,"December 4, 2000.Unit 1 UFSAR, Chapter 14 and Unit 2 UFSAR Chapter 15.2.Beaver Valley Units 1 and 2 B 3.1.10 - 5 Revision 0 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.1 Heat Flux Hot Channel Factor (Fo(Z))BASES BACKGROUND The purpose of the limits on the values of Fq(Z) is to limit the local (i.e., pellet) peak power density. The value of Fq(Z) varies along the axial height (Z) of the core.Fo(Z) is defined as the maximum local fuel rod linear power densitydivided by the average fuel rod linear power density, assuming nominal fuel pellet and fuel rod dimensions. Therefore, F6(Z) is a measure of the peak fuel pellet power within the reactor core.During power operation, the global power distribution is limited byLCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," and LCO 3.2.4,'QUADRANT POWER TILT RATIO (QPTR)," which are directly andcontinuously measured process variables. These LCOs, along withLCO 3.1.6, "Control Bank lnsertion Limits," maintain the core limits on power distributions on a continuous basis.Fo(Z) varies with fuel loading patterns, control bank insertion, fuel burnup,and changes in axial power distribution.Fo(Z) is measured periodically using the incore detector system. These measurements are generally taken with the core at or near equilibrium conditions.Using the measured three dimensionaf power distributions, it is possibleto derive a measured value for Fq(Z). However, because this value represents an equilibrium condition, it does not include the variations inthe value of Fq(Z) which are present during nonequilibrium situationssuch as load following or power ascension.To account for these possible variations, the equilibrium value of Fq(Z) is adjusted as f[12; by an elevation dependent factor that accounts for the calculated worst case transient conditions.Core monitoring and control under non-equilibrium conditions are accomplished by operating the core within the limits of the appropriateLCOs, including the limits on AFD, QPTR, and control rod insertion. Beaver Valley Units 1 and 2B 3.2.1 - 1 Revision 0 BASES APPLICABLE SAFETY ANALYSESThis LCO precludes core power distributions that violate the following fueldesign criteria: During a large or small break loss of coolant accident (LOCA), the peak cladding temperature must not exceed 2200"F (Ref. 1), During a loss of forced reactor coolant flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hot fuel rod in the core does not experience a departure from nucleate boiling (DNB) condition, During an ejected rod accident, the energy deposition to the fuelmust not exceed 280 cal/gm (Ref. 2), and The control rods must be capable of shutting down the reactor witha minimum required SDM with the highest worth control rod stuckfully withdrawn (Ref. 3).Limits on Fq(Z) ensure that the value of the initiaf total peaking factorassumed in the accident analyses remains valid. Other criteria must alsobe met (e.9., maximum cladding oxidation, maximum hydrogen generation, coolable geometry, and long term cooling). However, the peak cladding temperature is typically most limiting.Fo(Z) satisfies Criterion 2 of 10 CFR 50.36(c)(2xii). a.b.c.d.LCO The Heat Flux Hot Channel Factor, F6(Z) shall be limited by the following relationships: Fo(Z) < [CFQ / P] K(Z)Fo(Z) < ICFQ / 0.5] K(Z)for P > 0.5 for P < 0.5 where: CFQ is the Fo(Z) limit at RTP provided in the COLR,K(Z\ is the normalized Fq(Z) as a function of core height provided in the COLR, and P _ THERMAL POWER / RTPThe actual values of CFQ andK(Zl are given in the COLR; however, CFQis normally a number on the order of 2.40, and K(Z) is a function thatlooks like the one provided in Figure B 3.2.1-1 . Figure B 3.2.1-1 is for illustration purposes only. The actual unit specific K(Z) as a function of core height figures are contained in the COLR.Beaver Valley Units 1 and 2B 3.2.1 - 2Revision 0 BASES LCO (continued) For Relaxed Axial Offset Control operation, Fo(Z) is approximated by F8(Z) anO ft(Z). Thus, both F8(Z) and FH(Z) must meet the preceding limits on F6(Z).An ffi121 evaluation requires obtaining an incore flux map in MODE 1.From the incore flux map results we obtain the measured value (fH(Z)) of Fo(Z). Then, F8(z) = FH(z) 1'0815where 1 .0815 is a factor that accounts for fuel manufacturing tolerancesand flux map measurement uncertainty (Ref. a).F[(Z) is an excellent approximation for Fq(Z) when the reactor is at thesteady state power at which the incore flux map was taken. The expression for F[(Z) is: Ft(z) = r3(z) w(z)where W(Z) is a cycle dependent function that accounts for powerdistribution transients encountered during normal operation. W(Z) isincluded in the COLR. The F3(Z) is calculated at equilibrium conditions.The Fq(Z) limits define limiting values for core power peaking thatprecludes peak cladding temperatures above 2200"F during either a largeor small break LOCA.This LCO requires operation within the bounds assumed in the safety analyses. Calculations are performed in the core design process to confirm that the core can be controlled in such a manner during operationthat it can stay within the LOCA Fo(Z) limits. lf Ffi(Z) cannot bemaintained within the LCO limits, reduction of the core power is requiredand if FH(Z) cannot be maintained within the LCO limits, reduction of the AFD limits is required. Note that sufficient reduction of the AFD limits willalso result in a reduction of the core power.Violating the LCO limits for Fq(Z) produces unacceptable consequences ifa design basis event occurs while FaG) is outside its specified limits.APPLICABILITY The Fq(Z) limits must be maintained in MODE 1 to prevent core powerdistributions from exceeding the limits assumed in the safety analyses.Applicability in other MODES is not required because there is either insufficient stored energy in the fuel or insufficient energy beingtransferred to the reactor coolant to require a limit on the distribution of core power.Beaver Valley Units 1 and 2B 3.2.1 - 3 Revision 0 BASES ACTIONS A.1 Reducing THERMAL POWER by > 1% RTP for each 1% by which F8(Z)exceeds its limit, maintains an acceptable absolute power density. Ffi(Z)is fH(Z) multiplied by a factor accounting for manufacturing tolerancesand measurement uncertainties. FH(Z) is the measured value of Fo(Z).The Completion Time of 15 minutes provides an acceptable time to reduce power in an orderly manner and without allowing the plant toremain in an unacceptable condition for an extended period of time. The maximum allowable power level initially determined by Required Action A.1 may be affected by subsequent determinations of F8(Z) and would require power reductions within 15 minutes of the F8(Z) determination, if necessary to comply with the decreased maximum allowable power level.Decreases in F8(Z) would allow increasing the maximum allowable power level and increasing power up to this revised limit. 4.2 A reduction of the Power Range Neutron Flux - High trip setpoints by> 1% for each 1o/o by which F8(Z) exceeds its limit, is a conservativeaction for protection against the consequences of severe transients with unanalyzed power distributions. The Completion Time of 72 hours issufficient considering the small likelihood of a severe transient in this time period and the preceding prompt reduction in THERMAL POWER inaccordance with Required Action A.1. The maximum allowable Power Range Neutron Flux - High trip setpoints initially determined by Required Action A.2 may be affected by subsequent determinations of F8(Z) andwould require Power Range Neutron Flux - High trip setpoint reductionswithin 72 hours of the F8(Z) determination, if necessary to comply with the decreased maximum allowable Power Range Neutron Flux - High tripsetpoints. Decreases in F8(Z) would allow increasing the maximum allowable Power Range Neutron Flux - High trip setpoints. A.3 Reduction in the Overpower AT trip setpoints (value of Ka) by > 1o/o for each 1% by which F8(Z) exceeds its limit, is a conservative action for protection against the consequences of severe transients with unanalyzed power distributions, The Completion Time of 72 hours is sufficient considering the small likelihood of a severe transient in this time period, and the preceding prompt reduction in THERMAL POWER in accordance with Required Action A.1. The maximum allowable Overpower AT trip setpoints initially determined by Required Action A.3may be affected by subsequent determinations of f8(Z) and would require Overpower AT trip setpoint reductions within 72 hours of the Ffi(Z)determination, if necessary to comply with the decreased maximum allowable Overpower AT trip setpoints. Decreases in F3(Z) would allow increasing the maximum allowable Overpower AT trip setpoints.Beaver Valley Units 1 and 2 B 3.2.1 - 4 Revision 0 Fo(Z)B 3.2.1 BASESACTIONS (continued)

4.4 Verification

that F8(Z) has been restored to within its limit, by performingSR 3.2.1.1 and SR 3.2.1.2prior to increasing THERMAI- POWER above the limit imposed by Required Action A.1, ensures that core conditionsduring operation at higher power levels and future operation areconsistent with safety analyses assumptions.Condition A is modified by a Note that requires Required Action A.4 to be performed whenever the Condition is entered. This ensures thatSR 3.2.1.1 and SR 3.2.1.2 will be performed prior to increasingTHERMAL POWER above the limit of Required Action A.1, even whenCondition A is exited prior to performing Required Action A.4.Performance of SR 3.2.1.1 and SR 3.2.1.2 are necessary to assure Fo(Z)is properly evaluated prior to increasing THERMAL POWER.8.1lf it is found that the maximum calculated value of Fq(Z) that can occurduring normal maneuvers, f[12;, exceeds its specified ]imits, there exists a potential for Ffi(Z) to become excessively high if a normal operationaltransient occurs. Reducing the AFD limits by > 1 o/o for each 1% by which FH(Z) exceeds its limit within the allowed Completion Time of 4 hours, restricts the axial flux distribution such that even if a transient occurred, core peaking factors are not exceeded.The implicit assumption is that if W(Z) values were recalculated (consistent with the reduced AFD limits), then F$(Z) times the recalculated W(Z) values would meet the Fq(Z) limit. Note that complying with this action (of reducing AFD limits) may also result in a powerreduction. Hence the need for Required Actions B .2,8.3 and 8.4.8.2A reduction of the Power Range Neutron Flux-High trip setpoints by > 1%for each 1o/o by which the maximum allowable power is reduced, is aconservative action for protection against the consequences of severetransients with unanalyzed power distributions. The Completion Time of 72 hours is sufficient considering the small likelihood of a severe transient in this time period and the preceding prompt reduction in THERMAL POWER as a result of reducing AFD limits in accordance with RequiredAction 8.1 .Beaver Valley Units 1 and 2 B 3.2.1 - 5Revision 0 Fo(Z)B 3.2.1 BASES ACTIONS (continued)

8.3 Reduction

in the Overpower AT trip setpoints value of Ko, by > 1o/o far each 1% by which the maximum allowable power is reduced, is a conservative action for protection against the consequences of severetransients with unanalyzed power distributions. The Completion Time of72 hours is sufficient considering the small likelihood of a severe transient in this time period, and the preceding prompt reduction in THERMAL POWER as a result of reducing AFD limits in accordance with Required Action 8.1 .8.4Verification that FH(Z) has been restored to within its limit, by performing SR 3.2.1.1 and SR 3.2.1.2 prior to increasing THERMAL POWER abovethe maximum allowable power limit imposed by Required Action 8.1ensures that core conditions during operation at higher power levels and future operation are consistent with safety analyses assumptions.Condition B is modified by a Note that requires Required Action 8.4 to be performed whenever the Condition is entered. This ensures thatSR 3.2.1.1 and SR 3.2.1.2 will be performed prior to increasingTHERMAL POWER above the limit of Requlred Action B.1, even when Condition A is exited prior to performing Required Action 8.4.Performance of SR 3.2.1 .1 and SR 3.2.1.2 are necessary to assure Fo(Z)is properly evaluated prior to increasing THERMAL POWER.c.1lf Required Actions A.1 through A.4 or 8.1 through 8.4 are not met withintheir associated Completion Times, the plant must be placed in a MODEor condition in which the LCO requirements are not applicable. Thls is done by placing the plant in at least MODE 2 within 6 hours.This allowed Completion Time is reasonable based on operatingexperience regarding the amount of time it takes to reach MODE 2 from full power operation in an orderly manner and without challenging plant systems.Beaver Valley Units 1 and 2 B 3.2.1 - 6Revision 0 Fo(Z)B 3.2.1 BASES SURVEILLANCE REQUIREMENTSSR 3.2.1.1 and SR 3.2.1.2are modified by a Note. The Note applies during the first power ascension after a refueling. lt states that THERMALPOWER may be increased until an equilibrium power level has beenachieved at which a power distribution map can be obtained. Thisallowance is modified, however, by one of the Frequency conditions thatrequires verification that Ffi(Z) and FH(Z) are within their: specified limits after a power rise of more than 10% RTP over the THERMAL POWER at whichthey were last verified to be within specified limits. Because Ffi@) and FH(Z) could not have previously been measured in this reload core, there isa second Frequency condition, applicable only for reload cores, that requires determination of these parameters before exceedingTS% RTP. This ensures that some determination of f8(Z) and FH(Z) are made at a lower power level at which adequate margin is available before going torc}% RTP. Also, this Frequency condition, together with the Frequency condition requiring verification of F8(Z) and FH(Z) following a power increase of more than 10o/o, ensures that they are verified as soon as RTP (or any other level for extended operation) is achieved. In the absence of these Frequency conditions, it is possible to increase power to RTP and operate for 31 days without verification of F8(Z) and FH(Z) The Frequency conditionis not intended to require verification of these parameters after every10% increase in power level above the last verification. lt only requires verification after a power level is achieved for extended operation that is10% higher than that power at which Fo(Z) was last measured.sR 3.2.1 .1 Verification that F8(Z) is within its specified limits involves increasingFX(Z) to allow for manufacturing tolerance and measurementuncertainties in order to obtain Ffi(Z) Specifically, FU(Z) is the measured value of Fq(Z) obtained from incore flux map results and Ffi(Z) = f[(Z)1 .0815 (Ref. 4) Ffi(Z) is then compared to its specified limits.The limit with which F3(Z) is compared varies inversely with power above5A% RTP and directly with a function called K(Z) provided,in the COLR.Performing this Surveillance in MODE 1 prior to exceedingTS% RTP ensures that the FlG) limit is met when RTP is achieved, because peaking factors generally decrease as power level is increased.lf THERMAL POWER has been increased by > 10% RTP since the last determination of f3(Z), another evaluation of this factor is required12 hours after actrieving equilibrium conditions at this higher power level (to ensure that Fb(Z) values are being reduced sufficiently with powerincrease to stay within the LCO limits).Beaver Valley Units 1 and 2B 3,2.1 - 7 Revision 0 BASES' SURVEILLANCE REQUIREMENTS (continued)The Frequency of 31 EFPD is adequate to monitor the change of power distribution with core burnup because such changes are slow and wellcontrolled when the plant is operated in accordance with the Technical Specifications (TS).sR 3.2.1 .2 The nuclear design process includes calculations performed to determine that the core can be operated within the Fq(Z) limits. Because flux mapsare taken in steady state conditions, the variations in power distributionresulting from normal operational maneuvers are not present in the fluxmap data. These variations are, however, conservatively calculated by considering a wide range of unit maneuvers in normal operation. The maximum peaking factor increase over steady state values, calculated as a function of core elevation , Z, is called W(Z). Multiplying the measured total peaking factor, Ffi1Z;, by W(Z) gives the maximum Fo(Z) calculated to occur in normal operation, ft(Z).The SR Note specifies in part "lf measurements indicate that themaximum over z of lFl(Z)t K(Z\l has increased ...". This statement in theNote refers to the fact that both FB and K are functions of the axial height.At each applicable core elevation the ratio of Fh(Z) l K(Z) is calculated todetermine the maximum ratio (maximum over z). lf this maximum ratio has increased since the last set of evaluations, then the Note modifyingthis SR specifies additional verifications that must be performed.The limit with which Ft(Z) is compared varies inversely with power above50% RTP and directly with the function K(Z) provided in the COLR.The W(Z) Table is provided in the COLR for discrete core elevations.Flux map data are typically taken for 30 to 75 core elevations. ft(Z)evaluations are not applicable for the following axial core regions, oreasured in percent of core height: a. Lower core region, from 0 to 10%o inclusive andb. Upper core region, from 90 to 1OO% inclusive. The top and bottom 10% of the core are excluded from the evaluation because of the low probability that these regions would be more limiting in the safety analyses and because of the difficulty of making a precisemeasurement in these regions.Beaver Valley Unlts 1 and 2B 3.2.1 - 8 Revision 0 Fo(Z)B 3.2.1 BASES SURVEILLANCE REQUI REM ENTS (continued) This Surveillance has been modified by a Note that may require more frequent surveillances be perfor:med. lf FX(Z) is evaluated, an evaluationof the expression below is required to account for any increase to FH(Z)that may occur and cause the FaV) limit to be exceeded before the nextrequired Fo(Z) evaluation. lf the two most recent Fo(Z) evaluations show an increase in the expression maximum over z of IFBG) l K(Z) l, it is required to meet the Fo(Z) limit with the last FH(Z) increased by the greater of a factor of 1.02 or by an appropriate factor specified in the COLR (Ref. 5) or to evaluate Fo(Z) more frequently, each 7 EFPD. These alternative requirements prevent FaG) from exceeding its limit for any significant period of time without detection. Performing the Surveillance in MODE 1 prior to exceeding 75% RTPensures that the Fo(Z) limit is met when RTP is achieved, because peaking factors are generally decreased as power level is increased. Fo(Z) is verified at power levels > 10% RTP above the THERMAL POWER of its last verification, 12 hours after achievinE equilibrium conditions to ensure that Fo(Z) is within its limit at higher power levels.The Surveillance Frequency of 31 EFPD is adequate to monitor thechange of power distribution with core burnup. The Surveillance may bedone more frequently if required by the results of Fo(Z) evaluations.The Frequency of 31 EFPD is adequate to monitor the change of powerdistribution because such a change is sufficiently slow, when'the plant isoperated in accordance with the TS, to preclude adverse peaking factors between 31 day surveillances. REFERENCES 2.3.4.5 1.10 cFR 50.46, 1974. Regulatory Guide 1.77, Rev. 0, May 1974.10 CFR 50, Appendix A, GDC 26.WCAP-7308-L-P-A, "Evaluation of Nuclear Hot Channel Factor Uncertainties," June 1 988.WCAP-10216-P-A, Rev. 1A, "Relaxation of Constant Axial Offset Control (and) Fq Surveillance Technical Specification," February 1 994.Beaver Valley Units 1 and 2 B 3.2.1 - IRevision 0 Y 06 FT.(.) %24b16 6 33.3 s0.0CORE HEIGHT

• For core height of 12 teet Figure B 3.2.1-1 (page 1 of 1)K(Zl - Normalized Fo(Z) as a Function of Core Height B 66.7 10 83.3 (12.0, 0.65)THIS FIGURE FOR ILLUSTRATION ONLY.DO NOT USE FOR OPERATlON.

ACTUAL UNIT SPECIFlC FIGURES ARECONTAINED IN THE COLR.Beaver Valley Units 1 and 2B 3.2.1 - 10 Revrsion 0 FXr B 3.2.2 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.2 Nuclear Enthalpy Rise Hot Channel Factor (F}11)BASES BACKGROUND The purpose of this LCO is to establish limits on the power density at any point in the core so that the fuel design criteria are not exceeded and theaccident analysis assumptions remain valid. The design limits on local (pellet) and integrated fuel rod peak power density are expressed in termsof hot channel factors. Control of the core power distribution with respectto these factors ensures that local conditions in the fuel rods and coolant channels do not challenge core integrity at any location during either normaf operation or a postulated accident analyzed in the safety analyses.FIH is defined as the ratio of the integral of the linear power along the fuel rod with the highest integrated power to the average integrated fuel rod power. Therefore, FIu is a measure of the maximum total power produced in a fuel rod.FIH is sensitive to fuel loading patterns, bank insertion, and fuel burnup.Flp typically increases with control bank insertion and typically decreaseswith fuel burnup.flH is not directly measurable but is inferred from a power distribution map obtained with the movable incore detector system. Specifically, the results of the three dimensional power distribution map are analyzed by acomputer to determine FIH. This factor is calculated at least every31 EFPD. However, during power operation, the global power distributionis monitored by LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," and LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)," which addressdirectly and continuously measured process variables. The COLR provides peaking factor limits that ensure that the design basis value of the departure from nucleate boiling (DNB) is met for normal operation, operational transients, and any transient condition arising fromevents of moderate frequency. The DNB design basis ensures the probability that DNB will not occur on the most limiting fuel rod is at least 95% at a 95% confidence level. This is met by limiting the minimumDNBR to the 95/95 DNB criterion of 1.22 for typical and thimble cellsusing the WRB-2M Critical Heat Flux (CHF) correlation, and 1.23 for thetypicaf cell and 1.22for the thimble cell using the WRB-1 CHF correlation.All DNB limited transient events are assumed to begin with an Fls valuethat satisfies the LCO requirements.Operation outside the LCO limits may produce unacceptableconsequences if a DNB limiting event occurs. The DNB design basisensures that there is no overheating of the fuel that results in possible Beaver Valley Units 1 and 2 B 3.2.2 - 1 Revision 0 FIrB 3.2.2 BASES BACKG ROU N D (continued) cladding perforation with the release of fission products to the reactor coolant.APPLICABLE SAFETY ANALYSES Limits on FIH preclude core power distributions that exceed the following fuel design limits:a. There must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hottest fuel rod in the core does not experience a DNB condition,b. During a large or small break loss of coolant accident (LOCA), peak cladding temperature (PCT) must not exceed 2200"F (Ref. 3), c.Duringanejectedrodaccident,theenergydepositiontothefuelmust not exceed 280 cal/gm (Ref. 1), andd. Fuel design limits required by GDC 26 (Ref.2)for the conditionwhen control rods must be capable of shutting down the reactor witha minimum required SDM with the highest worth control rod stuckfully withdrawn.For transients that may be DNB limited, the Reactor Coolant System flow and FIu are the core parameters of most importance. The limits on FIHensure that the DNB design basis is met for normal operation, operational transients, and any transients arising from events of moderate frequency.The DNB design basis ensures the probability that DNB will not occur onthe most limiting fuel rod is at least 95% at a 95o/o confidence level. Thisis met by limiting the minimum DNBR to the 95i95 DNB criterion of 1.22for typical and thimble cells using the WRB-2M CHF correlation, and 1.23for the typical cell and 1.22for the thimble cell using the WRB-1 CHF correlation. These values provide a high degree of'assurance that the hottest fuel rod in the core does not experience a DNB.The allowable FIH limit increases with decreasrng power level. Thisfunctionality in Ft* is included in the analyses that provide the ReactorCore Safety Limits (SLs) of SL 2.1.1. Therefore, DNB events in which the core limits are modeled implicitly use this variable value of FXn in theanalyses. Likewise, all transients that may be DNB limited are assumedto begin with an initial FIH as a function of power level defined by the COLR limit equation.The LOCA safety analysis indirectly models FIu as an input parameter.The Nuclear Heat Flux Hot Channel Factor (Fq(Z)) and the axial peaking factors are also indirectly modeled in the LOCA safety analyses that verifythe acceptability of the resulting peak cladding temperature (Ref. 3).Beaver Valley Units 1 and 2B 3.2.2 - 2 Revision 0 FX"B 3.2.2 BASES APPLICABLE SAFETY ANALYSES (continued)The fuel is protected in part by Technical Speeifications, which ensurethat the initial conditions assumed in the safety and accident analysesremain valid. The following LCOs ensure this: LCO 3.2.3, 'AXIAL FLUXDf FFERENCE (AFD)," LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)," LCO 3.1.6, "Control Bank lnsertion Limits," LCO 3.2.2, "NuclearEnthalpy Rise Hot Channel Factor (FI")," and LCO 3.2.1, "Heat Flux HotChannel Factor (Fo(Z))." FXH and Fo(Z) are measured periodically using the movable incore detector system. Measurements are generally taken with the core at, or near, steady state conditions. Core monitoring and control undertransient conditions (Condition 1 events) are accomplished by operating the core within the limits of the LCOs on AFD, QPTR, and Bank Insertion Limits.FIH satisfies Crite rion 2of 10 CFR 50.36(c)(2xii). LCO FIH shalt be maintained within the limits of the relationship provided in the COLR.The FIH limit identifies the coolant flow channel with the maximum enthalpy rise. This channel has the highest probability for a DNB.The limiting value of FIH, described by the equation contained in the COLR, is a design radial peaking factor (nuclear enthalpy rise hot channelfactor) used in the unit safety analyses. A power multiplication factor in this equation includes an additionalmargin for higher radial peaking from reduced thermal feedback and greater control rod insertion at low power levels. The limiting value of Ftn is allowed to increase by the value for PF,1p specified in the COLR for every 1% RTP reduction in THERMAL POWER.APPLICABIL}TYThe FXr limits must be maintained in MODE 1 to preclude core power distributions from exceeding the fuel design limits for DNBR and PCT.Applicability in other MODES is not required because there is eitherinsufficient stored energy in the fuel or insufficient energy being transferred to the coolant to require a limit on the distribution of core power. Specifically, the design bases events that are sensitive to FXH inother MODES (MODES 2 through 5) have significant margin to the DNBR limit, and therefore, there is no need to restrict FIn in these MODES.Beaver Valley Units 1 and 2B 3.2.2 - 3Revision 0 FI'B 3.2.2 BASES ACTIONS A.1.1With Flx exceeding its limit, the unit is allowed 4 hours to restore FIn towithin its limits. This restoration may, for example, involve realigning anymisaligned rods or reducing power enough to bring FXu within its power dependent limit. When the FXH limit is exceeded, the DNBR limits are notlikely violated in steady state operation, because events that could significantly perturb the FIn value (e.g., static control rod misalignment)are considered in the safety analyses. However, the DNBR limits may beviolated if a DNB limiting event occurs. Thus, the allowed Completion Time of 4 hours provides an acceptable time to restore FX" to within itslimits without allowing the plant to remain in an unacceptable condition foran extended period of time.Condition A is modified by a Note that requires that Required Actions A.2and A.3 must be completed whenever Condition A is entered. Thus, if power is not reduced because this Required Action is completed withinthe 4 hour time period, Required Action A.2 nevertheless requires another measurement and calculation of Fln within 24 hours in accordance withsR 3.2.2.1 .However, if power is reduced below SAYo RTP, Required Action A.3 requires that another determination of FXn must be performed prior toexceeding 50% RTP, prior to exceedingTS% RTP, and within 24 hours after reaching or exceeding 95% RTP. In addition, Required Action A.2 is performed if power ascension is delayed past 24 hours.4.1.2.1 and A.1.2.2lf the value of FIH is not restored to within its specified limit either by adjusting a misaligned rod or by reducing THERMAL POWER, thealternative option is to reduce THERMAL POWER to < 50% RTP in accordance with Required Action A.1.2.1 and reduce the Power RangeNeutron Flux - High to s 55% RTP in accordance with Required Action A.1.2.2. Reducing RTP to < 50% RTP increases the DNB margin and does not likely cause the DNBR limit to be violated in steady state operatlon. The reduction in trip setpoints ensures that continuing operation remains at an acceptable low power level with adequate DNBRmargin. The allowed Completion Time of 4 hours for Required Action A.1.2.1 is consistent with those allowed for in RequiredAction A.1.1 and provides an acceptable time to reach the required power level from full power operation without allowing the plant to remain in anunacceptable condition for an extended period of time. The Completion Times of 4 hours for Required Actions A.1.1 and A.1.2.1 are not additive.Beaver Valley Units 1 and 2 B 3.2.2 - 4Revision 0 BASES ACTIONS (continued) The allowed Completion Time of 72 hours to reset the trip setpoints perRequired Action A.1.2.2 recognizes that, once power is reduced, thesafety analysis assumptions are bounding and there is no urgent need toreduce the trip setpoints. This is a sensitive operation that may inadvertently trip the Reactor Protection System. 4.2 Once the power level has been reduced to < 50% RTP per Required Action A.1.2.1, an incore flux map (SR 3.2.2.1)must be obtained and the measured value of FIH verified not to exceed the allowed limit at the lower power level. The unit is provided 20 additional hours to perform this taskover and above the 4 hours allowed by either Action A.1.1 orAction A.1.2.1. The Completion Time of 24 hours is acceptable becauseof the increase in the DNB margin, which is obtained at lower power levels, and the low probability of having a DNB limiting event within this24 hour period. Additionally, operating experience has indicated that this Completion Time is sufficient to obtain the incore flux ffiap, perform the required calculations, and evaluate FIn.A.3Verification that fIH is within its specified limits after an out of limit occurrence ensures that the cause that led to the FIH exceeding its limit iscorrected, and that subsequent operation proceeds within the LCO limit.N" limit is withi.n the LCO li imits prior toThis Action demonstrates that the FIH limit is wiexceeding 50% RTP, again prior to exceeding 75% RTP, and within24 hours after THERMAL POWER is > 95% RTP.This Required Action is modified by a Note that states that THERMALPOWER does not have to be reduced prior to performing this Action.8.1 ,When Required Actions A.1.1 through A.3 cannot be completed withintheir required Completion Times, the plant must be placed in a MODE inwhich the LCO requirements are not applicable. This is done by placing the plant in at least MODE 2 within 6 hours. The allowed Completion Time of 6 hours is reasonable, based on operating experience regardingthe time required to reach MODE 2 from full power conditions in an orderly manner and without challenging plant systems.Beaver Valley Units 1 and 2 B 3.2.2 - 5Revision 0 BASES SURVEILLANCE SR 3.2.2.1 REQUIREMENTSThe value of FIH is determined by using the movable incore detectorsystem to obtain a flux distribution map. A data reduction computer program then calculates the maximum value of FXH from the measuredflux distributions. The measured value of FIH must be multiplied by 1.04to account for measurement uncertainty before making comparisons tothe FIH timit.After each refueling, FX" must be determined in MODE 1 prior to exceedingTS% RTP. This requirement ensures that FIn limits are met atthe beginning of each fuel cycle.The 31 EFPD Frequency is acceptable because the power distribution changes relatively slowly over this amount of fuel burnup. Accordingly,this Frequency is short enough that the FIn timlt cannot be exceeded forany significant period of operation. REFERENCES 2.3.1.Regulatory Guide 1.77, Rev. 0, May 1974.10 CFR 50, Appendix A, GDC 26.10 cFR 50.46.Beaver Valley Units 1 and 2 B 3.2.2 - 6 Revision 0 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.3 AXIAL FLUX DIFFERENCE (AFD)BASES BACKGROUND The purpose of this LCO is to establish limits on the values of the AFD inorder to limit the amount of axial power distribution skewing to either the top or bottom of the core. By limiting the amount of power distributionskewing, core peaking factors are consistent with the assumptions used in the safety analyses. Limiting power distribution skewing over time also minimizes the xenon distribution skewing, which is a significant factor in axial power distribution control.Relaxed Axial Offset Control (RAOC) is a calculational procedure thatdefines the allowed operational space of the AFD versus THERMALPOWER. The AFD limits are selected by considering a range of axialxenon distributions that may occur as a result of large variations of the AFD. Subsequently, power peaking factors and power distributions areexamined to ensure that the loss of coolant accident (LOCA), loss of flowaccident, and anticipated transient limits are met. Violation of the AFDlimits invalidate the conclusions of the accident and transient analyseswith regard to fuel cladding integrity.The AFD is monitored on an automatic basis using the unit process computer, which has an AFD monitor alarm. The computer determinesthe 1 minute average of each of the OPERABLE excore detector outputs and provides an alarm message immediately if the AFD for two or moreOPERABLE excore channels is outside its specified limits. lf the AFDmonitor is out of service, indicated AFD for each OPERABLE excorechannel is manually monitored in accordance with the requirements specified in the Licensing Requirements Manual (Ref. 1).Although the RAOC defines limits that must be met to satisfy safetyanalyses, typically an operating scheme, Constant Axial Offset Control (CAOC) is used to control axial power distribution in day to day operation (Ref. 2). CAOC requires that the AFD be controlled within a narrowtolerance band around a burnup dependent target to minimize thevariation of axial peaking factors and axial xenon distribution during unit maneuvers.The CAOC operating space is typically smaller and lies within the RAOCoperating space. Control within the CAOC operating space constrainsthe variation of axial xenon distributions and axial power distributions.RAOC calculations assume a wide range of xenon distributions and then confirm that the resulting power distributions satisfy the requirements of the accident analyses.Beaver Valley Units 1 and 2 B 3.2.3 - 1Revision 0 AFDB 3.2.3 BASES APPLICABLE SAFETY ANALYSESThe AFD is a measure of the axial power distribution skewing to either the top or bottom half of the core. The AFD is sensitive to many core related parameters such as control bank positions, core power level, axialburnup, axial xenon distribution, and, to a lesser extent, reactor coolant temperature and boron concentration. The allowed range of the AFD is used in the nuclear design process toconfirm that operation within these limits produces core peaking factors and axial power distributions that meet safety analysis requirements.The RAOC methodology (Ref. 3) establishes a xenon distribution library with tentatively wide AFD limits. One dimensional axial power distribution calculations are then performed to demonstrate that normal operation power shapes are acceptable for the LOCA and loss of flow accident, andfor initial conditions of anticipated transients. The tentative limits areadjusted as necessary to meet the safety analysis requirements.The limits on the AFD ensure that the Heat Flux Hot Channel Factor (Fo(Z)) is not exceeded during either normal operation or in the event ofxenon redistribution following power changes. The limits on the AFD also restrict the range of power distributions that are used as initial conditions in the analyses of Condition 2, 3, or 4 events. This ensures that the fuel cladding integrity is maintained for these postulated accidents. The most limiting Condition 4 event with respect to the AFD limits is the LOCA. Themost limiting Condition 3 event with respect to the AFD limits is the loss of flow accident. The most limiting Condition 2 events with respect to the AFD limits include the uncontrolled RCCA bank withdrawal at power,dropped RCCA, and boron dilution accidents. Condition2 accidentssimulated to begin from within the AFD limits are used to confirm theadequacy of the Overpower AT and Overtemperature AT trip setpoints.The linrits on the AFD satisfy Criterion 2 of 10 CFR 50.36(c)(2xii). LCOThe shape of the power profile in the axial (i.e., the vertical) direction islargely under the control of the operator through the manual operation of the control banks or automatic motion of control banks. The automatic motion of the control banks is in response to temperature deviationsresulting from manual operation of the Chemical and Volume ControlSystem to change boron concentration or from power level changes.Signals are available to the operator from the Nuclear lnstrumentation System (NlS) excore neutron detectors (Ref. a). Separate signals aretaken from the top and bottom detectors. The AFD is defined as the difference in normahzed flux signals between the top and bottom excore detectors in each detector well. For convenience, this flux difference isconverted to provide flux difference units expressed as a percentage andlabeled as %A flux or %Ll.Beaver Valley Units 1 and 2B 3.2.3 - 2Revision 0 AFDB 3.2.3 BASES LCO (continued) The AFD limits are provided in the COLR. Figure B 3.2.3-1 shows typicalRAOC AFD limits. The AFD limits for RAOC do not depend on the target flux difference. However, the target flux difference may be used to minimize changes in the axial power distribution. Violating this LCO on the AFD could produce unacceptable consequences if a Condition 2, 3, or 4 event occurs while the AFD isoutside its specified limits.The LCO is modified by a Note which states that AFD shall be considered outside its limit when two or more OPERABLE excore channels indicateAFD to be outside its limit. APPLICABILITY The AFD requirements are applicable in MODE 1 greater than or equal to50% RTP when the combination of THERMAL POWER and core peakingfactors are of primary importance in safety analysis.For AFD limits developed using RAOC methodology, the value of the AFD does not affect the limiting accident consequences with THERMAL POWER < 50% RTP and for lower operating power MODES.ACTIONS A.1 As an alternative to restoring the AFD to within its specified limits,Required Action A.1 requires a THERMAL POWER reduction to < 50% RTP. This places the core in a condition for which the value of theAFD is not important in the applicable safety analyses. A Completion Time of 30 minutes is reasonable, based on operating experience, to reach 50% RTP without challenging plant systems.SURVEILLANCE SR 3.2.3.1 REQUIREMENTSThis Surveillance verifies that the AFD, as indicated by the NIS excorechannel, is within its specified limits. The Surveillance Frequency of 7 days is adequate considering that the AFD is monitored by a computerand any deviation from requirements is alarmed or the indicated AFD ismanually monitored as required in Reference 1. Beaver Valley Units 1 and 2 B 3.2.3 - 3 Revision 0 BASES REFERENCES 1.2.Licensing Requirements Manual (LRM).WCAP-8403 (nonproprietary), "Power Distribution Control and Load Following Procedures," Westinghouse Electric Corporation, September 1974.WCAP-10216-P-A, Rev. 1A, "Relaxation of Constant Axial Offset Control: Fo Surveillance Technical Specification," February 1994.UFSAR, Chapter 7 (Unit 1) and UFSAR Chapter a (Unit 2).3.4.Beaver Valley Units 1 and 2 B 3.2.3 - 4Revision 0 d.t!=-Rn-vv_J=d.l-LJ L F a60 l' I F d.(+-o o\o 40 AFDB 3.2.3 2A-50 10-40 -?0 10 30 50 20 40AXIAL FLUX DIFFERENCE (%)Figure B 3.2.3-1 (page 1 of 1)AXIAL FLUX DIFFERENCE Acceptable Operatlon Limitsas a Function of RATED THERMAL POWER 100 (-15, 100)(6, 00)UNACCEPTABI OPERATIOt\l E/\UN c qCCEPT IPERAT: qBLE ON/50F ACCEPTABLE OPE RAT I ON I I I)-(20, {{-31 o)-THIS FIGURE IS FOR ILLUSTRATION ONLY.DO NOT USE FOR OPERATION. Beaver Valley Units 1 and 2B 3.2.3 - 5Revision 0 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.4 QUADRANT POWER TILT RATTO (OPTR)BASES BACKGROUND The QPTR limit ensures that the gross radial power distribution remainsconsistent with the design values used in the safety analyses. Precise radial power distribution measurements are made during startup testing, after refueling, and periodically during power operation. The power density at any point in the core must be limited so that the fueldesign criteria are maintained. Together, LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," LCO 3.2.4, and LCO 3.1.6, "Control Rod Insertion Limits," provide limits on process variables that characterize and controlthe three dimensional power distribution of the reactor core. Control of these variables ensures that the core operates within the fuel designcriteria and that the power distribution remains within the bounds used inthe safety analyses. APPLICABLE SAFETY ANALYSESThis LCO precludes core power distributions that violate the following fuel design criteria: During a large or small break loss of coolant accident, the peak cladding temperature must not exceed 2200"F (Ref. 1), During a loss of forced reactor coolant flow accident, there must be at least 95% probability at the 95% confidence level (the 95i95 departure from nucleate boiling (DNB) criterion) that the hot fuel rod in the core does not experience a DNB condition, During an ejected rod accident, the energy deposition to the fuelmust not exceed 280 cal/gm (Ref. 2), and The control rods must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuckfully withdrawn (Ref. 3).The LCO limits on the AFD, the QPTR, the Heat Flux Hot Channel Factor (Fo(Z)), the Nuclear Enthalpy Rise Hot Channel Factor (FX"), and control bank insertion are established to preclude core power distributions that exceed the safety analyses limits.The QPTR limits ensure that FIH and Fq(Z) remain below their limlting values by preventing an undetected change in the gross radial power distribution. a.b.c.d.Beaver Valley Units 1 and 2 B 3.2.4 - 1Revision 0 QPTRB 3.2.4 BASES APPLICABLE SAFEry ANALYSES (continued) In MODE 1, the FXn and Fo(Z) limits must be maintained to preclude core power distributions from exceeding design limits assumed in the safety analyses.The QPTR satisfies Criterio n 2 of 10 CFR 50.36(c)(2Xii). LCO The QPTR limit of 1.02, at which corrective action is required, provides a margin of protection for both the DNB ratio and linear heat generation ratecontributing to excessive power peaks resulting from X-Y plane powertilts. A limiting QPTR of 1.02 can be tolerated before the margin foruncertainty in F6(Z) and (FI*) is possibly challenged. APPLICABILITY The QPTR limit must be maintained in MODE 1 with THERMAL POWER> 50o/o RTP to prevent core power distributions from exceeding the design limits.Applicability in MODE 1 = 50% RTP and in other MODES is not requiredbecause there is either insufficient stored energy in the fuel or insufficientenergy being transferred to the reactor coolant to require the implementation of a QPTR limit on the distribution of core power. The QPTR limit in these conditions is, therefore, not important. Note that the FIu and Fo(Z) LCOs still apply, but allow progressively higher peakingfactors at 50% RTP or lower.ACTIONS A.1With the QPTR exceeding its limit, a power level reduction of >3o/o from RTP for each 1% by which the QPTR exceeds 1 .00 is a conservative tradeoff of total core power with peak linear power. The Completion Timeof 2 hours allows sufficient time to identify the cause and correct the tilt.Note that the power reduction itself may cause a change in the tilted condition.The maximum allowable power level initially determined by Required Action A.1 may be affected by subsequent determinations of QPTR.lncreases in QPTR would require power reduction within 2 hours of QPTR determination, if necessary to comply with the decreased maximum allowable power level. Decreases in QPTR would allow increasing the maximum allowable power level and increasing power up to this revised limit. Beaver Valley Units 1 and 2B 3.2.4 - 2Revision 0 QPTRB 3.2.4 BASES ACTIONS (continued) 4.2After completion of Required Action A.1, the QPTR alarm may still be in its alarmed state. As such, any additional changes in the QPTR are detected by requiring a check of the QPTR once per 12 hours thereafter.A 12 hour Completion Time is sufficient because any additional change in QPTR would be relatively slow. A.3 The peaking factors Fq(Z), as approximated Uy ffi(Z) and FH(Z), and FXHare of primary importance in ensuring that the power distribution remains consistent with the initial conditions used in the safety analyses.Performing SRs on FIn and Fq(Z) within the Completion Time of 24 hoursafter achieving equilibrium conditions from a Thermal Power reduction per Required Action A.1 ensures that these primary indicators of power distribution are within their respective limits. Equilibrium conditions areachieved when the core is sufficiently stable at intended operating conditions to support flux mapping. A Completion Time of 24 hours after achieving equilibrium conditions from Thermal Power reduction per Required Action A.1 takes into consideration the rate at which peaking factors are likely to change, and the time required to stabilize the plant and perform a flux map. lf these peaking factors are not within theirlimits, the applicable Required Actions provide an appropriate responsefor the abnormal condition. lf the QPTR remains above its specified limit, the peaking factor surveillances are required each 7 days thereafter to evaluate FIH and Fo(Z) with changes in power distribution. Relativelysmall changes are expected due to either burnup and xenon redistributionor correction of the cause for exceeding the QPTR limit.4.4 Although FIH and Fo(Z) are of primary importance as initial conditions inthe safety analyses, other changes in the power distribution may occur as the QPTR limit is exceeded and may have an impact on the validity of the safety analysis. A change in the power distribution can affect such reactor parameters as bank worths and peaking factors for rod malfunction accidents. When the QPTR exceeds its limit, it does not necessarily mean a safety concern exists. lt does mean that there is an indication of a change in the gross radial power distribution that requiresan investigation and evaluation that is accomplished by examining the incore power distribution. Specifically, the core peaking factors and the quadrant tilt must be evaluated because they are the factors that best Beaver Valley Units 1 and 2B 3.2.4 - 3 Revision 0 QPTR B 3.2.4 BASES ACTIONS (continued)characterize the core power distribution. This re-evaluation is required toensure that, before increasing THERMAL POWER to above the limit of Required Action A.1, the reactor core conditions are consistent with the assumptions in the safety analyses. 4.5lf the QPTR has exceeded the 1.02 limit and a re-evaluation of the safety analysis is completed and shows that safety requirements are met, theexcore detectors are normalized to restore QPTR to within limits prior to increasing THERMAL POWER to above the limit of Required Action A.1.Normalization is accomplished in such a manner that the indicated QPTR following normalization is near 1.00. This is done to detect anysubsequent significant changes in QPTR.Required Action A.5 is modified by two Notes. Note 1 states that the QPTR is not restored to within limits until after the re-evaluation of thesafety analysis has determined that core conditions at RTP are within thesafety analysis assumptions (i.e., Required Action A.4). Note 2 states that if Required Action A.5 is performed, then Required Action 4.6 shall be performed. Required Action A.5 normalizes the excore detectors to restore QPTR to within limits, which restores compliance with LCO 3.2.4.Thus, Note 2 prevents exiting the Actions prior to completing flux mappingto verify peaking factors, per Required Action

4.6. These

Notes areintended to prevent any ambiguity about the required sequence of actions.A.6Once the flux tilt is restored to within limits (i.e., Required Action A.5 is performed), it is acceptable to return to full power operation. However, asan added check that the core power distribution is consistent with thesafety analysis assumptions, Required Action A.6 requires verificationthat Fq(Z), as approximated OV f8(Z) and FH(Z), and FXH are within theirspecified limits within 24 hours of achieving equilibrium conditions at RTP.As an added precaution, if the core power does not reach equilibrium conditions at RTP within 24 hours, but is increased slowly, then the peaking factor surveillances must be performed within 48 hours afterincreasing THERMAL POWER above the limit of Required Action A.1. These Completion Times are intended to allow adequate time to increaseTHERMAL POWER to above the limit of Required Action A.1, while not permitting the core to remain with unconfirmed power distributions for extended periods of time.Beaver Valley Units 1 and 2B 3.2.4 - 4 QPTRB 3.2.4 BASES ACTIONS (continued) Required Action A.6 is modified by a Note that states that the peaking factor surueillances may only be done after the excore detectors havebeen normalized to restore QPTR to within limits (i.e., Required Action A.5). The intent of this Note is to have the peaking factor surveillances performed at operating power levels, which can only be accomplished after the excore detectors are normalized to restore QPTR to within limits and the core returned to power.8.1lf Required Actions A.1 through A,6 are not completed within their associated Completion Times, the unit must be brought to a MODE or condition in which the requirements do not apply. To achieve this status, THERMAL POWER must be reduced to s 50o/o RTP within 4 hours. The allowed Completion Time of 4 hours is reasonable, based on operating experience regarding the amount of time required to reach the reduced power level without challenging plant systems.SURVEILLANCE SR 3.2.4.1 REQUIREMENTS SR 3.2.4.1 is modified bytwo Notes. Note 1 allows QPTR to be calculated with three power range channels if THERMAL POWER is=75% RTP and the input from one Power Range Neutron Flux channel inoperable. Note 2 allows performance of SR 3.2.4.2 in lieu of sR 3.2.4.1 This Surveillance verifies that the QPTR, as indicated by the Nuclear lnstrumentation System (NlS) excore channels, is within its limits. The Frequency of 7 days takes into account other information and alarms available to the operator in the control room.For those causes of power tilt that occur qu,ickly (e.g., a dropped rod), there typically are other indications of abnormality that prompt a verification of core power tilt.SR 3 2;4.2 This Surveillance is modified by a Note, which states that it is not requireduntil 12 hours after the input from one or more Power Range Neutron Flux channels are inoperable and the THERMAL POWER is > 75% RTP.Beaver Valley Units 1 and 2B 3.2.4 - 5Revision 0 BASES SURVEILLANCE REQUIREMENTS (continued)With an NIS power range channel inoperable, tilt monitoring for a portionof the reactor core becomes degraded. Large tilts are likely detected with the remaining channels, but the capability for detection of small power tilts in some quadrants is decreased. Performing SR 3.2.4.2 at a Frequencyof 12 hours provides an accurate alternative means for ensuring that anytilt remains within its limits. For purposes of monitoring the QPTR when one power range channel is inoperable, the moveable incore detectors are used to confirm that the normalized symmetric power distribution is consistent with the indicated QPTR and any previous data indicating a tilt. The incore detector monitoring is performed with a full incore flux map or two sets of fourthimble locations with quarter core symmetry. The two sets of four symmetric thimbles is a set of eight unique detector locations. These locations are C-8, E-5, E-1 1, H-3, H-13, L-5, L-11, and N-8.The symmetric thimble flux map can be used to generate symmetric thimble 'tilt.' This can be compared to a reference symmetric thimble tilt, from the most recent full core flux map, to generate an incore QPTR.Therefore, incore monitoring of QPTR can be used to confirm that QPTRis within limits.With one NIS channel inoperable, the indicated tilt may be changed fromthe value indicated with all four channels OPERABLE. To confirm that no change in tilt has actually occurred, which might cause the QPTR limit tobe exceeded, the incore result may be compared against previous flux maps either using the symmetric thimbles as described above or a complete flux map. Nominally, quadrant tilt from the Surveillance should be within 2% of the tilt shown by the most recent flux map data.REFERENCES 1.2.310 cFR 50.46. Regulatory Guide 1.77, Rev 0, May 1974.10 CFR 50, Appendix A, GDC 26.Beaver Valley Units 1 and 2B 3.2.4 - 6 Revlsion 0 RTS InstrumentationB 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Trip System (RTS) Instrumentation BASES BACKGROUNDThe RTS initiates a unit shutdown, based on the values of selected unit parameters, to protect against violating the core fuel design limits and Reactor Coolant System (RCS) pressure boundary during anticipated operational occurrences (AOOs) and to assist the Engineered Safety Features (ESF) Systems in mitigating accidents. The protection and monitoring systems have been designed to assuresafe operation of the reactor. This is achieved by specifying limitingsafety system settings (LSSS) in terms of parameters directly monitored by the RTS, as well as specifying LCOs on other reactor system parameters and equipment performance. Technical Specifications are required by 10 CFR 50.36 to contain LSSSdefined by the regulation as "...settings for automatic protectivedevices...so chosen that automatic protective action will correct theabnormal situation before a Safety Limit (SL) is exceeded." TheAnalytical Limit is the limit of the process variable at which a safety actionis initiated, as established by the safety analysis, to ensure that a SL isnot exceeded. Any automatic protection action that occurs when reaching the Analytical Limit therefore ensures that the SL is notexceeded. However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than theAnalytical Limit to account for instrument loop uncertainties related to thesetting at which the automatic protective action may actually occur.The nominal trip setpoint is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variablereaching the Analytical Limit and thus ensuring that the SL would not be exceeded.Technical Specifications contain values related to the OPERABILITY ofequipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing itssafety function(s)." For each automatic protective device there is a setting beyond which thedevice would not be able to perform its function due, for example, to greater than expected drift. The value of this setting is specified in theTechnical Specifications in order to define OPERABILITY of the devices and is designated as the Allowable Value.Beaver Valley Units 1 and 2B 3.3.1 - 1Revision 0 RTS lnstrumentationB 3.3.1 BASES BACKG ROU N D (continued)The Allowable Value specified in Table 3.3.1-1 serves as theOPERABILITY limit such that a channel is OPERABLE if the trip setpointis found not to exceed the Allowable Value. Note that, although thechannel is "OPERABLE" under these circumstances, the trip setpoint should be left adjusted to a value within the established trip setpoint calibration tolerance band, in accordance with the assumptions stated inthe BVPS Unit 1 and Unit 2 setpoint methodology for protection systems (Ref. 1). lf the actual setting of the device is found to have exceeded theAllowable Value the device would be considered inoperable from a Technical Specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required.In addition to the channel OPERABILITY guidance discussed above, theCHANNEL OPERATIONAL TEST (COT) and CHANNEL CALIBRATIONSurveillance Requirements (SRs) specified on Table 3.3.1-1 for certainRTS Functions are modified by Notes (k) and (l) that specify additional Technical Specification requirements. The applicable Notes are specified directly on Table 3.3.1-1 next to the numerical SR designations for theaffected RTS Functions. The additional Technical Specificationrequirements for these RTS Functions include OPERABILITY evaluations for setpoints found outside the as-found acceptance criteria band and the requirement to reset the setpoint to within the as-left tolerance of the nominal trip setpoint or a value that is more conservative than the nominaltrip setpoint or declare the affected channel inoperable. These additional Technical Specification requirements are only applicable to the RTSFunctions with the Notes modifying their COT and CHANNEL CALIBRAT]ON SR numbers on Table 3.3.1-1.During AOOs, which are those events expected to occur one or moretimes during the unit life, the acceptable limits are:

1. The Departure frorn Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value,2. Fuel centerline melt shall not occur, and3. The RCS pressure of 2748.5 psia shall not be exceeded.Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be withinthe 10 CFR 50.67 limits during AOOs.Beaver Valley Units 1 and 2 B 3.3.1 - 2Revision 0 RTS InstrumentationB 3.3.1 BASES BACKGROU N D (continued)

Accidents are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that offsite dose shall be maintained within the 10 CFR 50.67 limits. Different accident categories are allowed a different fraction of these limits, based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event. The RTS instrumentation is segmented into four distinct but interconnected modules as described in UFSAR, Chapter 7 (Ref.as identified below: and 1.2.3.4.Field transmitters or process sensors: provide a measurabfeelectronic signal based upon the physical characteristics of the parameter being measured,Signal Process Control and Protection System, including Analog Protection System, Nuclear Instrumentation System (NlS), fieldcontacts, and protection channel sets: provides signal conditioning,trip device setpoint comparison, process algorithm actuation,compatible electrical signal output to protection system devices, andcontrol boa rd/control room/m iscella neous i nd ications,Solid State Protection System (SSPS), including input, logic, andoutput bays: initiates proper unit shutdown and/or ESF actuation inaccordance with the defined logic, which is based on the trip device outputs from the signal process control and protection system, and Reactor trip switchgear, including reactor trip breakers (RTBs) andbypass breakers: provides the means to interrupt power to the control rod drive mechanisms (CRDMs) and allows the rod cluster control assemblies (RCCAs), or "rods," to fall into the core and shutdown the reactor. The bypass breakers allow testing of the RTBs at power.Field Transmitters or SensorsTo meet the design demands for redundancy and reliability, more thanone, and in some cases as many as four, field transmitters or sensors areused to measure unit parameters. To account for the calibrationtolerances and instrument drift, which are assumed to occur betweencalibrations, statistical allowances are provided in the nominal tripsetpoint and Allowable Values. The OPERABILITY of each transmitter orsensor is determined by either "as-found" calibration data evaluatedduring the CHANNEL CALIBRATION or by qualitative assessrnent of fieldtransmitter or sensor as related to the channel behavior observed during performance of the CHANNEL CHECK. Beaver Valley Units 1 and 2 B 3.3.1 - 3 Revision 0 RTS Instrumentation B 3.3.1 BASES BACKGROU N D (continued) Siqnal Process Control and Protection System Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning,comparable output signals for instruments located on the main controlboard, and comparison of measured input signals with setpointsestablished by safety analyses. The safety analyses and associated RTS Functions are discussed in UFSAR Chapter 14 (Unit 1) and UFSAR Chapter 15 (Unit 2) (Ref. 3). lf the measured value of a unit parameterexceeds the predetermined setpoint, an output from a trip device isforwarded to the SSPS for decision evaluation. Channel separation ismaintained up to and through the input bays. However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unitcomputer, and one or more control systems.Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide therequired reliability and redundancy. lf one channel fails in a direction thatwould not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. lf one channel fails, such that a partialFunction trip occurs, a trip will not occur and the Function is stillOPERABLE with a one-out-of-two logic.Generally , if a parameter is used for input to the SSPS and a controlfunction, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able towithstand both an input failure to the controf system, which may thenrequire the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a single failure will neither cause nor prevent the protection function actuation. These requirements are described in IEEE-279-1971 (Ref. a). However,exceptions to the requirement for four channels are part of the design andlicensing basis of the RTS (e g , steam generator level instrumentation). The actual number of channels required for each unit parameter is specified in Technicaf Specification Table 3.3.1-1 .Two logic trains are required to ensure no single random failure of a logictraln will disable the RTS. The logic trains are designed such that testingrequired while the reactor is at power may be accomplished withoutcausing trip. Provisions to allow removing logic trains from service during maintenance are unnecessary because of the logic system's designed reliability. Beaver Valley Units 1 and 2B 3.3.1 - 4 Revision 0 RTS InstrumentationB 3.3.1 BASES BACKG ROU N D (continued)Allowable Values. RTS Setpoints. and LSSS The nominal trip setpoints used in trip devices are based on the analytical limits stated in Reference 1. The selection of these nominal trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. The nominal trip setpointsaccount for calibration tolerances, instrument uncertainties, instrument drift, and severe environment errors for those RTS channels that mustfunction in harsh environments as defined by 10 CFR 50.49 (Ref. 5).The nominal trip setpoints are specified in the Licensing Requirements Manual (LRM). The Allowable Values specified in the Technical Specifications are determined by adding (or subtracting) the calibrationaccuracy of the trip device to the nominal trip setpoint in the non-conservative direction (i.e., toward or closer to the safety analysis limit)for the application. The Allowable Values remain conservative withrespect to the analytical limits. For those channels that provide trip actuation via a bistable in the process racks, the calibration accuracy isdefined by the rack calibration accuracy term. For a limited number ofchannels that provide trip actuation without being processed via the process racks (e.9., undervoltage relay or turbine trip channels) theAllowable Value is defined by device drifi or repeatability (Ref. 1). Theapplication of the calibration accuracy term (or device drift as applicable)to each RTS setpoint results in a "calibration tolerance band." Thus, thetrip setpoint value is considered a "nominal" value (i.e., expressed as avalue with a calibration tolerance) for the purposes of the COT andCHANNEL CALIBRATION. The callbration tolerance band for each RTS setpoint is specified in plant procedures. A detailed description of themethodology used to calculate the Allowable Values and nominal tripsetpoints, including their explicit uncertainties, is provided in Reference 1 which incorporates all of the known uncertainties applicable to eachchannel. The magnitudes of these uncertainties are factored into thedetermination of each nominal trip setpoint and corresponding AllowableValue. The nominal trip setpoint entered into the trip device is moreconservative than that specified by the Allowable Value to account formeasurement errors detectable by the COT. fhe Allowable Value servesas the Technical Specification OPERABILITY limit. One example of sucha change in measurement error is drift during the surveillance interval. lf the measured setpoint does not exceed the Allowable Value, the channelis considered OPERABLE. As discussed earlier, for certain RTS Functions, the COT and CHANNEL CALIBRATION SR numbers specified on Table 3.3.1 -1 are modified by Notes that impose additional Technical Specification requirements for channel OPERABILITY. Beaver Valley Units 1 and 2B 3.3.1 - 5Revision 0 RTS Instrumentation B 3.3.1 BASES BACKG ROU N D (continued)The nominal trip setpoint is the value at which the trip device is set and isthe expected value to be achieved during calibration. The nominal tripsetpoint value ensures the LSSS and the safety analysis limits are met forsurveillance interval selected when a channel is adjusted to be within the calibration tolerance. Any trip device with a nominal trip setpoint is considered to be properly adjusted when the "as left" setpoint value iswithin the calibration tolerance.The nominal trip setpoint is based on the calculated total loop uncertainty per the plant specific methodology documented in the Licensing Requirements Manual. The setpoint methodology, used to derive the nominal trip setpoints, is based upon combining all of the uncertainties inthe channels. Inherent in the determination of the nominal trip setpoints are the magnitudes of these channel uncertainties. Sensors and other instrumentation utifized in these channels should be capable of operating within the allowances of these uncertainty magnitudes. Occasional drift in excess of the allowance may be determined to be acceptable based onthe other device performance characteristics. Device drift in excess of the allowance that is more than occasional, may be indicative of more serious problems and would warrant further investigation.Operable RTS Functions with setpoints maintained within the Allowable Values specified in the Technical Specifications ensure that SLs are not violated during AOOs (and that the consequences of DBAs will be acceptable, providing the unit is operated from within the LCOs at theonset of the AOO or DBA and the equipment functions as designed). For most RTS Functions the Allowable Value specified on Table 3.3.1-1 the LSSS required by 10 CFR 50.36. However, for certain RTS Functions, the COT and CHANNEL CALl BRATION SR numbers specified on Table 3.3.1-1 are modified by Notes (k) and (l) that impose additional Technical Specification Requirements for channel OPERABILITY and change the LSSS for the affected Functions. For each RTS Function in Table 3.3.1-1 with Notes modifying the required COT and CHANNEL CALIBRATION SR numbers, the nominal trip setpoint specified in the Licensing Requirements Manual is the LSSS. This definition of the LSSS is consistent with the guidance issued to the lndustry through correspondence with Nuclear Energy lnstitute (NEl)(Reference NRC-NEl Letter dated September 7,2005). The definition of LSSS values continues to be discussed between the industry and the NRC, and further modifications to these Bases will be implemented as guidance is provided.Beaver Valley Units 1 and 2 B 3.3.1 - 6 Revision 0 RTS Instrumentation B 3.3.1 BASESBACKG ROU N D (continued)Table 3.3.1-1 Notes (k) and (l) are applicable tothe COT and CHANNELCALIBRATION SRs for specific instrument functions since changes toAllowable Values associated with these instrument functions were already under review by the NRC at the time the revised NRC setpoint criteria were documented and made available to the industry in an NRC letter toNEl. Changes to the remaining instrument functions may be pursued after guidance endorsed by both the NRC and NEI is issued.Each channel of the process control equipment can be tested on line to verify that the signal or setpoint accuracy is within the nominal tripsetpoint calibration tolerance specified in plant procedures. Once adesignated channel is taken out of service for testing, a simulated signalis injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. SRs for thechannels are specified in the SRs section.Solid State Protection SvstemThe SSPS equipment i,s used for the decision logic processing of inputsfrom field contacts, control board switches and the signal processlngequipment bistables. To meet the redundancy requirements, two trains ofSSPS, each performing the same functions, are provided. lf one train istaken out of seryice for test purposes, the second train will provide reactortrip and/or ESF actuation for the unit. lf both trains are taken out ofservice or placed in test, a reactor trip will result. Each train is packaged in its own cabinet for physical and electrical separation to satisfyseparation and independence requirements. The system has been designed to trip in the event of a loss of power, directing the unit to a safe shutdown condition.The SSPS performs the decision logic for actuating a reactor trip or ESF actuation, generates the electrical output signal that will initiate therequired trip or actuation, and provides the status, permissive, andannunciator output signals to the main control room of the unit.The input signals from field contacts, control board switches and bistable outputs from the signal processing equipment are sensed by the SSPSequipment and combined into logic matrices that represent combinations indicative of various unit upset and accident transients. lf a required logicmatrix combination is completed, the system will initiate a reactor trip orsend actuation signals via master and slave relays to those componentswhose aggregate Function best serves to alleviate the condition andrestore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.Beaver Valley Units I and 2B 3.3.1 - 7 Revision 0 RTS lnstrumentationB 3.3.1 BASES BACKGROU N D (continued)Reactor Trip SwitchqearTwo RTBs are connected in series in the electrical power supply line fromthe control rod drive motor generator set power supply to the CRDMs.Opening either of the RTBs interrupts power to the CRDMS, which allowsthe shutdown rods and control rods to fall into the core by gravity. EachRTB is equipped with a bypass breaker to allow testing of the RTB while the unit is at power.During normal operation the output from the SSPS is a voltage signal that energizes the undervoltage coils in the RTBs and bypass breakers, if in use. When the required logic matrix combination is completed, the SSPS output voltage signal is removed, the undervoltage coils arede-energized, the breaker trip lever is actuated by the de-energized undervoltage coil, and the RTBs and bypass breakers are tripped open.This allows the shutdown rods and control rods to fall into the core. Inaddition to the de-energization of the undervoltage coils, each RTB is alsoequipped with a shunt trip device that is energized to trip the breakeropen upon r:eceipt of a reactor trip signal from the SSPS. Either the undervoltage coil or the shunt trip mechanism is sufficient by itself, thus providing a diverse trip mechanism. The RTB bypass breakers are alsoequipped with a shunt trip device; however, manual actuation (local or remote) is required to energize this trip mechanism on the bypass breakers.The decision logic matrix Functions are contained in the functionaldiagrams included in Reference 2. ln addition to the reactor trip or ESF, these diagrams also illustrate the various "permissive interlocks" that are associated with unit conditions. Each train has a built in testing devicethat can automatically test the selected decision logic matrix Functionswhile the unit is at power. When any one train is taken out of service fortesting, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device issemiautomatic to minimize testing time.APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITYThe RTS functions to maintain the SLs during all AOOs and mitigates theconsequences of DBAs in all MODES in which the Rod Control System iscapable of rod withdrawal or one or more rods are not fully inserted.Each of the analyzed accidents and transients can be detected by one ormore RTS Functions. The accident analysis described in Reference 3takes credit for most RTS trip Functions. RTS trip Functions not explicitlycredited in the accident analysis may be implicitly credited in the safety Beaver Valley Units 1 and 2B 3.3.1 - 8 Revision 0 RTS lnstrumentationB 3.3.1 BASES APPLICABLE SAFEry ANALYSES, LCO, and APPLICABILITY (continued)analysis and the NRC staff approved licensing basis for the unit. TheseRTS trip Functions may provide protection for conditions not explicitlyanalyzed and may be anticipatory in nature or serve as backups to RTStrip Functions that are explicitly credited in the accident analysis to provide defense in depth.The LCO requires all instrumentation performing an RTS Function, listedin Table 3.3.1-1 in the accompanying LCO, to be OPERABLE. A channel is OPERABLE provided the trip setpoint "as-found" value does notexceed its associated Allowable Value and provided the trip setpoint "as-left" value is adjusted to a value within the "as-left" calibration toleranceband of the nominal trip setpoint. A trip setpoint may be set moreconservative than the nominal trip setpoint as necessary in response to plant conditions provided that the + calibration tolerance band remains the same and the Allowable Value is administratively controlledaccordingly in the conservative direction to meet the assumptions of the setpoint methodology. The conservative direction is established by thedirection of the inequality applied to the Allowable Value. Failure of anyinstrument may render the affected channel(s) inoperable and reduce the reliability of the affected Functions. In addition to the channel OPERABILITY guidance dtscussed above, theCOT and CHANNEL CALIBRATION SRs specified on Table 3.3.3-1 for certain RTS Functions are modified by Notes (k) and (l) that specify additional Technical Specification requirements. The applicable Notesare specified directly on Table 3.3.1-1 next to the numerical SR designations for the affected RTS Functions. The additional Technical Specification requirements for these RTS Functions includeOPERABILITY evaluations for setpoints found outside the as-foundacceptance criteria band and the requirement to reset the setpoint to within the as-left tolerance of the nominal trip setpoint or a value that ismore conservative than the nominal trip setpoint or declare the affected channel inoperable. These additional Technical Specificationrequirements are only applicable to the RTS Functions with the Notesmodifying their COT and CHANNEL CALIBRATION SR numbers onTable 3.3.1-1.The LCO generally requires OPERABILITY of four or three channels in each instrumentation Function, two channels of Manual Reactor Trip in each logic Function, and two trains in each Automatic Trip Logic Function, Four OPERABLE instrumentation channels in a two-out-of-four configuration may be required when one RTS channel is also used as a control system input. This configuration accounts for the possibility of theshared channel failing in such a manner that it creates a transient thatrequires RTS action. ln this case, the RTS will still provide protection, Beaver Valley Units 1 and 2B 3.3.1 - IRevision 0 RTS InstrumentationB 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) even with random failure of one of the other three protection channels.Three OPERABLE instrumentation channels in a two-out-of-three configuration are generally required when there is no potential for controlsystem and protection system interaction that could simultaneously createa need for RTS trip and disable one RTS channel. The two-out-of-threeand two-out-of-four configurations allow one channel to be tripped during maintenance or testing without causing a reactor trip. However,exceptions to these requirements are part of the current licensing anddesign basis (e.9., in the steam generator level instrumentation a medianselector switch is utilized to provide functional separation between the protection and control systems instead of a fourth level instrumentchannel). The specific exceptions to the above general philosophy arediscussed below.Reactor Trip Svstem Functions The safety analyses and OPERABILITY requirements applicable to eachRTS Function are discussed below:1. Manual Reactor TripThe Manual Reactor Trip ensures that the control room operator can initiate a reactor trip at any time by using either of two reactor tripswitches in the control room. A Manual Reactor Trip accomplishesthe same results as any one of the automatic trip Functions. TheManual Reactor Trip feature is not credited by any safety analyses.It is used by the reactor operator to manually shut down the reactor.The LCO requires two Manual Reactor Trip channels to beOPERABLE. Each channel is controlled by a manual reactor trip switch. Each channel activates the reactor trip breaker in both trains. Two independent channels are required to be OPERABLE so that no single random failure will disable the Manual Reactor Trip Function.ln MODE 1 or 2, manual initiation of a reactortrip must be OPERABLE.These are the MODES in which the shutdown rods and/or control rods are partially or fully withdrawn from the core. In MODE 3, 4, or 5, themanual initiation Function must also be OPERABLE if one or moreshutdown rods or control rods are withdrawn or the Rod Control Systemis capable of withdrawing the shutdown rods or the control rods. In thiscondition, inadvertent control rod withdrawal is possible. In MODE 3,4,or 5, manual initiation of a reactor trip does not have to be OPERABLE ifthe Rod Control System is not capable of withdrawing the shutdown rodsor control rods and if all rods are fully inserted. lf the rods cannot bewithdrawn from the core, or all of the rods are inserted, there is no need Beaver Valley Units 1 and 2B 3.3.1 - 10 Revision 0 RTS InstrumentationB 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)to be able to trip the reactor. In MODE 6, neither the shutdown rods nor 'the control rods are permitted to be withdrawn, except for specific activities such as drag testing performed under administrative controls,and the CRDMs are typically disconnected from the control rods andshutdown rods. Therefore, the manual initiation Function is not required.2. Power Range Neutron FluxThe NIS power range detectors are located external to the reactor vessel and measure neutrons leaking from the core. One NIS power range detector provides input to the Rod Control System and (for Unit 2 only) the Steam Generator (SG) Water Level Control System. Therefore, the actuation logic must be able to withstand aninput failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. As such, the power range instrument channels are combined in a two-out-of-four trip logic. Note that this Function also provides a signal to prevent automatic (for Unit 2) and manual rod withdrawal prior to initiating a reactor trip. Limiting further rod withdrawal may terminate the transient and eliminate the need to trip the reactor.a. Power Ranqe Neutron Flux - HiqhThe Power Range Neutron Flux - High trip Function ensures that protection is provided, from all power levels, against a fast positive reactivity excursion that could potentially lead to a violation of the safety analysis limit DNBR during poweroperation. These can be caused by rod withdrawal orreductions in RCS temperature. The LCO requires all four of the Power Range Neutron Flux -High channels to be OPERABLE.In MODE 1 or 2, when a positive reactivity excursion couldoccur, the Power Range Neutron Flux - High trip must be OPERABLE. This Function will terminate the reactivityexcursion and shut down the reactor prior to reaching a power level that could damage the fuel. In MODE 3,4,5, or 6, the NIS power range detectors cannot detect neutron levels in this range. In these MODES, the Power Range Neutron Flux - Highdoes not have to be OPERABLE because the reactor is shutdown and reactivity excursions into the power range areextremely unlikely. Other RTS Functions and administrative controls provide protection against reactivity additions when in MODE 3, 4, 5, or 6.Beaver Valley Units 1 and 2 B 3.3.1 - 11 Revislon 0 RTS lnstrumentationB 3.3.1 BASES APPLICABLE SAFEry ANALYSES, LCO, and APPLICABILITY (continued) b.The LCO requirement for the Power Range Neutron Flux - Lowtrip Function ensures that protection is provided against a positive reactivity excursion from low power or subcritical conditions. The LCO requires all four of the Power Range Neutron Flux -Low channels to be OPERABLE.In MODE 1, below the Power Range Neutron Flux (P-10 setpoint), and in MODE 2 with ker ) 1.0, MODE 2 with k*x < 1.0, and all RCS cold leg temperatures > 500oF, and RCS boron concentration < the ARO critical boron concentration when the Rod Control System is capable of rod withdrawal, or one ormore rods not fully inserted, and in MODE 3 with all RCS coldleg temperatures > 500"F, and the RCS boron concentration is< the ARO critical boron concentration when the Rod ControlSystem is capable of rod withdrawal, or one or more rods arenot fully inserted, the Power Range Neutron Flux - Low trip mustbe OPERABLE. This Function may be manually blocked by the operator when two out of four power range channels are greaterthan the P-10 setpoint specified in the LRM. This Function isautomatically unblocked when three out of four power range channels are below the P-10 setpoint. Above the P-10 setpoint, positive reactivity additions are mitigated by the Power RangeNeutron Flux - High trip Function. In MODE 3, with an RCS cold leg temperature < 500"F, 4,5,or 6, the Power Range Neutron Flux - Low trip Function doesnot have to be OPERABLE because the reactor is shut down and the NIS power range detectors cannot detect neutron levelsin this range. Other RTS trip Functions and administrative controls provide protection against positive reactivity additions or power excursions in MODE 3, with an RCS cold leg temperature < 500"F, 4, 5, or 6.3. Power Ranqe Neutron Flux - Hiqh Positive RateThe Power Range Neutron Flux Rate trip uses the same channelsas discussed for Function 2 above.The Power Range Neutron Flux - High Positive Rate trip Functionensures that protection is provided against rapid increases inneutron flux that are characteristic of an RCCA drive rod housing rupture and the accompanying ejection of the RCCA. Although thisBeaver Valley Units 1 and 2 B 3.3.1 - 12Revision 0 RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFEry ANALYSES, LCO, and APPLICABILITY (continued)Function is not explicitly credited in the safety analyses as a primary reactor trip, this Function compliments the Power Range Neutron Flux - High and Low Setpoint trip Functions to ensure that theapplicable acceptance criteria are met for a rod ejection from the power range.The LCO requires all four of the Power Range Neutron Flux - High Positive Rate channels to be OPERABLE.In MODE 1 or 2, when there is a potential to add a large amount of positive reactivity from a rod ejection accident (REA), the PowerRange Neutron Ffux - High Positive Rate trip must be OPERABLE.In MODE 3, 4, 5, or 6, the Power Range Neutron Flux - High Positive Rate trip Function does not have to be OPERABLEbecause other RTS trip Functions and administrative controls willprovide protection against positive reactivity additions. Also, sinceonly the shutdown banks are fully withdrawn in MODE 3 for reactorstartup, the remaining complement of control bank worth ensures asufficient degree of SDM in the event of an REA. In MODE 6, no rods are withdrawn, except for specific activities such as drag testing performed under administrative controls, and the SDM is increased during refueling operations. For the majority of the time the plant is in MODE 6 the reactor vessel head is also removed orthe closure bolts are detensioned preventing any pressure buildup.In addition, the NIS power range detectors cannot detect neutron levels present in this MODE.4. Intermediate Ranqe Neutron FluxThe Intermediate Range Neutron Flux trip Function ensures that protection is provided against an uncontrolled RCCA bank rod withdrawal accident from a subcritical condition during startup. This, trip Function provides redundant protection to the Power RangeNeutron Flux - Low Setpoint trip Function. The lntermediate RangeNeutron Flux trip is not credited in the safety analyses as a primary reactor trip. The NIS intermediate range detectors are located external to the reactor vessel and measure neutrons leaking fromthe core. The NIS intermediate range detectors do not provide any input to control systems. Note that this Function also provides asignal to prevent automatic and manual rod withdrawal prior to initiating a reactor trip. Limiting further rod withdrawal mayterminate the transient and eliminate the need to trip the reactor.Beaver Valley Units 1 and 2 B 3.3.1 - 13 Revision 0 RTS lnstrumentationB 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)The LCO requires two channels of Intermediate Range Neutron Fluxto be OPERABLE. Two OPERABLE channels are sufficient toensure no single random failure will disable this trip Function. The trip Function is accomplished by a one-out-of-two trip logic.Because this trip Function is important only during startup, there is generally no need to disable channels for testing while the Functionis required to be OPERABLE. Therefore, a third channel is unnecessary.ln MODE 1 below the P-10 setpoint, and in MODE 2 above the P-6 setpoint, when there is a potential for an uncontrolled RCCA bankrod withdrawal accident during reactor startup, the IntermediateRange Neutron Flux trip must be OPERABLE. Above the P-10setpoint, the Power Range Neutron Flux - High Setpoint trip and thePower Range Neutron Flux - High Positive Rate trip provide core protection for a rod withdrawal accident. In MODE 2 below the P-6setpoint, the Source Range Neutron Flux Trip provides the primary core protection for reactivity accidents. ln MODE 3, 4, or 5, thelntermediate Range Neutron Flux trip does not have to beOPERABLE. In MODE 3 with the RCS temperature > 500"F, thePower Range Neutron Flux - Low trip Function provides the protection for an uncontrolled RCCA bank withdrawal event from low power or subcritical conditions. ln MODE 3 with any RCS cold leg temperature < 500oF, and in MODES 4 and 5, LCO 3.1.10,"RCS Boron Limitations < 500'F," requires that the RCS boronconcentration be greater than the all-rods-out (ARO) critical boronconcentration to ensure that sufficient SHUTDOWN MARGIN is available if an uncontrolled RCCA bank withdrawal event were tooccur. In MODE 6, all rods are fully inserted, except for specificactivities such as drag testing performed under administrative controls, and the core has an increased SDM. Also, the NIS intermediate range detectors cannot detect neutron levels present inthis MODE.5. Source Ranqe Neutron FluxThe LCO requirement for the Source Range Neutron Flux tripFunction ensures that protection is provided against an uncontrolled RCCA bank rod withdrawal accident from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux - Low trip Function. ln MODES 3,4,and 5, administrative controls also prevent the uncontrolled withdrawal of rods. The NIS source range detectors are locatedBeaver Valley Units 1 and 2 B 3.3.1 - 14Revision 0 RTS lnstrumentationB 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)external to the reactor vessel and measure neutrons leaking fromthe core. The NIS source range detectors do not provide any inputsto control systems. The source range trip is the only RTS automatic protection function required in MODES 3 (with any RCS cold leg temperature < 500'F), 4, and 5 when rods are capable of withdrawal or one or more rods are not fully inserted.In MODE 3 with the RCS temperature > 500oF, the Power RangeNeutron Flux - Low trip Function provides protection for an uncontrolled RCCA bank withdrawal or control rod ejection eventfrom low power or subcritical conditions.In MODE 3 with any RCS cold leg temperature < 500oF, and in MODES 4 and 5, LCO 3.1.10 requires that the RCS be borated to greater than the ARO critical boron concentration to ensure that sufficient SHUTDOWN MARGIN is available to mitigate an uncontrolled RCCA bank withdrawal event or control rod ejection event. Therefore, the safety analyses do not take explicit credit forthe Source Range Neutron Flux trip Function as a primary trip to mitigate an uRcontrolled RCCA bank withdrawal or control rod ejection event. LCO 3.1.10 ensures that sufficient SHUTDOWN MARGIN is available if an uncontrolled RCCA bank withdrawal orcontrol rod ejection event were to occur.The reliance on the boron limitation of LCO 3.1.10 when the RCS temperature is below 500"F in MODES 3, 4, and 5 and the Power Range Neutron Ffux - Low trip Function when the RCS temperature is > 500"F in MODE 3, to address an uncontrolled RCCA bank withdrawal accident, is consistent with the guidance of Westinghouse Nuclear Safety Advisory Letter 00-016 (Ref. 6).The Source Range Neutron Flux Function provides protection for control rod withdrawal from subcritical: boron dilution (during startup) and control rod ejection events. The trip Function is accomplished by a one-out-of-two trip logic.Alternate source range neutron flux detectors may be used in placeof the primary NIS source range neutron flux detectors as long asthe required source range indication and trip functions are provided by the alternate detectors.Beaver Valley Units 1 and 2 B 3.3.1 - 15Revision 0 RTS InstrumentationB 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) In MODE 2 below the P-6 setpoint and in MODES 3, 4, and 5 whenthere is a potential for an uneontrolled RCCA bank rod withdrawal accident, the Source Range Neutron Flux trip must be OPERABLE. Two OPERABLE channels are sufficient to ensure no single random failure will disable this trip Function. Above the P-6 setpoint, the Intermediate Range Neutron Flux trip and the Power Range Neutron Flux - Low trip will provide core protection for reactivity accidents.Above the P-6 setpoint, the NIS source range detectors are de-energized. In MODES 3,4, and 5 with all rods fufly inserted and the RodControl System not capable of rod withdrawal, and in MODE 6, theoutputs of the Function to the RTS logic are not requiredOPERABLE. The requirements for the NIS source range detectors to monitor core neutron levels and provide indication of reactivity changes that may occur as a result of events like a boron dilutionore addressed in LCO 3.3.8 "Boron Dilution Detection lnstrumentation,'f for MODE 3,4, or 5 and LCO 3.9.2, "Nuclearlnstrumentation," for MODE

6.6. Overtemperature

AT The Overtemperature AT trip Function ls provided to ensure that thedesign limit DNBR is met. This trip Function also limits the range over which the Overpower AT trip Function must provide protection.The inputs to the Overtemperature AT trip include pressure, coolant temperature, axial power distribution, and reactor power as indicated by foop AT assuming full reactor coolant flow. Protectionfrom violating the DNBR limit is assured for those transients that are slow with respect to delays from the core to the measurementsystem. The Function monitors both variation in power and flowsince a decrease in flow has the same effect on AT as a powerincrease. The Overtemperature AT trip Function uses each loop's AT as a measure of reactor power and is compared with a setpointthat is automatically varied with the following parameters: reactor coolant average temperature - the nominal trip setpointis varied to correct for changes in coolant density and specific heat capacity with changes in coolant temperature,pressurizer pressure - the nominal trip setpoint is varied to correct for changes in system pressure, andBeaver Valley Units 1 and 2 B 3.3.1 - 16Revision 0 RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued). axial power distribution - f(Al), the nominal trip setpoint is varied to account for imbalances in the axial power distribution as detected by the NIS upper and lower power range detectors. lf axial peaks are greater than the design limit, as indicated by the difference between the upper and lower NIS power rangedetectors, the trip setpoint is reduced in accordance with Note 1 (Unit 1) and Note 3 (Unit 2'1 of Table 3.3.1-1.Dynamic compensation is included for system piping delays fromthe core to the temperature measurement system.The Overtemperature AT trip Function is calculated for each loop as described in Note 1 (Unit 1 ) and Note 3 (Unit 2) in Table 3.3.1-1 . Trip occurs if Overtemperature AT is indicated in two loops. The pressure and temperature signals are used for other control functions. The actuation logic can withstand an input failure to thecontrol system, which may then require the protection functionactuation, and a single failure in the other channels providing the protection function actuation. In order to meet this requirement withthree channels of T"un and AT, functional separation between the protection and control systems is accomplished by the use of a median signal selector switch. Note that this Function also providesa signal to generate a turbine runback prior to reaching the tripsetpoint. A turbine runback will reduce turbine power and reactor power. A reduction in power will normally alleviate theOvertemperature AT condition and may prevent a reactor trip.The LCO requires three channels of the Overtemperature AT trip Function to be OPERABLE. An OPERABLE hot leg channelconsists of:

1) three RTDs per hot leg, or 2) two RTDs per hot legwith the failed RTD disconnected and the required bias applied.

Thetrip Function is accomplished by a two-out-of-three trip logic. Note that the Overtemperature AT Function receives input from channelsshared with other RTS Functions. Failures that affect multipleFunctions require entry into the Conditions applicable to all affected Functions.ln MODE 1 or 2,the Overtemperature AT trip must be OPERABLE to prevent a violation of the safety limit DNBR. 1n MODE 3, 4, 5,or 6, this trip Function does not have to be OPERABLE because thereactor is not operating and there is insufficient heat production tobe concerned about DNB. Beaver Valley Units 1 and 2B 3.3.1 - 17 Revision 0 RTS InstrumentationB 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

7. Overpower AT The Overpower AT trip Function ensures that protection is provided to ensure the integrity of the fuel (i.e., no fuel pellet melting and lessthan 1% cladding strain) under all possible overpower conditions.This trip Function also limits the required range of theOvertemperature AT trip Function and provides a backup to thePower Range Neutron Flux - High Setpoint trip. The Overpower AT trip Function ensures that the allowable heat generation rate (kw/ft)of the fuel is not exceeded. lt uses the AT of each loop as ameasure of reactor power with a setpoint that is automatically variedwith the following parameters:. reactor coolant average temperature - the nominal Trip Setpointis varied to correct for changes in coolant density and specificheat capacity with changes in coolant temperature, and o rote of change of reactor coolant average temperature

-including dynamic compensation for the delays between thecore and the temperature measurement system.The Overpower AT trip Function is calculated for each loop as perNote 2 (Unit 1) and Note 4 (Unit 2) in Table 3.3.1-1. Trip occurs ifOverpower AT is indicated in two loops. The temperature signalsare used for other control functions. The actuation logic can withstand an input failure to the control system, which may then require the protection function actuation and a single failure in theremaining channels providing the protection function actuation. ln order to meet this requirement with three channels of Tuun and AT, functional separation between the protection and control systems isaccomplished by the use of a median signal selector switch. Notethat this Function also provides a signal to generate a turbine runback prior to repching the nominal Trip Setpoint. A turbinerunback will reduce turbine power and reactor power. A reduction in power will normally alleviate the Overpower AT condition and may prevent a reactor trip.The LCO requires three channels of the Overpower AT trip Functionto be OPERABLE. An OPERABLE hot leg channel consists of: 1) three RTDs per hot leg, or 2) two RTDs per hot leg with the failedRTD disconnected and the required bias applied. Note that theOverpower AT trip Function receives input from channels sharedwith other RTS Functions, Failures that affect multiple Functions require entry into the Conditions applicable to all affected Functions.The trip Function is accomplished by a two-out-of-three trip logic.Beaver Valley Units 1 and 2B 3.3.1 - 18Revision 0 RTS InstrumentationB 3.3.1 BASES APPLICABLE SAFEry ANALYSES, LCO, and APPLICABILITY (continued) ln MODE 1 or 2, the Overpower AT trip Function must beOPERABLE. These are the only times that enough heat is generated in the fuel to be concerned about the heat generation rates and overheating of the fuel: In MODE 3, 4, 5, or 6, this trip Function does not have to be OPERABLE because the reactor is not operating and there is insufficient heat production to be concerned about fuel overheating and fuel damage.

8. Pressurizer Pressure The same sensors provide input to the Pressurizer Pressure - High and - Low trips and the Overtemperature AT trip. A separatecontrol channel provides input to the Pressurizer Pressure ControlSystem. Therefore, the actuation logic can withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation.a. Pressurizer Pressure - LowThe Pressurizer Pressure - Low trip Function ensures that protection is provided against violating the DNBR limit due to low pressure.The LCO requires three channels of Pressurizer Pressure - Lowto be OPERABLE.

The trip Function is accomplished by a two-out-of-three trip logic.ln MODE 1, when DNB is a major concern, the Pressurizer Pressure - Low trip must be OPERABLE. This trip Function is automatically enabled on increasing power by the P-7 interlock(NlS power range P-10 or turbine First Stage pressure greaterthan P-13). On decreasing power, this trip Function isautomatically blocked befow P-7. Below the P-7 setpoint, no conceivable power distributions can occur that would cause DNB concerns.b. Pressurizer Pressure - HiqhThe Pressurizer Pressure - High trip Function ensures that protection is provided against overpressurizing the RCS. Thistrip Function operates in conjunction with the pressurizer reliefand safety valves to prevent RCS overpressure conditions. Beaver Valley Units 1 and 2B 3.3.1 - 19Revision 0 RTS InstrumentationB 3.3.1 BASES APPLICABLE SAFEry ANALYSES, LCO, and APPLICABf LITY (continued) The LCO requires three channels of the Pressurizer Pressure -High to be OPERABLE. The trip Function is accomplished by atwo-out-of-three trip logicThe Pressurizer Pressure - High LSSS is selected to be below the pressurizer safety valve actuation pressure and above the power operated relief valve (PORV) setting. This setting minimizes challenges to safety valves while avoiding anunnecessary reactor trip for those pressure increases that canbe controlled by the PORVS.In MODE 1 or 2, the Pressurizer Pressure - High trip must beOPERABLE to help prevent RCS overpressurization and minimize challenges to the relief and safety valves. In MODE 3, 4,5, or 6, the Pressurizer Pressure - High trip Function does nothave to be OPERABLE because transients that could cause an overpressure condition will be slow to occur. Therefore, the operator will have sufficient time to evaluate unit conditions andtake corrective actions. Additionally, the Overpressure Protection System (OPPS) provides overpressure protection inMODE 4 and below when any RCS cold leg temperature is L Pressurizer Water Level - HiqhThe Pressurizer Water Level - High trip Allowable Value in Table 3.3.1-1 is specified in oh of instrument span. The PressurizerWater Level - High trip Function provides a backup signal for the Pressurizer Pressure - High trip and also provides protection againstwater relief through the pressurizer safety valves. These valves aredesigned to pass steam in order to achieve their design energyremoval rate. A reactor trip is actuated prior to the pressurizerbecoming water solid. The Pressurizer Water Level - High,trip Function is not credited in any safety analyses as the primary reactor trip. The LCO requires three channels of Pressurizer Water Level - High to be OPERABLE. The trip Function is accomplishedby a two-out-of-three trip logic. The pressurizer level channels are used as input to the Pressurizer Level Control System. A fourth channel is not required to address control/protection interactionconcerns. The level channels do not actuate the safety valves, andthe high pressure reactor trip is set below the safety valve setting.Therefore, with the slow rate of charging available, pressureovershoot due to level channel failure cannot cause the safety valve to lift before a reactor high pressure trip.Beaver Valley Units 1 and 2 B 3.3.1 - 2ARevision 0 RTS InstrumentationB 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) 10.In MODE 1 , when there is a potential for overfilling the pressurizer, the Pressurizer Water Level - High trip must be OPERABLE. Thistrip Function is automatically enabled on increasing power by theP-7 interlock. On decreasing power, this trip Function is automatically blocked below P-7. Below the P-7 setpoint, transientsthat could raise the pressurizer water level will be slow and theoperator will have sufficient time to evaluate unit conditions and takecorrective actions The Reactor Coolant Flow - Low trip Allowable Value inTabf e 3.3.1-1 is specified in oh of indicated loop flow. The ReactorCoolant Flow - Low trip Function ensures that protection is provided against violating the DNBR limit due to low flow in one or more RCSloops, while avoiding reactor trips due to normal variations in loopflow. Above the P-7 setpoint, the reactor trip on low flow in two orrnore RCS loops is automatically enabled. Above the P-8 setpoint, specified in the LRM, a foss of flow in any RCS loop will actuate areactor trip. Each RCS loop has three flow detectors to monitorflow. The flow signals are not used for any control system input.The LCO requires three Reactor Coolant Flow - Low channels per loop to be OPERABLE in MODE 1 above P-7. The trip Function is accomplished by a two-out-of-three trip logic in each loop.In MODE 1 above the P-8 setpoint, a loss of flow in one RCS loop could result in DNB conditions in the core because of the higher power level. In MODE 1 below the P-8 setpoint and above the P-7setpoint, a loss of flow in two or more loops is required to actuate areactor trip because of the lower power level and the greater margin to the design limit DNBR. Below the P-7 setpoint, all reactor trips on ,low flow are automatically blocked since there is insufficient heat production to generate DNB conditions. Reactor Coolant Pump (RCP) Breaker PositionThe RCP Breaker Position trip Function consists of one set ofauxiliary contacts on each RCP breaker. The Function anticipates the Reactor Coolant Flow - Low trips to avoid RCS heatup that would occur before the low flow trip actuates. The RCP BreakerPosition trip Function is not credited in any safety analyses as the primary reactor trip.11.Beaver Valley Units 1 and 2B 3.3.1 - 21Revision 0 RTS InstrumentationB 3.3.1 BASES APPLICABLE SAFEry ANALYSES, LCO, and APPLICABILITY (continued)The RCP Breaker Position trip Function ensures that protection is Brovided against violating the DNBR limit due to a loss of flow in two or more RCS loops. The position of each RCP breaker is monitored. Above the P-7 setpoint, a loss of flow in two or moreloops will initiate a reactor trip. As such, the trip Function is accomplished by a two-out-of-three trip logic. This trip Function will generate a reactor trip before the Reactor Coolant Flow - Low (Two Loops) Trip Setpoint is reached.The LCO requires one RCP Breaker Position channel per RCP tobe OPERABLE. One OPERABLE channel is sufficient for this Function because the RCS Flow - Low trip alone provides sufficient protection of the DNBR limit for loss of flow events. The RCPBreaker Position trip serves only to anticipate the low flow trip,minimizing the thermal transient associated with loss of two RCPs.This Function measures only the discrete position (open or closed) of the RCP breaker, using a position switch. Therefore, theFunction has no adjustable trip setpoint with which to associate an LSSS.ln MODE 1 above the P-7 setpoint, the RCP Breaker Position tripmust be OPERABLE. Below the P-7 setpoint, all reactor trips onloss of flow are automatically blocked since no conceivable powerdistributions could occur that would cause a DNB concern at this fow power level. Above the P-7 setpoint, the reactor trip on loss offlow in two RCS loops is automatically enabled.12. Undervoltaqe Reactor Coolant PumpsThe Undervoltage RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops. The voltage to each RCP is monitored. Above the P-7 setpoint, a loss of voltage detected ontwo or more RCP buses will initiate a reactor trip. As such, the trip Function is accomplished by a two-out-of-three trip logic. This tripFunction will generate a reactor trip before the Reactor Coolant Flow - Low (Two Loops) Trip Setpoint is reached. Time delays are incorporated into the Undervoltage RCP channels to prevent reactortrips due to momentary electrical power transients. The Undervoltage RCP Bus trip Function is not credited in any safetyanalyses as the primary reactor trip.The LCO requires three Undervoltage RCP channels one per bus tobe OPERABLE. Beaver Valley Units 1 and 2B 3.3.1 - 22 Revision 0 RTS lnstrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)In MODE 1 above the P-7 setpoint, the Undervoltage RCP trip mustbe OPERABLE. Below the P-7 setpoint, all reactor trips sn loss of flow are automatically blocked since no conceivable power distributions could occur that would cause a DNB concern at this low power level. Above the P-7 setpoint, the reactor trip on loss of flow in two or more RCS loops is automatically enabled. This Function uses the same relays as the ESFAS Function,"Undervoltage Reactor Coolant Pump (RCP)" start of the auxiliary feedwater (AFW) pumps.13. Underfrequency Reactor Coolant Pumps The Underfrequency RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit due to a lossof flow in two or more RCS loops from a major network frequency disturbance. An underfrequency condition will sfow down the pumps, thereby reducing their coastdown time following a pump trip.The proper coastdown time is required so that reactor heat can be removed immediately after reactor trip. The frequency of each RCPbus is monitored. Above the P-7 setpoint, a loss of frequency detected on two or more RCP buses will initiate a reactor trip. As. -such, the trip Function is accomplished by a two-out-of-three trip logic. This trip Function will generate a reactor trip before the Reactor Coolant Flow - Low (Two Loops) Trip Setpoint is reached. Time delays are incorporated into the Underfrequency RCPs channels to prevent reactor trips due to momentary electrical power transients. The Underfrequency RCP Bus trip Function is notcredited in any safety analyses as the primary reactor trip.The LCO requires three Underfrequency RCPs channels, one per bus, to be OPERABLE. ln MODE 1 above the P-7 setpoint, the Underfrequency RCPs trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since no conceivable power distributions could occur that would cause a DNB concern at this low power level. Above the P-7 setpoint, the reactor trip on loss of flow in two or more RCS loops is automatically enabled.Beaver Valley Units 1 and 2 B 3 3.1 -23 Revision 0 RTS lnstrumentationB 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) 14.Steam Generator Water Level - Low Low The SG Water level - Low Low trip Function Allowable Value in Table 3.3.1-1 is specified in o/o of narrow range instrument span foreach SG. The SG Water Level - Low Low trip Function ensures that protection is provided against a loss of heat sink and actuates the AFW System prior to uncovering the SG tubes. The SGs are theheat sink for the reactor. ln order to act as a heat sink, the SGs must contain a minimum amount of water. A narrow range low lowlevel in any SG is indicative of a loss of heat sink for the reactor.The level transmitters provide input to the SG Level Control System. Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Functional separation between the protection and control systems is accomplished by theuse of a median selector switch. This Function also performs the ESFAS function of starting the AFW pumps on low low SG level.The LCO requires three channels of SG Water Level - Low Low perSG to be OPERABLE. The trip Function is accomplished by a two-out-of-three trip logic on any SG.ln,MODE 1 or 2, when the reactor requires a heat sink, the SG Water Level - Low Low trip must be OPERABLE. ln MODE 3, 4, 5,or 6, the SG Water Level - Low Low Function does not have to be OPERABLE because the reactor is not operating or even critical.Turbine Trip a. Turbine Trip - Low Fluid Oil Pressure The Turbine Trip - Low Fluid Oil Pressure trip Function anticipates the loss of heat removal capabilities of the secondary system following a turbine trip. This trip Function acts to minimize the pressure/temperature transient on the reactor. Any turbine trip from a power level below the P-9 setpoint, specified in the LRM, will not actuate a reactor trip. Three pressure switches monitor the Unit 1 Auto Stop oil pressure and three pressure switches monitor the Unit 2 Emergency Trip Header pressure. A low pressure condition sensed by two-out-of-three pressure switches will actuate a reactor trip. These pressure switches do not provide any input to the control system. The unit is designed to withstand a complete loss of load and not 15.Beaver Valley Units 1 and 2 B 3.3.1 - 24 Revision 0 RTS InstrumentationB 3.3.1 BASES APPLICABLE SAFEIY ANALYSES, LCO, and APPLICABILITY (continued) sustain core damage or challenge the RCS pressure limitations. Core protection is provided by the Pressurizer Pressure - High trip Function and RCS integrity is ensured by the pressurizersafety valves. The Turbine Trip Function is not credited in any safety analyses as the primary reactor trip.The LCO requires three channels of Turbine Trip - Low Fluid Oil Pressure to be OPERABLE in MODE 1 above P-9.Below the P-9 setpoint, a turbine trip does not actuate a reactor trip. ln MODE 2,3,4,5, or 6, there is no potential for a turbine trip, and the Turbine Trip - Low Fluid Oil Pressure trip Function does not need to be OPERABLE.

b. Turbine Trip - Turbine Stop Valve ClosureThe Turbine Trip - Turbine Stop Valve Closure trip Functionanticipates the loss of heat removal capabilities of the secondarysystem following a turbine trip from a power level above the P-9setpoint specified in the LRM. Below the P-9 setpoint, theTurbine Trip Function will not actuate a reactor trip. The trip Function anticipates the loss of secondary heat removalcapability that occurs when the stop valves close. Tripping thereactor in anticipation of loss of secondary heat removal acts tominimize the pressure and temperature transient on the reactor.This trip Function will not and is not required to operate in the presence of a single channel failure. The unit is designed to withstand a complete loss of load and not sustain core damageor challenge the RCS pressure limitations. Core protection is provided by the Pressurizer Pressure - High trip Function, andRCS integrity is ensured by the pressurizer safety valves. Thistrip Function is diverse to the Turbine Trip - Low Fluid Oil Pressure trip Function. Each turbine stop valve is equipped with one limit switch that inputs to the RTS.

lf all four limit switchesindicate that the stop valves are all closed, a reactor trip is initiated. The Turbine Trip Function is not credited in any safetyanalyses as the primary reactor trip.The LSSS for this Function is set to assure channel trip occurswhen the associated stop valve is completely closed. The setpoint for the Turbine Trip - Turbine Stop Valve Closurechannels is the only RTS setpoint that is not a nominal trip setpoint with a calibration tolerance. The setpoint for this Function contains an inequality similar to the Allowable Value in Beaver Valley Units 1 and 2 B 3.3.1 - 25 Revision 0 RTS InstrumentationB 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)the Technical Specification. The trip setpoint is adjusted to beconsistent with the trip setpoint value specified in the LRM in lieuof adjusting the setpoint to be within an established calibrationtolerance band.The LCO requires four Turbine Trip - Turbine Stop ValveClosure channels, one per valve, to be OPERABLE in MODE 1above P-9. All four channels must trip to cause reactor trip.Below the P-9 setpoint, a load rejection can be accommodated by the Steam Dump System. In MODE 2,3,4,5, or 6, there is no potential for a load rejection, and the Turbine Trip - Stop Valve Closure trip Function does not need to be OPERABLE.16. Safetv Injection Input from Enqineered Safetv Feature Actuation Svstem The Sl lnput from ESFAS ensures that if a reactor trip has notalready been generated by the RTS, the ESFAS automaticactuation logic will initiate a reactor trip upon any signal that initiates Sl. Typically, transients and accidents take credit for varying levelsof ESF performance and rely upon rod insertion, except for the mostreactive rod that is assumed to be fully withdrawn, to ensure reactorshutdown. The large break LOCA analysis does not rely upon rod insertion and credits the voiding of the core to shutdown the reactor.Therefore, a reactor trip is initiated every time an Sl signal is present.As the requirements for the ESFAS instrument channels, includingactuation logic and Allowable Values are specified separately in LCO 3.3.2, there are no trip setpoint and Allowable Valuesapplicable to this RTS Function. The Sl lnput is provided by theESFAS logic. Therefore, there is no measurement signal with whichto associate an LSSS.The LCO requires two trains of Sl lnput from ESFAS to beOPERABLE in MODE 1 or 2.A reactor trip is initiated every time an Sl signal is present.Therefore, this trip Function must be OPERABLE in MODE 1 or 2, when the reactor is critical, and must be shut down in the event ofan accident. 1n MODE 3,4,5, or 6, the reactor is not critical, andthis trip Function does not need to be OPERABLE. Beaver Valley Units 1 and 2 B 3.3.1 - 26Revision 0 RTS InstrumentationB 3.3.1 BASES APPLICABLE SAFEry ANALYSES, LCO, and APPLICABILITY (continued)17. Reactor Trip Svstem lnterlocks Reactor protection interlocks are provided to ensure reactor trips arein the correct configuration for the current unit status. They back up operator actions to ensure protection system Functions are not bypassed during unit conditions under which the safety analysisassumes the Functions are not bypassed. Therefore, the interlockFunctions do not need to be OPERABLE when the associated reactor trip functions are outside the applicable MODES. These are:a. fntermediate Ranqe Neutron Flux. P-6The lntermediate Range Neutron Flux, P-6 interlock is actuated when any NIS intermediate range channel goes approximately one decade above the minimum channel reading. lf both channels drop below the setpoint, the permissive will automatically be defeated. The LCO requirement for the P-6 interlock ensures that the following Functions are performed: on increasing power, the P-6 interlock allows the manualblock of the NIS Source Range, Neutron Flux reactor trip.This prevents a premature block of the source range trip andallows the operator to ensure that the intermediate range is OPERABLE prior to leaving the source range. When thesource range trip is blocked, the high voltage to thedetectors is also removed, andon decreasing power, the P-6 interlock automatically energizes the NIS source range detectors and enables the NIS Source Range Neutron Flux reactor trip. The LCO requires two channels of lntermediate Range Neutron Flux, P-6 interlock to be OPERABLE in MODE 2 when below theP-6 interlock setpoint.Above the P-6 interlock setpoint, the NIS Source Range Neutron Flux reactor trip will be blocked, and this Function will no longerbe necessary.ln MODE 3, 4, 5, or 6, the P-6 interlock does not have to beOPERABLE because the NIS Source Range is providing core protection. Beaver Valley Units 1 and 2 B 3.3.1 - 27Revision 0 RTS lnstrumentationB 3.3.1 BASES APPLICABLE SAFEW ANALYSES, LCO, and APPLICABILITY (continued)b. Low Power Reactor Trips Block. P-7The Low Power Reactor Trips Block, P-7 interlock is actuated byinput from either the Power Range Neutron Flux, P-10, or theTurbine First Stage Pressure , P-13 interlock. The LCOrequirement for the P-7 interlock ensures that the following Functions are performed: (1) on increasing power, the P-7 interlock automatically enables reactor trips on the following Functions:Pressurizer Pressure - Low, Pressurizer Water Level - High,Reactor Coolant Flow - Low (low flow in two or moreRCS loops), r RCPs Breaker Open (two or more RCPs),' Undervoltage RCPs (two or more RCP buses), and Underfrequency RCPs (two or more RCP buses).These reactor trips are only required when operatingabove the P-7 setpoint (as specified in the LRM for the P-10 and P-13 inputs to P-7). The reactor trips provide protection against violating the DNBR limit. Below the P-7 setpoint, the RCS is capable of providing sufficientnatural circufation without any RCP running.on decreasing power, the P-7 interlock automaticallyblocks reactor trips on the following Functions: ,Pressurizer Pressure - Low, Pressurizer Water Level - High,Reactor Coolant Flow - Low (low flow in two or moreRCS loops),. RCP Breaker Position (two or more RCPs),. Undervoltage RCPs (two or more RCP buses), and. Underfrequency RCPs (two or more RCP buses). (2)Beaver Valley Units 1 and 2 B 3.3.1 - 28 Revision 0 RTS lnstrumentationB 3.3.1 BASES APPLIGABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) d.Trip Setpoint and Allowable Value are not applicable to the P-7 interlock because it is a logic Function and thus has no parameter with which to associate an LSSS.The P-7 interlock is a logic Function with train and not channelidentity. Therefore, the LCO requires one channel per train ofLow Power Reactor Trips Block, P-7 interlock to be OPERABLE in MODE 1.The low power tr:ips are blocked below the P-7 setpoint andunbfocked above the P-7 setpoint. In MODE 2,3, 4, 5, or 6,this Function does not have to be OPERABLE because the interlock performs its Function when power level drops belowthe P-7 setpoint, which is in MODE 1. Power Ranqe Neutron Flux. P-8The Power Range Neutron Flux, P-8 interlock setpoint is specified in the LRM and is actuated by two-out-of-four NIS power rangedetectors. The P-8 interlock automatically enables the Reactor Coolant Flow - Low (Single Loop) reactor trip on low flow in one or more RCS loops on increasing power. The LCO requirementfor this trip Function ensures that protection is provided against a loss of flow in any RCS loop that could result in DNB conditions in the core when greater than the P-8 setpoint. On decreasing power, the reactor trip on low flow in any loop is automatically blocked.The LCO requires four channels of Power Range Neutron Flux, P-8 interlock to be OPERABLE in MODE 1.ln MODE 1 , a loss of flow in one RCS loop could result in DNBconditions, so the Power Range Neutron Flux, P-8 interlock must be OPERABLE. In MODE 2, 3, 4,5, or 6, this Functiondoes not have to be OPERABLE because the core is not producing sufficient power to be concerned about DNB conditions.Power Ranqe Neutron Flux, P-9The Power Range Neutron Flux, P-9 interlock setpoint isspecified in the LRM and is actuated by two-out-of-four NIS power range detectors. The LCO requirement for this Function ensures that the Turbine Trip - Low Fluid Oil Pressure (Auto Stop (Unit 1) and Emergency Trip Header (Unit 2)) and TurbineBeaver Valley Units 1 and 2 B 3.3.1 - 29Revision 0 RTS B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) Trip - Turbine Stop Valve Closure reactor trips are enabledabove the P-9 setpoint. Above the P-9 setpoint, a turbine trip will cause a load rejection beyond the capacity of the Steam Dump System. A reactor trip is automatically initiated on a turbine trip when it is above the P-9 setpoint, to minimize thetransient on the reactor. The LCO requires four channels of Power Range Neutron Flux,P-9 interlock to be OPERABLE in MODE 1.In MODE 1, a turbine trip could cause a load rejection beyond the capacity of the Steam Dump System, so the Power Range Neutron Flux interlock must be OPERABLE. ln MODE 2,3, 4,5, or 6, this Function does not have to be OPERABLE becausethe reactor is not at a power level sufficient to have a load rejection beyond the capacity of the Steam Dump System. e.The Power Range Neutron Flux, P-10 interlock setpoint isspecified in the LRM and is actuated by two-out-of-four NIS power range detectors. lf power level falls below the P-10 setpoint on 3 of 4 channels, the nuclear instrument trips will be automaticallyunblocked. The LCO requirement for the P-10 interlock ensures that the following Functions are performed: on increasing power, the P-10 interlock allows the operatorto manually block the lntermediate Range Neutron Flux reactor trip. Note that blocking the reactor trip also blocks the signal to prevent automatic (for Unit 2) and manual rod withdrawal,on increasing power, the P-10 interlock allows the operator to manually block the Power Range Neutron Flux - Low reactor trip,on increasing power, the P-10 interlock automatically provides a backup signal to block the Source Range NeutronFlux reactor trip, and also to de-energize the NIS source range detectors,the P-10 interlock provides one of the two inputs to the P-7 interlock, andon decreasing power, the P-10 interlock automaticallyenables the Power Range Neutron Flux - Low reactor tripand the lntermediate Range Neutron Flux reactor trip (and rod stop).Beaver Valley Units 1 and 2B 3.3.1 - 30Revision 0 RTS lnstrumentationB 3.3.1 BASES APPLICABLE SAFEry ANALYSES, LCO, and APPLICABILITY (continued) The LCO requires four channels of Power Range Neutron Flux,P-10 interlock to be OPERABLE in MODE 1 or 2.OPERABILITY in MODE 1 ensures the Function is available to perform its decreasing power Functions in the event of a reactor shutdown. This Function must be OPERABLE in MODE 2 to ensure that core protection is provided during a startup or shutdown by the Power Range Neutron Flux - Lowand lntermediate Range Neutron Flux reactor trips. In MODE 3, 4, 5, or 6, this Function does not have to beOPERABLE because the reactor is not at power and theSource Range Neutron Flux reactor trip provides core protection.f. Turbine First Stage Pressure, P-13The turbine power (P-13) Allowable Value in Table 3.3.1-1 is specified in % RTP turbine fir,st stage pressure equivalent. TheTurbine First Stage Pressure, P-13 interlock is actuated when the pressure in the first stage of the high pressure turbine is greater than the P-13 setpoint specified in the LRM. This isdetermined by one-out-of-two pressure detectors. TheLCO requirement for this Function ensures that one of the inputsto the P-7 interlock is available.The LCO requires two channels of Turbine First Stage Pressure,P-13 interlock to be OPERABLE in MODE 1 .The Turbine First Stage Pressure, P-13 interlock must beOPERABLE when the turbine Eenerator is operating: The interlock Function is not required OPERABLE in MODE 2,3,4,5, or 6 because the turbine generator is not operating.18. Reactor Trip BreakersThis trip Function applies to the RTBs exclusive of individual tripmechanisms. The LCO requires two OPERABLE trains of tripbreakers. A trip breaker train consists of an OPERABLE RTB.When an RTB bypass breaker is racked in and closed to bypass an RTB, the RTB is no longer capable of performing its safety functionand the bypassed RTB is inoperable. The Action Condition for an inoperable RTB contains Notes that provide additional time forbypassing the RTB for surveillance testing and maintenance. Aracked in and closed bypass breaker and the remaining operable RTB are actuated from the same train of RTS actuation logic.Beaver Valley Units 1 and 2 B3.3 1-31Revision 0 RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFEry ANALYSES, LCO, and APPLICABILITY (continued) 19.Therefore, when bypassing an RTB, the RTB trip Function is no longer single failure proof and the time an RTB can be bypassed islimited in accordance with the applicable RTB Action ConditionNote. ln addition, the bypass breaker is required to-be OPERABLE prior to being placed in service in accordance with SR 3.3.1.4. TwoOPERABLE trains ensure no single random failure can disable theRTS trip capability. These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE3,4, or 5, these RTS trip Functions must be OPERABLE when the Rod Control System is capable ofrod withdrawal or one or more rods are not fully inserted.Reactor Trip Breaker Undervoltage and Shunt Trip MechanismsThe LCO requires both the Undervoltage and Shunt TripMechanisms to be OPERABLE for each RTB that is in service. Thetrip mechanisms are not required to be OPERABLE for trip breakers that are open, racked out, incapable of supplying power to the Rod Control System, or declared inoperable under Function 18 above. OPERABILITY of both trip mechanisms on each breaker ensuresthat no single trip mechanism failure will prevent opening anybreaker on a valid signal.These trip Functions must be OPERABLE in MODE 1 or2 when thereactor is critical. In MODE 3, 4, or 5, these RTS trip Functionsmust be OPERABLE when the Rod Cdntrol System is capable ofrod withdrawal or one or more rods are not fully inserted.Automatic Trip LoqicThe LCO requirement for the RTBs (Functions 18 and 19) andAutomatic Trip Logic (Function

20) ensures that means are providedto automatically interrupt the power to allow the rods to fall into the reactor core. Each RTB is equipped with an undervoltage coil and ashunt trip coil to trip the breaker open when needed. Each RTB isequipped with a bypass breaker to allow testing of the trip breakerwhile the unit is at power. The reactor trip signals generated by theRTS Automatic Trip Logic cause the RTBs and associated bypassbreakers to open and shut down the reactor.The LCO requires two trains of RTS Automatic Trip Logic to beOPERABLE. Having two OPERABLE trains ensures that random failure of a single logic train will not prevent reactor trip.

20.Beaver Valley Units 1 and 2 B 3.3.1 - 32 Revision 0 RTS Instrumentation B 3.3.1 BASES APPLICABLE SAFEry ANALYSES, LCO, and APPLICABILITY (continued)These trip Functions must be OPERABLE in MODE 1or2 when thereactor is critical. ln MODE 3,4, or 5, these RTS trip Functions must be OPERABLE when the Rod Control System is capable ofrod withdrawal or one or more rods are not fully inserted.The RTS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2xii). ACTIONSA Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.1-1. Whenthe required channels in Table 3.3.1 -1 are specified (e.9., on a per steam line, per loop, per SG, etc., basis), then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate. In the event a channel's trip setpoint is found nonconservative withrespect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or trip device is found inoperable, then all affected Functions provided by that channel must be declared inoperable and theLCO Condition(s) entered for the protection Function(s) affected. When the number of inoperable channels in a trip Function exceed thosespecified in one or other related Conditions associated with a tripFunction, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 must be immediately entered if applicable in the current MODEof operation. A.1 Condition A applies to all RTS protection Functions. Condition Aaddresses the situation where one or more required channels or trains forone or more Functions are inoperable at the same time. The RequiredAction is to refer to Table 3.3.1-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.8.1 and 8.2Condition B applies to the Manual Reactor Trip in MODE 1 or 2. Thisaction addresses the train orientation of the SSPS for this Function. Withone channel inoperable, the inoperable channel must be restored toOPERABLE status within 48 hours. ln this Condition, the remainingOPERABLE channel is adequate to perform the safety function.Beaver Valley Units 1 and 2 B 3.3.1 - 33 Revision 0 RTS InstrumentationB 3.3.1 BASES ACTIONS (continued) The Compfetion Time of 48 hours is reasonable considering that there aretwo automatic actuation trains and another manual initiation channel OPERABLE, and the low probability of an event occurring during this interval.lf the Manual Reactor Trip Function cannot be restored to OPERABLEstatus within the allowed 48 hour Completion Time, the unit must bebrought to a MODE in which the requirement does not apply. To achievethis status, the unit must be brought to at least MODE 3 within 6 additional hours (54 hours total time). The 6 additional hours to reachMODE 3 is reasonable, based on operating experience, to reach MODE 3from full power operation in an orderly manner and without challenging unit systems. With the unit in MODE 3, ACTION C would apply to any inoperable Manual Reactor Tr:ip Function if the Rod Control System is capable of rod withdrawal or one or more rods are not fully inserted. C.1, C.2:1. and C.2.2 Condition C applies to the following reactor trip Functions in MODE 3,4, or 5 with the Rod Control System capable of rod withdrawal or one ormore rods not fully inserted: Manual Reactor Trip, RTBs, RTB Undervoltage and Shunt Trip Mechanisms, and Automatic Trip Logic. This action addresses the train orientation of the SSPS for these Functions. With one channel or train inoperable, the inoperable channel or train must be restored to OPERABLE status within 48 hours. lf theaffected Function(s) cannot'be restored to OPERABLE status within theallowed 48 hour Completion Time, the unit must be placed in a MODE inwhich the requirement does not apply. To achieve this status, action must be initiated within the same 48 hours to ensure that all rods are fully inserted, and the Rod Control System must be placed in a condition incapable of rod withdrawal within the next hour. The additional hour provides sufficient time to accomplish the action in an orderly manner.With rods fully inserted and the Rod Control System incapable of rod withdrawal, these Functions are no longer required.The Completion Time is reasonable considering that in this Condition, the remaining OPERABLE train is adequate to perform the safety function, and given the low probability of an event occurring during this interval.Beaver Valley Units 1 and 2B 3.3.1 - 34 Revision 0 RTS lnstrumentationB 3.3.1 BASES ACTIONS (continued)D.1 .1, D.1 .2. D.2.1. D.2.2, and D.3 Condition D applies to the Power Range Neutron Flux - High Function.One NIS power range detector provides input to the Rod Control System and (for Unit 2 only) the SG Water Level Control System and, therefore, a two-out-of-four trip logic is used. A known inoperable channel must be ,placed in the tripped condition. This results in a partial trip condition requiring only one-out-of-three logic for actuation. The 72 hours allowed to place the inoperable channel in the tripped condition is justified in WCAP-14333-P-A, Rev. 1 (Reference 7).In addition to placing the inoperable channel in the tripped condition, THERMAL POWER must be reduced to <75% RTP within 78 hours.Reducing the power level prevents operation of the core with radial power distributlons beyond the design limits. With one of the NIS power range detectors inoperable, 114 of the radial power distribution monitoringcapability is lost. As an alternative to the above actions, the inoperable channel can be placed in the tripped condition within 72 hours and the QPTR monitored once every 12 hours as per SR 3.2.4.2, QPTR verification. Calculating QPTR every 12 hours compensates for the lost monitoring capability due to the inoperable NIS power range channel and allows continued unit operation at power levels >75% RTP. The 12 hour Frequency is consistent with LCO 3.2.4, 'QUADRANT POWER TILT RATIO (QPTR).'As an alternative to the above Actions, the plant must be placed in aMODE where this Function is no longer required OPERABLE. Seventy-eight hours are allowed to place the plant in MODE 3. The 78 hours Completion Time includes 72 hours for channel corrective maintenance, and an additional 6 hours for the MODE reduction required by RequiredAction D.3. This is a reasonable time, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging plant systems. lf Required Actions cannot be completedwithin their allowed Completion Times, LCO 3.0.3 must be entered.The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypass condition for up to 12 hours while performing routine surveillance testing of other channels. The Note also allows placing the inoperable channel in the bypass condition to allowsetpoint adjustments of other channels when required to reduce thesetpoint in accordance with other Technical Specifications. The 12 hourtime limit is justified in Reference 7.Beaver Valley Units 1 and 2B 3.3.1 - 35 Revision 10 RTS InstrumentationB 3.3.1 BASES ACTIONS (continued) Required Action D.2.2 has been modified by a Note which only requires SR 3.2.4.2 to be performed if the Power Range Neutron Flux input to QPTR becomes inoperable. Failure of a component in the Power Range Neutron Flux Channel which renders the High Flux Trip Function inoperable may not affect the capability to monitor QPTR. As such, determining QPTR using the movable incore detectors once per 12 hours may not be necessary. E.1 and E.2 Condition E applies to the following reactor trip Functions:. Power Range Neutron Flux - Low,. Overtemperature AT,Overpower AT,Power Range Neutron Pressurizer Pressure -Flux - High Positive Rate, High, and. SG Water Levef - Low Low.A known inoperable channel must be placed in the tripped condition within 72 hours. Placing the channel in the tripped condition results in a partial trip condition requiring only one-out-of-two logic for actuation of the two-out-of-three trips and one-out-of-three logic for actuation of the two-out-of-four trips. The 72 hours allowed to place the inoperablechannel in the tripped condition is justified in Reference 7.lf the inoperable channel cannot be placed in the trip condition within the specified Completion Time, the unit must be placed in a MODE where these Functions are not required OPERABLE. An additional 6 hours ts allowed to place the unit in MODE 3. Six hours is a reasonable time, based on operating experience, to place the unit in MODE 3 from full power in an orderly manner and without challenging unit systems.The Required Actions have been modified by a Note that allows placingthe inoperable channel in the bypassed condition for up lo 12 hours while performing routine surveillance testing of the other channels. The 12 hour time limit is justified in Reference 7.Beaver Valley Units 1 and 2 B 3.3.1 - 36 Revision 10 RTS lnstrumentationB 3.3.1 BASESACTIONS (continued)F.1 and F.2 Condition F applies to the Intermediate Range Neutron Flux trip whenTHERMAL POWER is above the P-6 setpoint and below the F-10setpoint and one channel is inoperable. Above the P-6 setpoint andbelow the P-10 setpoint, the NIS intermediate range detector performsthe monitoring Functions. lf THERMAL POWER is greater than the P-6setpoint but less than the P-10 setpoint, 24 hours is allowed to reduce THERMAL POWER below the P-6 setpoint or increase to THERMALPOWER above the P-10 setpoint. The NIS lntermediate Range Neutron Flux channels must be OPERABLE when the power level is above thecapability of the source range, P-6, and below the capability of the powerrange, P-10. lf THERMAL POWER is greater than the P-10 setpoint, the NIS power range detectors perform the monitoring and protection functions and the intermediate range is not required. The Completion Times allow for a slow and controlled power adjustment above P-10 or below P-6 and take into account the redundant capability afforded by the redundant OPERABLE channel, and the low probability of its failureduring this period. This action does not require the inoperable channel tobe tripped because the Function uses one-out-of-two logic. Tripping one channel would trip the reactor. Thus, the Required Actions specified inthis Condition are only applicable when channel failure does not result inreactor trip.G.1 and G.2 Condition G applies to two inoperable Intermediate Range Neutron Fluxtrip channels when THERMAL POWER is above the P-6 setpoint andbelow the P-10 setpoint. Required Actions specified in this Condition areonly applicable when channel failures do not result in reactor trip. Abovethe P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detector performs the monitoring Functions. With no intermediate range channels OPERABLE, the Required Actions are to suspend operations involving positive reactivity additions immediately. This will preclude any power level increase since there are no OPERABLE lntermediate RangeNeutron Flux channels. The operator must also reduce THERMAL POWER below the P-6 setpoint within two hours. Below P-6, the SourceRange Neutron Flux channels will be able to monitor the core power level.The Completion Time of 2 hours will allow a slow and controlled power reduction to less than the P-6 setpoint and takes into account the low probability of occurrence of an event during this period that may require the protection afforded by the NIS lntermediate Range Neutron Flux trip.Beaver Valley Units 1 and 2B 3.3.1 - 37Revision 0 RTS InstrumentationB 3.3.1 BASES ACTIONS (continued) Required Action G.1 is modified by a Note to indicate that normal plantcontrol operations that individually add limited positive reactivity (e.9.,temperature or boron fluctuations associated with RCS inventory management, temperature control or plant cooldown to exit the MODE of Applicability and place the plant in a safer condition) are not precluded bythis Action, provided they are accounted for in the calculated SDM.H.1Condition H applies to one inoperable Source Range Neutron Ffux tripchannel when in MODE 2, below the P-6 setpoint, and performing a reactor startup. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. With one of the two channels inoperable, operations involving positive reactivity additionsshall be suspended immediately.This will preclude any power escalation. With only one source rangechannel OPERABLE, core protection is severely reduced and any actionsthat add positive reactivity to the core must be suspended immediately. Required Action H.1 is modified by a Note to indicate that normal plantcontrol operations that individually add limited positive reactivity (e.9.,temperature or boron fluctuations associated with RCS inventory management, temperature control or plant cooldown to exit the MODE of Applicability and place the plant in a safer condition) are not precluded bythis Action, provided they are accounted for in the calculated SDM. t.1Condition I applies to two inoperable Source Range Neutron Flux tripchannels when in MODE 2, below the P-6 setpoint, and in MODE 3,4,or 5 with the Rod Control System capable of rod withdrawal or one ormore rods not fully inserted. With the unit in this Condition, below P-6,the NIS source range performs the monitoring and protection functions.With both source range channels inoperable, the RTBs must be opened immediately. With the RTBs open, the core is in a more stable condition.J.1. J.2.1. and J.2.2Condition J applies to one inoperable source range channel in MODE 3, 4, or 5 with the Rod Control System capable of rod withdrawal or one ormore rods not fully inserled. With the unit in this Condition, below P-6,the NIS source range performs the monitoring and protection functions.With one of the source range channels inoperable, 48 hours is allowed torestore it to an OPERABLE status. lf the channel cannot be returned to Beaver Valley Units 1 and 2B 3.3.1 - 38Revision 0 RTS InstrumentationB 3.3.1 BASES ACTIONS (continued) an OPERABLE status, action must be initiated within the same 48 hours to ensure that all rods are fully inserted, and the Rod Control System must be placed in a condition incapable of rod withdrawal within the next hour.K.1 and K.2 Condition K applies to the following reactor trip Functions:Pressurizer Pressure - Low.Pressurizer Water Level - High,Reactor Coolant Flow - Low.RCP Breaker Position,Undervoltage RCPs, and Underfrequency RCPs. With one channel inoperable, the inoperable channel must be placed in the tripped condition within 72 hours. For the Pressurizer Pressure - Low, Pressurizer Water Level - High, Undervoltage RCPs, Underfrequency RCPs, and RCP Breaker Position trip Functions, placing the channel inthe tripped condition when above the P-7 setpoint results in a partial trip condition requiring only one additional channel to initiate a reactor trip. For the Reactor Coolant Flow - Low (Two Loop) trip Function, placing thechannel in the tripped condition when above the P-B setpoint results in a partial trip condition in one loop requiring only one additional channel inthe same loop to initiate a low flow signal for that loop. For the latter trip Function, two tripped channels in two RCS loops are required to initiate areactor trip when below the P-8 setpoint and above the P-7 setpoint. Thepressurizer pressure low Function and RCS flow related Functions do nothave to be OPERABLE below the P-7 setpoint because there isinsufficient heat production to generate DNB conditions below the P-7setpoint. The pressurizer water level Function is not requiredOPERABLE below the P-7 setpoint, because transients that could raise the pressurizer water level will be slow and the operator will have sufficient time to evaluate unit conditions and take corrective actions. The72 hours allowed to place the channel in the tripped condition is justifiedin Reference 7. An additional 6 hours is allowed to reduce THERMAL POWER to below P-7 tf the inoperable channel cannot be restored toOPERABLE status or placed in trip within the specified Completion Time.Beaver Valley Units 1 and 2 B 3.3.1 - 39 Revision 10 RTS InstrumentationB 3.3.1 BASES ACTIONS (continued) Allowance of this time interval takes into consideration the redundant capability provided by the remaining redundant OPERABLE channel, andthe low probability of occurrence of an event during this period that may require the protection afforded by the Functions associated withCondition K. The Required Actions have been modified by a Note that allows placingthe inoperable channel in the bypassed condition for up ta 12 hours while performing routine surveillance testing of the other channels. The12 hour time limit is justified in Reference 7.L.1 and L.2 Condition L applies to Turbine Trip on Low Fluid Oil Pressure or on Turbine Stop Valve Closure. With one channel inoperable, the inoperable channel must be placed in the trip condition withinT2 hours. lf placed inthe tripped condition, this results in a partial trip condition. lf the channel cannot be restored to OPERABLE status or placed in the trip condition, then power must be reduced below the P-9 setpoint within the next4 hours. The 72 hours allowed to place the inoperable channel in thetripped condition and the 4 hours allowed for reducing power are justifiedin Reference 7 for Turbine Trip on Low Fluid Oil Pressure. Reference 8 justifies the72 hour Completion Time allowed to place an inoperable channel in the tripped condition for Turbine Trip on Turbine Stop Valve Closure.The Required Actions have been modified by a Note that allows placingthe inoperable channel in the bypassed condition for up to 12 hours while performing routine surveillance testing of the other channels. The 12hour time limit is justified in Reference 7 for Turbine Trip on Low Fluid Oil Pressure, and Reference 8 for Turbine Trip on Turbine Stop Valve Closure.M.1 and M.2Condition M applies to the Sl lnput from ESFAS reactor trip and the RTS Automatic Trip Logic in MODES 1 and 2. These actions address the train orientation of the RTS for these Functions. With one train inoperable, 24 hours are allowed to restore the train to OPERABLE status (Required Action M.1)or the unit must be placed in MODE 3 within the next 6 hours. The Completion Time of 24 hours (Required Action M.1) is reasonable considering that in this Condition, the remaining OPERABLE train is adequate to perform the safety function and given the low probability of an event during this interval. The 24 hours allowed to restore the inoperable RTS Automatic Trip Logic Train to OPERABLE status is justified in Reference 7.Beaver Valley Units 1 and 2B 3.3.1 - 40 Revision 10 RTS lnstrumentation B 3.3.1 BASES ACTIONS (continued)The Completion Time of 6 hours (Required Action M.2) is reasonable,based on operating experience, to reach MODE 3 from full power in anorderly manner and without challenging unit systems.The Required Actions have been modified by a Note that allowsbypassing one train up to 4 hours for surveillance testing, provided theother train is OPERABLE.Planned Maintenance and Tier 2 Restrictions Consistent with the NRC Safety Evaluation (SE) requirements for WCAP-14333-P-A, Rev. 1 (Reference 7), Tier 2 insights must be included in thedecision making process before removing an RTS logic train from service and implementing the extended (risk-informed) Completion Time for anRTS logic train approved in Reference 10. These "Tier 2 restrictions" areconsidered to be necessary to avoid risk significant plant configurationsduring the time an RTS logic train is inoperable.Entry into Condition M for an inoperable RTS logic train is not a typical, pre-planned evolution.during the MODES of Appticability for thisequipment, other than when necessary for surveillance testing. SinceCondition M may be entered due to equipment failure, some of the Tier 2 restrictions discussed below may not be met at the time of Condition Mentry. In addition, it is possible that equipment failure may occur after theRTS logic train is removed from service for surveillance testing or planned maintenance, such that one or more of the required fier 2 restrictions areno longer met. In cases of equipment failure, the programs and procedures in place to address the requirements of 10 CFR 50.65(a)(a)require assessment of the emergent condition with appropriate actionstaken to manage risk. Depending on the specific situation, these actionscould include activities to restore the inoperable logic train and exit theCondition, or to fully implement the Tier 2 restrictions, or to perform a unitshutdown, as appropriate from a risk rnanagement perspective.The following fier 2 restrictions on concurrent removal of certainequipment will be implemented as described above when entering Condition M when an RTS logic train is inoperable:. To preserve ATWS mitigation capability, activities that degrade theavailability of the auxiliary feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbinetrip should not be scheduled when a logic train is inoperable. Beaver Valley Units 1 and 2 B 3.3.1 - 41Revision 10 RTS lnstrumentationB 3.3.1 BASESACTIONS (continued) To preserve LOCA mitigation capability, one complete ECCS train that can be actuated automatically must be maintained. Note that Technical Specification 3.5.2, ECCS Operating, ensures that thisrestriction is met. Therefore, this restriction does not have to be implemented by a separate procedure or program.To preserve reactor trip and safeguards actuation capability, activitiesthat cause master relays or slave relays in the available train andactivities that cause analog channels to be unavailable should not bescheduled when a logic train is inoperable. Activities on electrical systems (AC and DC power) and cooling systems (service water and component cooling water) that support thesystems or functions listed in the first three bullets should not bescheduled when a logic train is inoperable. That is, one completetrain of a function that supports a complete train of a function notedabove must be available.N.1 and N.2Condition N applies to the RTBs in MODES 1 and 2. These actionsaddress the train orientation of the RTS for the RTBs. With one train inoperable,24 hours are allowed to restore the train to OPERABLE statusor the unit must be placed in MODE 3 within the next 6 hours. The24 hour Completion Time is justified in Reference 9. The Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challengingunit systems. Placing the unit in MODE 3 results in ACTION C entrywhile RTB(s) are inoperable.The Required Actions have been modified by a Note. The Note allowsone train to be bypassed for up to 4 hours for surveillance testing, provided the other train is OPERABLE. The 4 hours allowed to bypass atrain is justified in Reference 9. Planned Maintenance and Tier 2 Restrictions Consistent with the NRC Safety Evaluation (SE) requirements in WCAP-15376-P-A, Rev. 1 (Reference 9), Tier 2 insights must be included in thedecision making process before removing an RTB train from service and implementing the extended (risk-informed) Completion Time for an RTB train approved in Reference 10. These "Tier 2 restrictions" areconsidered to be necessary to avoid risk significant plant configurationsduring the time an RTB train is inoperable.Beaver Valley Units 1 and 2 8 3.3.1 - 42 Revision 10 RTS Instrumentation B 3.3.1 BASES ACTIONS (continued)Entry into Condition N for an inoperable RTB train is not a typical, pre-planned evolution during the MODES of Applicability for this equipment, other than when necessary for surveillance testing. Since Condition Nmay be entered due to equipment failure, some of the Tier 2 restrictions discussed below may not be met at the time of Condition N entry. Inaddition, it is possible that equipment failure may occur after the RTB train is removed from service for surveillance testing or planned maintenance, such that one or more of the required Tier 2 restrictions areno longer met. In cases of equipment failure, the programs and procedures in place to address the requirements of 10 CFR 50.65(aXa) require assessment of the emergent condition with appropriate actions taken to manage risk. Depending on the specific situation, these actionscould include activities to restore the inoperable RTB train and exit theCondition, or to fully implement the Tier 2 restrictions, or to perform a unit shutdown, as appropriate from a risk management perspective. The following Tier 2 restrictions on concurrent removal of certainequipment will be implemented as described above when entering Condition N when an RTB train is inoperable: The probability of failing to trip the reactor on demand will increasewhen a RTB is removed from service; therefore, systems designed for mitigating an ATWS event should be maintained available. RCS pressure relief (pressurizer PORVs and safety valves), auxiliary feedwater flow (for RCS heat removal), AMSAC, and turbine trip areimportant to ATWS mitigation. Therefore, activities that degrade theavailability of the auxiliary feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbinetrip should not be scheduled when a RTB is inoperable. Due to the increased dependence on the available reactor trip trainwhen one logic train is unavailable, activities that degrade othercomponents of the RTS, including master relays or slave relays, andactivities that cause analog channels to be unavailable, should not be scheduled when a logic train is inoperable. Activities on electrical systems (AC and DC power) that support the systems or functions listed in the first two bullets should not be scheduled when a RTB is inoperable. Beaver Valley Units 1 and 2B 3.3.1 - 43Revision 10 RTS lnstrumentationB 3.3.1 BASES ACTIONS (continued)O.1 and O.2Condition O applies to the P-6 and P-10 interlocks. With one or more cha n nels i nopera ble for one-out-of-two or two-out-of-fou r coi ncidence logic, the associated interlock must be verified to be in its required statefor the existing unit condition within t hour or the unit must be placed in MODE 3 within the next 6 hours. Verifying the interlock status manuallyaccomplishes the interlock's Function. The interlock status may be verified by observation of the associated permissive annunciator/statuswindow(s). The Completion Time of t hour is based on operating experience and the minimum amount of time allowed for manual operator actions. The Completion Time of 6 hours is reasonable, based onoperating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems. The t hour and 6 hour Completion Times are equal to the time allowed by LCO 3.0.3 forshutdown actions in the event of a complete loss of RTS Function.P.1 and P.2 Condition P applies to the P-7, P-8, P-9, and P-13 interlocks. With one or more channels inoperable for one-out-of-two or two-out-of-four coincidence logic, the associated interlock must be verified to be in itsrequired state for the existing unit condition within t hour or the unit must be placed in MODE 2 within the next 6 hours. These actions are conservative for the case where power level is being raised. Verifying theinterlock status manually accomplishes the interlock's Function. The interlock status may be verified by observation of the associated permissiveannunciator/status window(s). The Completion Time of t hour is based onoperating experience and the minimum amount of time allowed formanual operator actions. The Completion Time of 6 hours is reasonable,based on operating experience, to reach MODE 2lrom full power in anorderly manner and without challenging unit systems.Q.1 and Q.2 Condition Q applies to the RTB Undervoltage and Shunt Trip Mechanisms, or diverse trip features, in MODES 1 and 2. With one of the diverse trip features inoperable, it must be restored to an OPERABLE status within 48 hours or the unit must be placed in a MODE where the requirement does not apply. This is accomplished by placing the unit inMODE 3 within the next 6 hours (54 hours total time). The Completion Time of 6 hours is a reasonable time, based on operating experience, toreach MODE 3 from full power in an orderly manner and withoutchallenging unit systems. With the unit in MODE 3, ACTION C wouldapply to any inoperable RTB trip mechanism. The affected RTB shall notbe bypassed while one of the diverse features is inoperable except for theBeaver Valley Units 1 and 2B 3.3.1 - 44 Revision 10 RTS InstrumentationB 3.3.1 BASES ACTIONS (continued) time required to perform maintenance to one of the diverse features. Theallowable time for performing maintenance of the diverse features is2 hours for the reasons stated under Condition N.The Completion Time of 48 hours for Required Action Q.1 is reasonableconsidering that in this Condition there is one remaining diverse featurefor the affected RTB, and one OPERABLE RTB capable of performing the safety function and given the low probability of an event occurringduring this interval.R.1 Condition R applies to one inoperable Power Range Neutron Flux - Low channel in MODE 2 with ker< 1.0, and all RCS cold leg temperatures > 500oF, and RCS boron concentration < the ARO critical boron concentration when the Rod Contr:ol System is capable of rod withdrawal,or one or more rods not fully inserted, and in MODE 3 with all RCS coldleg temperatures > 500"F, and the RCS boron concentration is < the AROcritical boron concentration when the Rod Control System is capable ofrod withdrawal, or one or more rods are not fully inserted. The inoperable channel must be placed in the tripped condition within 72 hours. Placingthe channel in the tripped condition results in a partial trip conditionrequiring only a one-out-of-three logic for actuation of this reactor tripfunction. The 72 hours to place the inoperable channel in the tripped condition is justified in Reference 7.The Required Action is modified by a Note. The Note allows placing an inoperable channel in the bypassed condition for up to 12 hours while performing routine surveillance testing of the other channels. The12 hour time limit is justified in Reference 7.and S.2lf the inoperable channel can not be placed in the tripped condition withinthe specified Completion Time, or if two or more channels are inoperable,action must be initiated immediately to fully insert all rods, and to makethe rods incapable of rod withdrawal. This action will preclude an uncontrolled RCCA bank withdrawal accident from occurringRequired Action S.2 provides an alternative to Required Actions S.1.1and S.1.2. lf the inoperable channel can not be placed in the tripped condition within the specified Completion Time, or if two or more channelsare inoperable, action must be initiated to borate the RCS to > the ARO critical boron concentration. Borating the RCS to > the ARO critical boronconcentration would provide sufficient SHUTDOWN MARGIN, if anuncontrolled RCCA bank withdrawal accident were to occur. s.1 s.1Beaver Valley Units 1 and 2 B 3.3.1 - 45 Revision 10 RTS InstrumentationB 3.3.1 BASES SURVEILLANCE REQUIREMENTS The SRs for each RTS Function are identified by the SRs column ofTable 3.3.1-1 for that Function.A Note h,as been added to the SR Table stating that Table 3.3.1-1 determines which SRs apply to which RTS Functions.Note that each channel of process protection supplies both trains of the RTS. When testing Channel l, Train A and Train B must be examined.Similarly, Train A and Train B must be examined when testing ChannelChannel lll, and Channel lV (if applicable). The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies.sR 3.3.1 .1Performance of the CHANNEL CHECK once every 12 hours ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECKis normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. lt is based on the assumption that instrument channels monitoring the same parameter should readapproximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift inone of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying thatthe lnstrumentation continues to operate properly between each CHANNEL CALIBRATION.Agreement criteria are determined by the unit staff based on acombination of the channel instrument uncertainties, including indication and readability. lf a channel is outside the criteria, it may be an indicationthat the sensor or the signal processing equipment has drifted outside its limit.The Frequency is based on operating experience that demonstrates channelfailure is rare. The CHANNEL CHECK supplements less formal,but more frequent, checks of channels during normal operational use ofthe displays associated with the LCO required channels,sR 3.3.1 ,2SR 3.3.1.2 compares the calorimetric heat balance calculation to the power range channel output every 24 hours. lf the calorimetric heatbalance calculation results exceed the power range channel output bymore than + 2o/o RTP, the power range is not declared inoperable, but must be adjusted. The power range channel output shall be adjusted consistent with the calorimetric heat balance calculation results if the Beaver Valley Units 1 and 2B 3.3.1 - 46 Revision 10 RTS lnstrumentationB 3.3.1 BASES SURVEIl-LANCE REQUIREMENTS (continued) calorimetric calculation exceed the power range channel output by more than + 2o/o RTP. lf the power range. channel output cannot be properly adjusted, the channel is declared inoperable.lf the calorimetric is performed at part power (< 7oo/o RTP); adjusting the power range channel indication in the increasing power direction willassure a reactor trip below the safety analysis lirnit. Making noadjustment to the power range channel in the decreasing power directiondue to a part power calorimetric assures a reactor trip consistent with thesafety analyses. This allowance does not preclude making indicated power adjustments, if desired, when the calorimetric heat balance calculation is less than the power range channel output. To provide closeagreement between indicated power and to preserve operating margin, the power range channels are normally adjusted when operating at ornear full power during steady-state conditions. However, discretion must be exercised if the power range channel output is adjusted in the decreasing power direction due to a part power calorimetric (< 70% RTP).This action may introduce a non-conservative bias at higher power levelsthat may result in a Power Range Neutron Flux - High reactor trip abovethe safety analysis limit. The cause of the potential non-conservative bias is the decreased accuracy of the calorimetric at reduced power conditions. The primary error contributor to the instrument uncertainty fora secondary side power calorirnetric measurement is the feedwater flow measurement, which is typically a AP measurement across a feedwaterventuri. While the measurement uncertainty remains constant in AP as power decreases, when translated into flow, the uncertainty increases asa square term. Thus a 1o/o flow error at 100% power can-approach a fi%flow error at 30% RTP even though the AP error has not changed. Thisbias error is not present when using the leading edge flow meter (LEFM)to determine feedwater flow for performing the secondary side power calorimetric. However, when using the LEFM for performing thesecondary side power calorimetric, the requirements of thls SR assure a power range channel output and reactor trip funciion that are conservative with respect to the assumptions of the safety analysesdesgibed above. An evaluation of extended operation at part power conditions wouldconclude that it is prudent to administratively adjust the setpoint of thePower Range Neutron Flux - High bistables to < 85% RTP when: 1) the power range channel output is adjusted in the decreasing power directiondue to a part power calorimetric below 70Yo RTP; or 2) for a post refuelingstartup. The evaluation of extended operation at part power conditionswould also conclude that the potential need to adjust the indication of thePower Range Neutron Flux in the decreasing power direction is quite Beaver Valley Units 1 and 2 B 3.3.1 - 47 Revision 10 RTS lnstrumentationB 3.3.1 BASESSURVEI LLANCE REQU I REMENTS (continued) small, primarily to address operation in the intermediate range about P-10 (nominally 10oh RTP) to allow enabling of the Power Range Neutron Flux- Low setpoint and the Intermediate Range Neutron Flux reactor trips.Before the Power Range Neutron Flux - High bistables are reset to anominal value specified in the LRM, the power range channel adjustmentmust be confirmed based on a calorimetric performed at>-70o/o RTP.The Note clarifies that this Surveillance is required only if reactor power is> 15% RTP and that 24 hours are allowed for performing thefirst Surveif lance after reaching 15% RTP. A power level of 15% RTP ischosen based on plant stability, i.e., automatic rod control capability and turbine generator synchronized to the grid.The Frequency of every 24 hours is adeqUate. lt is based on unitoperating experience, considering instrument reliability and operatinghistory data for instrument drift. Together these factors demonstrate thata difference between the calorimetric heat balance calculation and the power range channel output of more than + Za/o RTP is not expected in any 24 hours period.In addition, control room operators periodically monitor redundantindications and alarms to detect deviations in channel outputs.sR 3.3.1 .3SR 3.3.1 .3 compares the incore system to the NIS channel output every 31 EFPD. lf the absolute difference is > 3%, the NIS channel is still OPERABLE, but must be readjusted (normalized) based on the incore surveillance data. The excore NIS channel shall be adjusted if the absolute difference between the incore and excore AFD is > 3%.lf the NIS channel cannot be properly readjusted, the channel is declaredinoperable. This Surveillance is performed to periodically verify the f(Al)input to the overtemperature AT Function. The Surveillance is assigned to both the Power Range Neutron Flux High and OTAT RTS Functions toassure all 4 NIS channels are verified and adjusted, if necessary.A Note clarifies that the Surveillance is required when reactor power is>- 5Ao/o RTP and that 7 days are allowed to perform the Surveillance and channel adjustment, if necessary, after reaching 5A% RTP. A power level of > 50% RTP is consistent with the requirements of SR 3.3.1.9. The performance of SR 3.3.1.9 may be used to satisfy the requirements ofSR 3.3.1.3. SR 3.3.1.9 may be performed in lieu of SR 3.3.1.3 sinceSR 3.3.1.9 calibrates (i.e., requires adjustment of) the excore channelsbased on incore surveillance data and therefore envelopes the performance of SR 3.3.1 .3.Beaver Valley Units 1B 3.3.1 - 48 Revision 10 RTS lnstrumentationB 3.3.1 BASES SURVEILLANCE REQUI REM ENTS (continued)For each operating cycle, the initial channel normalization is performed inaccordance with SR 3.3.1.9. Subsequent periodic verification at aFrequency of every 31 EFPD is adequate to ensure the NIS channels remain calibrated. lt is based on unit operating experience, consideringinstrument reliability and operating history data for instrument drift. Also,the slow changes in neutron flux during the fuel cycle can be detectedduring this interval.sR 3.3.1 .4SR 3.3.1.4 is the performance of a TADOT every 62 days on aSTAGGERED TEST BASIS. This test shall verify OPERABILITY by actuation of the end devices. A successful test of any required contact(s)of a channel relay may be performed by the verification of the change ofstate of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification Surveil lance Requ irements.The RTB test shall include separate verification of the undervoltage and shunt trip mechanisms. Independent verification of RTB undervoltageand shunt trip Function is not required for the bypass breakers. No capability is provided for performing such a test at power. The independent test for bypass breakers is included in SR 3.3.1.12. Thebypass breaker test shall include a local manual shunt trip. A Note hasbeen added to indicate that this test must be performed on the bypass breaker prior to placing it in service.The Frequency of every 62 days on a STAGGERED TEST BASIS is justified in Reference 9.sR 3.3.1 .5SR 3.3.1.5 is the performance of an ACTUATION LOGIC TEST. TheSSPS is tested every 92 days on a STAGGERED TEST BASIS, using the semiautomatic tester. The train being tested is placed in the bypasscondition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function, including operation of the P-7 permissive which is a logic function only. TheFrequency of every 92 days on a STAGGERED TEST BASIS is justifiedin Reference 9.Beaver Valley Units 1 and 2B 3.3.1 - 49 Revision 10 RTS lnstrumentationB 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)sR 3.3.1 .6SR 3.3.1.6 is the performaRce of a COT every 184 days.A COT is performed on each required channel to ensure the entirechannel will perform the intended Function. A successful test of any required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay. This is acceptablebecause all of the other required contacts of the relay are verified by otherTechnical Specification Surveillance Requirements Setpoints must be within the Allowable Values specified in Table 3.3.1-1 (excluding time constants which are verified during CHANNEL cALTBRATTONS).The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in thesetpoint methodology. The setpoint shall be feft set consistent with the assumptions of the current unit specific setpoint methodology. For certain RTS Functions the required COT (SR 3.3.1.6 specified in Table 3,3.1-1 ) is modified by Notes (k) and (l). These Notes specify additional requirements for the affected instrument channels.Note (k) specifies the following: lf the as-found channel setpoint is conservative with respect to the Allowable Value but outside its predefined as-found acceptancecriteria band, then the channel shall be evaluated to verify that it is functioning as required before returning the channel to service, andlf the "as-found" instrument channel setpoint is not conservativewith respect to the Allowable Value, the channel shall be declared inoperable.The evaluation of channel performance required by Note (k) involves anassessment to verify the channel will continue to behave in accordance with design basis assumptions, and to ensure confidence in the channelperformance prior to returning the channel to service. In addition, if the"as found" trip setpoint value is non-conservative with respect to theAllowable Value, or is found to be outside of the two sided predefinedacceptance criteria band on either side of the nominal trip setpoint, theaffected channel will be evaluated under the corrective action program.Beaver ValleyB 3.3.1 - 50 Revision 10 RTS InstrumentationB 3.3.1 BASESSURVEI LLANCE REQUI REMENTS (continued) Note (l) specifies the following: The instrument channel setpoint shall be reset to a value that is within the as-left tolerance of the nominal trip setpoint, or a valuethat is more conservative than the nominal trip setpoint; othenruise, the channel shall be declared inoperable, andThe nominal trip setpoint and the methodology used to determine the nominal trip setpoint, the predefined as-found acceptance criteria band, and the as-left setpoint tolerance band are specifieda document incorporated by reference into the Updated Final Safety Analysis Report.For BVPS, the document containing the nominal trip setpoint, the -methodology used to determine the nominal trip setpoint, the predefinedas-found acceptance criteria band, and the as-left setpoint tolerance band-is the LRM. For the RTS Functions with a COT modified by Note (l), the Note requiresthat the instrument channel setpoint be reset to a value within the "as left"setpoint tolerance band on either side of the nominal trip setpoint or to a value that is more conservative than the nominal trip setpoint. Theconservative direction is established by the direction of the inequality signapplied to the associated Allowable Value. Setpoint restoration and post-test verification assure that the assumptions in the plant setpoint methodology are satisfied in order to protect the safety analysis limits. lf the channel can not be reset to a value within the required "as left"setpoint tolerance band on either side of the nominal trip setpoint, or to a value that is more conservative than the nominal trip setpoint (if requiredbased on plant conditions) the channel is declared inoperable and theapplicable ACTION is entered.For the RTS Functions with a COT modified by Notes (k) and (l), the "as found" and "as left" setpoint data obtained during COTs or CHANNEL CALIBRATIONS are programmatically trended to demonstrate that therack drift assumptions used in the plant setpoint methodology are valid. lfthe trending evaluation determines that a channel 1s performing inconsistent with the uncertainty allowances applicable to the periodic surveillance test being performed, the channel is evaluated under thecorrective action program. lf the channel is not capable of performingspecified safety function, it is declared inoperable. Beaver Valley Units 1 and 2B 3.3.1 - 51Revision 10 RTS lnstrumentationB 3.3.1 BASESSU RVEI LLANCE REQU IREMENTS (continued)SR 3.3.1.6 is modified by a Note that provides a 12 hour delay in therequirement to perform this Surveillance for source range instrumentationafter decreasing power below the P-6 interlock setpoint. This Note allowsa normal shutdown to proceed without a delay for testing in MODE 2 and for a short time in MODE 3 until the RTBs are open and SR 3.3.1.6 is nolonger required to be performed. lf the unit is to be in MODE 2 below the P-6 setpoint or in MODE 3 with the RTBs closed for > 12 hours this Surveillance must be performed prior to 12 hours after decreasing power below the P-6 setpoint.The Frequency of 184 days is justified in Reference 9.sR 3.3.1 .7SR 3.3.1.7 is the performance of a COT as described in SR 3.3.1.6, except it is modified by a Note that this test shall include verification thatthe P-6 and P-10 interlocks are in their required state for the existing unitcondition. The Frequency is modified by a Note that allows this surveillance to be satisfied if it has been performed within 184 days of the Frequencies prior to reactor startup and 12 hours after reducing powerbelow P-10. The Frequency of "prior to startup" ensures this surveillance is performed prior to critical operations and applies to the intermediate and power range low instrument channels. The Frequency of 12 hours after reducing power below P-10 (applicable to intermediate and power range low channels) allows a normal shutdown to be completed and theunit removed from the MODE of Applicability for this surveillance withouta delay to perform the testing required by this surveillance. The Frequency of every 184 days thereafter appfies if the plant remains in the MODE of Applicability after the initial performances of prior to reactorstartup and 12 hours after reducing power befow P-10. The MODE of Applicability for this surveillance is < P-10 for the power range low andintermediate range channels. Once the unit is in MODE 3, this surveillance is no longer required. lf power is to be maintained < P-10 formore than 12 hours, then the testing required by this surveillance must beperformed prior to the expiration of the time limit. Twelve hours is a reasonable time to complete the required testing or place the unit in aMODE where this surveillance is no longer required. This test ensuresthat the NIS intermediate, and power range low channels are OPERABLE prior to taking the reactor critical and after reducing power into the applicable MODE (. p-t 0) for periods > 12 hours.The Frequency of 184 days is justified in Reference 9. Beaver Valley Units 1 B 3.3.1 - 52Revision 10 RTS InstrumentationB 3.3.1 BASES SURVEILLANCE REQU I REM ENTS (continued)sR 3.3.1 .8SR 3.3.1.8 is the performance of a TADOT and is perfornred every184 days, as justified in Reference 10. A successful test of any requiredcontact(s) of a channel relay may be performed by the verification of thechange of state of a single contact of the relay. This clarifies what is anacceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specification Surveil lance Requirements. The SR is modified by a Note that excludes verification of setpoints from the TADOT. Since this SR applies to RCP undervoltage and underfrequency relays, setpoint verification requires elaborate bench calibration and is accomplished during the CHANNEL CALIBRATION.sR 3.3.1 .9SR 3.3.1.9 is a calibration of the excore channels to the incore channels. lf the measurements do not agree, the excore channels are not declaredinoperable but must be calibrated to agree with the incore detectormeasurements. lf the excore channels cannot be adjusted (normalized),the channels are declared inoperable. This Surveillance is performed at BOL to normalize the excore channel (Al) input to the overtemperatureAT Function for each new operating cycle. The Surveillance is assignedto both the Power Range Neutron Flux High and OTAT RTS Functions toassure all 4 NIS channels are initially normalized to the new core.A Note modifies SR 3.3.1.9. The Note states that this Surveillance isrequired only if reactor power is > 50% RTP and that 7 days are allowed for performing the Surveillance after reaching 50% RTP.The Frequency of once per fuel cycle is adequate to establish the initialcycle-specific calibration of the excore channels. lt is based on industryoperating experience, considering instrument reliability and the perlormance of SR 3.3.1.3 every 31 EFPD which verifies the excore channels remain within the required calibration toferance.sR 3.3.1 .10 A CHANNEL CALIBRATION is performed every 1B months, or approximately at every refueling. CHANNEL CALIBRATION is acomplete check of the instrument loop, including the sensor. The testverifies that the channel responds to a measured parameter within thenecessary range and accuracy.Beaver Valley Units 1 and 2 B 3.3.1 - 53 Revision 10 RTS lnstrumentationB 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)CHANNEL CALIBRATIONS must be performed consistent with theassumptions of the unit specific setpoint methodology. The differencebetween the current "as found" values and the previous test "as left"values must be consistent with the drift allowance used in the setpoint methodology.Whenever a sensing element is replaced, the next required CHANNELCALIBRATION of the resistance temperature detectors (RTD) sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.For certain RTS Functions the required CHANNEL CALIBRATION (SR 3.3.1 .1 0 specified in Table 3.3.1 -1 ) is modified by Notes (k) and (l).These Notes specify additional requirements for the affected instrument channels.Note (k) specifies the following:. lf the as-found channel setpoint is conservative with respect to the Allowable Value but outside its predefined as-found acceptancecriteria band, then the channel shall be evaluated to verify that it is functioning as required before returning the channel to service, and. lf the "as-found" instrument channel setpoint is not conservativewith respect to the Allowable Value, the channel shall be declared inoperable.The evaluation of channel performance required by Note (k) involves an assessment to verify the channel will continue to behave in accordancewith design basis assumptions, and to ensure confidence in the channelperformance prior to returning the channel to service. In addition, if the"as found" trip setpoint value is non-conservative with respect to the Allowable Value, or is found to be outside of the two sided predefined acceptance criteria band on either side of the nominal trip setpoint, theaffected channel will be evaluated under the corrective action program.Note (l) specifies the following:. The instrument channel setpoint shall be reset to a value that iswithin the as-left tolerance of the nominal trip setpoint, or a value that is more conservative than the nominal trip setpoint; otherutrise,the channel shall be declared inoperable, andBeaver Valley Units 1 and 2B 3.3.1 - 54 Revision 10 RTS Instrumentation B 3.3.1 BASES SURVEI LLANCE REQU I REMENTS (continued). The nominal trip setpoint and the methodology used to determinethe nominal trip setpoint, the pr,edefined as-found acceptancecriteria band, and the as-left setpoint tolerance band are specified ina document incorporated by reference into the Updated Final Safety Analysis Report.For BVPS, the document containing the nominal trip setpoint, themethodology used to determine the nominal trip setpoint, the predefinedas-found acceptance criteria band, and the as-left setpoint tolerance band is the LRM.For the RTS Functions with a CHANNEL CALIBRATION modified by Note (l), the Note requires that the instrument channel setpoint be reset to a value within the "as left" setpoint tolerance band on either side of the nominal trip setpoint or to a value that is more conservative than thenominal trip setpoint. The conservative direction is established by thedirection of the inequality sign applied to the associated Allowable Value.Setpoint restoration and post-test verification assure that the assumptionsin the plant setpoint methodology are satisfied in order to protect thesafety analysis limits. lf the channel can not be reset to a value within the required "as left" setpoint tolerance band on either side of the nominal trlp setpoint, or to a value that is more conservative than the nominal trip setpoint (if required based on plant conditions) the channel is declared inoperable and the applicable ACTION is entered.For the RTS Functions with a CHANNEL CALIBRATl ON modified by Notes (k) and (l), the "as found" and "as left" setpoint data obtained duringCOTs or CHANNEL CALIBRATIONS are programmatically trended to demonstrate that the rack drift assumptions used in the plant setpointmethodology are valid. lf the trending evaluation determines that a channel is performing inconsistent with the uncertainty allowances applicable to the periodic surveillance test being performed, the channelis evaluated under the corrective action program. lf the channel is notcapable of performing its specified safety function, it is declared inoperable.The Frequency of 18 months is based on the assumption of an 1B month calibration interval in the determination of the magnitude of equipment drift in the setpoint methodology.SR 3.3.1 .10 is modified by Note 1 stating that this test shall includeverification that the time constants are adjusted to the prescribed valueswhere applicable. ln addition, this SR is modified by Note 2 stating thatneutron detectors are excluded from the CHANNEL CALIBRATION. The CHANNEL CALIBRATION for the power range neutron detectors consists Beaver Valley Units 1 and 2B 3.3.1 - 55 Revision 10 RTS InstrumentationB 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)of a normalization of the detectors based on a power calorimetric and flux map performed above 15o/o RTP. The CHANNEL CALIBRATION for the source range and intermediate range neutron detectors consists ofobtaining the detector calibration data and establishing detector operating conditions in accordance with approved plant procedures. This Surveillance is not required for the NIS power range detectors for entryinto MODE 2 or 1 , and is not required for the NIS intermediate range detectors for entry into MODE 2, because the unit must be in at leastMODE 2 to perform the test for the intermediate range detectors andMODE 1 for the power range detectors.sR 3.3.1 .1 1SR 3.3.1.11 is the performance of a COT of RTS interlocks every18 months. A successful test of any required contact(s) of a channelrelay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptabte COT of arelay. This is acceptable because all of the other required contacts of therelay are verified by other Technical Specification Surveillance Requirements.The Frequency is based on the known reliability of the interlocks and themultichannel redundancy available, and has been shown to beacceptable through operatinE experience.sR 3.3.1 .1 2SR 3.3.1.12 is the performance of a TADOT of the Manual Reactor Trip,RCP Breaker Position, and the Sl Input from ESFAS. A successful test of any required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptablebecause all of the other required contacts of the relay are verified by other Technical Specification Surveillance Requirements. This TADOT is performed every 18 months. The test shall independently verify the OPERABILITY of the undervoltage and shunt trip mechanisms for theManual Reactor Trip Function for the Reactor Trip Breakers and ReactorTrip Bypass Breakers. The Reactor Trip Bypass Breaker test shallinclude testing of the automatic undervoltage trip. For the Sl input fromESFAS, this test verifies the Sl logic output to the reactor trip system.The Frequency is based on the known reliability of the Functions and themultichannel redundancy available, and has been shown to beacceptable through operating experience.Beaver Valley Units 1 and 2B 3.3.1 - 56 Revision 10 RTS Instrumentation B 3.3.1 BASESSURVEILLANCE REQUIREMENTS (continued)The SR is modified by a Note that excludes verification of setpoints fromthe TADOT. As the requirements for the ESFAS instrument channels, including actuation logic and Allowable Values are specified separately inLCO 3.3.2, the Functions affected by this SR have no setpoints associated with them.sR 3.3.1.13SR 3,3.1.13 is the performance of a TADOT of Turbine Trip Functions.This TADOT is as described in SR 3.3.1.4, except that this test isperformed prior to exceeding the P-9 interlock whenever the unit has been in MODE 3. This Surveillance is not required if it has been performed within the previous 31 days. Verification of the Trip Setpoint does not have to be performed for this Surveillance. Performance of thistest will ensure that the turbine trip Function is OPERABLE prior to exceeding the P-9 interlock.sR 3.3.1.14SR 3.3.1.14 verifies that the individual channel/train actuation responsetimes are less than or equal to the maximum values assumed in theaccident analysis. Response time testing acceptance criteria are included in the LRM. lndividual component response times are notmodeled in the analyses. This Surveillance is only required for instrument channels with response times that are assumed in the safety analyses.The LRM identifies instrument channels for which no rebponse time is assumed in the safety analyses by indicating that the response time is not applicable. The analyses model the overall or total elapsed time, from the point atwhich the parameter exceeds the trip setpoint value at the sensor to the point at which the equipment reaches the required functional state (i.e.,control and shutdown rods fully inserted in the reactor core).For channels that include dynamic transfer Functions (e.9., lrg, lead/fag,rate/lag, etc.), the response time test may be performed with the transferFunction set to one, or by such means as utilizing a step change input signal, with the resulting measured response time compared to theresponse time specified in the LRM. Alternately, the response time testcan be performed with the time constants set to their nominal value, provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.Beaver Valley Units 1 and 2B 3.3.1 - 57 Revision 10 RTS InstrumentationB 3.3.1 BASES SURVEILLANCE REQUI REMENTS (continued)- NOTE .The following alternate means for verifying response times summation of allocated times) is only applicable to Unit 2.Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic,noise, or power interrupt tests), (2) in place, onsite, or offsite (e.9.,vendor) test measurements, or (3) utilizing vendor engineeringspecifications. WCAP-1 3632-P-A, Revision 2, "Elimination of PressureSensor Response Time Testing Requirements," provides the basis andmethodology for using allocated sensor response times in the overallverification of the channel response time for specific sensors identified inthe WCAP. Response time verification for other sensor types must bedemonstrated by test.WCAP-14036-P-A, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests," and WCAP-15413, "Westinghouse7300A ASIC-Based Replacement Module Licensing Summary Report" provide the basis and methodology for using allocated signal processingand actuation logic response times in the overall verification of the protection system channel response time. The allocations for sensor, signal conditioning, and actuation logic response times must be verified prior to placing the component in operational service and re-verifiedfollowing maintenance that may adversely affect response time. ln general, electrical repair work does not impact response time provided the parts used for repair are of the same type and value. Specific components identified in the WGAP may be replaced without verificationtesting. One example where response time could be affected is replacingthe sensing assembly of a transmitter. WCAP-1 5413 provides boundingresponse times where 7300 cards have been replaced with ASICs cards.As appropriate, each channel's response must be verified every18 months on a STAGGERED TEST BASIS. Each verification shall include at least one logic train such that both logic trains are verified atleast once per 36 months. Response times cannot be determined duringunit operation because equipment operation is required to measureresponse times. Experience has shown that these components usually pass this surveillance when performed at the 18 months Frequency.Therefore, the Frequency was concluded to be acceptable from a reliability standpoint. Beaver Valley Units 1 and 2 B 3.3.1 - 58Revision 10 RTS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUI REMENTS (continued) SR 3.3.1.14 is modified by a Note stating that neutron detectors areexcluded from RTS RESPONSE TIME testing. This Note is necessarybecause of the difficulty in generating an appropriate detector inputsignal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response.REFERENCES 4.2.3.5.6.1.Westinghouse Setpoint Methodology for Protection Systems, WCAP-1 1419, Rev.6 (Unit 1)and WCAP-11366, Rev.7 (Unit 2).UFSAR, Chapter 7 (Unit 1 and Unit 2).UFSAR Chapter 14 (Unit 1) and UFSAR Chapter 15 (Unit 2).IEEE-279-1971 .10 cFR 50.49.Westinghouse Nuclear Safety Advisory Letter NSAL-00-016, Rod Withdrawal from Subcritical Protection in Lower Modes,December 4,2000.WCAP-14333-P-A, Rev. 1 , "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," October 1998.WOG-06 -17, "WCAP-1 0271-P-A Justification for Bypass Test Timeand Completion Time Technical Specification Changes for Reactor Trip on Turbine Trip," June 24,2046.WCAP-15376-P-A, Rev. 1, "Risk-lnformed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," March 2003.10. Amendment No. 282 (Unit 1) and Amendment No. 166 (Unit 2),December 29.2008. 7.8 9.Beaver Valley Units 1 and 2 B33.1 -59 Revision 11 ESFAS InstrumentationB 3.3.2 B 3.3 INSTRUMENTATION B 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation BASES BACKGROUNDThe ESFAS initiates necessary safety systems, based on the values ofselected unit parameters, to protect against violating core design limitsand the Reactor Coolant System (RCS) pressure boundary, and tomitigate accidents. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the ESFAS as well as specifying LCOs on other system parameters and equipment performance.Technical Specifications are required by 10 CFR 50.36 to contain LSSSdefined by the regulation as "...settings for automatic protectivedevices...so chosen that automatic protective action will correct the abnormal situation before a Safety Limit (SL) is exceeded." TheAnalytical Limit is the limit of the process variable at which a safety actionis initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs when reaching the Analytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protective devices must be chosen to be more conservative than theAnalytical Limit to account for instrument loop uncertainties related to thesetting at which the automatic protective action may actually occur.The nominal trip setpoint is a predetermined setting for a protectivedevice chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded.Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety function(s)." For each automatic protective device there is a , setting beyond which the device would not be able to perform its function due, for example, to greater than expected drift. The value of this setting is specified in the Technical Specifications in order to define OPERABILITY of the devices and is designated as the Allowable Value. The Allowable Value specified in Tabl e 3.3.2-l serves as theOPERABILITY limit such that a channel is OPERABLE if the trip setpointis found not to exceed the Allowable Value. Note that, although the channel is "OPERABLE" under these circumstances, the trip setpoint should be left adjusted to a value within the established trip setpointcalibration tolerance band, in accordance with the assumptions stated inBeaver Valley Units 1 and 2 B3.32-1 Revision 0 ESFAS Instrumentation B 3.3.2 BASES BACKG ROU N D (continued) the BVPS Unit 1 and Unit 2 setpoint methodology for protection systems (Ref. 3). lf the actual setting of the device is found to have exceeded the Allowable Value the device would be considered inoperable from a Technical Specification perspective. This requires corrective action including those actions required by 10 CFR 50.36 when automatic protective devices do not function as required. In addition to the channel OPERABILITY guidance discussed above, the CHANNEL OPERATIONAL TEST (COT) and CHANNEL CALIBRATION Surveillance Requirements (SRs) specified on Table 3.3.2-1 for certainESFAS Functions are modified by Notes (e) and (f) that specify additional Technical Specification requirements. The applicable Notes are specified directly on Table 3.3.2-1 next to the numerical SR designations for theaffected ESFAS Functions. The additional Technical Specification requirements for these ESFAS Functions include OPERABILITYevaluations for setpoints found outside the as-found acceptance criteria band and the requirement to reset the setpoint to within the as-lefttolerance of the nominal trip setpoint or a value that is more conservativethan the nominal trip setpoint or declare the affected channel inoperable. These additional Technical Specification requirements are only applicable to the ESFAS Functions with the Notes modifying their COT and CHANNEL CALIBRATION SR numbers on Table 3.3.2-1. The ESFAS instrumentation is segmented into three distinct but interconnected modules as identified below.Field transmitters or process sensors and instrumentation: provide ameasurable electronic signal based on the physical characteristics of the parameter being measured,. Signal processing equipment including analog protection system, fieldcontacts, and protection channel sets: provide signal conditioning,bistable setpoint comparison, process algorithm actuation, compatible electrical signal output to protection system devices, and control board/control room/miscellaneous indications, and' Solid State Protection System (SSPS) including input, logic, and output bays: initiates the proper unit shutdown or engineered safety feature (ESF) actuation in accordance with the defined logic andbased on the bistable outputs from the signal process control and protection system.Beaver Valfey Units 1 and 2 B 3.3.2 - 2Revision 0 ESFAS Instrumentation B 3.3.2 BASES BACKG ROU N D (continued)Field Transmitters or SensorsTo meet the design demands for redundancy and reliability, more thanone, and in some cases as many as four, field transmitters or sensors areused to measure unit parameters. In many cases, field transmitters orsensors that input to the ESFAS are shared with the Reactor Trip System (RTS). In some cases, the same channels also provide control systeminputs. To account for calibration tolerances and instrument drift, whichare assumed to occur between calibrations, statistical allowances are provided in the nominal trip setpoint. The OPERABILITY of eachtransmitter or sensor is determined by either "as-found" calibration data evaluated during the CHANNEL CALIBRATION or by qualitativeassessment of field transmitter or sensor, as related to the channelbehavior observed during performance of the CHANNEL CHECK.Siqnal Processing EquipmentGenerally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning,comparable output signals for instruments located on the main controlboard, and comparison of measured input signals with setpointsestablished by safety analyses. The safety analyses and associated ESFAS Functions are discussed in UFSAR Chapter 14 (Unit 1)andUFSAR Chapter 15 (Unit 2) (Ref. 1). lf the measured value of a unit parameter exceeds the predetermined setpoint, an output from a bistableor other trip device is fonruarded to the SSPS for decision evaluatioh.Channel separation is maintained up to and through the input bays.However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the maincontrol board, the unit computer, and one or more control systems.Generally, if a parameter is used only for input to the protection circuits,three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. lf one channel fails in a direction thatwould not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. lf one channef fails such that a partialFunction trip occurs, a trip will not occur and the Function is stillOPERABLE with a one-out-of-two logic.Generally, if a parameter is used for input to the SSPS and a controlfunction, four channels with a two-out-of-four logic are sufficient to providethe required reliability and redundancy. The circuit must be able towithstand both an input failure to the control system, which may then Beaver Valley Units 1 and 2B 3.3.2 - 3Revision 0 ESFAS InstrumentationB 3.3.2 BASES BACKGROUN D (continued)require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Again, a singlefailure will neither cause nor prevent the protection function actuation.These requirements are described in IEEE-279-1971 (Ref. 2). However,exceptions to the requirement for four channels are part of the design andlicensing basis of the ESFAS (e.g., steam generator level instrumentation). The number of channels required for each unit parameter is specified in Technical Specification Table 3.3.2-1.Allowable Values. ESFAS Setpoints. and LSSS The nominal trip setpoints used in the bistables and other trip devices arebased on the analytical limits stated in the BVPS Unit 1 and Unit 2 setpoint methodology for protection systems (Ref. 3). The selection of these nominal trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account. Thenominal trip setpoints account for calibration tolerances, instrument uncertainties, instrument drift, and severe environment errors for thoseESFAS channels that must function in harsh environments as defined by10 CFR 50.49 (Ref.4): The nominal trip setpoints are specified in theLicensing Requirements Manual (LRM). The Allowable Values specifiedin the Technical Specifications are determined by adding (or subtracting)the calibration accuracy of the trip device to the nominal trip setpoint inthe non-conservative direction (i.e., toward or closer to the safety analysis limit) for the application. The Allowable-Values remain conservative withrespect to the analytical limits. For those channels that provide trip actuation via a bistable in the process racks, the calibration accuracy is defined by the rack calibration accuracy term. For a limited number ofchannels that provide trip actuation without being processed vla the process racks (e g , undervoltage relay channels) the Allowable Value isdefined by device drift or repeatability (Ref. 3). The application of thecallbration accuracy term (or device drift as applicable) to each ESFAS setpoint results in a "calibration tolerance band" for each setpoint. Thus,the trip setpoint value is considered a "nominal" value (i.e., expressed asa value with a calibration tolerance) for the purposes of the COT andCHANNEL CALIBRATION. The calibration tolerance band for eachESFAS setpoint is specified in plant procedures. A detailed description ofthe methodology used to calculate the Allowable Values and nominal trip setpoints including their explicit uncertainties, is provided in Reference 3which incorporates all of the known uncertainties applicable to each channel. The magnitudes of these uncertainties are factored into the determination of each nominal trip setpoint and corresponding AllowableValue. The nominal trip setpoint entered into the trip device is moreconservative than that specified by the Allowable Value to account forBeaver Valley Units 1 and 2 B 3.3.2 - 4 ESFAS InstrumentationB 3.3.2 BASESBACKG ROU N D (continued)measurement errors detectable by the COT. The Allowable Value servesas the Technical Specification OPERABILITY limit. One example of sucha change in measurement error is drift during the surveillance interval. lf the measured setpoint does not exceed the Allowable Value, the channelis considered OPERABLE. As discussed earlier, for certain ESFAS Functions, the COT and CHANNEL CALIBRATION SR numbers specifiedon Table 3.3.2-1 are modified by Notes that impose additional Technical Specification requ irements for channel OP E RAB I LITY.fhe nominal trip setpoints are the values at which the trip devices are setand are the expected values to be achieved during calibration. Thenominal trip setpoint value ensures the safety analysis limits are met for the surveillance interval selected when a channelris adjusted to be within the calibration tolerance. Any trip device with a nominal trip setpoint isconsidered to be properly adjusted when the "as-left" setpoint value iswithin the calibration toleranceThe nominaf trip setpoint is based on the calculated total loop uncertainty per the plant specific methodology documented in the LRM. The setpointmethodology, used to derive the nominal trip setpoints, is based uponcombining all of the uncertainties in the channels. lnherent in the determination of the nominal trip setpoints are the magnitudes of these channel uncertainties. Sensors and other instrumentation utilized inthese channels should be capable of operating within the allowances ofthese uncertainty magnitudes. Occasional drift in excess of the allowance may be determined to be acceptable based on the other device performance characteristics. Device drift in excess of the allowance thatis more than occasional, may be indrcative of more serious problems andwould warrant further investigation. OPERABLE ESFAS Functions with setpoints maintained within theAllowable Values specified in the Technical Specifications ensure that the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the unit is operated from within the LCOs at the onset of the DBA and the equipment functions as designed. Each channel can be tested on line except for manual initiation channelsand the trip of all main feedwater pump channels, to verify that the signal processing equipment and setpoint accuracy is within the specified allowance requirements of Reference 3. Once a designated channel istaken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in testis then tested, verified, and calibrated. SRs for the channels are specifiedin the SR section.Beaver ValleyB 3.3.2 - 5 Revision 0 ESFAS lnstrumentationB 3.3.2 BASES BACKG ROU N D (continued)For most ESFAS Functions the Allowable Value specified on Tabfe 3.3.2-1 is the LSSS required by 10 CFR 50.36. However, forcertain ESFAS Functions, the COT and CHANNEL CALIBRATION SRnumbers specified on Table 3.3.2-1 are modified by Notes (e) and (f) thatimpose additional Technical Specification Requirements for channelOPERABILITY and change the LSSS for the affected Functions. Foreach ESFAS Function in Table 3.3.2-1 with Notes modifying the requiredCOT and CHANNEL CALIBRATION SR numbers, the nominal trip setpoint specified in the LRM is the LSSS.This definition of the LSSS is consistent with the guidance issued to theindustry through correspondence with Nuclear Energy Institute (NEl)(Reference NRC-NEl Letter dated September 7 ,2005). The definition of LSSS values continues to be discussed between the industry and the NRC, and further modifications to these Technical Specification Baseswill be implemented as guidance is provided.Table 3.3.2-1 Notes (e) and (f) are applicable to the COT and CHANNEL CALIBRATION SRs for specific instrument functions since changes to Allowable Values associated with these instrument functions were already under review by the NRC at the time the revised NRC setpoint criteria were documented and made available to the industry in an NRC letter tothe NEl. Changes to the remaining instrument functions may be pursued after guidance endorsed by both the NRC and NEI is issued.Solid State Protection SvstemThe SSPS equipment is used for the decision logic processing of inputsfrom field contacts, control board switches, and the signal processing equipment bistables. To meet the redundancy requirements, two trains ofSSPS, each performing the same functions, are provided. lf one train istaken out of service for maintenance or test purposes, the second train will provide ESF actuation for the unit. lf both trains are taken out of service or placed in test, a reactor trip will result. Each train is packaged in its own cabinet for physical and electrical separation to satisfyseparation and independence requrrements. The SSPS performs the decision logic for most ESF equipment actuation; generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to themain control room of the unit.The input signals from field contacts, control board switches, and bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations Beaver Valley Units 1 and 2 B 3.3.2 - 6Revision 0 ESFAS Instrumentation B 3.3.2 BASES BACKG ROU N D (continued) indicative of various transients. lf a required logic matrix combination iscompleted, the system will send actuation signals via master and slave relays to those components whose aggregate Function best serves toalleviate the condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicabilitysections of this Bases.Each SSPS train has a built in testing device that can automatically testthe selected decision logic matrix functions and partially test the actuation relays while the unit is at power. When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device issemiautomatic to minimize testing time.The actuation of ESF components is accomplished through master andslave relays. The SSPS energizes the master r:elays appropriate for thecondition of the unit. Each master relay then energizes one or more slaverelays, which then cause actuation of the end devices. The master andslave relays that provide actuation signals to ESF components are routinely tested to ensure operation. The test of the master relaysenergizes the relay, which then operates the contacts and applies a lowvoltage to the associated slave relays. The low voltage is not sufficient toactuate the slave relays but only demonstrates signal path continuity. The SLAVE RELAY TEST actuates the devices if their operation will notinterfere with continued unit operation. For the latter case, actualcomponent operation is prevented and slave relay contact operation isverified by a continuity check of the circuit containing the slave relay.APPLlCABLE SAFETY ANALYSES, LCO,and APPLICABILITY Each of the analyzed accidents can be detected by one or more ESFASFunctions. One of the ESFAS Functions is the primary actuation signalfor that accident. An ESFAS Function may be the primary actuationsignal for more than one type of accident. An ESFAS Function may alsobe a secondary, or backup, actuation signal for one or more other accidents. Functions not explicitly credited in the safety analysis, may be implicitly credited in the safety analysis and the NRC staff approvedlicensing basis for the unit. These Functions may provide protection for conditions not explicitly analyzed and may be anticipatory in nature orserve as backups to Functions that are explicitly credited in the accident analysis to provide defense in depth (Ref. 1).Beaver Valley Units 1 and 2 B 3.3.2 - 7Revision 0 ESFAS InstrumentationB 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) The LCO requires all instrumentation performing an ESFAS Function tobe OPERABLE. A channel is OPERABLE provided the trip setpoint "as-found" value does not exceed its associated Allowable Value and provided the trip setpoint "as-left" value is adjusted to a value within thecalibration tolerance band of the nominal trip setpoint. A trip setpoint maybe set more conservative than the nominal trip setpoint as necessary in response to plant conditions provided that the + calibration tolerance band remains the same and the Allowable Value is administratively controlled accordingly in the conservative direction to meet theassumptions of the setpoint methodology. The conservative direction is established by the direction of the inequality applied to the Allowable Value, Failure of any instrument may render the affected channel(s) inoperable and reduces the reliability of the affected Functions. In addition to the channel OPERABILITY guidance discussed above, theCOT and CHANNEL CALIBRATION SRs specified on Table 3.3.2-1 for certain ESFAS Functions are modified by Notes (e) and (f) that specify additional Technical Specification requirements. The applicable Notesare specified directly on Table 3.3.2-1 next to the numerical SR designations for the affected RTS Functions. The additional Technical Specification requirements for these ESFAS Functions includeOPERABILITY evaluations for setpoints found outside the as-found acceptance criteria band and the requirement to reset the setpoint towithin the as-left tolerance of the nominal trip setpoint or a value that is more conservative than the nominal trip setpoint or declare the affected channel inoperable. These additional Technical Specificationrequirements are only applicable to the ESFAS Functions with the Notes modifying their COT and CHANNEL CALIBRATION SR numbers onTable 3.3.2-1.The LCO generally requires OPERABILITY of four or three channels in each instrumentation function and two channels in each logic and manualinitiation function. The two-out-of-three and the two-out-of-fourconfigurations allow one channel to be tripped during maintenance ortesting without causing an ESFAS initiation. Two logic or manualinitiation channels are required to ensure no single random failuredisables the ESFAS.The required channels of ESFAS instrumentation provide unit protectionin the event of any of the analyzed accidents. ESFAS protectionfunctions are as follows: Beaver Valley Units 1 and 2B 3.3.2 - 8Revision 0 ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO; ?fld APPLICABILITY (continued)1. Safety Injection Safety Injection (Sl) provides two prrmary functions:1. Primary side water addition to ensure maintenance or recovery of reactor vessel water level (coverage of the active fuel for heat removal, clad integrity, and for limiting peak clad temperature to< 2200"F ), and2. Boration to ensure recovery and maintenance of SDM (k"n' 1'0)'These functions are necessary to mitigate the effects of high energy line breaks (HELBs) both inside and outside of containment. The Sl signal is also used to initiate other Functions such as:. Phase A lsolation,. Reactor Trip,. Turbine Trip,. Feedwater lsolation.Start of auxiliary feedwater (AFW) pumps, and Enabling automatic switchover of Emergency Core Cooling Systems (ECCS) suction to containment sump.These other functions ensure: lsolation of nonessential systems through containment penetrations, Trip of the turbine and reactor to limit power generation, lsolation of main feedwater (MFW) to limit secondary side mass losses,Start of AFW to ensure secondary side cooling capability, and Enabling ECCS suction switchover from the refueling water storage tank (RWST) to the contalnment sump on RWST Level Extreme Low to ensure continued cooling via use of the containment sump.Beaver Valley Units 1 and 2 B 3.3.2 - 9Revision 3 ESFAS InstrumentationB 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)a. Safety Injection - Manual Initiation The LCO requires one channel per train to be OPERABLE. The operator can initiate Sl at any time by using either of two switches in the control room. This action will cause actuation ofall components in the same manner as any of the automatic actuation signals except for the Unit 1 automatic high head safety injection (HHSI) flow path isolation valves when LCO 3.4.12, "Overpressure Protection System," is applicable.Consistent with the requirements of LCO 3.4.12, in MODE 4 when any RCS cold leg temperature is < the enable temperature specified in the PTLR, the Unit 1 automatic HHSI flow path must be isolated with power removed from the isolation valves.Therefore, when operating in the MODE 4 Applicability of LCO 3.4.12, the manual initiation of Unit 1 Sl will require additional manual valve operation to establish an Sl injection flow path.The LCO for the Manual Initiation Function ensures the proper amount of redundancy is maintained in the manual ESFAS actuation circuitry to ensure the operator has manual ESFAS initiation capa bil ity.Each channel consists of one switch and the interconnecting wiring to the actuation logic cabinet. Each switch actuates bothtrains. This configuration does not allow testing at power.b. Safetv Iniection - Automatic Actuation Loqic and Actuation Relays This LCO requires two trains to be OPERABLE. Actuation logic consists of all circuitry housed within the actuation subsystems, inclu,ding the initiating relay contacts responsible for actuating the ESF equipment.In the event an inadvertent Sl is initiated, the block of the automatic actuation logic introduced by a reset of safety injection must be removed by resetting (closure) of the reactor trip breakers after the inadvertent initiation providing that all trip input signals have reset due to stable plant conditions. When the Automatic Actuation Logic is required OPERABLE and is blocked after an inadvertent Sl, the affected train(s) of Automatlc Actuation Logic are considered inoperable and the Technical Specification ACTIONS are applicable until the Automatic Actuation Logic is restored to OPERABLE status.Beaver Valley Units 1 and 2B 3.3.2 - 10 Revision 0 ESFAS InstrumentationB 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABf LITY (continued) Manual and automatic initiation of Sl must be OPERABLE in MODES 1,2, and 3. In these MODES, there is sufficient energyin the primary and secondary systems to warrant automatic initiation of ESF systems. Manual Initiation is also required in MODE 4 even though automatic actuation is not required. Inthis MODE, adequate time is available to manually actuate required components in the event of a DBA, but because of the farge number of components actuated on a Sl, actuation is simplified by the use of the manual actuation switches.Automatic actuation logic and actuation relays must be OPERABLE in MODE 4; however, only the actuation relays are required to support system level manual initiation. These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident.Unit pressure and temperature are very low and many ESF components are administratively locked out or othenrvise prevented from actuating to prevent inadvertent overpressurization of unit systems.c. Safetv lniection - Containment Pressure - Hiqh This signal provides protection against the following accidents: SLB inside containment. and Feed line break inside containment.Containment Pressure - High provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with a two-out-of-three logic.The high pressure Function will not experience any adverse environmental conditions and the Trip Setpoint reflects only steady state instrument uncertainties. Containment Pressure - High must be OPERABLE in MODES 1,2, and 3 when there is sufficient energy in the primary and secondary systems to pressurize the containment following a pipe break. ln MODES 4, 5, and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment.Beaver Valley UnitsB 3.3.2 - 11 Revision 0 ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES; LCO, and APPLICABILITY (continued)d. Safetv Injection - Pressurizer Pressure - Low This signal provides protection against the following accidents: Inadvertent opening of a steam generator (SG) relief or safety valve, SLB, A spectrum of rod cluster control assembly ejection accidents (rod ejection), Inadvertent opening of a pressurizer relief or safety valve, LOCAs, andSG Tube Rupture. The Pressurizer Pressure - Low protection Function provides no input to any control functions. Pressurizer pressure control is accomplished by two separate channels independent of thepressurizer pressure protection channels used for ESFAS. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with a two-out-of-three logic.The transmitters could experience adverse environmental conditions (LOCA, SLB inside containment, rod ejection). Therefore, the Trip Setpoint reflects the inclusion of both steady state and adverse environmental instrument uncertainties. This Function must be OPERABLE in MODES 1, 2, and 3 (above P-11) to mitigate the consequences of an HELB inside containment. This signal may be manually blocked by the operator below the P-1 1 setpoint. Automatic Sl actuation below this pressure setpoint is then performed by the Containment Pressure - High signal.This Function is not required to be OPERABLE in MODE 3 below the P-11 setpoint. Other ESF functions are used to detect accident conditions and actuate the ESF systems in this MODE.ln MODES 4, 5, and 6, this Function is not needed for accident detection and mitigation. Beaver Valley Units 1 and 2B 3.3.2 - 12Revision 0 ESFAS Instrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)e. Safety Injection - Steam Line Pressure - LowSteam Line Pressure - Low provides protection against the following accidents: SLB,Feed line break, and Inadvertent opening of an SG relief or an SG safety valve.Steam Line Pressure - Low also provides input to steam generator level control; however, only three OPERABLE channels per steam line are provided. lf a steam pressure sensor fails high or low, the steam generator level control system would eventually recover based upon the level input "alone, assuming that a high level or low fevel trip setpoint is not reached. lf the steam generator level setpoint is reached and protective action is required, a reactor trip (on low steam generator level) or turbine trip (on high steam generator level)occurs automatically. ln this case, steam generator level is usedto mitigate the event and not steam pressure. A single failure ina steam generator level channel could be assumed; however, the reactor trip would still occur on steam generator level. A second failure in another steam pressure transmitter would not preclude a trip from occurring on steam generator fevel. Thus,three OPERABLE channels on each steam line are sufficient to satisfy the protective requirements with a two-out-of-three logicon any steam line.The Unit 1 transmitters will not experience adverse environmental conditions during a secondary side break. TheUnit 2 transmitters are located where they may experience adverse environmental conditions during a secondary side breakoutside containment. However, for Unit 2, the safety analysis limit for the steam line break inside containment 1s more limitingthan the safety analysis limit for the steam line break outsidecontainment. As such, the Unit 2Trip Setpoint is based on themore limiting result of the safety analysis for a steam line breakinside containment which does not require an adverse environmental uncertainty. The magnitude of the difference between the inside and outside safety analysis limits is greaterthan or equal to the potential error that could result from an adverse environment. Therefore, the trip setpoints for both units only reflect steady state instrument uncertainties. Beaver Valley B 3.3.2 - 13Revision 0 ESFAS lnstrumentationB 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)This Function is anticipatory in nature and has a lead/lag ratio of 50/5.Steam Line Pressure - Low must be OPERABLE in MODES 1, 2,and 3 (above P-11) when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines.This signal may be manually blocked by the operator below the P-11 setpoint. Below P-11, feed line break is not a concern.Inside containment SLB will be terminated by automatic steamline isolation via Containment Pressure-lntermediate High High,and outside containment SLB will be terminated by the SteamLine Pressure - Negative Rate - High signal for steam line isolation. This Function is not required to be OPERABLE inMODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to cause an accident.2. Containment Sprav Svstems Containment Spray provides five primary functions:

1. Lowers containment pressure and temperature after an HELB in containment,2. Reduces the amount of radioactive iodine atmosphere, Minimize corrosion of the components and containment following a LOCA, Control subcompartment and general areaconcentrations to less than 4% by volume, the containment

4.5.3. Adjusts

the pH of the water in the containment recirculationsump after a large break LOCA,Mixes the containment atmosphere and minimizes the amount of hydrogen accumulation, and Removes containment heat.These functions are necessary Ensure the pressure boundary integrity of the containment structure,Limit the release of radioactive iodine to the environment in the event of a failure of the containment structure. systems inside hydrogen and Beaver Valley Units 1 and 2 B 3.3.2 - 14Revision 3 ESFAS lnstrumentationB 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) o Remove decay heat to ensure that the containment gas and sump water temperatures are within the containment liner and piping thermal stress limits.The containment spray actuation signal starts the Quench Spray pumps and aligns the discharge of the pumps to the containment spray nozzle headers in the upper levels of containment. Water is drawn from the RWST by the Quench Spray pumps. The Quench Spray pumps are manually stopped following receipt of a low RWSTlevel alarm. The Recirculation Spray pumps are started automatically and take suction from the containment sump tocontinue containment spray. Sodium tetraborate is added to the recirculation spray solution as the sodium tetraborate storagebaskets are submerged by water accumulating in the containment sump. Recirculation spray is actuated manually or by Containment Pressure - High High coincident with RWST Level Low.a (1) Quench Sprav - Manual lnitiation The operator can initiate quench spray at any time from the control room by simultaneously actuating two containment spray actuation switches in the same train. Because an inadvertent actuation of quench spray could have undesirable consequences, two switches must be actuated simultaneouslyto initiate quench spray. There are two sets of two switches each in the control room. Simultaneously actuating the two switches in either set will actuate quench spray in both trains inUnit 2 and one train in Unit 1. Two Manual lnitiation switches in each train are required to be OPERABLE to ensure no single failure disables the Manual Initiation Function. Manual lnitiation of quench spray also actuates Phase B containment isolation. Note that manual initiation of containment spray will initiate a recirculation spray pump,start if an RWST Level Low signal is present. Alternatively, an operator can individually start each recirculation spray pump using the control board pump switches.a.(2) Quench Sprav - Automatic Actuation Logic and Actuation Relavs This LCO requires two trains to be OPERABLE. Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment. Manual and automatic initiation of quenchspray must be OPERABLE in MODES 1, 2, and 3 when there is a potential for an accident to occur, and sufficlent energy in the primary or secondary systems to pose a threat to containment integrity due to overpressure conditions. Manual initiation is Beaver Valley Units 1 and 2 B3.32-15Revision 20 ESFAS lnstrumentationB 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) also required in MODE 4, even though automatic actuation isnot required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA.However, because of the large number of components actuated on a quench spray, actuation is simplified by the use of the manual actuation switches. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4; however,only the actuation relays are required to support manual initiation of quench spray. In MODES 5 and 6, there is insufficient energy in the primary and secondary systems to result in containment overpressure. ln MODES 5 and 6, there is also adequate time for the operators to evaluate unit conditions and respond, to mitigate the consequences of abnormal conditions by manually starting individual components. a (3) Quench Soray - Containment Pressure - High High This signal provides protection against a LOCA or an SLB inside containment. The transmitters will not experience any adverse environmental conditions and the Trip Setpoint reflects only steady state instrument uncertainties.This is one of two Functions that require the bistable output to energize to perform its required action. lt is not desirable to have a loss of power actuate the containment spray systems. Note that this Function afso has the inoperable channel placed in bypass rather than trip to decrease the probability of ani nadvertent actuation.This Function uses four channels ln a two-out-of-four logicconfiguration. Additional redundancy is warranted because this Function is energized to trip. Containment Pressure - High High must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary sides to pressurize the containment following a pipe break. In MODES 4,5, and 6, there is insufficient energy in the primaryand secondary sides to pressurize the containment and reachthe Containment Pressure - High High setpoints.b.(1) Recirculation Sprav - Automatic Actuation LogicThis LCO requires two trains to be OPERABLE. The trains consist of the actuation logic and associated master relays for this Function. The actuation logic consists of all circuitry housed within the actuation subsystems. The LCO for this Function Beaver Valley Units 1 and 2 B332 - 16 Revision 6 ESFAS lnstrumentationB 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) does not include requirements for slave relay OPERABILITY.The SRs for this Function do not include a SLAVE RELAY TESTdue to equipment safety concerns (inadvertent pump start) ifsuch a test was performed at power. The verification of requiredslave relay OPERABILITY for this Function is included in LCO

3.6.7 Recirculation

Spray System (SR 3.6.7.3.b). The Recirculation Spray System SR is an 18 month Surveillance that allows the required SLAVE RELAY TEST to be performedsafefy. Therefore, LCO 3.6.7 addresses the OPERABILITY ofthe slave relays for this Function. b.(2) Recirculation Spray - RWST Level Low coincident withContainment Pressure-Hiqh HiqhThis LCO requires three RWST Level Low channels and fourContainment Pressure High High channels to be OPERABLE.A Level Low in the RWST coincident with a Containment Pressure-High High signaf automaticafly initiates recirculation spray. Recirculation spray is the primary method of heat removal from the containment environment following a LOCA.The RWST Level Low Allowable Value has both upper andlower limits. The lower limit is selected to ensure that containment temperatures remain within safety analysis limitsand that adequate NPSH is available to the Ll-{Sl pumps. The upper limit ensures adequate NPSH to the recirculation spray pumps.The RWST Level Low Function uses three RWST leveltransmitters in a two out of three coincident logic. These transmitters provide no control functions. The transmitters will not experience any adverse environmental conditions and, therefore, the trip setpoint reflects only steady state instrument uncertainties. The RWST level logic is configured in ade-energize to trip configuration. The Containment Pressure-High High signal is described in Quench Spray, Containment Pressure-High High (item 2.a(3)).The RWST Level Low and Containment Pressure High High Functions must be OPERABLE in MODES 1, 2 and 3 when there is a potential for a LOCA to occur, to ensure a continued supply of water for the recirculation spray pumps. These Functions are not required to be OPERABLE in MODES 4, 5and 6 because there is insufficient energy in the primary and secondary sides to pressurize the containment and reach theContainment Pressure - High High setpoints.Beaver Valley Units 1 and 2 B 3.3.2 - 17 Revision 6 ESFAS InstrumentationB 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

3. Containment lsolationContainment lsolation provides isolation of the containmentatmosphere, and all process systems that penetrate containment,from the environment. This Function is necessary to prevent or limit the release of radioactivity to the environment in the event of a largebreak LOCA.There are two separate Containment lsolation signals, Phase A and Phase B. Phase A isolation isolates all automatically isolable process lines, except component cooling water (CCW) and coolingwater to the containment air recirculation fan cooling coifs, and the Unit 1 containment instrument air, at a relatively low containment pressure indicative of primary or secondary system leaks. For thesetypes of events, forced circulation cooling using the reactor coolant pumps (RCPs) and SGs is the preferred (but not required) methodof decay heat removal. Since CCW is required to support RCP operation, not isolating CCW on the low pressure Phase A signalenhances unit safety by allowing operators to use forced RCS circulation to cool the unit.

lsolating CCW on the low pressure signal may force the use of feed and bleed cooling, which could prove more difficult to control. Phase A containment isolation is actuated automatically by Sl, ormanually via the automatic actuation relays. CCW is not isolated atthis time to permit continued operation of the RCPs with coolingwater flow to the thermal barrier heat exchangers and motors. The cooling water to the containment air recirculation fan cooling coils isnot isolated by a Phase A signal to allow contrnued containment cooling. The Unit 1 containment instrument air is not isolated by aPhase A signal to allow instrument air to be available to supportvalve operation inside containment (e.9., CCW valves). All processlines requirod to be isolated under accident conditions and notequipped with automatic isolation valves are manually closed, or othenryise isolated, prior to reaching MODE 4 (except when openunder administrative controls).Manual Phase A Containment lsolation is accomplished by either oftwo switches in the control room. Either switch actuates both trains.The Phase B signal isolates CCW and coofing water to the containment air recirculation fan cooling coils and containment instrument air (for Unit 1 only). This occurs at a relatively high containment pressure that is indicative of a large break LOCA or an Beaver Valley Units 1 and 2B 3.3.2 - 18Revision 6 ESFAS lnstrumentationB 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)SLB. For these events, forced circulation using the RCPs is no longer desirable. lsolating these additional systems at the higher pressure does not pose a challenge to the containment boundarybecause the systems are closed loops inside containment. The systems are continuously pressurized to a pressure greater than thePhase B setpoint. Thus, routine operation demonstrates theintegrity of the system pressure boundary for pressures exceeding the Phase B setpoint. Furthermore, because system pressureexceeds the Phase B setpoint, any system leakage prior to initiationof Phase B isolation would be into containment. Therefore, thecombination of system design and Phase B isolation ensures thesystems are not a potential path for radioactive release from containment. Phase B containment isolation is actuated by Containment Pressure- High High, or manually, via the automatic actuation relays, as previously discussed. For containment pressure to reach a valuehigh enough to actuate Containment Pressure - High High, a LOCAor SLB must have occurred and containment spray must have beenactuated. RCP operation will no longer be required and CCW to theRCPs is, therefore, no longer necessary.Manual Phase B Containment lsolation is accomplished by thesame switches that actuate Containment Spray. When the two switches in either set are actuated simultaneously, Phase B Containment lsolation and Containment Spray will be actuated inboth trains in Unit 2 and one train in Unit 1.a. Containment lsolation - Phase A lsolation (1) Phase A lsolation - Manual lnitiationManual Phase A Containment lsolation is actuated byeither of two switches in the control room. Either switchactuates both trains.(2) Phase A lsolation - Automatic Actuation Loqic andActuation RelaysThis LCO requires two trains to be OPERABLE.Actuation logic consists of all circuitry housed within theactuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment.Beaver Valley Units 1 and 2B 3 3.2 - 19 Revision 6 ESFAS lnstrumentationB 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) Manual and automatic initiation of Phase A Containment lsolation must be OPERABLE in MODES 1, 2, and 3, whenthere is a potential for an accident to occur. Manual initiation isalso required in MODE 4 even though automatic actuation is not required. In this MODE, adequate time is available to manuafly actuate required components in the event of a DBA, but because of the large number of components actuated on a Phase A Containment lsolation, actuation is simplified by the use of the manual actuation switches. Automatic actuation logicand actuation relays must be OPERABLE in MODE 4; however, only the actuation relays are required to support system levelmanual initiation. ln MODES 5 and 6, there is insufficientenergy in the primary or secondary systems to pressurize the containment to require Phase A Containment lsolation. There also is adequate time for the operator to evaluate unit conditionsand manually actuate individual isolation valves in response to abnormal or accident conditions. (3) Phase A lsolation - Safetv Injection Phase A Containment lsolation is also initiated by all Functions that initiate Sl. The Phase A Containment lsolation requirements for these Functions are the sameas the requirements for their Sl function. Therefore, the requirements are not repeated in Table 3.3,2-1. Instead,Function 1, Sl, is referenced for all initiating Functionsand requirements.b. Containment lsolation - Phase B lsolation Phase B Containment lsolation is accomplished by Manual Initiation, Automatic Actuation Logic and Actuation Relays, andby Containrnent Pressure channels (the samq channels that actuate Containment Spray, Function 2.a(3). The Containment Pressure actuation of Phase B Containment lsolation is energized to actuate in order to minimize the potential of spurious actuations that may damage the RCPs.(1) Phase B lsolation - Manual lnitiation The manual Phase B Containment lsolation is accomplished by the manual Containment Sprayswitches described in Function 2.a(1).Beaver Valley Units 1 and 2 B33.2-20Revision 6 ESFAS InstrumentationB 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) (2) Phase B lsolation - Automatic Actuation Loqic and Actuation Relavs This LCO requires two trains to be OPERABLE.Actuation logic consists of all circuitry housed within theactuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment. Manual and automatic initiation of Phase B containment isolation must be OPERABLE in MODES 1, 2, and 3,when there is a potential for an accident to occur.Manual initiation is also required in MODE 4 even thoughautomatic actuation is not required. In this MO'DE,adequate time is available to manually actuate required components in the event of a DBA. However, becauseof the large number of components actuated on.a Phase B containment isolation, actuation is simplified bythe use of the manual actuation switches. Automatic actuation logic and actuation relays must be OPERABLEin MODE 4; however, only the actuation relays arerequired to support system level manual initiation. InMODES 5 and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require Phase B containment isolation.There also is adequate time for the operator to evaluate unit conditions and manually.actuate individual isolationvalves in response to abnormal or accident conditions. (3) Phase B lsolation - Containment Pressure - Hiqh HishThe basis for containment pressure MODE applicabilityis as discussed for ESFAS Function 2.a(3) above.4. Steam Line lsolation lsolation of the main steam lines provides protection in the event ofan SLB inside or outside containment. Rapid isolation of the steam lines will limit the steam break accident to the blowdown from oneSG, at most. For an SLB upstream of the main steam isolation valves (MSlVs), inside or outside of containment, closure of theMSIVs limits the accident to the blowdown from only the affected SG.For an SLB downstream of the MSlVs, closure of the MSIVs terminates the accident as soon as the steam lines depressurize.For Unit 2 which does not have steam line check valves, Steam Line lsolation also mitigates the effects of a feed line break and ensures asource of steam for the turbine driven AFW pump during a feed line break.Beaver Valley Units 1 and 2 B 3.3.2 - 21 Revision 6 ESFAS InstrumentationB 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) a.Steam Line lsolation - Manual Initiation (Unit 2 only)Manual initiation of Steam Line lsolation can be accomplishedfrom the control room. There are two switches per train in the control room and simultaneous actuation of both switches in atrain can initiate a system level action to immediately close all MSlVs. The LCO requires two channels per train to be OPERABLE. The Unit 1 design does not include a system level manual steam line isolation capability. Unit 1 manual isolation ofthe MSIVs can be accomplished via the individual manual control switches for each MSIV. The capability to manually actuate each MSIV is an OPERABILITY requirement of Technical Specification 3.7 .2, "MSlVs." Steam Line lsolation - Automatic Actuation Loqic and Actuation RelavsThis LCO requires two trains to be OPERABLE. Actuation logic b.consists of all circuitry housed within including the initiating relay contactsthe ESF equipment.the actuation subsystems, responsible fo_r actuating Manual and automatic initiation of steam line isolation must be OPERABLE in MODES 1, 2, and 3 when there is.sufficient energy inthe RCS and SGs to have an SLB or other accident. This couldresult in the release of significant quantities of energy and cause a cooldown of the primary system. The Steam Line lsofation Functionis required in MODES 2 and 3 unless all MSIVs are closed and de-activated. In MODES 4, 5, and 6, there is insufficient energy in the RCS and SGs to experience an SLB or other accident releasing significant quantities of energy.c. Steam Line lsolation - Containment Pressure - lntermediateHiqh HiqhThis Function actuates closure of the MSIVs in the event of a LOCA or an SLB inside containment to maintain at least two unfaulted SGs as a heat sink for the reactor, and to limit the mass and energy release to containment. Containment Pressure - Intermediate High High provides no input to anycontrol functions. Thus, three OPERABLE channels aresufficient to satisfy protective req u irements with two-out-of-three logic. The transmitters and electronics will not experience any adverse environmental conditions, and the Trip Setpoint reflects only steady state instrument uncertainties.Beaver Valley Units 1 and 2 B 3.3.2 - 22 Revision 6 ESFAS lnstrumentationB 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)Containment Pressure - Intermediate High High must beOPERABLE in MODES 1 , 2, and 3, when there is sufficient energy in the primary and secondary side to pressurize the containment following a pipe break. This would cause a significant increase in the containment pressure, thus allowing detection and closure of the MSlVs. The Steam Line lsolation Function must be OPERABLE in MODES 2 and 3 unless all MSIVs are closed and de-activated. ln MODES 4, 5, and 6,there is not enough energy in the primary and secondary sides to pressurize the containment to the Containment Pressure -Intermediate High High setpoint.d. Steam Line lsolation - Steam Line Pressure (1) Steam Line Pressure - LowSteam Line Pressure - Low provides closure of theMSIVs in the event of an SLB to maintain two unfaultedSGs as a heat sink for the reactor, and to limit the mass and energy release to containment. This Function provides closure of the MSIVs in the event of a feed line break to ensure a supply of steam for the turbine driven AFW pump. Steam Line Pressure - Low was discussed previously under Sl Function 1.e. The Steam Line Pressure - Low Function must be OPERABLE in MODES 1,2, and 3 (above P-11), withany main steam valve open, when a secondary sidebreak or stuck open valve could result in the rapid depressurization of the steam lines. This signal may bemanually blocked by the operator below the P-1 1 setpoint. Below P-11, an inside containment SLB will beterminated by automatic actuation via Containment Pressure - lntermediate High High. Stuck valvetransients and outside containment SLBs will beterminated by the Steam Line Pressure - Negative Rate -High signal for Steam Line lsolation below P-11 when Slhas been manually blocked. The Steam Line lsolation Function is required in MODES 2 and 3 unless all MSIVsare closed and de-activated. This Function is notrequired to be OPERABLE in MODES 4,5, and 6because there is insufficient energy in the secondaryside of the unit to have an accident.Beaver Valley Units 1 and 2B 3.3.2 - 23 Revision 6 ESFAS lnstrumentationB 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) (2) Stearn Line Pressure - Neoative Rate - HighSteam Line Pressure - Negative Rate - High provides cfosure of the MSIVs for an SLB when less than the P-11 setpoint, to maintain two unfaulted SGs as a heat sink for the reactor, and to limit the mass and energy release tocontainment. When the operator manually blocks theSteam Line Pressure - Low main steam isolation signalwhen less than the P-1 1 setpoint, the Steam Line Pressure - Negative Rate - High signal is automaticallyenabled. Steam Line Pressure - Negative Rate - High provides no input to any control functions. Thus, three OPERABLE channels on each steam line are sufficient to satisfy requirements with a two-out-of-three logic on any steam line.Steam Line Pressure - Negative Rate - High must be OPERABLE in MODE 3 when less than the P-11 setpoint, when a secondary side break or stuck open valve could result in the rapid depressurization of thesteam line(s). In MODES 1 and 2, and in MODE 3, when above the P-11 setpoint, this signal is automatically disabled and the Steam Line Pressure - Low signal isautomatically enabled. The Steam Line lsolationFunction is required to be OPERABLE in MODES 2 and 3 unless all MSIVs are closed and de-activated. ln MODES 4, 5, and 6, there is insufficient energy in the primary and secondary sides to have an SLB or otheraccident that would result in a release of significant quantities of energy to cause a cooldown of the RCS.While the transmitters may experience elevated ambient temperatures due to an SLB, the Function is based on rate of change, not the absolute accuracy of the indicated steam pressure. Therefore, the Trip Setpoint reflects only steady state instrument uncertainties.

5. Turbine Trip and Feedwater lsolation The primary functions of the Turbine Trip and Feedwater lsolationsignals are to prevent damage to the turbine due to water in the steam lines, and to stop the excessive flow of feedwater into the SGs. These Functions are necessary to mitigate the effects of ahigh water level in the SGs, which could result in carryover of water into the steam lines and excessive cooldown of the primary system.The SG high water level is due to excessive feedwater flows.Beaver Valley Units 1 and 2 B 3.3.2 - 24 Revision 6 ESFAS InstrumentationB 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) a.The Function is actuated by an Sl signal or when the level in anySG exceeds the high high setpoint, and performs the following functions:

Trips the main turbine, Trips the MFW pumps, andInitiates feedwater isolation.Turbine Trip and Feedwater lsolation - Automatic Actuation Logic and Actuation Relavs This LCO requires two trains to be OPERABLE. Actuation logicconsists of all circuitry housed within the actuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment. Turbine Trip and Feedwater lsolation - Steam Generator Water Level - Hiqh Hiqh (P-14)The Allowable Value for this Function is specified in percent ofnarrow range instrument span. This signal provides protectionagainst excessive feedwater flow. The ESFAS SG water level instruments provide input to the SG Water Level Control System. Therefore, the actuation logic must be able to withstand both an input failure to the control system (which maythen require the protection function actuation) and a singlefailure in the other channels providing the protection functionactuation. Three OPERABLE channels on each SG satisfy the requirements with a two-out-of-three fogic on any SG. Three channels are acceptable in this application because functional separation between the protectron and control systems is accomplished by the use of a median signal selector switch.The transmitters do not experience a severe environment andtherefore, the trip setpoint reflects only steady state instrument uncertainties.

c. Turbine Trip and Feedwater lsolation - Safetv lniectionTurbine Trip and Feedwater lsolation is also initiated by all Functions that initiate Sl. The Feedwater lsolation Function requirements for these Functions are the same as the requirements for their Sl function. Therefore, the requirementsare not repeated in Table 3.3.2-1. lnstead, Function 1, Sl, is referenced for all initiating functions and requirements.

b.Beaver Valley Units 1 and 2 B3.32-25 Revision 6 ESFAS InstrumentationB 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)Turbine Trip and Feedwater lsolation Functions must be OPERABLE in MODES 1, 2, and 3 except when all Main Feedwater l-ines are isolated by either closed and deactivated MFlVs, or MFRVs andassociated bypass valves, or closed manual valves. In theseMODES the MFW System and turbine generator may be in service.In MODES 4, 5, and 6, the MFW System and the turbine generator are not in service and this Function is not required to be OPERABLE.6. Auxiliarv FeedwaterThe AFW System is designed to provide a secondary side heat sink for the reactor in the event that the MFW System is not avallable. The system has two motor driven pumps and a turbine driven pump, making it available during normal unit operation, during a loss of AC power, a loss of MFW, and during a Feedwater System pipe break.The normal source of water for the AFW System is the Primary Plant Demineralized Water Storage Tank. The River Water (Unit 1) and Service Water (Unit 2) systems provide a backup source of water forthe AFW System. The AFW System is aligned so that upon a pumpstart, flow is initiated to the SGs immediately. Auxiliary Feedwater - Automatic Actuation Loqic and Actuation RelavsThis LCO requires two trains to be OPERABLE. Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment. Auxiliarv Feedwater - Steam Generator Water Level - Low LowThe Allowable Value for this Function is specified in percent ofnarrow range instrument span. SG Water Level - Low Low provides protection against a loss of heat sink. A feed line break, inside or outside of containment, or a loss of MFW, wouldresult in a loss of SG water level. The actuation of two-out-of-three channels of SG Low-Low Level on any one SG will startthe turbine-driven AFW pump. The actuation of two-out-of-three channels of SG Low-Low Level on any two SGs will start the motor-driven AFW pumps. SG Water Level - Low Low providesinput to the SG Level Control System. Therefore, the actuationlogic must be able to withstand both an input failure to thecontrol system which may then require a protection function actuation and a single failure in the other channels providing the a.b.Beaver Valtey Units 1 and 2 B3.32-26Revision 6 ESFAS InstrumentationB 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) protection function actuation. Three OPERABLE channels perSG are required to satisfy the requirements with two-out-of{hreelogic. Three channels are acceptable in this application because functional separation between the protection andcontrol systems is accomplished by the use of a median signal selector switch.With the transmitters possibly experiencing adverse environmental conditions (feed line break), the Trip Setpoint reflects the inclusion of both steady state and adverseenvironmental instrument uncertainties.c. Auxiliarv Feedwater - Safetv lnjectionAn Sl signal starts the motor driven and turbine driven AFW pumps. The AFW initiation functions are the same as the requirements for their Sl function. Therefore, the requirementsare not repeated in Table 3.3.2-1. Instead, Function 1, Sl, is referenced for all initiating functions and requirements.Functions 6.a through 6.c must be OPERABLE in MODES 1, 2,and 3 to ensure that the SGs remain the heat sink for the reactor.AFW pump start is described on previous page. These Functions donot have to be OPERABLE in MODES 5 and 6 because there is notenough heat being generated in the reactor to require the SGs as aheat sink. In MODE 4, AFW actuation does not need to be OPERABLE because *ither AFW or residual heat removal (RHR) will already be in operation to remove decay heat or sufficient time isavailable to manually place either system in operation. Auxiliary Feedwater - Undervoltaqe Reactor Coolant PumpA loss of power on the buses that provide power to the RCPs provides indication of a pending loss of RCP forced flow in the RCS. A loss of power on two or more RCPs, wifl start the turbine driven AFW pump to ensure that two SGs containenough water to serve as the heat sink for reactor decay heatand sensible heat removal following the reactor trip.Auxiliarv Feedwater - Trip of All Main Feedwater Pumps A Trip of all MFW pumps is an indication of a loss of MFW and the subsequent need for some method of decay heat andsensible heat removal to bring the reactor back to no load temperature and pressure. The MFW pumps are equipped with d.e.Beaver Valley Units 1 and 2 B3.32-27 Revision 6 ESFAS InstrumentationB 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)a breaker position sensing device. An open supply breaker indicates that the pump is not running. A trip of all running MFVV 'pumps (two-out-of-two MFW pump breakers open with either pump control switch in the after-start position) starts the motor driven AFW pumps to ensure that two SGs are available with water to act as the heat sink for the reactor.For Unit 1 only, the "A" and "B" MFW pumps each have tandemelectric motors. The circuits that accomplish starting of both motor driven AFW pumps upon the tripping of both MFW pumps include a cell switch contact on each of the four tandem motor pump breakers. Actuation of the MFW pump motor breakerscell switches results in the closure of two series contacts in the start circuit for each motor driven AFW pump. The motor driven AFW pump start signals are then generated provided that either MFW pump control switch is in the after-start position. Although there are two actuation channels per MFW pump, Table 3.3.2-1 Function 6.e r.equires one channel per MFW pump to be OPERABLE. The combination of these cell switches and associated circuitry that comprise the required channels of "oneper pump" must be capable of initiating a start signal to at least one of the two motor driven AFW pumps upon the tripping of both MFW pumps. Therefore, a Table 3.3.2-1 Function 6.e required channel consists of a motor breaker cell switch on oneof the tandem motors breakers and the required circuitry (including MFW pump control switches contacts) up to and including the series contact in the motor driven AFW pump actuation circuit. lf one or both MFW pump trip channelsassociated with the start of the same train of motor driven AFW pump are inoperable, the required channels of "one per pump" continues to be met provided that the remaining trip channels are OPERABLE and capable of generating a sta5t signal for theother motor driven AFW pump train.For Unit 2only, the "A" and "B" MFW pumps each have tandem electric motors. The circuits that accomplish starting of both motor driven AFW pumps upon the tripping of both MFW pumps consist of a pump motor breaker cell switch contact on the designated "A" MFW pump motor and a breaker cell switch contact on the designated "B" MFW pump motor. The other "A" and "B" MFW pump motor cell switches are not utilized to directly start the motor driven AFW pumps. Actuation of the "A" and "B" MFW pump motor breakers cell switches results in the closure of two series contacts and the generation of a startsignal for the "A" and "8" motor driven AFW pumps provided thateither MFW pump control switch is in the after-start position.Beaver Valley Units 1 and 2B 3.3.2 - 28Revision 22 ESFAS InstrumentationB 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)There is a "one per pump" actuation channel associated with the designated "A" MFW pump motor breaker cell switch and a "oneper pump" actuation channel associated with the designated "8" MFW pump motor breaker cell switch. Therefore, in order to meet the "one per pump" requirement specified in Table 3.3.2-1,a channel consisting of a motor breaker cell switch for "A" MFW pump motor and a motor breaker cell switch for the "B" MFW pump motor and the required circuitry (including MFW pump control switches contacts) up to and including the seriescontacts in the motor driven AFW pumps actuation circuits mustbe OPERABLE. Functions 6.d and 6.e must be OPERABLE in MODES 1 and 2. This ensures that two SGs are provided with water to serve as the heatsink to remove reactor decay heat and sensible heat in the event ofan accident. In MODES 3, 4, and 5, the RCPs and MFW pumps maybe normally shut down, and thus neither pump trip is indicative of acondition requiring automatic AFW initiation.

7. Automatic Switchover to Containment Sump At the end of the injection phase of a LOCA, the RWST will be nearlyempty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is automatically switched to the containment recirculation sump.

ln Unit 1, the low head Sl (LHSI) pumps and containment recirculation spray (RS) pumps draw water from the containment sump. The RSpumps pump the water through the RS heat exchanger to the recirculation spray headers. The LHSI pumps circulate the waterback to the reactor and provide suction to the High Head Sl (HHSI)pumps. In Unit 2, during the recirculation phase, one RS pump per train provides the low head injection function and suction to the HHSI pump and one RS pump per train provrdes the recirculation spray function. Both the Unit 2 RS pumps on each train draw water from the containment sump and pump water through an RS heat exchanger. Switchover from the RWST to the containment sumpmust occur before the RWST empties to prevent damage to the pumps and a loss of core cooling capability. For similar reasons,switchover must not occur before there is sufficient water in the containment sump to support ESF pump suction. Furthermore, earlyswitchover must not occur to ensure that sufficient borated water is injected from the RWST. This ensures the reactor remains shutdown in the recirculation mode.Beaver Valley Units 1 and 2 B33.2-29 Revision 22 ESFAS InstrumentationB 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) a.Automatic Switchover to Containment Sump - Automatic Actuation Loqic This LCO requires two trains to be OPERABLE. The trains consist of the actuation logic and associated master relays for this Function. The actuation logic consists of all circuitry housedwithin the actuation subsystems. The LCO for this Function does not include requirements for slave relay OPERABILITY. The SRs for this Function do not include a SLAVE RELAY TESTdue to equipment safety concerns if such a test was performed at power. The verification of required slave relay OPERABILITYfor this Function is included in LCO 3.5.2, ECCS - Operating (SRs 3.5.2.5 and 3.5.2.6). These ECCS SRs are 18 monthSurveillances that allow the required SLAVE RELAY TEST to be performed safely. Therefore, LCO 3.5.2 addresses the OPERABILITY of the slave relays for this Function.Automatic Switchover to Containment Sump - Refuelinq WaterStoraqe Tank (RWST) Level Extreme Low Coincident With Safety lnjection During the injection phase of a LOCA, the RWST is the source of water for all ECCS pumps. A Level Extreme Low in the RWST coincident with an Sl signal provides protection against a loss of water for the ECCS pumps and indicates the end of the injection phase of the LOCA. The Sl interlock is maintained by latching relays until reset manually. The RWST is equipped withfour level transmitters. These transmitters provide no control functions. Therefore, a two-out-of-four logic is adequate to initiate the protection functron actuation. Although only threechannels would be sufficient, a fourth channel has been addedfor increased reliability due to the energize to trip design of these channels.The RWST Level Extreme Low Allowable Value has both upperand lower limits. The lower limit is selected to ensure switchover occurs before the RWST empties, to prevent ECCS pump damage. The upper limit is selected to ensure enough borated water is injected to ensure the reactor remains shutdown. The upper limit also ensures adequate water inventory inthe containment sump to provide ECCS pump suction.The transmitters will not experience any adverse environmental conditions and, therefore, the trip setpoint reflects only steadystate instrument uncertainties. b.Beaver Valley Units 1 and 2 B 3.3.2 - 30 Revision 22 ESFAS lnstrumentation B 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) Automatic switchover occurs only if the RWST Level ExtremeLow signal is coincident with Sl. This prevents accidental switchover during normal operation. Accidental switchover could damage ECCS pumps if they are attempting to take suction from an empty sump. The automatic switchover Function requirements for the Sl Functions are the same as the requirements for their Sl function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, Sl, is referenced for all initiating Functions and requirements.These Functions must be OPERABLE in MODES 1, 2; 3, and 4when there is a potential for a LOCA to occur, to ensure a continued supply of water for the ECCS pumps. These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting systems, pumps,and other equipment to mitigate the consequences of an abnormal condition or accident. System pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented fromactuating to prevent inadvertent overpressurization of unit systems.B. Enqineered Safetv Feature Actuation System Interlocks To allow some flexibility in unit operations, several interlocks are included as part of the ESFAS. These interlocks permit the operatorto block some signals, automatically enable other signals, preventsome actions from occurring, and cause other actions to occur. Theinterlock Functions back up manual actions to ensure bypassable functions are in operation under the conditlons assumed in thesafety analyses

a. Enqineered Safety Feature Actuation System lnterlocks

-Reactor Trip, P-4The P-4 interlock is enabled when a reactor trip breaker (RTB)and its associated bypass breaker is open. Although Slactuation may be manually reset after a75 second delay, tf P-4is enabled, subseguent automatic Sl initiation is blocked untilP-4 is reset (RTBs closed). This Function allows operators to take manual control of Sl systems after the initial phase of injection is complete without further automatic Sl actuations taking place. The functions of the P-4 interlock are: Beaver Valtey Units 1 and 2 B 3.3.2 - 31 Revision 22 ESFAS lnstrumentationB 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) Trip the main turbine, lsolate MFW Regulating Valves with coincident low Tuun, Prevent automatic reactuation of Sl after a manual reset ofSl, and Prevent opening of the MFW isolation valves if they were closed on Sl or SG Water Level - High High with low Tron.Each of the above Functions is interlocked with P-4 to avert orreduce the continued cooldown of the RCS following a reactor trip. An excessive cooldown of the RCS following a reactor tripcould cause an insertion of positive reactivity with a subsequent increase in generated power or could result in an Sl actuation.To avoid such a situation, the noted Functions have been interlocked with P-4 as part of the design of the unit control and protection system.None of the noted Functions serves a mitigation function in the unit licensing basis safety analyses. Only the turbine trip and isolation of the MFW Regulating Valves coincident with low Tuun Functions are explicitly assumed since they are an immediate consequence of the reactor trip Function. However, none of theP-4 Functions listed above associated with the reactor trip signal, is required to show that the unit licensing basis safety analysis acceptance crrteria are not exceeded.The RTB position switches that provide input to the P-4 interlockonly function to energrze or de-energize or open or closecontacts. Therefore, this Function has no adjustable trip setpoint with which to associate a trip setpoint and Allowable Value.This Function must be OPERABLE in MODES 1, 2, and 3 whenthe reactor may be critical or approaching criticality. This Function does not have to be OPERABLE in MODE 4, 5, or 6because there is insufficient energy in the secondary side of the unit to cause an excessive cooldown transient.

b. Enqineered Safety Feature Actuation System lnterlocks

-Pressurizer Pressure, P-1 1 The P-1 1 interlock permits a normal unit cooldown anddepressurization without actuation of Sl or main steam line isolation. With two-out-of-three pressurizer pressure channels Beaver Valley Units 1 and 2 B3.32-32 Revision 22 ESFAS lnstrumentationB 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)(discussed previously) less than the P-11 setpoint, the operator can manually block the Pressurizer Pressure - Low and SteamLine Pressure - Low Sl signals and the Steam Line Pressure -Low steam line isolation signal (previously discussed). Whenthe Steam Line Pressure - Low steam line isolation signal is manually blocked, a main steam isolation signal on Steam Line Pressure - Negative Rate - High is enabled. This provides protection for an SLB by closure of the MSlVs. With two-out-of{hree pressurizer pressure channels above the P-11 setpoint, the Pressurizer Pressure - Low and Steam Line Pressure - Low Sf signals and the Steam Line Pressure - Low steam line isolation signal are automatically enabled. The operator can also enable these trips by use of the respectivemanual reset switches. When the Steam Line Pressure - Low steam line isolation signal is enabled, the main steam isolationon Steam Line Pressure - Negative Rate - High is disabled. TheTrip Setpoint reflects only steady state instrument uncertainties.This Function must be OPERABLE in MODES 1 , 2, and 3 toallow an orderly cooldown and depressurization of the unitwithout the actuation of Sl or main steam isolation. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because system pressure must already be below the P-11setpoint for the requirements of the heatup and cooldown curvesto be met.

c. Enqineered Safetv Feature Actuation System lnterlocks

-T"uo - Low Low, P-12 On increasing reactor coolant temperature, the P-l2interlock provides an arming signal to the Steam Dump System. On adecreasing temperature, the P-12 interlock removes the armingsignal to the Steam Dump System to prevent an excessivecooldown of the RCS due to a malfunctioning Steam DumpSystem. Although the P-12 interlock Function provides protection that helps prevent an excessive cooldown event, it isnot credited in any safety analysis as the primary actuationinstrumentation necessary to mitigate a design basis accident.Since T,un is used as an indication of bulk RCS temperature, this Function meets redundancy requirements with one OPERABLEchannel in each loop. These channels are used intwo-out-of-three logic. Although Tuun is used for control systeminput, three channels are acceptable in this application because functional separation between the protection and controlsystems is accomplished by the use of a median signal selector.Beaver Valley Units 22B 3.3.2 - 33 ESFAS InstrumentationB 3.3.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)This Function must be OPERABLE in MODES 1, 2, and 3 when a malfunction of the Steam Dump System could result in an excessive cooldown of the RCS. This Function does not have tobe OPERABLE in MODE 4,5, or 6 because there is insufficientenergy in the secondary side of the unit to cause an excessiveRCS cooldown event.The ESFAS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2Xii). ACTIONSA Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed on Table 3.3.2-1. When the Required Channels in Table 3.3.2-1 are specified (e.9., on a persteam line, per loop, per SG, etc., basis), then the Condition may beentered separately for each steam line, loop, SG, etc., as appropriate. In the event a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument Loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected.When the number of inoperable channels in a trip function exceed those specified in one or other related Conditions associated with a trip function,then the unit is outside the safety analysis. Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE of operation. A.1Condition A applies to all ESFAS protection functions. Condition A addresses the situation where one or more channels or trainsfor one or more Functions are inoperable at the same time. TheRequired Action is to refer to Table 3.3.2-1 and to take the RequiredActions for the protection functions affected. The Completion Times arethose from the referenced Conditions and Required Actions.8.1,8.2.1, and 8.2.2Condition B applies to manual initiation of. SI, Containment Spray, Beaver Valley Units 1 and 2B 3.3.2 - 34 Revision 22 ESFAS InstrumentationB 3.3.2 BASESACTIONS (continued)Phase A lsolation, andPhase B lsolation. In addition, Condition B applies to the Automatic Actuation Logic for theAutomatic Switchover to the Containment Sump Function. This actionaddresses the train orientation of the SSPS for the functions listed above. lf a channel or train is inoperable, 48 hours is allowed to return it to anOPERABLE status. Note that for containment spray and Phase B isolation, failure of one or both channels in one train renders the traininoperable. Condition B, therefore, encompasses both situations. Thespecified Completion Time is reasonable considering that there are twoautomatic actuation trains and another manual initiation train OPERABLE for each manual Function, and the low probability of an event occurring during this interval. In the case of the Automatic Actuation Logic for theContainment sump switchover, the Completion Time is reasonable considering that the other automatic actuation logic train is OPERABLEand that manual actions may be taken to align the required equipment tothe containment sump. lf the train cannot be restored to OPERABLE status, the unit must be placed in a MODE in which the LCO does not apply. This is done by placing the unit in at least MODE 3 within an additional 6 hours (54 hours total time) and in MODE 5 within an additional 30 hours (84 hours total time). The allowable CompletionTimes are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly mannerand without challenging unit systems:C.1, C.2.1, and C.2.2Condition C applies to the automatic actuation logic and actuatron relaysfor the following functions: SI,Containment Spray, Phase A lsolation, andPhase B lsolation.This Action Condition is intended to address an inoperability of the actuation logic or relays associated with an ESFAS traln that affects theintegrated ESFAS response to an actuation signal. The Completion Timeof this ACTION (24 hours) is based on the assumption that rnultiple ESFBeaver Valley Units 1 and 2 B 3.3.2 - 35 Revision 22 ESFAS lnstrumentationB 3.3.2 BASESACTIONS (continued) components within a train are affected by the failure of the actuation logic or relays. Therefore, the Completion Time of this Action is appropriate and applicable whenever more than one ESF System is affected by the inoperable train of logic or relaysHowever, if one or more inoperable actuation relays in an ESFAS train only affect a single ESF component or system, the applicable Actions Condition for the affected ESF component or system should be entered and the Completion Time of this Action Condition is not appropriate or applicable. This action addresses the train orientation of the SSPS and the master and slave relays. lf one train is inoperable, 24 hours are allowed to restore the train to OPERABLE status. The 24 hours allowed for restoring the inoperable train to OPERABLE status is justified in Reference 7. The specified Completion Time is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. lf the train cannot be restored to OPERABLE status, the unit must be placed in a MODE in which theLCO does not apply. This is done by placing the unit in at least MODE 3 within an additional 6 hours (30 hours total time) and in MODE 5 within an additional 30 hours (60 hours total time). The Completion Times are reasonable, based on operating experience, to reach the required unitconditrons from full power conditions in an orderly manner and without challenging unit systems. The Required Actions are modified by a Note that allows one train to bebypassed for up to 4 hours for surveillance testing, provided the othertrain is OPERABLE. This allowance is based on the reliability analysisassumption of WCAP-10271-P-A (Reference

5) that 4 hours is the average time required to perform train surveillance.

Planned Maintenance and Tier 2 RestrictionsConsistent with the NRC Safety Evaluation (SE) requirements for WCAP-14333-P-A, Rev. 1 (Reference 7), lier 2 insights must be included in thedecision making process before removing a logic train from service and implementing the extended (risk-informed) Completion Time for a logic train approved in Reference

9. These "Tier 2 restrictions" are considered to be necessary to avoid risk significant plant configurations during the time a logic train is inoperable.

Beaver Valley Units 1 and 2 B3.32-36Revision 22 ESFAS lnstrumentationB 3.3.2 BASESACTIONS (continued)Entry into Condition C for an inoperable logic train is not a typical, pre-planned evolution during the MODES of Applicability for this equipment, other than when necessary for surverllance testing. Since Condition C may be entered due to equipment failure, some of the Tier 2 restrictionsdiscussed below may not be met at the time of Condition C entry. In addition, it is possible that equipment failure may occur after the logic train is removed from service for surveillance testing or plannedmaintenance, such that one or more of the required Tier 2 restrictions areno longer met. In cases of equipment failure, the programs and procedures in place to address the requirements of 10 CFR 50.65(aX4) require assessment of the emergent condition with appropriate actionstaken to manage risk. Depending on the specific situation, these actions could include activities to restore the inoperable logic train and exit theCondition, or to fully implement the Tier 2 restrictions, or to perform a unitshutdown, as appropriate from a risk management perspective. The following Tier 2 restrictions on concurrent removal of certain equipment will be implemented as described above when enteringCondition C when a logic train is inoperable: To preserve ATWS mitigation capability, activities that degrade theavailability of the auxiliary feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbinetrip should not be scheduled when a logic train is inoperable. To preserve LOCA mitigation capability, one complete ECCS trainthat can be actuated automatically must be maintained. Note that Technical Specification 3.5.2, ECCS Operating, ensures that this restriction is met. Therefore, this restriction does not have to be implemented by a separate procedure or program.To preserve reactor trip and safeguards actuation capability, activitiesthat cause master relays or slave relays in the available train andactivrties that cause analog channels to be unavallable should not be scheduled when a logic train is inoperable.Activities on electrical systems (AC and DC power) and cooling systems (service water and component cooling water) that support thesystems or functions listed in the first three bullets should not be schedufed when a logic train is inoperable, That is, one complete train of a function that supports a complete train of a function noted above must be available. Beaver Valley Units 1 and 2 B332-37 Revision 22 ESFAS InstrumentationB 3.3.2 BASES ACTIONS (continued) D.1 , D.2.1 . and D.2.2Condition D applies to:. Containment Pressure - High,' Pressurizer Pressure - Low.. Steam Line Pressure - Low, Containment Pressure - lntermediate - High High, Steam Line Pressure - Negative Rate - High, SG Water level - Low Low.SG Water level - High High (P-14), andRWST Level Low.lf one channel is inoperable, 72 hours are allowed to restore the channelto OPERABLE status or to place it in the tripped condition. Generally thisCondition applies to functions that operate on two-out-of-three logic.Therefore, failure of one channel places the Function in a two-out-of{woconfiguration. One channel must be tripped to place the Function in aone-out-of-two configuration that satisfies redundancy requirements. Forthe Functions listed above, other than RWST Level Low, Ihe72 hoursallowed to restore the channel to OPERABLE status or to place it in thetripped condition is justified in Reference 7. For RWST Level Low, the72 hours allowed to restore the channel to OPERABLE status or to placeit in the tripped condition is justified in Reference 9.Failure to restore the inoperable channel to OPERABLE status or place itin the tripped condition within 72 hours requires the unit be placed in MODE 3 within the following 6 hours and MODE 4 within the next 6 hours.The allowed Completion Times are reasonable, based on operatingexperience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. InMODE 4, these Functions are no longer required OPERABLE.The Required Actions are modified by a Note that allows the inoperable channel to be bypassed for up to 12 hours for surveillance testing of other channels. The 12 hours allowed for testing, are justified in References 7and 9.Beaver Valley Units 1 and 2B 3.3.2 - 38 Revision 22 ESFAS lnstrumentationB 3.3.2 BASESACTIONS (continued)E.1, E.2.1, and E.2.2 Condition E applies to: Containment Spray Containment Pressure - High High, and Containment Phase B lsolation Containment Pressure - High None of these signals has input to a control function. Thus, two-out-ofthree logic is necessary to meet acceptable protective requirements. However, a two-out-of-three design would require tripping a failed channel. This is undesirable because a single failure would then cause spurious containment spray initiation. Spurious spray actuation is undesirable because of the cleanup problems presented. Therefore, these channels are designed with two-out-of-four logic so that a failedchannel may be bypassed rather than tripped. Note that one channel may be bypassed and still satisfy the single failure criterion. Furthermore, with one channel bypassed, a single instrumentation channel failure willnot spuriously initiate containment spray.To avoid the inadvertent actuation of containment spray and Phase B containment isolation, the inoperable channel should not be placed in the tripped condition. Instead it is bypassed. Restoring the channel to OPERABLE status, or placing the inoperable channel in the bypass condition within 72 hours, is sufficient to assure that the Function remains OPERABLE and minimizes the time that the Function may be in a partial trip condition (assuming the inoperable channel has failed high). The 72 hours allowed to restore the channel to OPERABLE status or to placeit in the bypassed condition is justified in Reference 7. The CompletionTime is further justified based on the low probability of an event occurringduring this interval. Failure to restore the inoperable channel to OPERABLE status, or place it in the pypassed condition within 72 hours,requires the unit be placed in MODE 3 within the following 6 hours andMODE 4 within the next 6 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unitcondrtions from full power conditions in an orderly manner and without challenging unit systems. In MODE 4, these Functions are no longer required OPERABLE.The Required Actions are modified by a Note that allows one channel tobe bypassed for up to 12 hours for surveillance testing. Placing a second channel in the bypass condition for up to 12 hours fortesting purposes is acceptable based on the results of Reference 7. Beaver Valley Units 1 and 2 B 3.3.2 - 39 Revision 22 ESFAS lnstrurnentationB 3.3.2 BASESACTIONS (continued) F.2and F.2.2Condition F applies to:The Unit 2 Manual Initiation of Steam Line lsolation, andP-4 Interlock.For the Manual lnitiation and the P-4 Interlock Functions, this actionaddresses the train orientation of the SSPS. lf a train or channel isinoperable, 48 hours is allowed to return it to OPERABLE status. Thespecified Completion Time is reasonable considering the nature of these Functions, the available redundancy, and the low probability of an eventoccurring during this interval. lf the Function cannot be returned toOPERABLE status, the unit must be placed in MODE 3 within the next6 hours and MODE 4 within the following 6 hours. The allowed Completion Times are reasonable, based on operating experience, toreach the required unit conditions from full power in an orderly manner and without challenging unit systems. In MODE 4, the unit does not haveany analyzed transients or conditions that require the explicit use of the protection functions noted above. G.2 and G.2.2 Condition G applies to the automatic actuation logic and actuation relays for the Steam Line lsolation, Turbine Trip and Feedwater lsolation, and AFW actuation Functions.This Action Condition is intended to address an inoperability of the actuation logic or relays associated with an ESFAS train that affects theintegrated ESFAS response to an actuation signal. The Completion Timeof this ACTION (24 hours) is based on the assumption that multiple ESF components within a train are affected by the failure of the actuation logicor relays. Therefore, the Completion Time of this Action is appropriateand applicable whenever more than one ESF System is affected by theinoperable train of logic or relays.However, if one or more inoperable actuation relays in an ESFAS train only affect a single ESF component or system, the applicable Actions Condition for the affected ESF component or system should be entered and the Completion Time of this Action Condition is not appropriate or applicable. G.1 Beaver Valley Units 1 B33.2-40Revision 22 ESFAS lnstrumentationB 3.3.2 BASESACTIONS (continued) The action addresses the train orientation of the SSPS and the masterand slave relays for these functions. lf one train is inoperable, 24 hoursare allowed to restore the train to OPERABLE status. The 24 hours allowed for restoring the inoperable train to OPERABLE status is justified in Reference 7. The Completion Time for restoring a train to OPERABLE status is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. lf thetrain cannot be returned to OPERABLE status, the unit must be broughtto MODE 3 within the next 6 hours and MODE 4 within the following 6 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.Placing the unit in MODE 4 removes all requirements for OPERABILITYof the protection channels and actuation functions. In this MODE, the unit does not have analyzed transients or conditions that require the explicituse of the protection functions noted above.The Required Actions are modified by a Note that allows one train to be bypassed for up to 4 hours for surveillance testing provided the other train is OPERABLE. This allowance rs based on the reliability analysis (Reference 5) assumption that 4 hours is the average time required to pedorm train surveillance. Planned Maintenance and Tier 2 Restrictions Consistent with the NRC Safety Evaluation (SE) requirements for WCAP-14333-P-A, Rev. 1 (Reference 7), Tier 2 insights must be included in the decision making process before removing a logic train from service andimplementing the extended (risk-informed) Completion Time for a logictrain approved in Reference 9. These "Tier 2 restrictions" are consideredto be necessary to avoid risk significant plant confrgurations during thetime a logic train is inoperable.Entry into Condition G for an inoperable logic train is not a typical, pre-planned evolution during the MODES of Appticability for this equipment, other than when necessary for surveillance testing. Since Condition G may be entered due to equipment failure, some of the Tter 2 restrictionsdiscussed below may not be met at the time of Condition G entry. ln addition, it is possible that equipment failure may occur after the logic train is removed from service for surveillance testing or plannedmaintenance, such that one or more of the required Tier 2 restrictions areno longer met. In cases of unplanned equipment failure, the programs and procedures in place to address the requirements of 10 CFR 50.65(a)(4) require assessment of the emergent condition with Beaver Valley Units 1 and 2 B 3.3.2 - 41 Revision 22 ESFAS InstrumentationB 3.3.2 BASES ACTIONS (continued)appropriate actions taken to manage risk. Depending on the specificsituation, these actions could include activities to restore the inoperable logic train and exit the Condition, or to fully implement the Tier 2 restrictions, or to perform a unit shutdown, as appropriate from a risk management perspective.The following Tier 2 restrictions on concurrent removal of certainequipment will be implemented as described above when enteringCondition G when a logic train is inoperable: o To preserve ATWS mitigation capability, activities that degrade theavailability of the auxiliary feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbinetrip should not be scheduled when a logic train is inoperable.. To preserve LOCA mitigation capability, one complete ECCS trainthat can be actuated automatically must be maintained. Note that Technical Specification 3.5.2, ECCS Operating, ensures that thisrestriction is met. Therefore, this restriction does not have to be implemented by a separate procedure or program.r To preserve reactor trip and safeguards actuation capability, activitiesthat cause master relays or slave relays in the available train andactivities that cause analog channels to be unavailable should not bescheduled when a logic train is inoperable. o Activities on electrical systems (AC and DC power) and cooling systems (service water and component cooling water) that support thesystems or functions listed in the first three bullets should not be scheduled when a logic train is inoperable. That is, one complete train of a function that supports a complete train of a function noted above must be available. H.1 and H.2Condition H applies to:. Undervoltage Reactor Coolant Pump.lf one channel is inoperable, 72 hours are allowed to restore one channel to OPERABLE status or to place it in the tripped condition. lf placed in the tripped condition, the Function is then in a partial trip condition where one-out-of-two logic will result in actuation. Failure to restore theinoperable channel to OPERABLE status or place it in the tripped condition within 72 hours requires the unit to be placed in MODE 3 withinBeaver Valley Units 1 and 2 B 3.3.2 - 42Revision 22 ESFAS I nstrurnentationB 3.3.2 BASES ACTIONS (continued)the following 6 hours. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems. In MODE 3, these Functions are no longer required OPERABLE.The Required Actions are modified by a Note that allows the inoperable channel to be bypassed for up to 12 hours for surveillance testing of other channels. The 72 hours allowed to place the inoperable channel in thetripped condition, and the 12 hours allowed for a second channel to be inthe bypassed condition for testing, are justified in Reference 7.1.1 and 1.2 Condition I applies to the motor driven AFW pump start on trip of all MFW pumps. The OPERABILITY of the AFW System must be assured byallowing automatic start of the motor driven AFW System pumps.For Unit 1 only, the Required Action for Condition I to restore the channel to OPERABLE status is applicable when (three out of the four MFW pumps trip channels are inoperable) or (two out of four channels not associated with the same motor driven AFW pump are inoperable). Inthese two cases, a start of either motor driven AFW pump can no longerbe initiated due to a trip of all MFW pumps. A detailed description of theactuation circuit(s) is provided in the Bases for Function 6.e of this Specification.For Unit 2 only, the Required Action for Condition I to restore the channelto OPERABLE status is applicable when one MFW pump's trip channel is inoperable. ln this case, a start of either motor driven AFW pump can nolonger be initiated due to a trip of all MFW pumps. A detailed descriptionof the actuation circuit is provided in the Bases for Function 6.e of this Specification. lf a channel is inoperable, 48 hours are allowed to return it to anOPERABLE status. lf the function cannot be returned to an OPERABLEstatus, 6 hours are allowed to place the unit in MODE 3. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderlymanner and without challenging unit systems. ln MODE 3, the unit doesnot have any analyzed transients or conditions that require the explicituse of the protection function noted above. The allowance of 48 hours toreturn the train to an OPERABLE status is justified in Reference 5.Beaver Valley Units 1 and 2 B 3.3.2 - 43Revision 22 ESFAS lnstrumentationB 3.3.2 BASESACTIONS (continued) J.2and J.2.2Condition J applies to.RWST Level Extreme Low Coincident with Safety lnjection.RWST Level Extreme Low Coincident with Sl provides actuation ofswitchover to the containment sump. Note that this Function requires the bistables to energize to perform their required action. The failure of up totwo channels will not prevent the operation of this Function. However, placing a failed channel in the tripped condition could result in a premature switchover to the sump, prior to the injection of the minimumvolume from the RWST. Placing the inoperable channel in bypass results in a two-out-of-three logic configuration, which satisfies the requirement toallow another failure without disabling actuation of the switchover whenrequired. Restoring the channel to OPERABLE status or placing theinoperable channel in the bypass condition within 72 hours is sufficient to ensure that the Function remains OPERABLE, and minimizes the timethat the Function may be in a partial trip condition (assuming theinoperable channel has failed low). lf the channel cannot be returned to OPERABLE status or placed in the bypass condition within 72 hours, theunit must be brought to MODE 3 within the following 6 hours and MODE 5 within the next 30 hours. The allowed Completion Times are reasonable,based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 5, the unit does not have any analyzed transients or conditions that require the explicit use of the protection function noted above.The Required Actions are modified by a Note that allows placing a channel in the bypass condition for up to 12 hours for surveillancetesting. The 72 hours to place a channel in bypass and the total of78 hours to reach MODE 3 and 12 hours for a second chdnnel to bebypassed are justified in Reference 9. K1 , K.2.1. and K.2.2 Condition K applies to the P-11and P-12 interlocks. With one or more channels inoperable, the operator must verify that theinterlock is in the required state for the existing unit condition. This action manually accomplishes the function of the interlock. Beaver Valley UnitsB 3.3.2 - 44 Revision 22 ESFAS lnstrumentationB 3.3.2 BASESACTIONS (continued) Determination must be made within t hour and may be made byobservation of the associated permissive annunciator window(s)(bistable status lights or computer checks). The t hour Completion Time is equal to the time allowed by LCO 3.0.3 to initiate shutdown actions in the event of a complete loss of ESFAS function. lf the interlock is not inthe required state (or placed in the required state) for the existing unit condition, the unit must be placed in MODE 3 within the next 6 hours andMODE 4 within the following 6 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the requiredunit conditions from full power conditions in an orderly manner and without challenging unit systems. Placing the unit in MODE 4 removesall requirements for OPERABILITY of these interlocks. SURVEILLANCE REQUIREMENTS The SRs for each ESFAS Function are identified by the SRs column ofTable 3.3.2-1. A Note has been added to the SR Table stating that Table 3.3.2-1 determines which SRs apply to which ESFAS Functions. Note that each channel of process protection supplies both trains of theESFAS. When testing Channel l, Train A and Train B must be examined.Similarly, Train A and Train B must be examined when testing Channel ll, Channel lll, and Channel lV (if applicable). The CHANNELCALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies.sR 3.3.2.1Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is performed only on those channels that have channel parameterdisplays available. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. lt is based on the assumption that instrument channelsmonitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels couldbe an indication of excessive instrument drift in one of the channels or ofsomething even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Beaver Valley Units 1 and 2 B332-45Revisron 22 ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE REQUI REMENTS (continued) Agreement criteria are determined by the unit staff, based on acombination of the channel instrument uncertainties, including indicationand readability. lf a channel is outside the criteria, it may be an indicationthat the sensor or the signal processing equipment has drifted outside its limit.The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal,but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.sR 3.3.2.2SR 3.3.2.2 is the performance of an ACTUATION LOGIC TEST. The SSPS is tested every 92 days on a STAGGERED TEST BASIS, using the semiautomatic tester. The train being tested is placed in the bypasscondition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable perrnissives, are tested for each protection function. lnaddition, the master relay coil is pulse tested for continuity. This verifiesthat the logic modules are OPERABLE and that there is an intact voltage signal path to the master relay coils. The Frequency of every 92 days ona STAGGERED TEST BASIS is justified in Reference 8.sR 3.3.2.3SR 3.3.2.3 is the performance of a MASTER RELAY TEST. TheMASTER RELAY TEST is the energizing of the master relay, verifyingcontact operation and a low voltage continuity check of the slave relay coil. Upon master relay contact operation, a low voltage is injected to the slave relay coil. This voltage is insufficient to pick up the slave relay, butlarge enough to demonstrate signal path continuity. This test is performed every 92 days on a STAGGERED TEST BASIS. TheFrequency of every 92 days on a STAGGERED TEST BASIS is justifiedin Reference 8. The time allowed for the testing (4 hours) is justified in Reference 5.Beaver Valley Units 1 and 2 B3.32-46Revision 22 ESFAS lnstrumentationB 3.3.2 BASES SURVEILLANCE REQU I REMENTS (continued)sR 3.3.2.4SR 3.3.2.4 is the performance of a COT.A COT is performed on each required channel to ensure the entire channel will perform the intended Function. Setpoints must be foundwithin the Allowable Values specified in Table 3.3.2-1 (excluding time constants which are verified during CHANNEL CALIBRATIONS). Asuccessful test of any required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact ofthe relay. This clarifies what is an acceptable COT of a relay. This isacceptable because all of the other required contacts of the relay areverified by other Technical Specification Surveillance Requirements The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in thesetpoint methodology. The setpoint shall be left set consistent with theassumptions of the current unit specific setpoint methodology. For certain ESFAS Functions the required COT (SR 3.3.2.4 specified in Table 3.3.2-1) is modified by Notes (e) and (f). These Notes specifyadditional requirements for the affected instrument channels.Note (e) specifies the following:lf the as-found channel setpoint is conservative with respect to the Allowable Value but outside its predefined as-found acceptancecriteria band, then the channel shall be evaluated to verify that it is functioning as required before returning the channel to service, andlf the "as-found" instrument channel setpoint is not conservative with respect to the Allowable Value, the channel shall be declared inoperable.The evaluation of channel performance required by Note (e) involves anassessment to verify the channel will continue to behave in accordance with design basis assumptions, and to ensure confidence in the channelperformance prior to returning the channel to service. In addition, if the"as found" trip setpoint value is non-conservative with respect to theAllowable Value, or is found to be outside of the two sided predefined acceptance criteria band on either side of the nominal trip setpoint, theaffected channel will be evaluated under the corrective action program.Beaver Valley Units 1 and 2B 3.3.2 - 47Revision 22 ESFAS lnstrumentationB 3.3.2 BASES SURVEILLANCE REQUI REM ENTS (continued) Note (f) specifies the following:The instrument channel setpoint shall be reset to a value that iswithin the as-left tolerance of the nominal trip setpoint, or a value that is more conservative than the nominal trip setpoint; othenrise,the channel shall be declared inoperable, andThe nominal trip setpoint and the methodology used to determine the nominal trip setpoint, the predefined as-found acceptancecriteria band, and the as-left setpoint tolerance band are specified ina document incorporated by reference into the Updated Final Safety Analysis Report.For BVPS, the document containing the nominal trip setpoint, the methodology used to determine the nominal trip setpoint, the predefinedas-found acceptance criteria band, and the as-left setpoint tolerance band is the LRM.For the ESFAS Functions with a COT modified by Note (f), the Note requires that the instrument channel setpoint be reset to a value within the "as left" setpoint tolerance band on either side of the nominal tripsetpoint or to a value that is more conservative than the nominal trip setpoint. The conservative direction is established by the direction of the inequality sign applied to the associated Allowable Value. Setpoint restoration and post-test verification assure that the assumptions in the plant setpoint methodology are satisfied in order to protect the safety analysis limits. lf the channel can not be reset to a value within the required "as left" setpoint tolerance band on either side of the nominal tripsetpoint, or to a value that is more conservative than the nominal trip setpoint (if required based on plant conditions) the channel is declaredinoperable and the applicable ACTION is entered. For the ESFAS Functions with a COT modified by Notes (e) and (f), the"as found" and "as left" setpoint data obtained during COTs or CHANNELCALIBRATIONS are programmatically trended to demonstrate that the rack drift assumptions used in the plant setpoint methodology are valid. lfthe trending evaluation determines that a channel is performinginconsistent with the uncertainty allowances applicable to the periodicsurveillance test being performed, the channel is evaluated under thecorrective action program. lf the channel is not capable of performingspecified safety function, it is declared inoperable.The Frequency of 184 days is justified in Reference 8.Beaver Valley Units 1 and 2 B33.2-48Revision 22 ESFAS Instrumentation B 3.3.2 BASES SURVEILLANCE REQUI REMENTS (continued)sR 3.3.2.5SR 3.3.2.5 is the performance of a TADOT every 184 days. This test is acheck of the Undervoltage RCP Function. The Function is tested up to the SSPS logic circuit. A successful test of any required contact(s) of achannel relay may be performed by the verification of the change of stateof a single contact of the relay. This clarifies what is an acceptableTADOT of a relay. This is acceptable because all of the other requiredcontacts of the relay are verified by other Technical Specification Surveillance Requirements. The SR is modified by a Note that excludes verification of setpoints forrelays. Relay setpoints require elaborate bench calibration and are verified during CHANNEL CALIBRATION. The Frequency of 184 days is justified in Reference 9.sR 3.3.2.6SR 3.3.2.6 is the performance of a SLAVE RELAY TEST. The SLAVERELAY TEST is the energizing of the slave relays. Contact operation isverified in one of two ways. Actuation equipment that may be operated inthe design mitigation MODE is either allowed to function, or is placed in a condition where the relay contact operation can be verified withoutoperation of the equipment. For this latter mse, contact operation isverified by a continuity check of the circuit containing the slave relay.The Surveillance Frequency specifies the separate Unit 1 and Unit 2 testFrequencies. For Unit 1 slave relays, the surveillance is required to be performed every 18 months. For the Unit 2 slave relays, the surveillanceis required to be performed every 92 days, or if the conditions specified inthe Note are met, every 12 months. The specified Frequencies are adequate to verify relay OPERABILITY for both Units. For Unit 2 therequired Frequency is justified in Reference 6, and for Unit 1, the required Frequency is based on operating experience.sR 3.3.2.7SR 3.3.2.7 is the performance of a TADOT. This test is a check of theP-4 interlock, Manual Actuation Functions and AFW pump start on trip ofall MFW pumps. lt is performed every 18 months. Each ManualActuation Function is tested up to, and including, the master relay coils. A successful test of any required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are Beaver Valley Units 1 and 2 B332-49Revision 22 ESFAS lnstrumentationB 3.3.2 BASES SURVEILLANCE REQUI REMENTS (continued) verified by other Technical Specifications Surveillance Requirements. Insome instances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.). The Frequency is adequate, based on industryoperating experience and is consistent with the typical refueling cycle.The SR is modified by a Note that excludes verification of setpoints duringthe TADOT, since these Functions have no associated setpoints.sR 3.3.2.8SR 3.3.2.8 is the performance of a CHANNEL CALIBRATION. A CHANNEL CALIBRATION is performed every 18 months, or approximately at every refueling. CHANNEL CALIBRATION is acomplete check of the instrument loop, including the sensor. The testverifies that the channel responds to measured parameter within thenecessary range and accu'acy.CHANNEL CALIBRATIONS must be performed consistent with theassumptions of the unit specific setpoint methodology. The differencebetween the current "as found" values and the previous test "as left"values must be consistent with the drift allowance used in the setpoint methodology. For certain ESFAS Functions the required CHANNEL CALIBRATION (SR 3.3.2.8 specified in Table 3.3.2-1) is modified by Notes (e) and (f).These Notes specify additional requirements for the affected instrument channels.Note (e) specifies the following:. lf the as-found channel setpoint is conservative with respect to the Allowable Value but outside its predefined as-found acceptancecriteria band, then the channel shall be evaluated to verify that it is functioning as required before returning the channel to service, and. lf the "as-found" instrument channel setpoint is not conservativewith respect to the Allowable Value, the channel shall be declared inoperable. The evaluation of channel performance required by Note (e) involves anassessment to verify the channel will continue to behave in accordance with design basis assumptions, and to ensure confidence in the channelperformance prior to returning the channel to service. ln addition, if the"as found" trip setpoint value is non-conservative with respect to the Beaver Valley Units 1 and 2 B 3.3.2 - 50Revision 22 ESFAS InstrumentationB 3.3.2 BASES SURVEILLANCE REQU I REMENTS (continued)Allowable Value, or is found to be outside of the two sided predefined acceptance criteria band on either side of the nominal trip setpoint, theaffected channel will be evaluated under the corrective action program.Note (f) specifies the following:The instrument channel setpoint shall be reset to a value that iswithin the as-left tolerance of the nominal trip setpoint, or a valuethat is more conservative than the nominal trip setpoint; othenarise,the channel shall be declared inoperable, andThe nominal trip setpoint and the methodology used to determlnethe nominal trip setpoint, the predefined as-found acceptancecriteria band, and the as-left setpoint tolerance band are specified ina document incorporated by reference into the Updated FinalSafety Analysis Report.For BVPS, the document containing the nominal trip setpoint, themethodology used to determine the nominal trip setpoint, the predefined as-found acceptance criteria band, and the as-left setpoint tolerance bandis the LRM.For the ESFAS Functions with a CHANNEL CALIBRATION modifled by Note (f), the Note requires that the instrument channel setpoint be reset to a value within the "as left" setpoint tolerance band on either side of thenominal trip setpoint or to a value that is more conservative than the nominal trip setpoint. The conservative direction is established by thedirection of the inequality sign applied to the associated Allowable Value.Setpoint restoration and post-test verification assure that the assumptionsin the plant setpoint methodology are satisfied in order to protect the safety analysis limits. lf the channel can not be reset to a value within the required "as left" setpoint tolerance band on either side of the nominal trip setpoint, or to a value that is more conservative than the nominal trip setpoint (if required based on plant conditions) the channel is declaredinoperable and the applicable ACTION is entered.For the ESFAS Functions with a CHANNEL CALIBRATION modified by Notes (e) and (f), the "as found" and "as left" setpoint data obtainedduring COTs or CHANNEL CALIBRATIONS are programmaticallytrended to demonstrate that the rack drift assumptions used in the plant setpoint methodology are valid. lf the trending evaluation determines that a channel is performing inconsistent with the uncertainty allowances applicable to the periodic surueillance test being performed, the channelis evaluated under the corrective action program. lf the channel is notcapable of performing its specified safety function, it is declared inoperable. Beaver Valley Units 1 and 2 B 3.3.2 - 51 Revision 22 ESFAS lnstrumentationB 3.3.2 BASES SURVEILLANCE REQU I REM ENTS (continued)The Frequency of 18 months is based on the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint methodology.This SR is modified by a Note stating that this test should include verification that the time constants are adjusted to the prescribed valueswhere applicable.sR 3.3.2.9 This SR ensures the individuaf channel ESF RESPONSE TIMES are less than or equal to the maximum values assumed in the accident analysis.Response Time testing acceptance criteria ate included in the Licensing Requirements Manual. Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the Trip Setpointvalue at the sensor, to the point at which the equiprnent in both trainsreaches the required functional state (e g , pumps at rated discharge pressure, valves in full open or closed position). Each verification shall include at least one logic train such that both logic trains are verified at least once per 36 months. For channels that include dynamic transfer functions (e.9., lag, lead/lag,rateilag, etc.), the response time test may be performed with the transferfunctions set to one or by such means as utilizing a step change inputwith the resulting measured response time compared to the responsetime specified in the LRM. Alternately, the response time test can be performed with the time constants set to their nominal value provided the required response time is analytically calculated assuming the time constants are set at their nominal values, The response time may be measured by a series of overlapping tests such that the entire response time is measured.. NOTE -The following alternate means for verifying response times summation of allocated times) is only applicable to Unit 2.Response time may be verified by actual response time tests in anyseries of sequential, overlapping or total channel measurements, or bythe summation of allocated sensor, signal processing and actuation logicresponse times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from: Beaver Valley Units 1 and 2 B33.2-52 Revision 22 ESFAS InstrumentationB 3.3.2 BASES SURVEILLANCE REQUI REMENTS (continued) (1) historicaf records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.9., vendor) test measurements, or (3) utilizing vendor engineeringspecifications. WCAP-1 3632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements," dated January 1996, provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for othersensor types must be demonstrated by test.WCAP-14036-P, Revision 1, "Elimination of Periodic Protection ChannelResponse Time Tests," and WCAP-15413, "Westinghouse 73004 ASIC-Based Replacement Module Licensing Summary Report" provide thebasis and methodology for using allocated signal processing and actuation logic response times in the overall verification of the protection system channel response time. The allocations for sensor, signalconditioning, and actuation logic response times must be verified prior to placing the component in operational service and re-verified followingmaintenance that may adversely affect response time. ln general, electrical repair work does not impact response time provided the partsused for repair are of the same type and value. Specific components identified in the WCAP may be replaced without verification testing. Oneexample where response time could be affected is replacing the sensingassembly of a transmitter. WCAP-15413 provides bounding responsetimes where 7300 cards have been replaced with ASICs cards.ESF RESPONSE TIME tests are conducted on an 18 month STAGGERED TEST BASIS. Testing of the final actuation devices, which make up the bulk of the response time, is included in the testing of eachchannel. The final actuation device in one train is tested with each channel. Therefore, staggered testing results in response time verification of these devices every 18 months. The 18 month Frequency is consistent with the typical refueling cycle and is based on unit operating experience, which shows that random failures of instrumentationcomponents causing serious response time degradation, but not channelfailure, are infrequent occurrences. This SR is modified by a Note that clarifies that the turbine driven AFW pump is tested within 24 hours after reaching 600 psig in the secondaryside of the SGs. Beaver Valley Units 1 and 2B 3.3.2 - 53 ESFAS InstrumentationB 3.3.2 BASES REFERENCES 1.2.3.UFSAR Chapter 14 (Unit 1) and UFSAR Chapter 15 (Unit 2).\EEE-?79-1971 Westinghouse Setpoint Methodology for Protection Systems,WCAP-1 1419, Rev.6 (Unit 1) and WCAP-11366, Rev.7 (Unit 2).10 cFR 50.49.WCAP-10271-P-A, Supplement 2, Rev. 1, June 1990. WCAP-15887, Revision 2, "Probabilistic Risk Analysis of the SlaveRelay Surveillance Test Interval Extension for Beaver Valley PowerStation, Unit 2," December 2002.WCAP-14333-P-A, Rev. 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," October 1998.WCAP-15376-P-A, Rev. 1 , "Risk-lnformed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip BreakerTest and Completion Times," March 2003.Amendment No. 282 (Unit 1) and Amendment No. 166 (Unit 2),December 29,2008. 4.5.6.7.8.LBeaver Valley Units 1 and 2B 3.3.2 - 54Revision 22 PAM lnstrumentationB 3.3.3 B 3.3 INSTRUMENTATION B 3.3.3 Post Accident Monitoring (PAM) Instrumentation BASES BACKGROUND The primary purpose of the PAM instrumentation is to display unit variables that provide information required by the control room operatorsduring accident situations. This information provides the necessary support for the operator to take the manual actions for which no automaticcontrol is provided and that are required for safety systems to accomplishtheir safety functions for Design Basis Accidents (DBAs).The OPERABILITY of the accident monitoring instrumentation ensuresthat there is sufficient information available on selected unit parameters tomonitor and to assess unit status and behavior following an accident.The availability of accident monitoring instrumentation is important so thatresponses to corrective actions can be observed and the need for, and magnitude of, further actions can be determined. These essential instruments are identified by unit specific documents (Ref. 1) addressing the recommendations of Regulatory Guide 1.97 (Ref . 2) as required by Supplement 1 to NUREG-0737 (Ref. 3).The instrument channels required to be OPERABLE by this LCO include Regulatory Guide 1.97 Type A and Category l variables as well as otherRegulatory Guide 1.97 variables that provide important information for post accident monitoring. Certain Regulatory Guide 1.97 Type A and Category 1 variables, as determined by the Unit specific RegulatoryGuide 1.97 analyses (Ref. 1), are not included in LCO 3.3.3 because other instrumentation required by this LCO provide the necessary information to the control room operators.Type A variables are included in this LCO because they provide the primary information required for the control room operator to take specificmanually controlled actions for which no automatic control is provided,and that are required for safety systems to accomplish their safetyfunctions for DBAs. Category I variables are the key variables deemed risk significantbecause they are needed to:Determine whether other systems important to safety are performing theirintended functions,Provide information to the operators that will enable them to determinethe likelihood of a gross breach of the barriers to radioactivity release, and Beaver Valley Units 1 and 2B 3.3.3 - 1 Revision 0 PAM InstrumentationB 3.3.3 BASES BACKGROU N D (continued )Provide information regarding the release of radioactive materials to allowfor early indication of the need to initiate action necessary to protect the public, and to estimate the magnitude of any impending threat.These key variables are identified by the unit specific Regulatory Guide 1.97 analyses (Ref. 1).The specific instrument Functions listed in Table 3.3.3-1 are discussed inthe LCO section. APPLICABLE SAFETY ANALYSES The PAM instrumentation ensures OPERABILITY of the requiredRegulatory Guide 1.97 variables so that the control room operating staff canlPerform the diagnosis specified in the emergency operating procedures (these variables are restricted to preplanned actions for the primary success path of DBAs), e.9., loss of coolant accident (LOCA),Take the specified, pre-planned, manually controlled actions, for which noautomatic control is provided, and that are required for safety systems toaccomplish their safety function,Determine whether systems important to safety are performing theirintended functions,Determine the likelihood of a gross breach of the barriers to radioactivity release,Determine if a gross breach of a barrier has occurred, and Initiate action necessary to protect the public and to estimate themagnitude of any impending threat.PAM instrumentation that meets the definition of Type A in Regulatory Guide 1.97 satisfies Criterion 3 of 10 CFR 50.36(c)(2xii). Category l, non-Type A, instrumentation must be retained in TS because it is intended to assist operators in minimizing the consequences of accidents.Therefore, Category l, non-Type A, variables are important for reducing public risk.Beaver Valley Units 1 and 2B 3.3.3 - 2Revision 0 PAM lnstrumentationB 3.3.3 BASES LCO The PAM instrumentation LCO provides OPERABILITY requirements forRegulatory Guide 1.97 Type A monitors, which provide information required by the control room operators to perform certain manual actions specified in the unit Emergency Operating Procedures. These manualactions ensure that a system can accomplish its safety function, and are credited in the safety analyses. Additionally, this LCO addressesRegulatory Guide 1.97 instruments that have been designated Category l,non-Type A and other Regulatory Guide 1.97 instruments that provideimportant information for post accident monitoring. The OPERABILITY of the PAM instrumentation ensures there is sufficient information available on selected unit parameters to monitor and assessunit status following an accident. This capability is consistent with the recommendations of Reference 1.LCO 3.3.3 requires two OPERABLE channels for most Functions. TwoOPERABLE channels ensure no single failure prevents operators from getting the information necessary for them to determine the safety statusof the unit, and to bring the unit to and maintain it in a safe conditionfollowing an accident. Therefore, where plant design permits, the two channefs required OPERABLE by the LCO should be supplied from different trains of electrical power.Furthermore, OPERABILIry of two channels allows a CHANNEL CHECKduring the post accident phase to confirm the validity of displayed information. For some PAM Functions, Table 3.3.3-1 specifies one or three required channels. The following are exceptions to the two-channel requirement: Three channels of steam generator (SG) wide range level instrumentation are required to be OPERABLE. Each SG has one installed wide rangechannel that assures the ability to monitor SG level during operating conditions when the level may not be in the normal range. In many accident analyses, two SGs are assumed to be available to provide thenecessary heat removal capacity. The requirement for three OPERABLEchannels of wide range level indication (one per SG) helps to assure adequate wide range SG level indication remains available (assuming one indication channel fails or a SG is faulted) to monitor SG level and supportmaintaining the necessary heat removal capacity.Only one channel of high head safety injection (HHSI) total automaticinjection header flow is required to be OPERABLE. The normal Slinjection flow path (automatically initiated on an Sf signal) has a singleinstalled Regulatory Guide 1.97 flow instrument that indicates total Sl flowin the control room. This indicator is used to confirm automatic Sl flowinitiation. The single HHSI total flow indication is adequate considering thealternate control room indications available to confirm the operation of the Beaver Valley Units 1 and 2 B33.3-3Revision 0 PAM lnstrumentation B 3.3.3 BASES LCO (continued)Sl System. An alternate method of verifying Sl initiation can be providedby the High Head Sl pump amperage indication, the High Head Sl header pressure indication, and the Sl automatic valve position indication. Another exception to the two channel requirement is the Penetration Flow Path Containment lsolation Valve (ClV) Position. In this case, the important information is the status of the containment penetrations. TheLCO requires one position indicator for each active ClV. Active ClVs arethose valves associated with an unisolated penetration and designed withcontrol room indication per the Tabfe 3.3.3-1 footnotes modifying therequired channels of CIV position indication. The active ClVs addressedby this LCO only include valves designed to close on a Phase A or Phase B containment isolation signal. Valves that open on a Phase A orPhase B containment isolation signal are not required to have their position verified to confirm adequate containment isolation. This issufficient to redundantly verify the isolation status of each required isolable penetration (required to be isolated during accident conditions) either via indicated status of the active valve or the reliability of ClVswithout control room indication (i.e., automatic check valves and relief valves that are not dependent on an external power source or closuresignal) or prior knowledge of a passive valve, or via closed systemboundary status. lf a normally active CIV is known to be closed and deactivated or open under administrative controls in accordance with the provisions of the CIV Technical Specification, position indication is notneeded to determine status. Therefore, the position indication for valvesin this state is not required to be OPERABLE.Type A and Category l variables are generally required to meet Regulatory Guide 1.97 Category I (Ref. 2) design and qualificationrequirements for seismic and environmental qualification, single failure criterion, utilization of emergency standby power, immediately accessibledisplay, continuous readout, and recording of display.The following are discussions of the specified instrument Functions listedin Tabfe 3.3.3-1.1,2,3. Power. Intermediate, and Source Ranqe Neutron Flux Neutron Flux indication is provided to verify reactor shutdown.The three ranges are necessary to cover the full range of flux that may occur post accident.The required channels of Source Range indication on Table 3.3.3-1 are modified by footnote (f) which provides an Beaver Valley Units 1 and 2 B3.33-4Revision 0 PAM lnstrumentationB 3.3.3 BASES LCO (continued) 4,5.exception that allows the source range neutron detectors to be de-energized above the P-6 Intermediate Range Neutron Flux lnterlock. Source Range channel OPERABILITY, when the associated detector is de-energized, consists of being capable of performing its intended function once power is restored to theassociated neutron detector. When the source range detectors are de-energized, the source range channels are also considered de-energized and SR 3.3.3.1 is not applicable. Similarly, the required channels for Intermediate and Power Range indication on Table 3.3.3-1 are modified by footnote (g) which provides anexception to the MODE 3 OPERABILITY requirement for this indication. In MODE 3, the Source Range channels are adequate to provide the required reactivity monitoring function. The Intermediate and Power Range indication channels serve to confirm reactor shutdown in a post reactor trip condition from power operation.Neutron flux is used for accident diagnosis, verification of subcriticality, and diagnosis of positive reactivity insertion.Neutron flux is classified as a Category 1 variable. Reactor Coolant System (RCS) Hot and Cold Leo Temperatures (Wide Ranqe)RCS Hot and Cold Leg Temperatures are Type A and Category lvariables provided for verification of core cooling and long term surveillance. RCS hot and cold leg temperatures are used to determine RCSsubcooling margin. RCS subcooling margin will allow terminationof safety injection (Sl), if still in progress, or reinitiation of Sl if ithas been stopped. RCS subcoolrng margin is also used for unitstabilization and cooldown control.In addition, RCS cold leg temperature is used in conjunctionRCS hot leg temperature to verify the unit conditions necessary to establish natural circulation in the RCS.Reactor Coolant Svstem Pressure (Wide Ranqe)RCS wide range pressure is a Type A and Category I variable provided for verification of core cooling and RCS integrity longterm surveillance.The LCO requirement for two OPERABLE indication channels canbe met by using any combination of the RCS Pressure (WideRange) indication channels or the RCS Pressure indication 6.Beaver Valley Units 1 and 2 B 3.3.3 - 5 Revision 0 PAM InstrumentationB 3.3.3 BASES LCO (continued)channels associated with the Reactor Vessel Water Level lndicating System which also provide a qualified wide range RCS pressure indication. RCS pressure can be used to verify delivery of Sl flow to RCS from at least one train when the RCS pressure is befow the pumpshutoff head. RCS pressure may also be used to verify closure of manually closed spray line valves and pressurizer power operatedrelief valves (PORVS).In addition to these verifications, RCS pressure is used for determining RCS subcooling margin. RCS subcooling margin willallow termination of Sl, if still in progress, or reinitiation of Sl if ithas been stopped. RCS pressure can also be used:. to determine whether to terminate actuated Sl or to reinitiate stopped Sl, r to determine when to reset Sl and shut off low. to manually restart low head Sl, o as reactor coolant pump (RCP) trip criteria, and I to make a determination on the nature of the accident in progress and where to go next in the procedure.RCS subcooling margin is also used for unit stabilization and cooldown control.RCS pressure is also related to three decisions aboutdepressurization. They are:. to determine whether to depressurization, proceed with primary systemto verify termination of depressurizatton, andto determine whether to close accumulator isolation valves during a controlled cooldownidepressurization.A final use of RCS pressure is to determine whether to operate the pressurizer heaters.Beaver Valley Units 1 and 2B 3.3.3 - 6 Revision 0 PAM lnstrumentationB 3.3.3 BASES LCO (continued) 7.RCS pressure is a Type A variable because the operator uses thisindication to monitor the cooldown of the RCS following a steam generator tube rupture (SGTR) or small break LOCA. Operatoractions to maintain a controlled cooldown, such as adjusting steam generator (SG) pressure or level, would use this indication.Furthermore, RCS pressure is one factor that may be used indecisions to terminate RCP operation.Reactor Vessel Water LevelReactor vessel water level is classified as a Category 1 variablefor Unit 1 and Category 2 variable for Unit 2.Reactor Vessel Water Level is provided for verification and long term surveillance of core cooling. lt is also used for accidentdiagnosis and to determine reactor coolant inventory adequacy.The Reactor Vessel Water Level Monitoring System provides adirect measurement of the collapsed liquid level above the fuel alignment plate. The collapsed fevel represents the amount ofliquid mass that is in the reactor vessel above the core. Measurement of the collapsed water level is selected because it isa direct indication of the water inventory. Containment Sump Water Level (Wide Ranqe)Containment Sump Water Level is provided for verification and long term surveillance of RCS integrity.Containment Sump Water Level is used to determine: containment sump level accident diagnosis, when to begin the recirculation procedure (to confirmautomatic initiation or if manual operation is necessary), and o whether to terminate Sl, if still in progress.Containment Pressure (Wide Ranqe)Containment Pressure (Wide Range)variable.classified as a CategoryContainment Pressure (Wide Range) is provided for verification ofRCS cooling and containment OPERABILITY (i.e., integrity). 8.9.Beaver Valley Units 1 and 2B 3.3.3 - 7 Revision 0 PAM Instrumentation B 3.3.3 BASES LCO (continued) 10.The significant post accident use of containment pressureindication is to indicate the potential loss of a fission productboundary for the Emergency Action Levels in the E-Plan.Containment pressure is a key indicator in the declaration of aGeneral Emergency level and the potential need for offsite protective action recommendations. The wide range containment pressure instrumentation provides an adequate range and sensitivity for this purpose.Containment Area Radiation (Hiqh Ranqe)Containment Area Radiation (High Range) is classified as aType A and Category 1 variable.Containment Area Radiation is provided to monitor for the potential of significant radiation releases and to provide release assessment for use by operators in determining the need to invoke site emergency plans. Containment radiation level is used to identify a loss of one or more fission product barriers.Pressurizer Level Pressurizer Level is classified as a Type A and Category 1 variable.Pressurizer Level is used to determine whether to terminate Sl, if still in progress, or to reinitiate Sl if it has been stopped.Knowledge of pressurizer water level is also used to verify the unitconditions necessary to establish natural circulation in the RCSand to verify that the unit is maintained in a safe shutdown condition,Steam Generator Water Level (Wide Ranqe)SG Water Level (Wide Range) is classified as a Category 1variable for Unit 1 and as a Type A and Category 1 variable forUnit 2.SG Water Level (Wide Range) indication is provided to monitor operation of decay heat removal via the SGs. SG Water Level (Wide Range) indication is used to: identify the faulted SG following a steam generator tube rupture, 11.12.Beaver Valley Units 1 and 2 B 3.3.3 - IRevision 0 PAM Instrumentation B 3.3.3 BASES LCO (continued) verify that the intact SGs are an adequate heat sink for the reactor, determine the nature of the accident in progress (e.9., verify a steam generator tube rupture), verify unit conditions for the termination of Sl during secondary side HELBs outside containment, and verify SG tubes are covered before terminating AFW to the faulted SG to assure iodine scrubbing and design basis iodine partitioning in the event of a steam generator tube rupture.Controlling SG level to maintain a heat sink and the diagnosis of a steam generator tube rupture based on SG level are operator actions assumed in the design basis accident analysis for which no automatic actuation is provided. In addition, the PRA showsthat SG Wide Range Level indication can be important to safety by providing information for the initiation of operator actions to establish bleed and feed for a loss of heat sink event.13 a), b), c). Steam Generator (SG) Pressure SG Pressure is classified as a Type A and Category 1 variable.SG Pressure provides a target indication for RCS depressurization for the steam generator tube rupture accident to terminate theRCS inventory loss. In the event of a steam generator tube rupture accident, the EOPs instruct the operators to depressurizethe RCS to a pressure below the secondary side pressure in the ruptured steam generator. RCS depressurization to a pressureless than the steam generator pressure terminates the RCS inventory loss and terminates tho steam generator inventory gain, preventing overfill of the steam generator. The termination of thebreak flow is an operator action assumed in the design basis steam generator tube rupture analysis for which no automaticaction is provided.14. Primarv Plant Demineralized Water Storaqe Tank (PPDWST)LevelThe PPDWST level is classified as a Category 1 variable for Unit 1 and a Type A and Category 1 variable for Unit 2.Beaver Valley Units 1 and 2 B 3.3.3 - 9Revision 0 PAM InstrumentationB 3.3.3 BASES LCO (continued)The PPDWST Level is provided to ensure water supply for auxiliary feedwater (AFW). The PPDWST provides the ensured safety grade water supply for the AFW System. The PPDWSTLevel indication is used for the diagnosis of the need to refill thetank to provide a long term steam generator heat sink for decayheat removal. PPDWST Level is considered a Type A variable (for Unit 2)because the control room meter and annunciator are considered the primary indication used by the operator.The PPDWST is the initial source of water for the AFW System. However, as the PPDWST is depleted, manual operator action necessary to replenish the PPDWST or align suction to thealternate AFW pump suction supply.

15. Refuelinq Water Storaqe Tank (RWST) Level (Wide Ranqe)The RWST Level is classified as a Type A and Category 1 variable for Unit 1 and a Category 2variable for Unit 2.RWST Level provides an indication of the water inventory remaining for use by containment spray and safety injection forcore cooling and containment cooling. No operator actions in thedesign basis accident analysis are based on the RWST Level indication. The switchover from the RWST to the containment sump is performed automatically.ln the event of an accident in which the RCS inventory losses are outside of containment (e.g., steam generator tube rupture or interfacing system LOCA), the remaining RWST level is animportant indication for choosing the appropriate operator actionsto maintain core cooling in the EOPs. The RWST Level is important in diagnosing the need for implementing RWST refill to maintain a sufficient inventory for long term core cooling followingthese events.16. Penetration Flow Path Containment lsolation Valve (ClV) Position Penetration Flow Path CIV Position indication is classified as aCategory 1 variable for Unit 1 and a Category 2variable for Unit 2.This indication is provided for verification of Containment Phase A and Phase B isolation. The E-Plan identifies that an elevated emergency action level should be declared following an accidentin the event of a failure of automatic containment isolation.Beaver Valley Units 1 and 2B 3.3.3 - 10 Revision 0 PAM InstrumentationB 3.3.3 BASES LCO (continued)This requirement only applies to containment isolation valveswhich receive a Phase A and Phase B containment isolationclosure signal. This requirement is not applicable to valves thatopen on receipt of a Containment Phase A or B signal. Whenused to verify Phase A and Phase B isolation, the important information is the isolation status of the containment penetrations.The LCO requires one channel of valve position indication in the control room to be OPERABLE for each active CIV in a containment penetration flow path, i.e., two total channels of CIV position indication for a penetration flow path with two active valves that have control room position indication. For containment penetrations with only one active CIV having controf room indication, footnote (b) requires a single channel of valve positionindication to be OPERABLE.

This is sufficient to redundantly verify the isolation status of each isolable penetration either via indicated status of the active valve with control room indicationand the reliability of containment isolation valves without control room indication (i.e., automatic check valves and relief valves that are not dependent on an external power source or closure signal), or prior knowledge of a passive valve, or via closed system boundary status. lf a normally active CIV is known to be closedand deactivated or open under administrative controls in accordance with the provisions of the CIV Technical Specification, position indication is not needed to determine status. Therefore, the position indication for valves in this state is not required to beOPERABLE. Footnote (a) to the Required Channels states thatthe Function is not required for isolation valves whose associated penetration is isolated by at least one closed and deactivatedautomatic valve, closed manual valve, blind flange, or check valvewith flow through the valve secured. Each penetration is treatedseparately and each penetration flow path is considered a separate function. Therefore, separate Condition entry is allowedfor each inoperable penetration flow path.17 a), b), c), d) Core Exit Temperature Core Exit Temperature is classified as a Category 1 variable for Unit 1 and a Type A and Category 1 variable for Unit 2.Core Exit Temperature indication is provided for verification andlong term surveillance of core cooling. The Core ExitTemperature indication provides information for the operators to initiate RCS depressurization following a steam generator tube rupture. Core Exit Temperature indication is important to safety because it provides information necessary to maintain subcooling Beaver Valley Units 1 and 2 B 3.3.3 - 11Revision 0 PAM lnstrumentation B 3.3.3 BASES LCO (continued) 18.for RCS cooldown and depressurization following steam generator tube rupture and other small break LOCA events. lt is also usedas an indication for the transfer from the EOPs to the Severe Accident Management Guidance, where a greater focus is maintained on preserving the remaining fission product barriers.Table 3.3.3-1 requires two OPERABLE channels of Core Exit Temperature per core quadrant. Footnote (c) to Table 3.3.3-1 requires a Core Exit Temperature channel to consist of two coreexit thermocouples. Two sets of two thermocouples ensure that asingle failure will not affect the ability to determine whether an inadequate core cooling condition exists. Secondary Heat Sink Indication Secondary Heat Sink Indication is comprised of two different typesof indications (instruments). Footnote (d) to this Function explains that the two required channels per SG can be satisfied by usingany combination of SG Water Level (Narrow Range) channels and Auxiliary Feedwater (AFW) Flow Channels such that two channelsare OPERABLE for each SG. SG Water Level (Narrow Range) is classified as a Type A andCategory 1 variable. AFW Flow is classified as a Category 2 variable for Unit 1 and a Type A and Category 1 variable forUnit 2.This indication provides confirmation of adequate SG inventory to ensure the required heat sink(s) are available. The availability ofSG(s) for heat removal is important to safety to ensure adequatecore cooling. This indication can also be used by the operator toconfirm that the AFW System is in operatlon and deliveringsufficient flow to,each SG. AFW System initiation is important to safety because it provides information necessary for operator action to initiate alternate feedwater sources in the event of a failure of the AFW System.19. Hiqh Head Safety Iniection (Sl) Flow High Head Safety Injection (Sl) Flow is classified as a Category 2 variable.High Head Sl Flow indication is used to confirm automatic safety injection initiation following a design basis accident. Therefore,the required flow indicator for this PAM Function is the total flow indicator installed in the automatic High Head Sl flow path.Beaver Valley Units 1 and 2 B 3.3.3 - 12Revision 0 PAM InstrumentationB 3.3.3 BASES LCO (continued) Failure to manually initiate Sl flow when the automatic initiationfails can lead to a significant increase in core damage frequency. Operator action is based on the ECCS flow indication in thecontrol room. Only high head safety injection is important for allaccident sequences except the unlikely double-ended guillotine rupture of the largest reactor coolant pipe. Therefore, only theHigh Head Sl Flow indication is required.This instrumentation was not designed to meet Regulatory Guide1.97 Category 1 or Type A requirements. Only a single channel is available and required OPERABLE for each unit. The requirement for a single OPERABLE channel of this indication is acceptable due to design requirements for this instrument (i.e., not Category 1) and the additional information available in the control room to confirm high head Sl initiation. For example, if the totalHigh Head Sl Flow indication is not available, alternate methods of verifying Sl initiation can be provided by the High Head Sl pump amperage indication, the High Head Sl header pressure indication, and the Sl automatic valve position indication. As only one channel of High Head Sl Flow indication is requiredOPERABLE, the information associated with this Function on Table 3,3.3-1 is modified by footnote (e). Footnote (e) clarifies that Action Condition B is the only applicable Action Condition for Functions with only one required channel that can not be restoredto OPERABLE status within the Completion Time specified in Action Condition A. As Footnote (e) and Condition B are in the Table column for Conditions referenced from Required Action D.1, this Table notation also clarifies that Action Conditions C, D, E, and F are not applicable to Functions that only require a single OPERABLE channel.APPLICABILITYThe PAM instrumentation LCO is applicable in MODES 1, 2, and 3.These variables are related to the diagnosis and pre-planned actionsrequired to mitigate DBAs. The applicable DBAs are assumed to occur inMODES 1, 2, and 3. ]n MODES 4, 5, and 6, unit conditions are such thatthe likelihood of an event that would require PAM instrumentation is low;therefore, the PAM instrumentation is not required to be OPERABLE inthese MODES. Beaver Valley Units 1 and 2 B 3.3.3 - 13 Revision 0 PAM InstrumentationB 3.3.3 BASES ACTIONSA Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed on Table 3.3.3-1. The Completion Time(s) of the inoperable channel(s) of a Function will betracked separately for each Function starting from the time the Condition was entered for that Function. A.1Condition A applies when one or more Functions have one required channel that is inoperable. Required Action A.1 requires restoring the inoperable channel to OPERABLE status within 30 days. The 30 day Completion Time is based on operating experience and takes intoaccount the remaining OPERABLE channel (or in the case of a Function that has only one required channel, other non-Regulatory Guide 1.97instrument channels to monitor the Function), the passive nature of the instrument (no critical automatic action is assumed to occur from theseinstruments), and the low probability of an event requiring PAM instrumentation during this interval.B.1Condition B applies when the Required Action and associated CompletionTime for Condition A are not met. This Required Action specifies theimmediate initiation of actions in Specification 5.6.5, which requires a written report to be submitted to the NRC within the following 14 days.This report discusses the results of the evaluation into the cause of the inoperability and identifies proposed restorative actions. This action is appropriate in lieu of a shutdown requirement since alternative actionsare identified before loss of functional capability, and given the likelihoodof unit conditions that would require information provided by this instrumentation. c.1 Condition C applies when one or more Functions have two inoperable required channels (i.e., two channels inoperable in the same Function).Required Action C.1 requires restoring one channel in the Function(s) toOPERABLE status within 7 days. The Completion Time of 7 days isbased on the relatively low probability of an event requiring PAM instrument operation and the availability of alternate means to obtain therequired information. Continuous operation with two required channelsinoperable in a Function is not acceptable because the alternateindications may not fully meet all performance qualification requirements applied to the PAM instrumentation. Therefore, requiring restoration ofone inoperable channel of the Function limits the risk that the PAMFunction will be in a degraded condition should an accident occur.Beaver Valley Units 1 and 2 B 3.3.3 - 14 Revision 0 PAM lnstrumentationB 3.3.3 BASES ACTIONS (continued) D.1Condition D applies when the Required Action and associated Completion Time of Condition C are not met. Required Action D.1requires entering the appropriate Condition referenced in Table 3.3.3-1 for the channel immediately. The applicable Condition referenced in theTable is Function dependent. Each time an inoperable channel has not met the Required Action of Condition C and the associated CompletionTime has expired, Condition D is entered for that channel and providesfor transfer to the appropriate subsequent Condition.E.1 and E.2 lf the Required Action and associated Completion Time of Condition Care not met and Table 3.3.3-1 directs entry into Condition E, the unit mustbe brought to a MODE where the requirements of this LCO do not apply.To achieve this status, the unit must be brought to at least MODE 3 within6 hours and MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operatingexperience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. F.1 Alternate means of monitoring Reactor Vessel Water Level andContainment Area Radiation have been developed and tested. These alternate means may be temporarily installed if the normal PAM channel cannot be restored to OPERABLE status within the allotted time. lf these alternate means are used, the Required Action is not to shut down theunit but rather to follow the directions of Specification 5.6.5, in the Administrative Controls section of the TS. The report provided to the NRC should discuss the alternate means used, describe the degree to which the alternate means are equivalent to the installed PAM channels, justify the areas in which they are not equivalent, and provide a schedulefor restoring the normal PAM channels.The following are examples of acceptable alternate indication methods forReactor Vessel Water Level and Containment Area Radiation:Reactor Vessel Water provides information to indicate whether the core cooling safety function is being accomplished. As such, the core exit temperature and subcooling (RCS Pressure and Temperature) indicationsmay be used in lieu of Reactor Vessel Water indication. Beaver Valley Units 1 and 2B 3.3.3 - 15 Revision 0 PAM InstrumentationB 3.3.3 BASES ACTIONS (continued)Radiation monitor RM-1RM-201 (Unit 1) and 2RMR-RQ202B (Unit 2) or a portable radiation monitor (with appropriate multiplier if necessary) can be used as an alternate method of indication for Containment Area RadiationHigh Range. SURVEILLANCE REQUIREMENTS A Note has been added to the SR Table to clarify that SR 3.3.3.1 andSR 3.3.3 .2 apply to each PAM instrumentation Function in Table 3.3.3-1except as noted in SR 3.3.3.2.sR 3.3.3.1Performance of the CHANNEL CHECK once every 31 days ensures that a gross instrumentation failure has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. lt is based on the assumption thatinstrument channels monitoring the same parameter should readapproximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift inone of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRAT]ON. In addition, it is not necessary to place a system or cornponent in servicethat is not normally in service (e.g., initiate AFW flow to the SGs) in order to perform the required CHANNEL CHECK. In cases where the required instrumentation may be energized but only a single channel ls available (e.9., HHSI Flow) or where there may be no flow (e g , AFW Flow), theCHANNEL CHECK may be accomplished by comparing the indicated vaf ue to the known plant condition (e.9. , zero flow). In the case of ClVs,the CHANNEL CHECK may be accomplished by comparing the indicated valve position to the known or expected valve position based on current plant conditions.Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and readability as applicable. lf a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment hasdrifted outside its limit. lf the channels are within the criteria, it is anindication that the channels are OPERABLE.As specified in the SR, a CHANNEL CHECK is only required for thosechannels that are normally energized.Beaver Valley Units 1 and 2B 3.3.3 - 16Revision 0 PAM InstrumentationB 3.3.3 BASES SURVEILLANCE REQU I REMENTS (continued)The Frequency of 31 days is based on operating experience thatdemonstrates that channel failure is rare. The CHANNEL CHECKsupplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the LCO required channels.sR 3.3.3.2 A CHANNEL CALIBRATION is performed every 18 months, or approximately at every refueling. CHANNEL CALIBRATION is acomplete check of the instrument loop, including the sensor. The testverifies that the channel responds to measured parameter with thenecessary range and accuracy. This SR is modified by Note 1 thatexcludes neutron detectors. The calibration method for neutron detectors is specified in the Bases of LCO 3.3.1, "Reactor Trip System (RTS)Instrumentation." In addition, this SR is modified by Note 2 that states theCHANNEL CALIBRATION surveillance is not applicable to the Penetration Flow Path Containment lsolation Valve Position lndicationFunction. The required valve position indication channels are verified bya Trip Actuating Operational Test (TADOT) in lieu of a CHANNELCALIBRATION. Whenever a sensing element is replaced, the next required CHANNEL CALIBRATION of the Core Exit thermocouple sensors is accomplished by an inplace cross calibration that comparesthe other sensing elements with the recently installed sensing element.The Frequency is based on operating experience and consistency withthe typical industry refueling cycle.sR 3.3.3 3 This Surveillance requires the performance of a TADOT. The TADOT is only required for the Penetration Flow Path Containment lsolation ValvePosition Function on Table 3.3.3-1, This SR is required to be performedat least once every 18 months, or approxirnately at every refueling. TheTADOT is adequate to verify the OPERABILITY of the requiredcontainment isolation valve position indication channels. A Note modifies the SRs to specify that SR 3.3.3.3 is only applicable tothe Penetration Flow Path Containment lsolation Valve Position Function. Due to the design of the instrument circuits involved, the TADOf, ratherthan the CHANNEL CALIBRATION, provides the more appropriatedefined test to verify the OPERABILITY of these indication channels.The Frequency of 1B months is consistent with the typical industry refueling cycle.Beaver Valley Units 1 and 2B 3.3.3 - 17Revision 0 PAM lnstrumentationB 3.3.3 BASES REFERENCES 1.Unit 1 Requlatorv Guide 1 .97 Submittals: (1) Duquesne Light Letter dated 10113186,

Subject:

Regulatory Guide 1.97, Revision 2,Supplemental Report (Complete RG 1.97 report attached), (2) Duquesne Light Letter dated 4122187,

Subject:

RG 1.97,Revision 2, Response to Interim Review Results, (ltem 10, Type Aclassification of the Primary Plant Demineralized Water StorageTank Level removed), (3) Duquesne Light Letter dated 12118189,

Subject:

Response to NRC RG 1.97 Concerns, (Page 4, A1 classification of AFW Flow removed). Unit 1 NRC Requlatorv Guide 1.97 Safetv Evaluation Reports (SERs): (1) NRC Letter dated 11120189,

Subject:

Completion ofReview of Regulatory Guide 1.97 Conformance (TAC No. 51071), (2) NRC Letter dated 12130191,

Subject:

Emergency Response Capability - Conformance to Regulatory Guide 1.97 (TAC No.M75944\, (3) NRC Letter dated 6115192,

Subject:

EmergencyResponse Capability - Conformance To Regulatory Guide 1.97 (TAC No. M75944), (4) NRC Letter dated 11117195,

Subject:

Conformance to Regulatory Guide 1.97, Revision 2, Post-AccidentNeutron Flux Monitoring lnstrumentation for BVPS Unit 1 (TAC No.M81201).Unit 2 Regulatory Guide 1.97 Submittal: UFSAR Table 7.5-1.Unit 2 NRC Requlatorv Guide 1.97 SER: NUREG 4A57, Supplement No. 1 , Section 7 .5, May 1986 (original Unit 2 SER).Regulatory Guide 1.97, Rev. 2, December 1980.NUREG-0737, Supplement 1, "TMl Action ltems." 2.3.Beaver Valley Units 1 and 2B 3.3.3 - 18 Revision 0 Remote Shutdown System B 3.3.4B 3.3 INSTRUMENTATION B 3.3.4 Remote Shutdown System BASES BACKGROUND The Remote Shutdown System provides the control room operator withsufficient indications and controls to maintain the unit in a safe shutdowncondition from a location other than the control room. This capability isnecessary to protect against the possibility that the control room becomes inaccessible. A safe shutdown condition is defined as MODE 3. With theunit in MODE 3, the Auxiliary Feedwater (AFW) System and the steam generator (SG) atmospheric dump valves (ADVs) can be used to remove core decay heat and meet all safety requirements. The long term supply of water for the AFW System and the ability to borate the Reactor Coolant System (RCS) from outside the control room allows extended operation in MODE 3.lf the control room becomes inaccessible, the operators can establish control utilizing the Remote Shutdown System. The Remote Shutdown System indications and controls necessary to maintain the unit in a safeshutdown condition (MODE 3) are specified in Table B 3.3.4-1 and are physically located on the Emergency Shutdown Panels (PNL-SHUTDN for Unit 1 and PNL-2SHUTDN for Unit 2). The unit automatically reachesMODE 3 following a unit trip and can be maintained safely in MODE 3 foran extended period of time. Plant procedures assure the reactor ismanually tripped and safely shutdown prior to transferring control to theEmergency Shutdown Panel.The OPERABILITY of the remote shutdown control and indication functions ensures there is sufficient information available on selected unit parameters to maintain the unit in MODE 3 should the control room become inaccessible. APPLICABLE SAFETY ANALYSESThe Remote Shutdown System is required to provide equipment at appropriate locations outside the control room with a capability tomaintain the unit in a safe condition in MODE 3.There are no specific design basis accident safety analysis assumptions (i.e., single active failures) that would require redundant RemoteShutdown System indications or controls be maintained OPERABLE bythe Technical Specifications. Therefore, Table B 3.3.4-1 only specifiesthat a single channel of each indication and control function be OPERABLE in order to meet the requirements of the LCO.Beaver Valley Units 1 and 2 B 3.3.4 - 1Revision 0 Remote Shutdown System B 3.3.4 BASES APPLICABLE SAFEry ANALYSES (continued) The criteria governing the design and specific system requirements of the Remote Shutdown System are located in 10 CFR 50, Appendix A,GDC 19 (Ref. 1).The Remote Shutdown System satisfies Criterion 4 of 10 cFR 50.36(c)(2xii). LCO The Remote Shutdown System LCO provides the OPERABILITY requirements for the indications and controls necessary to maintain the unit in MODE 3 from the Emergency Shutdown Panels (PNL-SHUTDN for Unit 1 and PNL-2SHUTDN for Unit 2). The indications and controls required are listed in Table B 3.3.4-1. Each control channel specified in Table B 3.3.4-1 consists of both the control switch and associatedtransfer switch if applicable. The controls, indications, and transfer switches are required for: Core reactivity control, RCS pressure control, Decay heat removal via the AFW System and the SG ADVs, RCS inventory control via charging flow, andSafety support systems for the above Functions, including ComponentCooling Water, Unit 1 River Water, and Unit 2 Service Water.A Function of a Remote Shutdown System is OPERABLE if all indication and control channels needed to support the Remote Shutdown System Function are OPERABLE. However, not all indication and control circuitsassociated with the systems identified in Table B 3.3.4-1 are requiredOPERABLE in order to support the required Remote Shutdown System Function. Table B 3.3.4-1 only specifies 1 required channel for each indication and control instrument associated with each Remote Shutdown System Function. For example, the capability to remotely operate a single AFW pump and control its flow and the control of one associated SG ADV provide the necessary control channels to accomplish the decayheat removal Function specified in Table B 3.3.4-1. All the AFW pumpand flow controls do not have to be OPERABLE to accomplish the decayheat removal Function required OPERABLE by the LCO. Similarly, the control for a single letdown orifice isolation valve is sufficient to meet the requirement of the RCS Inventory Function for 1 channel of letdown flow control.Beaver Valley Units 1 and 2 B 3.3.4 - 2Revision 0 Remote Shutdown SystemB 3.3.4 BASES LCO (continued)The remote shutdown indication and control channels covered by thisLCO do not need to be energized to be considered OPERABLE. ThisLCO is intended to ensure the indication and control channels will beOPERABLE if unit conditions require that the Remote Shutdown System be placed in operation. APPLICABILITYThe Remote Shutdown System LCO is applicable in MODES 1, 2, and 3.This is required so that the unit can be maintained in MODE 3 for an extended period of time from a location other than the control room.This LCO is not applicable in MODE 4,5, or 6. ln these MODES, thefacility is already subcritical and in a condition of reduced RCS energy.Under these conditions, considerable time is available to restorenecessary instrument control functions if control room instruments orcontrols become unavailable. ACTIONSA Remote Shutdown System Function is inoperable when 1 or more required channel(s) of indication or control are inoperable. The requiredchannels of indication and control for each Remote Shutdown System Function are specified on Table B 3.3.4-1.A Note has been added to the ACTIONS to clarify the application of Completion Time rules. Separate Condition entry is allowed for eachFunction. The Completion Time(s) of the inoperable channel(s) of aFunction will be tracked separately for each Function starting from thetime the Condition was entered for that Function. A.1Condition A addresses the situation where one or more required Functions of the Remote Shutdown System are inoperable. This includesthe control and transfer switches for any required Function.The Required Action is to restore the required Function to OPERABLEstatus within 30 days. The Completion Time is based on operatingexperience and the low probability of an event that would requireevacuation of the control room.Beaver Valley Units I and 2B 3.3.4 - 3 Revision 0 Remote Shutdown SystemB 3.3.4 BASES ACTIONS (continued) 8.1 and 8.2lf the Required Action and associated Completion Time of Condition A isnot met, the unit must be brought to a MODE in which the LCO does notapply. To achieve this status, the unit must be brought to at leastMODE 3 within 6 hours and to MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderlymanner and without chalfenging unit systems. SURVEILLANCE SR 3.3.4.1 REQUIREMENTSPerformance of the CHANNEL CHECK once every 31 days ensures that a gross failure of indication instrumentation has not occurred. ACHANNEL CHECK is normally a comparison of the parameter indicatedon one channel to a similar parameter on other channels. lt is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviationsbetween the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious.CHANNEL CHECK will detect gross channel failure; thus, it is key toverifying that the instrumentation continues to operate properly betweeneach CHANNEL CALIBRATION. Agreement criteria are determined by the unit staff, based on acombination of the channel instrument uncertainties, including indicationand readability. lf the channels are within the criteria, it is an indicationthat the channels are OPERABLE. lf a channel is outside the criteria, itmay be an indication that the sensor or the signal processing equipment has drifted outside its limit. As specified in the Surveillance, a CHANNEL CHECK is only nequired for those indication channels which are normally energized. In addition, it isnot necessary to place a system or component in service that is notnormally in service (e g , initiate AFW flow to the SGs) in order to perform the required CHANNEL CHECK of a Remote Shutdown Systemindication channel. ln cases where the required instrumentation may beenergized but only a single channel is available or where there may be no flow (e.9., AFW Flow), the CHANNEL CHECK may be accomplished by comparing the indicated value to the known plant condition (e.g. , zera flow).Beaver Valley Units 1 and 2B 3.3.4 - 4 Revision 0 Remote Shutdown SystemB 3.3.4 BASESSURVEI LLANCE REQUI REMENTS (continued)The Frequency of 31 days is based upon operating experience whichdemonstrates that channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels duringnormal operational use of the displays associated with the LCO required channels.sR 3.3.4.2CHANNEL CALIBRATION is a complete check of an indicationinstrument loop and the sensor. The test verifies that the channelresponds to a measured parameter within the necessary range and accuracy.Whenever a sensing element is replaced, the next required CHANNEL CALIBRATION of the resistance temperature detectors (RTD) sensors isaccomplished by an inplace cross calibration that compares the othersensing elements with the recently installed sensing element.This SR is modified by a Note that excludes neutron detectors. The calibration method for neutron detectors is specified in the Bases ofLCO 3.3.1, "Reactor Trip System (RTS) Instrumentation."The Frequency of 18 months is based upon operating experience andconsistency with the typical industry refueling cycle.sR 3.3.4.3SR 3.3.4.3 verifies each required Remote Shutdown System controlcircuit and transfer switch performs the intended function. This verification is performed from the remote shutdown panel and locally, asappropriate. Operation of the equipment from the remote shutdown panel is not necessary. The Surveillance can be satisfied by performanceof a,continuity check. This will ensure that if the control room becomesinaccessible, the unit can be maintained in MODE 3 from the Emergency Shutdown Panels (PNL-SHUTDN for Unit 1 and PNL-2SHUTDN for Unit 2). The 36 month Frequency is based on the need to perform thisSurveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. (However, this Surveillance is not required to be performed only during a unit outage.)Operating experience demonstrates that remote shutdown controlchannels usually pass the Surveillance test when performed at the36 month Frequency. REFERENCES1. 10 CFR 50, Appendix A, GDC 19.Beaver Valley Units 1 and 2 B 3.3.4 - 5 Revision 0 Remote Shutdown SystemB 3.3.4 Table B 3.3.4-1 (page 1 of 1)Remote Shutdown System Indications and Controls Emergency Shutdown Panels PNL-SHUTDN (Unit 1) and PNL-2SHUTDN (Unit 2)REMOTE SHUTDOWN SYSTEM FUNCTION INDICATIONS AND CONTROLS REQUIREDNUMBER OF CHANNELS 1.2.Reactivity Control Functiona. Source Range Neutron Flux (indication)b. Boric Acid,Transfer Pump (control)Reactor Coolant System (RCS) Pressure Control Functiona. Pressurizer Pressure (indication) orRCS Wide Range Pressure (indication) (Unit 2 only)b. Pressurizer heater (control)Decay Heat Rernoval via Steam Generators (SGs) Function a. RCS Hot Leg Temperature (indication)b. RCS Cold Leg Temperature (indication)c. SG Pressure (indication)d. SG Level (indication)e. AFW Flow (indication)

f. SG Atmospheric Dump Valve (control)or Residual Heat Release Valve (control) (Unit 2 only)g. AFW pump (control)h. AFW Flow (control)RCS lnventory Control Function

a. Pressurizer Level (indication)b. Charging Pump (control)c. Charging Flow (control)d. Letdown Flow (control)Support Systemsa. Component Cooling Water pump (control)b. River Water pump (control) (Unit 1 only)c. Service Water pump (control) (Unit 2 only)1(a)1 3.1 1 lISG 1/SG 1/SG 1 4.5.(a)Source Range neutron detectors are not required to be energized above the P-6 Intermediate Range Neutron Flux lnterlock.

Beaver Valley Units 1 and 2B 3.3.4 - 6Revision 0 LOP DG Start and Bus Separation InstrumentationB 3.3.5 B 3.3 INSTRUMENTATIONB 3.3.5 Loss of Power (LOP) Diesel Generator (DG) Start and Bus Separation Instrumentation BASES BACKGROUNDThe DGs provide a source of emergency power when offsite power iseither unavailable or is insufficiently stable to allow safe unit operation.The LOP instrumentation ensures a reliable source of emergency power by providing the following Functions:

1) An automatic DG start onemergency bus undervoltage, and 2) Separation of the emergency buseson undervoltage and degraded voltage conditions.

Loss of Voltaqe Protection Unit 1The Unit 1 loss of voltage protection consists of two relays for each of the 4160 V emergency buses. One relay actuates to open the normal supply breakers for the associated emergency buses (bus separation). Theother loss of voltage relay provides a start signal for the DG associatedwith the bus. Both loss of voltage relays have the same nominal trip setpoint and Allowable Value (with different time delays).Unit 2 The Unit 2 loss of voltage protection consists of three relays for each4160 V emergency bus. Two relays on each bus actuate to open the normal supply breakers for the associated emergency buses (with a two-out-of-two logic per bus) to provide the bus separation function. The other loss of voltage relay provides a start signal for the associated DG.All three loss of voltage relays have the same nominal trip setpoint and Allowable Value (with different time delays). Degraded Voltaqe Protection , ln addition to the loss of voltage protection, degraded voltage protection for both Units is provided by two relays on each 4160 V emergency bus and two refays on each 480 V emergency bus. The two relays on eachbus actuate upon a reduced voltage condition that exists for an extended time. The relays actuate (in a two-out-of{wo logic per bus) to open the normal supply breakers and separate the affected emergency bus fromthe degraded voltage supply. The two-out-of-two logic helps prevent a spurious relay actuation from causing bus separation. The Unit 1 and Unit 2 LOP instrumentation is described in UFSARChapter B (Ref. 1)Beaver Valley Units 1 and 2 B 3.3.5 - 1 Revision 0 LOP DG Start and Bus Separation lnstrumentationB 3.3.5 BASESBACKG ROU N D (continued)The Allowable Value in conjunction with the nominal trip setpoint and LCO establishes the threshold for the LOP instrumentation capability to provide the required loss of voltage and degraded voltage protection that assures a reliable source of emergency power. The nominal tripsetpoints are specified in the Licensing Requirements Manual (LRM).The Allowable Value is considered a limiting value such that a channel is OPERABLE if the setpoint is found to satisfy the applicable Allowable Value requirements specified in Table 3.3.5-1 during the CHANNELCALIBRATION. Note that although a channel is OPERABLE under thesecircumstances, the setpoint must be left adjusted to within the establishedcalibration tolerance band of the setpoint in accordance with uncertaintyassumptions stated in the referenced setpoint methodology, (as-left-criteria) and confirmed to be operating within the statistical allowances of the uncertainty terms assigned.Allowable Values and LOP DG Start Instrumentation SetpointsThe allowances used to develop the nominal trip setpoints for the loss ofvoltage and degraded voltage relays are described in the unit specific setpoint methodology (Ref. 2). The selection of the nominal trip setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account.Setpoints adjusted consistent with the requirements of the AllowableValue ensure that the operation of the LOP Instrumentation will be acceptable, providing the unit is operated from within the LCOs at theonset of the accident and that the equipment functions as designed.Allowable Values are specified for each Function in Table 3.3.5-1.Nominal trip setpoints are specified in the LRM. The nominal trip setpoints are selected to ensure that the setpoint measured by the surveillance procedure does not exceed the Allowable Value if the relay is performing as required. lf the measured setpoint does not exceed theAllowable Value, the relay is considered OPERABLE. Operation with atrip setpoint less conservative than the nominal trip setpoint, but within theAllowable Value, is acceptable provided that operation and testing is consistent with the assumptions of the unit specific setpoint methodology (Ref. 2).APPLICABLE SAFETY ANALYSES The LOP instrumentation is required for the Engineered Safety Features (ESF) Systems to function in any accident with a loss of offsite power.Its design basis is that of the ESF Actuation System (ESFAS).Accident analyses credit the loading of the DG based on the loss of offsite power during a loss of coolant accident (LOCA). The actual DG start has Beaver Valley Units 1 and 2B 3,3.5 - 2 Revision 0 LOP DG Start and Bus Separation InstrumentationB 3.3.5 BASES APPLICABLE SAFEry ANALYSIS (continued)historically been associated with the ESFAS actuation. The DG loadinghas been included in the delay time associated with each safety system component requiring DG supplied power following a loss of offsite power.The analyses assume a non-mechanistic DG loading, which does notexplicitly account for each individual component of loss of powerdetection and subsequent actions.The required channels of LOP instrumentation, in conjunction with the ESF systems powered from the DGs, provide unit protection in the eventof any of the analyzed accidents discussed in Reference 3, in which a loss of offsite power is assumed.The delay times assumed in the safety analysis for the ESF equipmentinclude the 10 second DG start delay, and the appropriate sequencing delay. The response times for ESFAS actuated equipment in LCO 3.3.2,"Engineered Safety Feature Actuation System (ESFAS) lnstrumentation,"include the appropriate DG loading and sequencing delay where applicable. The LOP instrumentation channels satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii). LCOThe LCO for LOP instrumentation requires that the loss of voltage and degraded voltage instrument channels specified in Table 3.3.5-1 be OPERABLE in MODES 1,2, 3, and 4 when the LOP instrumentationsupports safety systems associated with the ESFAS. In MODES 5, 6,and during fuel movement, the LOP instrumentation must be OPERABLE whenever the associated DG is required to be OPERABLE to ensure areliable source of emergency power is available when needed. A channel is OPERABLE provided the trip setpoint "as-found" value satisfies the applicable Allowable Value requirements specified in Table 3.3.5-1 and provided the trip setpoint "as-left" value is adjusted to a value within the"as-1eft" calibration tolerance band of the nominal trip setpoint. A trip setpoint may be set more conseryative than the nominal trip setpoint asnecessary in response to plant conditions provided that the + calibrationtolerance band remains the same and the Allowable Value is administratively controlled accordingly in the conservative direction tomeet the assumptions of the setpoint methodology. The conservative direction is established by the direction of the inequality applied to the Allowable Value. Loss of the LOP lnstrumentation Function could resultin the delay of safety systems initiation when required. This could lead to unacceptable consequences during accidents. For example, during the loss of offsite power the DG powers the motor driven auxiliary feedwater pumps. Failure of these pumps to start would leave only one turbine driven pump, as well as an increased potential for a loss of decay heatremoval through the secondary system.Beaver Valley Units 1 and 2 B 3.3.5 - 3 Revision 0 LOP DG Start and Bus Separation InstrumentationB 3.3.5 BASES APPLICABILITYThe LOP Instrumentation Functions are required in MODES 1, 2, 3, and 4because ESF Functions are designed to provide protection in theseMODES. Actuation in MODE 5, 6, and during fuel movement is requiredwhenever the required DG must be OPERABLE so that it can perform itsfunction for a loss of voltage or degraded voltage condition on anemergency bus. ACTIONS In the event a channel's trip setpoint is found nonconservative withrespect to the Allowable Value, or the channel is found inoperable, thenthe function that channel provides must be declared inoperable and the LCO Condition entered for the particular protection function affected.Because the required channels are specified on a per bus basis, the Condition may be entered separately for each bus as appropriate.A Note has been added in the ACTIONS to clarify the application ofCompletion Time rules. The Cbnditions of this Specification may be entered independently for each Function specified in Table 3.3.5-1. TheCompletion Time(s) of the inoperable channel(s) of a Function will betracked separately for each Function starting from the time the Conditionwas entered for that Function. A.1 Condition A applies to all LOP instrument functions specified in Table 3.3.5-1. Condition A addresses the situation where one or more channels for one or more Functions are inoperable at the same time. TheRequired Action is to refer to Table 3.3.5-1 and to take the appficabfeRequired Actions for the LOP functions affected. The Completion Timesare those from the referenced Conditions and Required Actions.8.1 Condition B applies to the LOP Functions with one loss of voltage or one degraded voltage channel per bus inoperable. The Condition isapplicable to a single inoperable channel on one bus or a singleinoperable channel on each bus.lf one channel is inoperable, Required Action B.1 requires that channel to be placed in trip within 72 hours With a channel in trip, the LOP instrumentation channels are configured to provide a one-out-of-one logicto initiate the LOP protection function.A Note is added to allow bypassing an inoperable channel for up to12 hours for surveillance testing of other channels provided the corresponding instrument channels, electrical bus, and DG in the otherBeaver Valley Units 1 and 2B 3.3.5 - 4 Revision 10 LOP DG Start and Bus Separation Instrumentation B 3.3.5 BASES ACTIONS (continued)train are OPERABLE. This allowance is made where bypassing thechannel does not cause an actuation dnd where the other electrical train remains OPERABLE to supply emergency power if required.The specified Completion Time and time allowed for bypassing onechannel are justified in Reference 4.c.1 Condition C applies when more than one loss of voltage or more than onedegraded voltage channel per bus are inoperable. The Condition isapplicable to two inoperable channels on one bus or two inoperablechannels on each bus.Required Action C.1 requires restoring one channel per bus toOPERABLE status. The t hour Completion Time should allow ampletime to repair most failures and takes into account the low probability ofan event requiring an LOP instrument actuation during this lnterval.D.1 Condition D applies when one loss of voltage channel per bus isinoperable and is applicable only to those LOP Functions on Table 3.3.5-1 with a single loss of voltage channel per bus. TheCondition is applicable to a single inoperable channel on one bus or asingle inoperable channel on each bus.Required Action D.1 requires restoring the inoperable channel toOPERABLE status. The t hour Completion Time should allow ampletime to repair most failures and takes into account the low probability ofan event requiring a LOP instrument actuation during this interval.E.1 Condition E applies to each of the LOP instrument Functions when the Required Action and associated Completion Time for Condition A, B, C, or D are not met.ln these circumstances the Conditions specified in LCO 3.8.1, 'AC Sources - Operating," or LCO 3.8.2, "AC Sources - Shutdown," forthe DGmade inoperable by failure of the LOP instrumentation are required to be entered immediately. The actions of those LCOs provide for adequate compensatory actions to assure unit safety.Beaver Valley Units 1 and 2 B 3.3.5 - 5Revision 10 LOP DG Start and Bus Separation lnstrumentationB 3.3.5 BASES SURVEILLANCE SR 3.3.5.1 REQUIREMENTSSR 3.3.5.1 is the performance of a TADOT. A successful test of anyrequired contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable TADOT of a relay. This is acceptablebecause all of the other required contacts of the relay are verified by other Technical Specification Surveillance Requirements. This test is performed every 184 days. The test checks trip devices that provideactuation signals directly, bypassing the analog process control equipment. The Frequency is justified in Reference 4.The SR is modified by a Note that excludes verification of setpoint fromthe TADOT. The SR applies to the loss of voltage and degraded voltagerelays for the 4160 V and 480 V emergency buses and setpoint verification requires removal of the relay and a bench calibration. Therefore, relay calibration and setpoint verification are accomplishedduring the 18 month CHANNEL CALIBRATION. sR 3.3.5.2SR 3.3.5.2 is the performance of a CHANNEL CALIBRATION. The setpoints, as well as the response to a loss of voltage and a degraded voltage test, shall include a single point verification that the trip occurs within the required time delay, as specified in the LRM.A CHANNEL CALIBRATION is performed every 18 months, orapproximately at every refueling. CHANNEL CALIBRATION is acomplete check of the instrument loop, including the sensor. The testverifies that the channel responds to a measured parameter within thenecessary range and accuracy. For Unit 1 only, the time delay specified for the 4160 V emergency bus loss of voltage DG start relay, includes auxiliary relay times.The Frequency of 18 months is based on operating experience and consistency with the typical industry refueling cycle and is justified by theassumption of an 1B month calibration interval in the determination of themagnitude of equipment drift in the setpoint analysis.Beaver Valfey Units 1 and 2B 3.3.5 - 6 Revision 10 LOP DG Start and Bus Separation lnstrumentationB 3.3.5 BASES SURVEILLANCE REQUIREMENTS (continued)sR 3.3.5.3This SR ensures the individual channel ESF RESPONSE TIMES are lessthan or equal to the maximum values assumed in the accident analysis.The response time acceptance criteria for instrument channels with a required response time are specified in the LRM. lndividual componentresponse times are not modeled in the analyses. The analyses model theoverall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor, to the point at which the equipment reaches the required functional state. Response time may beverified by any series of sequential, overlapping or total channelmeasurement such that the entire response time is measured,The Bases for Surveillance Requirement 3.3.2.9 in LCO 3.3.2, "ESFAS lnstrumentation" contains a more detailed description of how the requiredresponse time verification may be accomplished. The SR 3.3.2.9 Bases is applicable to SR 3.3.5.3 including the Unit 2 option to use thesummation of allocated response times.ESF RESPONSE TIME verifications are conducted on an 18 month STAGGERED TEST BASIS. The final actuation device response time,which makes up the bulk of the total response time, is included in the verification of each channel. The 18 month Frequency is consistent with the typical refueling cycle and is based on unit operating experience, which shows that random failures of instrumentation components causingserious response time degradation, but not channel failure, are infrequent occurrences. REFERENCES 4.2.3.1.Unit 1 and Unit 2 UFSAR, Chapter 8. Westinghouse Setpoint Methodology for Protection Systems, WCAP-1 1419, Rev. 6 (Unit 1)and WCAP-11366, Rev. 7 (Unit 2).UFSAR, Chapter 14 for Unit 1 and Chapter 15 for Unit 2. Amendment No. 282 (Unit 1) and Amendment No. 166 (Unit 2), December 29, 2008.Beaver Valley Units 1 and 2 B 3.3.5 - 7 Revision 11 Unit 2 Containment Purge and Exhaust lsolation InstrumentationB 3.3.6 B 3.3 INSTRUMENTATION B 3.3.6 Unit 2 Containment Purge and Exhaust lsolation lnstrumentation BASES BACKGROUND The Unit 2 containment purge and exhaust isolation instrumentationcloses the 42 inch containment isolation valves in the Purge and ExhaustSystem. This action isolates the containment atmosphere from theenvironment to minimize releases of radioactivity in the event of a fuel handling accident involving recently irradiated fuel. Two gaseous (Xe-133) radiation monitoring channels (2HVR-RQ104A&B) are provided as input to the containment purge and exhaust isolation. The radiation monitors have a measurement range of 10-6 to 10-1 pCi/cc.The Purge and Exhaust System has inner and outer containment isolationvalves in its supply and exhaust ducts. A high radiation signal from the 2HVR-RQ104A gaseous radiation monitor closes the outer isolationvalves in each penetration and a high radiation signal from the 2HVR-RQ104B gaseous monitor closes the inner isolation valves in each penetration.ln addition to the automatic closure provided by the high radiation signaleach containment purge and exhaust isolation valve may be closedmanually by its individual control switch. APPLICABLE SAFETY ANALYSESDuring refueling operations, the postulated event that results in the most severe radiological consequences is a fuel handling accident (Ref. 1).The limiting fuel handling accident analyzed in Reference 1, includesdropping a single irradiated fuel assembly and handling tool (conservatively estimated at 2500 pounds) directly onto another irradiatedfuel assembly resulting in both assemblies being damaged. The analysis assumes a 1O0-hour decay time prior to moving irradiated fuel. The applicable limits for offsite and control room dose from a fuel handling accident are specified in 10 CFR 50.67. Standard Review Plan,Section 15.0.1, Rev 0 (Ref. 2) provides an additional offsite dose criteriaof 6.3 rem total effective dose equivalent (TEDE) for fuel handling accidents.The water level requirements of LCO 3.9.6, "Refueling Cavlty Water Level," in conjunction with a minimum decay time of 100 hours prior to irradiated fuel movement, ensure that the resulting offsite and control room dose from the limiting fuel handling accident is within the limitsrequired by 10 CFR 50.67 and within the acceptance criteria of Beaver Valley Units 1 and 2B 3.3.6 - 1Revision 0 Unit 2 Containment Purge and Exhaust lsolation lnstrumentation B 3.3.6 BASES APPLICABLE SAFEry ANALYSES (continued)Reference 2 without the need for containment purge and exhaust isolation.Therefore, the instrumentation requirements of LCO 3.3.6 "Containment Purge and Exhaust lsolation Instrumentation" are only applicable during refueling operations involving recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours).Current requirements based on the decay time of the fuel prevent the movement of recently irradiated fuel. However, the requirements for containment purge and exhaust isolation instrumentation are retained inthe Technical Specifications in case these requirements are necessary to support fuel movement involving recently irradiated fuel.The containment purge and exhaust isolation instrumentation satisfiesCriterion 3 of 10 CFR 50.36(c)(2xii). LCOThe LCO requirements ensure that the instrumentation necessary toinitiate Containment Purge and Exhaust lsolation, listed in Table 3.3.6-1, is OPERABLE for Unit 2.The LCO is modified by a Note that states "This specification is onlyapplicable to Unit 2." Unit 1 relies on filtration of the Containment Purgeand Exhaust System effluent by an OPERABLE train of SupplementalLeak Collection and Release System (SLCRS) instead of isolation. Unit 1must rely on filtration due to the des-ign of the Unit 1 Containment Purge and Exhaust System ductwork where the radiation monitors are located.The Unit 1 ductwork is not designed to withstand a seismic event (Ref. 3).Manual lnitiationThe LCO requires one manual initiation channel per Purge and Exhaust System isolation valve to be OPERABLE. Containment Purge and Exhaust lsolation may be initiated at any time by usingthe individual valve control switches in the control room. Eachchannel consists of a manual switch and interconnecting circuits to the valve actuator.Containment RadiationThe LCO specifies two required channels of gaseous radiation monitors to ensure that the radiation monitoring instrumentation necessary to initiate Containment Purge and Exhaust lsolation remains OPERABLE.1.2.Beaver Valley Units 1 and 2B 3.3.6 - 2 Revision 0 Unit 2 Containment Purge and Exhaust lsolation InstrumentationB 3.3.6 BASES LCO (continued)The required gaseous monitors are an in-line type and are mounted directly in the exhaust ductwork. An OPERABLE radiation monitorchannel consists of the monitor and includes any associated circuitrynecessary to provide the required isolation function.APPLICABILITYThe containment purge and exhaust isolation instrument requirementsare applicable during movement of recently ir:radiated fuel assemblies or the movement of fuel assemblies over recently irradiated fuel assemblies within containment because this is when there is a potential for thelimiting fuel handling accident. In MODES 1,2,3, and 4, containment penetration requirements (including the purge and exhaust isolationvalves) are addressed by LCO 3.6.3, "Containment lsolation Valves" andLCO 3.6.1, "Containment OPERABILITY." In MODES 5 and 6, whenmovement of irradiated fuel assemblies within containment is not beingconducted, the potential for a fuel handling accident does not exist.Additionally, due to radioactive decay, a fuel handling accident that doesnot involve recently irradiated fuel (i.e., fuel that has occupied part of acritical reactor core within the previous 100 hours) will result in doses that are well within the guideline values specified in 10 CFR 50.67 evenwithout containment closure capability. Therefore, under these conditionsno requirements are placed on the Containment Purge and Exhaust lsolation I nstrumentation.Although movement of recently irradiated fuel is not currently permitted, the requirements for containment purge and exhaust isolation instrumentation are retained in the Technical Specifications'in case theserequirements are necessary to support the assumptions of a safety analysis for fuel movement involving recently irradiated fuel consistentwith the guidance of Ref. 5.ACTIONS.lf the Trip Setpoint is less conservative than specified in Table 3.3.6-1, the channel must be declared inoperable immediately and the appropriateCondition entered. A Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.6-1. The Completion Time(s) of the inoperable channel(s) of a Function will betracked separately for each Function starting from the time the Condition was entered for that Function.Beaver Valley Units 1 and 2 B 3.3.6 - 3Revision 0 Unit 2 Containment Purge and Exhaust lsolation InstrumentationB 3.3.6 BASESACTIONS (continued) A.1 Condition A applies to the failure of one containment purge isolationradiation monitor channel. The 4 hours allowed to restore the affected channel is justified by the low likelihood of events occurring during this interval, and recognition that the remaining channel will isolate the purgeand exhaust lines on high radiation. 8.1 and B.2 Condition B applies to all Containment Purge and Exhaust lsolationFunctions. lt addresses the failure of multiple radiation monitoring channels, or the inability to restore a single failed channel to OPERABLE status in the time allowed for Required Action A.1. lf one or more manual initiation channels are inoperable, or two radiation monitor channels are inoperable, or the Required Action and associated Completion Time of Condition A are not met, operation may continue as long as the RequiredAction to place and maintain containment purge and exhaust isolationvalves in their closed position is met or the applicable Conditions of LCO 3.9.3, "Containment Penetrations," are met for each valve made inoperable by failure of isolation instrumentation. The Completion Timefor these Required Actions is lmmediately. SURVEILLANCE REQUIREMENTSA Note has been added to the SR Table to clarify that Table 3.3.6-1determines which SRs apply to which Containment Purge and Exhaustlsolation Functions.sR 3.3.6.1 Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECKis normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. lt is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift inone of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the unit staff, based on acombination of the channel instrument uncertainties, including indication and readability. lf a channel is outside the criteria, it may be an indicationthat the sensor or the signal processing equipment has drifted outside its limit.Beaver Valley Units 1 and 2B 3.3.6 - 4 Revision 0 Unit 2 Containment Purge and Exhaust lsolation Instrurnentation B 3.3.6 BASESSU RVEILLANCE REQU I REMENTS (continued) The Frequency is based on operating experience that demonstrateschannel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use ofthe displays associated with the LCO required channels.sR 3.3.6.2 A COT is performed every 92 days on each required channel to ensurethe entire channel will perform the intended Function. A successful test of any required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. Thisclarifies what is an acceptable COT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications Surveillance Requirements. The Frequency is based on the staff recommendation for increasing the availability of radiation monitors according to NUREG-1366 (Ref. a). This test verifies the capability of the instrumentation to provide the containment purge and exhaust system isolation. The setpoint shall be left consistent with the current unit specific calibration procedure tolerance.sR 3.3.6.3 SR 3.3.6.3 is the performance of a TADOT. This test is a check of the Manual Actuation Functions and is performed every 18 months. EachManual Actuation Function is tested for each valve. The test includes actuation of the end device (i.e., valve cycles). The SR is modified by a Note that excludes verification of setpoints during the TADOT. The Functions tested have no setpoints associated with them.The Frequency is based on the known reliability of the Function and the redundancy available, and has been shown to be acceptable through operating experience. sR 3.3.6.4 A CHANNEL CALIBRATION is performed every 1B months, orapproximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.The Frequency is based on operating experience and is consistent with the typical industry refueling cycle.Beaver Valley Units 1 and 2B 3.3.6 - 5Revision 0 Unit 2 Containment Purge and Exhaust lsolation InstrumentationB 3.3.6 BASES REFERENCES 1.2.3.4.5.Unit 2 UFSAR 15.7.4. NUREG-0800, Section 15.0.1, Rev. 0, July 2000.NRC Safety Evaluation Report for Unit 1 Amendment 23, 12112179.NUREG-1 366, tmprovements to Technical SpecificationsSurveillance Requirements, 121 1 I 1992.NUREG- 1 431, "Standard Technical Specifications for Westinghouse Plants," Rev. 2, April 2041.Beaver Valley Units 1 and 2B 3.3.6 - 6 Revision 0 CREVS Actuation InstrumentationB 3.3.7 B 3.3 INSTRUMENTATION B 3.3.7 Control Room Emergency Ventilation System (CREVS) Actuation Instrumentation BASES BACKGROUNDThe CREVS provides an enclosed common control room environmentfrom which both units can be operated following an uncontrolled releaseof radioactivity. During normal operation, the Control Room Ventilation System recirculates the control room air and provides unfiltered makeupair and cooling. Upon receipt of a CREVS actuation signal from eitherunit, the Unit 1 and2 control room ventilation intake and exhaust ducts are isolated to prevent unfiltered makeup air from entering the controlroom. In addition, the CREVS actuation signal from either unit will alsoautomatically start one Unit 2 CREVS fan to provide filtered makeup air to pressurize the control room. lf the preferred Unit 2 CREVS fan does notstart, the backup Unit 2fan will automatically start. Unit 1 may take creditfor the operation of one or both of the Unit 2 CREVS fans and filters. Oneof the two Unit 1 CREVS fans and single filter must be manually aligned and placed in service if required. Once the control room ventilation intakeand exhaust ducts are isolated, and the CREVS fan is providing filteredmakeup, control room ventilation is in the emergency pressurization modeof operation. The CREVS is described in the Bases for LCO 3.7.10,"Control Room Emergency Ventilation System."The CREVS actuation instrumentation consists of redundant control roomarea radiation monitors for each unit, Containment lsolation - Phase B (ClB) signal from each unit, and two train related manual switches (pushbuttons) in each unit's control room. A high radlation signal from theradiation monitors in either unit, a CIB from either unit, or manual switch actuation from either unit such that both trains of CREVS receive anactuation signal, will initiate the CREVS actuation sequence described above. The CIB Function is discussed in LCO 3.3.2, "Engineered SafetyFeature Actuation System (ESFAS) Instrumentation." APPLICABLE SAFETY ANALYSES The control room must be kept habitable for the operators stationed thereduring accident recovery and post accident operations. The CREVS actsto terminate the supply of unfiltered outside air to the control room, initiateintake air filtration, and pressurize the control room. These actions arenecessary to ensure the control room is kept habitable for the operatorsstationed there during accident recovery and post accident operations byminimizing the radiation exposure of control room personnel. The applicable safety analyses for all design basis accidents consideredin MODES 1 , 2, 3, and 4 (except LOCA) assume manual initiation of the emergency pressurization mode of operation of control room ventilation (i.e., control room ventilation isolation, filtered makeup, and Beaver Valley Units 1 and 2 B 3.3.7 - 1 Revision 0 CREVS Actuation I nstrumentationB 3.3.7 BASES APPLICABLE SAFETY ANALYSES (continued) pressurization). The LOCA accident analysis assumes an automaticControl Room Ventilation System isolation on a CIB signal andsubsequent manual initiation of a CREVS fan for filtered makeup and pressurization of the control room. Although the CIB signal will automatically start a CREVS fan and fiftered ffow path, a 30-minute delayto allow for manual initiation of a CREVS fan and filtered flow path isspecifically assumed in all analyses to permit the use of a Unit 1 CREVS fan and filtration flow path which require manual operator action to placein service (Ref. 1).The current safety analyses do not assume the control room area radiation monitors provide a CREVS actuation signal for any design basisaccident. However, requirements for the radiation monitors to be OPERABLE are retained in case the monitors are required to support the assumptions of a fuel handling accident analysis for the movement ofrecently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours) or the movement of fuel over recentlyirradiated fuel consistent with the guidance of Ref. 2.The CREVS actuation instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2Xii). LCO The LCO requirements ensure that instrumentation necessary to initiatethe CREVS is OPERABLE.1. Manual InitiationThe LCO requires two trains OPERABLE. The operator can initiatethe CREVS at any time by using either of two switches (pushbuttons) in the control room. This action will cause actuationof all components in the same manner as a single train of the auiomatic actuation signals (i.e., isolate control room ventilation andstart one Unit 2 CREVS fan aligned for filtration and pressurization). However, when Unit 1 is relying on the Unit 1 CREVS train, as oneof the two required trains, only one of the Unit 1 manual pushbuttons is required to start a Unit 2 Fan, but both Unit 1 pushbuttons must be capable of isolating the control room. ln this case, the Unit 1 requirement (on Table 3.3.7-1) for two trains ofmanual initiation is met by one train of manual initiation that is capable of isolating the control room and starting a Unit 2 fan andone train of manual initiation that is capable of isolating the control room. The capability to manually place the Unit 1 CREVS fan and filtered flow path in service is addressed by the OPERABILITY requirements for the Unit 1 CREVS equipment contained in LCO 3.7.10, "Control Room Emergency Ventilation System." Beaver Valley Units 1 and 2B 3.3.7 - 2Revision 0 CREVS Actuation I nstrumentation B 3.3.7 BASES LCO (continued)The LCO for Manual Initiation ensures the proper amount of redundancy is maintained in the manual actuation circuitry to ensurethe operator has manual initiation capability.Each manual initiation train consists of a switch (pushbutton) in the control room, and the interconnecting wiring to the actuating relays.2. Control Room Radiation The LCO specifies two required Control Room Area Radiation Monitors to ensure that the radiation monitoring instrumentation necessary to initiate the CREVS remains OPERABLE.The required Unit 1 radiation monitors are designated RM-1RM-218A & B with a measurement range of 10-2 to 103 mR/hr. The requiredUnit 2 radiation monitors are designated 2RMC-RQ201 &202 with a measurement range of 10-2 to 103 mR/hr.Containment lsolation Phase B (ClB)3.Refer to LCO 3.3.2, Function 3.b, for all requirements. Functions and lf one or more of the CIB functions becomes inoperable in such a manner that only the CREVS function is affected, the Conditions applicable to their CIB function need not be entered. The less restrictive Actions specified for inoperability of the CREVS Functionsspecify sufficient compensatory measures for this case.APPLICABILITY The CREVS manual actuation instrumentation must be OPERABLE in MODES 1,2,3, and 4 to provide the required CREVS initiation assumed in the applicable safety analyses. ln MODES 5 and 6, when no fuelrnovement involving recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours) is taking place, there are no requirements for CREVS instrumentation OPERABILITY consistent with the safety analyses assumptions applicable in these MODES. In addition, both manual and radiationmonitor instrument channels are required OPERABLE when movingrecently irradiated fuel or moving fuel over recently irradiated fuel.Although the movement of recently irradiated fuel is not currently permitted, these requirements are retained in the Technical Specifications in case the CREVS instrumentation is necessary to support the assumptions of a safety analysis for fuel movement involving recentlyirradiated fuel, consistent with the guidance of Reference 2.Beaver Valley Units I and 2B 3.3.7 - 3 Revision 0 CREVS Actuation InstrumentationB 3.3.7 BASES APPLICAB I LITY (continued) The Applicability for the CREVS actuation on the ESFAS CIB Functions are specified in LCO 3.3.2. Refer to the Bases for LCO 3.3.2 fordiscussion of the CIB Function Applicability. ACTIONSlf the Trip Setpoint is less conservative than required in Table 3.3.7-1, thechannel must be declared inoperable immediately and the appropriateCondition entered.A Note has been added to the ACTIONS indicating that separateCondition entry is allowed for each Function. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.7-1 in the accompanying LCO. The Completion Time(s) of the inoperable channel(s)/train(s) of a Function will be tracked separately foreach Function starting from the time the Condition was entered for that Function.A.1 Condition A applies to the radiation monitor channel Functions, and themanual initiation train Functions. lf one train is inoperable, or one radiation monitor channel is inoperable inone or more Functions, 7 days are permitted to restore it to OPERABLEstatus. The 7 day Completion Time is the same as is allowed if one trainof the mechanical portion of the system is inoperable. The basis for thisCompfetion Time is the same as provided in LCO 3.7.10. lf thechannel/train cannot be restored to OPERABLE status, one CREVS train must be placed in the emergency pressurization mode of operation as described in LCO 3.7.10 bases. This accomplishes the actuation instrumentation Function and places the unit in a conservative mode of operation.B.1 and B.2Condition B applies to the failure of two radiation monitor channels, or two manual trains. The first Required Action is to place one CREVS train inthe emergency pressurization mode of operation immediately. Thisaccomplishes the actuation instrumentation Function that may have been lost and places the unit in a conservative mode of operation. Theapplicable Conditions and Required Actions of LCO 3.7.10 must also beentered for the remaining CREVS train made inoperable by theinoperable actuation instrumentation. This ensures appropriate limits are placed upon train inoperability as discussed in the Bases for LCO 3.7.10.Beaver Valley Units 1 and 2B 3.3.7 - 4Revision 0 CREVS Actuation I nstrumentationB 3.3.7 BASES ACTIONS (continued) C.1 and C.2 Condition C applies when the Required Action and associatedCompletion Time for Condition A or B have not been met and the unit is in MODE 1, 2, 3, or 4. The unit must be brought to a MODE in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to MODE 3 within 6 hours and MODE 5 within 36 hours.The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full powerconditions in an orderly manner and without challenging unit systems. D.1 and D.2Condition D applies when the Required Action and associatedCompletion Time for Condition A or B have not been met when moving recently irradiated fuel (i.e., fuel that has occupied part of a critical reactorcore within the previous 100 hours) or fuel assemblies over recently irradiated fuel. Fuel movement involving recently irradiated fuelassembfies must be suspended immediately to reduce the risk ofaccidents that would require CREVS actuation. SURVEILLANCE REQUIREMENTSA Note has been added to the SR Table to clarify that Table 3.3.7-1determines which SRs apply to which CREVS Actuation Functions.sR 3.3.7.1 Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. lt is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift inone of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying theinstrumentation continues to operate properly between each CHANNEL CALIBRATION.Agreement criteria are determined by the unit staff, based an a combination of the channel instrument uncertainties, including indicationand readability. lf a channel is outside the criteria, it may be an indicationthat the sensor or the signal processing equipment has drifted outside its limit.Beaver Valley Units 1 and 2B 3.3.7 - 5Revision 0 CREVS Actuation I nstrumentationB 3.3.7 BASES SU RVEILLANCE REQU I REMENTS (continued)The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use ofthe displays associated with the LCO required channels.sR 3.3.7.2 A COT is performed once every 92 days on each required channel to ensure the entire channel will perform the intended function. This test verifies the capability of the instrumentation to provide the CREVSactuation. A successful test of any required contact(s) of a channel relaymay be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable COT of a relay.This is acceptable because all of the other required contacts of the relayare verified by other Technical Specifications Surveillance Requirements.The setpoints shall be left consistent with the unit specific calibration procedure tolerance. The Frequency is based on the staff recommendation for increasing the availability of radiation monitorsaccording to NUREG-1366 (Ref. 3).sR 3.3.7.3 SR 3.3.7.3 is the performance of a TADOT. This test is a check of theManual Actuation Functions and is performed every 18 months. EachManual Actuation Function is tested. A successful test of any requiredcontact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clartfies what is anacceptable TADOT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other TechnicalSpecifications Surveillance Requirements. The test may either include actuation of the end device (i.e., dampers close, and fan starts, etc.), ortest up to the point of overlap with other tests that demonstrate actuationof the end devices.The Frequency is based on the known reliability of the Function and the redundancy available, and has been shown to be acceptable through operating experience. The SR is modified by a Note that excludes verification of setpoints during the TADOT. The Functions tested have nosetpoints associated with them.Beaver Valley Units 1 and 2 B 3.3.7 - 6 Revision 0 CREVS Actuation InstrumentationB 3.3.7 BASES SURVEILLANCE REQU I REMENTS (continued) sR 3.3.7.4A CHANNEL CALIBRATION is performed every 18 months, or approximately at every refueling. CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within thenecessary range and accuracy.The Frequency is based on operating experience and is consistent with the typical industry refueling cycle. REFERENCES 1.2.Unit 1 UFSAR Table 14.1-1A and Unit 2 UFSAR Table 15.0-13.NUREG-1431, "Standard Technical Specifications for Westinghouse Plants," Rev. 2, April 2441.NUREG-1 366, lmprovements to Technical Specifications Surveillance Requirements, 121 1 I 1992.3.Beaver Valley Units 1 and 2 B 3.3.7 - 7Revision 26 Boron Dilution Detection InstrumentationB 3.3.8 B 3.3 INSTRUMENTATION B 3.3.8 Boron Dilution Detection lnstrumentation BASES BACKGROUND The purpose of the Boron Dilution Detection Instrumentation is to monitorcore reactivity and provide indication of a boron dilution event in the Reactor Coolant System (RCS) when the reactor is in a shutdown condition (i.e., MODES 3, 4, and 5) with all rods fully inserted and the Rod Control System incapable of rod withdrawal. The required Boron Dilution Detection Instrumentation consists of one ofthe two channels of OPERABLE source range instrumentation. The requirement for an OPERABLE source range channel ensures thecapability to monitor core reactivity and detect a boron dilution event. Inorder to promptly detect a boron dilution event in MODE 3, the required source range instrumentation"must provide both visual and audible (count rate) indication. The audible count rate helps to assure the promptdetection of an ongoing dilution event. In MODES 4 and 5, a borondilution event is prevented by the requirements of LCO 3.1.8, "Unborated Water Source lsolation Valves." LCO 3.1.8 requires that unborated water source isolation valves be verified closed which precludes a dilution event (Ref. 1). Therefore, in MODES 4 and 5 the single channel of sourcerange instrumentation required OPERABLE by this LCO is only used tomonitor core reactivity and is required to provide visual indication only.As the requirements of LCO 3.1 .8 preclude a boron dilution event inMODES 4 and 5, the audible count rate is not required for promptdetection of an inadvertent boron dilution in these MODES.For Unit 1, two spare source range detectors are installed (N-33 and N-34). These alternate detectors may be substituted for detectors (N-31 and N-32). For Unit 2, alternate detectors (i.e., Gamma-Metrics NE-52A and NE-528) may also be used to meet the requirements of the LCO.The alternate detectors must be capable of providing the required indication (described above) in order to be considered OPERABLE.APPLICABLE SAFETY ANALYSESThe Boron Dilution Detection Instrumentation specifies the OPERABILITYof instrumentation necessary to detect an inadvertent boron dilution eventand monitor core reactivity. The primary means of preventing an inadvertent boron dilution event during MODES 4 and 5 is the requirements of LCO 3.1.8. LCO 3.1 .8 provides assurance the unborated water sources are maintained isolated to prevent dilution of the RCS (Ref. 1). In MODES 4 and 5, therequirement for an OPERABLE source range channel only serves toBeaver Valley Units 1 and 2B 3.3.8 - 1 Revision 0 Boron Dilution Detection Instrumentation B 3.3.8 BASES APPLICABLE SAFEW ANALYSES (continued)ensure the capability to monitor changes in core reactivity is maintainedavailable. In MODES 4 and 5, no specific safety analysis assumptions are associated with the capability to monitor core reactivity. However, thecapability to directly monitor core reactivity with the source range instrumentation provides valuable assurance that the core continues to bemaintained in a safe condition.In MODE 3, the requirements of LCO 3.1.8 to maintain unborated water source valves isolated is not applicable. In addition, with all rods fullyinserted and the Rod Control System is incapable of rod withdrawal, the trip functions of LCO 3.3.1, "Reactor Trip System" are not required OPERABLE. Therefore, in this plant condition, an OPERABLE sourcerange channel that includes both visual and audible (count rate) indicationis required to ensure prompt indication of an inadvertent boron dilution.The prompt notification of a boron dilution event in progress (via an increasing audible count rate) allows time for operator action to stop the dilution prior to criticality.The Boron Dilution Detection Instrumentation satisfies Criterion 4 of 10 CFR 50.36(c)(2Xii). LCOLCO 3.3.8 specifies the OPERABILITY requirements for the instrumentation necessary to detect a boron dilution event and monitor core reactivity. In the applicable plant condition (all rods fully inserted andthe Rod Control System incapable of rod withdrawal) the specified instrumentation only provides a core reactivity monitoring function and isnot required to provide a reactor trip function. Therefore, in MODE 3, asingle OPERABLE source range channel with both visual and audible (count rate) indication is required to provide prompt indication of an inadvertent boron dilution. In MODES 4 and 5, a single OPERABLE source range channel with visual indication is required to provide thenecessary core reactivity monitoring function. In MODE 3 operation, withthe Rod Control System capable of rod withdrawal, the requirements ofLCO 3.3.1, "Reactor Trip System Instrumentation," are applicable and the requirements of LCO 3.3.8, including the audible count rate, are notappficable and no longer required to provide protection from aninadvertent boron dilution.An alternate source range detector may be used to meet the requirements of the LCO as long as it is capable of providing the required indication(s) described above.Beaver Valley Units 1 and 2B 3.3.8 - 2Revision 0 Boron Dilution Detection InstrumentationB 3.3.8 BASES APPLICABILITYThe Boron Dilution Detection Instrumentation must be OPERABLE in MODES 3, 4, and 5 with all rods fully inserted and the Rod Control System not capable of rod withdrawal. The requirements of this LCO ensure the capability to detect an inadvertent boron dilution of the RCS inMODE 3 and provide a means for monitoring core reactivity in MODES 4and 5.In MODES 3, 4, or 5 with the Rod Control System capable of rodwithdrawal or one or more rods not fully inserted the nuclearinstrumentation requirements of LCO 3.3.1, "Reactor Trip System lnstrumentation," are applicable and specify that two source rangechannels must be OPERABLE with reactor trip capability. In addition, inMODE 3, operation with the Rod Control System capable of rodwithdrawal is transitory in preparation for startup operations and manually controlled involving the close monitoring of core reactivity and dilutionoperations by the operating staff. Therefore, in MODE 3, with the RodControl System capable of rod withdrawal, the requirements of LCO3.3.8, including the audible count rate, are no longer applicable and notrequired to provide protection from an inadvertent boron dilution.ln MODES 4, 5, or 6 a dilution event is precluded by the requirements ofLCO 3.1.8, " Unborated Water Source lsolation Valves" (Ref. 1).Therefore, in MODES 4,5, and 6, the required source range instrumentation provides an indication of core reactivity. LCO 3.9.2,"Nuclear Instrumentation" addresses the source range instrumentrequirements in MODE 6.During MODE 1 operation, the source range instrumentation is normallyde-energized. ln MODE 1, the Overtemperature AT Trip Functionrequired OPERABLE in LCO 3.3.1, "Reactor Trip System," and the requirements of LCO 3.1.6, "Control Bank Insertion Limits" provide for the necessary protection from, and detection of, an inadvertent boron dilutionevent at power (Ref. 1).ln MODE 2, the RCS is intentionally diluted and the rods withdrawn inorder to achieve criticality and power operation. Operation in MODE 2 istransitory and manually controlled involving the close monitorlng of core reactivity and dilution operation by the operating staff. As such, an inadvertent dilution of the RCS in this mode of operation is unlikely.However, in order to increase power during startup, the source range TripFunction required OPERABLE by LCO 3.3.1, must be manually blocked to prevent a reactor trip upon power escalation. lf power escalation proceeds in an uncontrolled manner (due to inadvertent dilution) the Source Range Trip would not be bfocked and would cause a reactor shutdown and provide protection and detection of an inadvertent dilution (Ref. 1).Beaver Valley Units 1 and 2 B 3.3.8 - 3 Revision 0 Boron Dilution Detection InstrumentationB 3.3.8 BASES ACTIONS A.1 and A.2 With the required channel inoperable, the initial action is to suspend all operations involving positive reactivity additions immediately. Thisincludes withdrawal of control or shutdown rods and intentional boron dilution. A Completion Time of t hour is provided to restore the required channel to OPERABLE status.As an alternate to restoring the required channel to OPERABLE statusRequired Action A.2.2.1 requires valves addressed in LCO 3.1.8,"Unborated Water Source lsolation Valves" to be closed to prevent the flow of unborated water into the RCS. Once it is recognized that the required channel is inoperable, the operators will be aware of the possibility of a boron dilution, and the t hour Completion Time isadequate to complete the requirements of LCO 3.1.8. Required Action A.2.2.2 accompanies Required Action A.2.2.1 to verifythe SDM according to SR 3.1.1.1 within t hour and once per 12 hours thereafter. This backup action is intended to confirm that no unintendedboron dilution has occurred while the required channel was inoperable,and that the required SDM has been maintained. The specified Completion Time takes into consideration sufficient time for the initlaldetermination of SDM and other information available in the control room related to SDM.Required Action A.1 is modified by a Note which permits planttemperature changes provided the temperature change is accounted for in the calculated SDM. Introduction of temperature changes, including temperature increases when a positive MTC exists, must be evaluated to ensure they do not result in a loss of required SDM.SURVEILLANCE REQUIREMENTSThe required channel is subject to a CHANNEL CHECK and a CHANNELCALIBRATION. The Surveillance Requirements of this LCO need not be performed on alternate detectors until connected and required OPERABLE in order to meet this LCO.sR 3.3.8.1Performance of the CHANNEL CHECK once every 12 hours ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECKis normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. lt is based on the assumption thatinstrument channels monitoring the same parameter should readapproximately the same value. Significant deviations between the two Beaver Valley Units 1 and 2B 3.3.8 - 4 Revision 0 Boron Dilution Detection InstrumentationB 3.3.8 BASES SURVEILLANCE REQUIREMENTS (continued) instrument channels could be an indication of excessive instrument drift inone of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying thatthe instrumentation continues to operate properly between each CHANNEL CALIBRATION.Agreement criteria are determined by the unit staff based on acombination of the channel instrument uncertainties, including indicationand readability. lf a channel is outside the criteria, it may be an indicationthat the sensor or the signal processing equipment has drifted outside its limit.The Frequency is based on operating experience that demonstrateschannel failure is rare. The CHANNEL CHECK supplements less formal,but more frequent, checks of channels during normal operational use ofthe displays associated with the LCO required channelssR 3.3.8.2SR 3.3.8,2 is the performance of a CHANNEL CALIBRATION every18 months. CHANNEL CALIBRATION is a complete check of theinstrument loop, except for the source range neutron detectot's which are excluded from the CHANNEL CALIBRATION as stated in the Note thatmodifies the Surveillance. The calibration method for neutron detectors is specified in the Bases of LCO 3.3.1, "Reactor Trip System (RTS)Instrumentation." The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.The Frequency is based on operating experience and consistency withthe typical industry refueling cycle. REFERENCES

1. Unit 1 UFSAR Section 14.1.4 and Unit 2 UFSAR Section15.4.6.Beaver Valley Units 1 and 2 B 3.3.8 - 5 Revision 0 RCS Pressure, Temperature, and Flow DNB LimitsB 3.4.1B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.1 RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB)Limits BASES BACKGROUNDThese Bases address requirements for maintaining RCS pressure,temperature, and flow rate within limits assumed in the safety analyses.

The safety analyses (Ref. 1) of normal operating conditions and anticipated operational occurrences assume initial conditions within the normal steady state envelope. The limits placed on RCS pressure,temperature, and flow rate ensure that the minimum departure fromnucleate boiling ratio (DNBR) will be met for each of the transients analyzed The design method utilized to meet the DNB design criterion for theRobust Fuel Assemblies is the Revised Thermal Design Procedure (RTDP) with the WRB-2M DNB correlation. The design method utilized tomeet the DNB design criterion for the VANTAGE 5H fuel assemblies isthe RTDP with the WRB-1 DNB correlation. Uncertainties in plant operating parameters, nuclear and thermal parameters, fuel fabrication parameters, computer codes, and DNB correlation predictions areconsidered statistically to obtain DNB uncertainty factors in the RTDP methodology. RTDP design limit DNBR values are determined in order tomeet the DNB design criterion based on the DNB uncertainty factors.The RTDP design limit DNBR values are 1 .22 for the typical and thimblecelfs for the Robust Fuel Assemblies, and 1 .23 and 1 .22 for the typicaland thimble cells, respectively, for the VANTAGE 5H fuel assemblies.Additional DNBR margin is maintained by performing the safety analysesto DNBR limits that are higher than the design limit DNBR values. Thismargin between the design and safety analysis limit DNBR values is usedto offset known DNBR penalties (e g , rod bow, instrumentation biases,etc.), and to provide DNBR margin for design and operating flexibility. The Standard Thermal Design Procedure (STDP) is used for those analyses where RTDP is not applicable. The parameters used in theseanalyses are treated in a conservative way from a DNBR standpoint inthe STDP methodology. The parameter uncertainties are applied directlyto the safety analyses input values to give the lowest minimum DNBR. The design DNBR limit for STDP is the 95/95 limit for the appropriate DNB correlation. Additional DNBR margin is maintained in the safety analyses to offset the applicable DNBR penalties.Beaver Valley Units 1 and 2 B 3.4.1 - 1 Revision 0 RCS Pressure, Temperature, and Flow DNB LimitsB 3.4.1 BASESBACKG ROUN D (conti nued)The 95/95 DNBR correlation limit is 1.14 for the WRB-2M DNBcorrelation, and 1 .17 tor the WRB-1 and WRB-2 DNB correlations. The WRB -1, WRB-2, ar W-3 DNB correlations are used where the WRB-2MDNB correlation is not applicable. The W-3 DNB correlation is usedwhere the WRB-1 and WRB-2 DNB correlations are not applicable. TheWRB-2M, WRB-1, and WRB-2 DNB correlations were developed basedon mixing vane data, and therefore are only applicable in the heated rodspans above the first mixing vane grid. The W-3 DNB correlation, which does not take credit for mixing vane grids, is used to calculate the DNBRvalues in the heated region below the first mixing vane grid. The W-3DNB correlation is applied in the analysis of accident conditions wherethe system pressure is below the range of the primary correlation. The W-3 DNBR correlation limit is 1 .45 for system pressures in the range of500 to 1,000 psia. The W-3 DNBR correlation limit is 1.30 for systempressures greater than 1,000 psia.The WRB-1 and WRB-2M DNB correlations are associated withtransients that could impact the reactor core safety limits. Thesecorrelations, along with the WRB-2 and W-3 DNB correlations, are used in support of the licensing basis transient analyses. APPLICABLE SAFETY ANALYSESThe requirements of this LCO represent the initial conditions for DNBlimited transients analyzed in the plant safety analyses (Ref. 1). Thesafety analyses have shown that transients initiated from the limits of thisLCO will result in meeting the applicable DNBR criteria. The applicableDNBR criteria provide the acceptance limits for the RCS DNB parameters. Changes to the unit that could impact these parametersmust be assessed for their impact on the applicable DNBR ct"iteria. Keytransients analyzed for DNB concerns include loss of coolant flow eventsand dropped or stuck rod events. A key assumption in the analyses ofthese events is that the core power distribution is within the limits ofLCO 3.1.6, "Control Bank lnsertion Limits," LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," and LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR)." The pressurizer pressure limit and RCS average temperature limit specified in the COLR correspond to the analytical limits used in thesafety analyses, with allowance for measurement uncertainty. Theanalytical values include measurement uncertainties for the non-RTDP events. The measurement uncertainties are included in the DNBR limitfor the RTDP events.The RCS DNB parameters satisfy Criterion 2 of 10 CFR 50.36(c)(2xii).Beaver Valley Units 1 and 2B 3 4.1 - 2 Revision 0 RCS Pressure, Temperature, and Flow DNB LimitsB 3.4.1 BASES LCOThis LCO specifies limits on the monitored process variables - pressurizer pressure, RCS average temperature, and RCS total flow rate - to ensurethe core operates within the limits assumed in the safety analyses. These variables are contained in the COLR to provide operating and analysisflexibility from cycle to cycle. However, the minimum RCS flow, based onmaximum analyzed steam generator tube plugging, is retained in the TSLCO. The RCS flow value retained in the LCO is an analytical limit usedin the safety analysis. Operating within these limits will result in meetingthe DNBR criterion in the event of a DNB limited transient. In order to verify the analytical RCS flow value specified in the LCO, themeasured RCS total flow rate is adjusted for measurement error based on performing a precision heat balance and using the result to calibratethe RCS flow rate indicators.The numerical values for pressure, temperature, and flow rate specified the COLR are given for the measurement location and have been adjusted for instrument error.APPLlCABILITYln MODE 1, the limits on pressurizer pressure, RCS coolant averagetemperature, and RCS flow rate must be maintained during steady state operation in order to ensure DNBR criteria will be met in the event of an unplanned loss of forced coolant flow or other DNB limited transient. lnall other MODES, the power level is low enough that DNB is not a concern.A Note has been added to indicate the limit on pressurizer pressure is notapplicable during short term operational transients such as a THERMALPOWER ramp increase > 5o/o RTP per minute or a THERMAL POWER step increase > 1oo/o RTP. These conditions represent short term perturbations where actions to control pressure variations might be counterproductive. Also, since they represent transients initiated from power levels < 100% RTP, an increased DNBR margin exists to offset the tem porary pressure variations.,The DNBR limit is provided in SL 2.1.1, "Reactor Core SLs." The conditions which define the DNBR limit are less restrictive than the limitsof this LCO, but violation of a Safety Limit (SL) merits a stricter, more severe Required Action. Should a violation of this LCO occur, the operator must check whether or not an SL may have been exceeded.Beaver Valley Units 1 and 2B 3.4.1 - 3 Revision 0 RCS Pressure, Temperature, and Flow DNB LimitsB 3.4.1 BASES ACTIONS A.1 RCS pressure and RCS average temperature are controllable and measurable parameters. With one or both of these parameters not withinLCO limits, action must be taken to restore parameter(s).RCS total flow rate is not a controllable parameter and is not expected to vary during steady state operation. lf the indicated RCS total flow rate isbelow the LCO limit, power must be reduced, as required by RequiredAction 8.1, to restore DNB margin and eliminate the potential for violationof the accident analysis bounds.The 2 hour Completion Time for restoration of the parameters providessufficient time to adjust plant parameters, to determine the cause for theoff normal condition, and to restore the readings within limits, and isbased on plant operating experience. 8.1lf Required Action A.1 is not met within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 2within 6 hours. In MODE 2, the reduced power condition eliminates the potential for violation of the accident analysis bounds. The Completion Time of 6 hours is reasonable to reach the required plant conditions in an orderly manner, SURVEILLANCE SR 3.4.1.1 REQUIREMENTS Since Required Action A.1 allows a Completion Time of 2 hours to restore parameters that are not within limits, the 12 hour Surveillance Frequency for pressurizer pressure is sufficient to ensure the pressure can berestored to a normal operation, steady state condition following load changes and other expected transient operations. The 12 hour interval has been shown by operating practice to be sufficient to regularly assess for potential degradation and to verify operation is within safety analysis assumptions.sR 3.4.1.2 Since Required Action A.1 allows a Completion Time of 2 hours to restore parameters that are not within limits, the 12 hour Surveillance Frequencyfor RCS average temperature is sufficient to ensure the temperature canbe restored to a normal operation, steady state condition following load changes and other expected transient operations. The 12 hour intervalhas been shown by operating practice to be sufficient to regularly assess for potential degradation and to verify operation is within safety analysis assumptions.Beaver Valley Units 1 and 2B 3.4.1 - 4Revision 0 RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 BASES SURVEILLANCE REQUI REMENTS (continued)sR 3.4.1 .3The 12 hour Surveillance Frequency for RCS total flow rate is performed using the installed flow instrumentation. The 12 hour interval has beenshown by operating practice to be sufficient to regularly assess potentialdegradation and to verify operation within safety analysis assumptions.sR 3.4.1 .4 Measurement of RCS total flow rate by performance of a precision caforimetric heat bafance once every 18 months allows the installed RCS flow instrumentation to be calibrated and verifies the actual RCS flow rate is greater than or equal to the minimum required RCS flow rate.The Frequency of 18 months reflects the importance of verifying flow aftera refueling outage when the core has been altered, which may havecaused an alteration of flow resistance. This SR is modified by a Note that allows entry into MODE 1, without having performed the SR, and placement of the unit in the best condition for performing the SR. The Note states that the SR is not required to be performed until 7 days after > 95% RTP. This exception is appropriatesince the heat balance requires the plant to be close to 100% RTP toobtain the required RCS flow accuracies. The Surveillance shall be performed within 7 days after reaching 95% RTP.REFERENCES 1.UFSAR, Chapter 14 (Unit 1), and UFSAR Chapter 15 (Unit 2).Beaver Valley Units I and 2B 3.4.1 - 5 Revision 0 RCS Minimum Temperature for CriticalityB 3.4.2 B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.2 BASES RCS Minimum Temperature for Criticality BACKGROUND This LCO is based upon meeting several major considerations before the reactor can be made critical and while the reactor is critical. The first consideration is moderator temperature coefficient (MTC),LCO 3.1.3, "Moderator Temperature Coefficient (MTC)." In the transient and accident analyses, the MTC is assumed to be in a range from slightly positive to negative and the operating temperature is assumed to bewithin the nominal operating envelope while the reactor is critical. The LCO on minimum temperature for criticality helps ensure the plant is operated consistent with these assumptions. The second consideration is the protective instrumentation. Because certain protective instrumentation (e.g., excore neutron detectors) can beaffected by moderator temperature, a temperature value within thenominal operating envelope is chosen to ensure proper indication andresponse while the reactor is critical. The third consideration is the pressurizer operating characteristics. The transient and accident analyses assume that the pressurizer is within its normal startup and operating range (i.e., saturated conditions and steam bubble present). lt is also assumed that the RCS temperature is within its normal expected range for startup and power operation. Since thedensity of the water, and hence the response of the pressurizer totransients, depends upon the initial temperature of the moderator, a minimum value for moderator temperature within the nominal operating envelope is chosen.The fourth consideration is that the reactor vessel is above its minimum nil ductility reference temperature when the reactor is critical.APPLICABLE SAFETY ANALYSESThe RCS minimum temperature for criticality is not itself an initialcondition assumed in Design Basis Accidents (DBAs). However, theclosely aligned temperature for hot zero power (HZPl is a processvariable that is an initial condition of DBAs. DBAs that assume the HZPtemperature as an initial condition include the rod cluster control assembly (RCCA) withdrawal from subcritical, RCCA ejection, and main steam line break. Each of these events assumes the failure of, or presents a challenge to, the integrity of a fission product barrier.Beaver Valley Units 1 and 2B 3.4.2 - 1Revision 0 RCS Minimum Temperature for Criticality B 3.4.2 BASES APPLICABLE SAFEry ANALYSES (continued) All low power safety analyses assume initial RCS loop temperatures > the HZP temperature of 547"F (Ref. 1). The minimum temperature forcriticality limitation provides a small band, 6"F, for critical operation below HZP. This band allows critical operation below HZP during plant startup and does not adversely affect any safety analyses since the MTC is not significantly affected by the small temperature difference between HZP and the minimum temperature for criticality. The RCS minimum temperature for criticality satisfies Criterion 2 of 10 CFR 50.36(c)(2xii). LCO Compliance with the LCO ensures that the reactor will not be made or maintained critical (k"tr > 1.0) at a temperature less than a small band below the HZP temperature, which is assumed in the safety analysis. Failure to meet the requirements of this LCO may produce initial conditions inconsistent with the initial conditions assumed in the safety analysis. APPLICABILITY In MODE 1 and MODE 2 with ker ) 1.0, LCO 3.4.2 is applicable since the reactor can only be critical (k"n > 1.0) in these MODES.The special test exception of LCO 3.1.9, "PHYSICS TESTS Exceptions -MODE 2," permits PHYSICS TESTS to be performed at s 5% RTP with RCS loop average temperatures slightly lower than normally allowed sothat fundamental nuclear characteristics of the core can be verified. In order for nuclear characteristics to be accurately measured, it may be necessary to operate outside the normal restrictions of this LCO. For example, to measure the MTC at beginning of cycle, it is necessary to allow RCS loop average temperatures to fall below Tnotoad, which maycause RCS loop average temperatures to fall below the temperature limit of this LCO.ACTIONS A1 lf the parameters that are outside the limit cannot be restored, the plant must be brought to a MODE in which the LCO does not apply. Toachieve this status, the plant must be brought to MODE 2 with Kus < 1.0 within 30 minutes. Rapid reactor shutdown can be readily and practicallyachieved within a 30 minute period. The allowed time is reasonable, based on operating experience, to reach MODE 2 with Ketr < 1.0 in anorderly manner and without challenging plant systems.Beaver Valley Units 1 and 2B 3.4.2 - 2Revision 0 RCS Minimum Temperature for CriticalityB 3.4.2 BASES SURVEILLANCE SR 3.4.2.1 REQUIREMENTSRCS loop average temperature is required to be verified at or above 541"F every 12 hours. The SR to verify RCS loop average temperatures every 12 hours takes into account indications and alarms that arecontinuously available to the operator in the control room and is consistent with other routine Surveillances which are typically performed once per shift. In addition, operators are trained to be sensitive to RCStemperature during approach to criticality and will ensure that theminimum temperature for criticality is met as criticality is approached. REFERENCES

1. UFSAR Chapter 14 (Unit 1), and UFSAR Chapter 15 (Unit 2).Beaver Valley Units 1 and 2B 3.4.2 - 3 Revision 0 RCS Pff Limits B 3.4.3 B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.3 RCS Pressure and Temperature (Pff) Limits BASES BACKGROUNDAll components of the RCS are designed to withstand effects of cyclic loads due to system pressure and temperature changes. These loadsare introduced by startup (heatup) and shutdown (cooldown) operations, power transients, and reactor trips.

This LCO limits the pressure andtemperature changes during RCS heatup and cooldown, within the designassumptions and the stress limits for cyclic operation.The PTLR contains Pff limit curves for heatup, cooldown, inservice leakand hydrostatic (ISLH) testing, and data for the maximum rate of change of reactor coolant temperature (Ref. 1).Each Pff limit curve defines an acceptable region for normal operation. The usual use of the curues is operational guidance during heatup or cooldown maneuvering, when pressure and temperature indications are monitored and compared to the applicable curve to determine that operation is within the allowable region.The LCO establishes operating limits that provide a margin to brittlefailure of the reactor vessel and piping of the reactor coolant pressure boundary (RCPB). The vessel is the component most subject to brittlefailure, and the LCO limits apply mainly to the vessel. The limits do notapply to the pressurizer, which has different design characteristics and operating functions. 10 CFR 50, Appendix G (Ref. 2), requires the establishment of PIT limits for specific material fracture toughness requlrements of the RCPBmaterials. Reference 2 requires an adequate margin to brittle failure during normal operation, anticipated operational occurrences, and system hydrostatic tests. lt mandates the use of the American Society ofMechanical Engineers (ASME) Code, Section Xl, Appendix G (Ref. 3).The neutron embrittlement effect on the material toughness is reflected byincreasing the nil ductility reference temperature (RT*ot) as exposure toneutron fluence increases. The actual shift in the RTr.ror of the vessel material will be established periodically by removing and evaluating the irradiated reactor vessel material specimens, in accordance with ASTM E 185 (Ref.4) andAppendix H of 10 CFR 50 (Ref. 5). The operating P/T limit curves will beadjusted, as necessary, based on the evaluation findings and the recommendations of Regulatory Guide 1,99 (Ref. 6).Beaver Valley Units 1 and 2B 3.4.3 - 1Revlsion 0 RCS Pff Limits B 3.4.3 BASES BACKG ROU N D (continued )The P/T limit curves are composite curves established by superimposing limits derived from stress analyses of those portions of the reactor vessel and head that are the most restrictive. At any specific pressure, temperature, and temperature rate of change, one location within the reactor vessel wifl dictate the most restrictive limit. Across the span of the P/T limit curves, different locations are more restrictive, and, thus, the curves are composites of the most restrictive regions.The heatup curve represents a different set of restrictions than the cooldown curve because the directions of the thermal gradients through the vessel wall are reversed. The thermal gradient reversal alters the location of the tensile stress between the outer and inner walls. The criticality limit curve includes the Reference 2 requirement that it be> 40'F above the heatup curve or the cooldown curve, and not less than the minimum permissible temperature for ISLH testing. However, the criticality curve is not operationally limiting; a more restrictive limit exists in LCO 3.4.2, "RCS Minimum Temperature for Criticality." The consequence of violating the LCO limits is that the RCS has beenoperated under conditions that can result in brittle failure of the RCPB, possibly leading to a nonisolable leak or loss of coolant accident. ln theevent these limits are exceeded, an evaluation must be performed todetermine the effect on the structural integrity of the RCPB components.The ASME Code, Section Xl, Appendix E (Ref. 7), provides a recommended methodology for evaluating an operating event that causesan excursion outside the limits.APPLICABLE SAFETY ANALYSESThe P/T limits are not derived from Design Basis Accident (DBA)analyses. They are prescribed during normal operation to avoid encountering pressure, temperature, and temperature rate of changeconditions that might cause undetected flaws to propagate and cause nonductile failure of the RCPB, an unanalyzed condition. The methodology for determining the P/T limits ls identified in Reference 1 .Although the P/T limits are not derived from any DBA, the P/T limits areacceptance limits since they preclude operation in an unanalyzed condition.RCS P/T limits satisfy Criterion 2 of 10 CFR 50.36(c)(2xii). Beaver Valley Units I and 2B 3.4.3 - 2 Revision 0 RCS P/T LimitsB 3.4.3 BASES LCO The two elements of this LCO are: The limit curves for heatup, cooldown, and ISLH testing andLimits on the rate of change of temperature. The LCO limits apply to all components of the RCS, except the pressurizer. These limits define allowable operating regions and permit a large number of operating cycles while providing a wide margin to nonductile failure.The limits for the rate of change of temperature control the thermal gradient through the vessel wall and are used as inputs for calculating the heatup, cooldown, and ISLH testing P/T limit curves. Thus, the LCO forthe rate of change of temperature restricts stresses caused by thermal gradients and also ensures the validity of the P/T limit curves.Violating the LCO limits places the reactor vessel outside of the bounds ofthe stress analyses and can.increase stresses in other RCPBcomponents. The consequences depend on several factors, as follow: The severity of the departure from the allowable operating PIT regime or the severity of the rate of change of temperature,The length of time the limits were violated (longer violations allowthe temperature gradient in the thick vessel walls to become more pronounced), andThe existences, sizes, and orientations of flaws in the vessel material.a.b.a.b.c.APPLICABILITY The RCS PIT limits LCO provides a definition of acceptable operation for prevention of nonductile failure in accordance with 10 CFR 50, Appendix G (Ref. 2). Although lhe P/T limits were developed to provide guidance for operation during heatup or cooldown (MODES 3, 4, and 5)or ISLH testing, their Applicability is at all times in keeping with theconcern for nonductile failure. The limits do not apply to the pressurizer. During MODES 1 and 2, other Technical Specifications provide limits for operation that can be more restrictive than or can supplement these P/T limits. LCO 3.4.1, "RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB) Limits," LCO 3.4.2, "RCS Minimum Temperature for Criticality," and Safety Limit 2.1, "Safety Limits," also provide operational restrictions for pressure and temperature and maximum pressure. Furthermore, MODES 1 and 2 are above thetemperature range of concern for nonductile failure, and stress analyses have been performed for normal maneuvering profiles, such as power ascension or descent.Beaver Valley Units 1 and 2B 3.4.3 - 3Revision 0 RCS P/T LimitsB 3.4.3 BASES ACTIONS A.1 and A.2 Operation outside the Pff limits during MODE 1,2,3, or4 must be corrected so that the RCPB is returned to a condition that has been verified by stress analyses. The 30 minute Completion Time reflects the urgency of restoring the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in this time in a controlled manner.Besides restoring operation within limits, an evaluation is required todetermine if RCS operation can continue. The evaluation must verify the RCPB integrity remains acceptable and must be cornpleted beforecontinuing operation. Several methods may be used, includingcomparison with pre-analyzed transients in the stress analyses, new analyses, or inspection of the components. ASME Code, Section Xl, Appendix E (Ref. 7), may be used to support theevaluation. However. its use is restricted to evaluation of the vessel beltline.The72 hour Completion Time is reasonable to accomplish the evaluation. The evaluation for a mild violation is possible within this time, but moresevere violations may require special, event specific stress analyses orinspections. A favorable evaluation must be completed before continuingto operate.Condition A is modified by a Note requiring Required Action A.2 to becompleted whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required Action A.1 is insufficientbecause higher than analyzed stresses may have occurred and may haveaffected the RCPB integrity. 8.1 and 8.2lf a Required Action and associated Completion Time of Condition A arenot met, the plant must be placed in a lower MODE because either theRCS remained in an unacceptable PiT region for an extended period of increased stress or a sufficiently severe event caused entry into anunacceptable region. Either possibility indicates a need for more carefulexamination of the event, best accomplished with the RCS at reduced pressure and temperature. ln reduced pressure and temperatureconditions, the possibility of propagation with undetected flaws is decreased.Beaver Valley Units 1 and 2B 3.4.3 - 4 Revision 0 RCS P/T LimitsB 3.4.3 BASESACTIONS (continued) lf the required restoration activity cannot be accomplished within 30 minutes, Required Action 8.1 and Required Action 8.2 must beimplemented to reduce pressure and temperature.lf the required evaluation for continued operation cannot be accomplishedwithin 72 hours or the results are indeterminate or unfavorable, action must proceed to reduce pressure and temperature as specified in Required Action 8.1 and Required Action B.2. A favorable evaluationmust be completed and documented before returning to operating pressure and temperature conditions.Pressure and temperature are reduced by bringing the plant to MODE 3 within 6 hours and to MODE 5 with RCS pressure < 500 psig within36 hours.The allowed Completion Times are reasonable, based on operatingexperience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.C.1 and C.2Actions must be initiated immediately to correct operation outside of thePiT limits at times other than when in MODE 1,2,3, or 4, so that theRCPB is returned to a condition that has been verified by stress analysis.The immediate Completion Time reflects the urgency of initiating action torestore the parameters to within the analyzed range. Most violations willnot be severe, and the activity can be accomplished in this time in a controlled manner.Besides restoring operation within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify thatthe RCPB integrity remains acceptable and must be completed prior to , entry into MODE 4. Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, or inspection of the components. ASME Code, Section Xl, Appendix E (Ref. 7), may be used to support the evaluation. However. its use is restricted to evaluation of the vessel beltline.Condition C is modified by a Note requiring Required Action C.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required Action C.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity. Beaver Valley Units 1 and 2 B34.3-5Revision 0 RCS Pff Limits B 3.4.3 BASES SURVEILLANCE SR 3.4.3.1 REQUIREMENTS Verification that operation is within the PTLR limits is required every30 minutes when RCS pressure and temperature conditions are undergoing pfanned changes. This Frequency is considered reasonablein view of the control room indication available to monitor RCS status. Also, since temperature rate of change limits are specified in hourly increments, 30 minutes permits assessment and correction for minordeviations within a reasonable time.Surveillance for heatup, cooldown, or ISLH testing may be discontinued when the definition given in the relevant plant procedure for ending theactivity is satisfied. This SR is modified by a Note that only requires this SR to be performed during system heatup, cooldown, and ISLH testing. No SR is given for criticality operations because LCO 3.4.2 contains a more restrictive requirement. REFERENCES 2.3.4.5.6.7.1.Pressure and Temperature10 CFR 50, Appendix G. Report (PTLR).ASME, Boiler and Pressure Vessel Code, SectionASTM E 185-82, July 1982.10 CFR 50, Appendix H.Regulatory Guide 1.99, Revision 2,May 1988.ASME. Boiler and Pressure Vessel Code. SectionAppendix G.Appendix E.Beaver Valley Units 1 and 2B 3.4.3 - 6 Revision 0 RCS Loops - MODES 1 and 2B 3.4.4 B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.4 RCS Loops - MODES 1 and 2 BASES BACKGROUND The primary function of the RCS is removal of the heat generated in the fuel due to the fission process, and transfer of this heat, via the steamgenerators (SGs), to the secondary plant.The secondary functions of the RCS include:Moderating the neutron energy level to the thermal state, toincrease the probability of fission, lmproving the neutron economy by acting as a reflector,Carrying the soluble neutron poison, boric acid,Providing a second barrier against fission product release to the environment, and Removing the heat generated in the fuel due to fission product decay following a unit shutdown.The reactor coolant is circulated through three loops connected in parallelto the reactor vessel, each containing an SG, a reactor coolant pump (RCP), and appropriate flow and temperature instrumentation for bothcontrol and protection. The reactor vessel contains the clad fuel. The SGs provide the heat sink to the isolated secondary coolant. The RCPs circulate the coolant through the reactor vessel and SGs at a sufficient rate to ensure proper heat transfer and prevent fuel damage. This forced circulation of the reactor coolant ensures mixing of the coolant for properboration and chemistry control.a.b.c.d.e.APPLICABLE SAFETY ANALYSESSafety analyses contain various assumptions for the design bases accident initial conditions including RCS pressure, RCS temperature, reactor power level, core parameters, and safety system setpoints. Theimportant aspect for this LCO is the reactor coolant forced flow rate,which is represented by the number of RCS loops in service. All of the safety analyses performed at full rated thermal power assume that all three RCS loops are in operation as an initial condition (Ref. 1).Some safety analyses have been performed at zero power conditionsassuming only two RCS loops are in operation to conservatively boundlower MODES of operation. The events which assume that two RCPs are in operation are the uncontrolled RCCA (Bank) withdrawal from Beaver Valley Units 1 and 2 B 3.4.4 - 1 Revision 0 RCS Loops - MODES 1 and 2B 3.4.4 BASES APPLICABLE SAFEry ANALYSES (continued)subcritical, and the zero power rod ejection events. While all safety anafyses performed at fuff rated thermal power assume that all RCS loopsare in operation, certain events examine the effects resulting from the loss of an RCS loop. These events include the partial loss of forced RCS flow and the RCP rotor seizure/shaft break. lt is demonstrated that allapplicable acceptance criteria are met for each of these events. The remaining safety analyses assume operation of all three RCS loopsduring the event, up to the time of reactor trip, to ensure that all applicableacceptance criteria are met. The events analyzed beyond the time ofreactor trip were examined assuming that a loss of offsite power occurs,which results in the coastdown of the RCPs. Plant operation with all RCS loops in operation in MODES 1 and 2ensures adequate heat transfer between the reactor coolant and the fuel cladding.RCS Loops - MODES 1 and 2 satisfy Criterion 2 af 10 CFR 50.36(c)(2xii). LCO The purpose of this LCO is to require an adequate forced flow rate forcore heat removal. Flow is represented by the number of RCPs in operation for removal of heat by the SGs. To meet safety analysisacceptance criteria for DNB, three pumps are required at rated power.An OPERABLE RCS loop consists of an OPERABLE RCP in operation providing forced flow for heat transport and an OPERABLE SG. APPLICABILITYIn MODES 1 and 2, the reactor is critical and thus has the potential to produce maximum THERMAL POWER. Thus, to ensure that theassumptions of the accident analyses remain valid, all RCS loops arerequired to be OPERABLE and in operation in these MODES to prevent DNB and core damage. ,In MODES 3, 4, and 5, the decay heat production rate is much lower thanthe full power heat rate. As such, the forced circulation flow and heat sink requirements are reduced for lower, noncritical MODES as indicated bythe LCOs for MODES 3, 4, and 5. Operation in other MODES is covered by: LCO 3.4.5, "RCS Loops - MODE 3,"LCO 3.4.6, 'RCS Loops - MODE 4,"LCO 3.4.7, 'RCS Loops - MODE 5, Loops Filled,"LCO 3.4.8, 'RCS Loops - MODE 5, Loops Not Filled,"Beaver Valley Units 1 and 2 B 3.4.4 - 2 Revision 0 RCS Loops - MODES 1 and 2B 3,4.4 BASES APPLICAB I LITY (continued) LCO 3.9.4, LCO 3.9.5,"Residual Heat Removal (RHR) and Coolant Circulation -High Water Level' (MODE 6), and"Residual Heat Removal (RHR) and Coolant Circulation -Low Water Level" (MODE 6).ACTIONS A.1 lf the requirements of the LCO are not met, the Required Action is to reduce power and bring the plant to MODE 3. The reactor shutdown reduces the core heat removal needs and minimizes the possibility of violating DNB limits. The Cornpletion Time of 6 hours is reasonable, based on operatingexperience, to reach MODE 3 from full power conditions in an orderly manner and without challenging safety systems. SURVEILLANCE SR 3.4.4.1 REQUIREMENTS This SR requires verification every 12 hours that each RCS loop is inoperation. Verification includes flow rate, temperature, or pump statusmonitoring, which help ensure that forced flow is providing heat removal while maintaining the margin to DNB. The Frequency of 12 hours is sufficient considering other indications and alarms available to theoperator in the control room to monitor RCS loop performance. REFERENCES

1. UFSAR Chapter 14 (Unit 1) and UFSAR Chapter 15 (Unit 2).Beaver Valley Units 1 and 2B 3.4.4 - 3Revision 0 RCS Loops - MODE 3B 3.4.5B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.5 RCS Loops - MODE 3 BASES BACKGROUND In MODE 3, the primary function of the reactor coolant is removal ofdecay heat and transfer of this heat, via the steam generator (SG), to the secondary plant fluid. The secondary function of the reactor coolant is to act as a carrier for soluble neutron poison, boric acid.

The reactor coolant is circulated through three RCS loops, connected in parallel to the reactor vessel, each containing an SG, a reactor coolant pump (RCP), and appropriate flow, pressure, level, and temperature instrumentation for control, protection, and indication. The reactor vessel contains the clad fuel. The SGs provide the heat sink. The RCPscirculate the water through the reactor vessel and SGs at a sufficient rate to ensure proper heat transfer and prevent fuel damage. In MODE 3, RCPs are used to provide forced circulation for heat removalduring heatup and cooldown. The MODE 3 decay heat removal requirements are low enough that a single RCS loop with one RCP running is sufficient to remove core decay heat. However, one additionalRCS loop is required to be OPERABLE to ensure redundant capability fordecay heat removal. APPLICABLE SAFETY ANALYSESWhenever the reactor trip breakers (RTBs) are in the closed position and the control rod drive mechanisms (CRDMs) are energized and the Rod Control System is capable of withdrawing rods, an inadvertent rod withdrawal from subcritical, resulting in a power excursion, is possible.Such a transient could be caused by a malfunction of the rod controlsystem. In addition, the possibility of a power excursion due to theejection of an inserted control rod is possible with the breakers closed or open. Such a transient could be caused by the mechanical failure of a CRDM.Therefore, in MODE 3 with the Rod Control System capable of rodwithdrawal, accidental control rod withdrawal from subcritical is postulated and requires at least two RCS loops to be OPERABLE and in operation toensure that the accident analyses limits are met. For those conditionswhen the Rod Control System is not capable of rod withdrawal, two RCS loops are required to be OPERABLE, but only one RCS loop is required to be in operation to be consistent with MODE 3 accident analyses.Beaver Valley Units 1 and 2B 3.4.5 - 1Revision 0 RCS Loops - MODE 3B 3.4.5 BASES APPLICABLE SAFEry ANALYSES (continued) Failure to provide decay heat removal may result in challenges to a fission product barrier. The RCS loops are part of the primary success path that functions or actuates to prevent or mitigate a Design Basis Accident or transient that either assumes the failure of, or presents a challenge to, the integrity of a fission product barrier.RCS Loops - MODE 3 satisfy Criterion 3 of 10 CFR 50.36(c)(2xii). LCO The purpose of this LCO is to require that at least two RCS loops be OPERABLE. In MODE 3 with the Rod Control System capable of rodwithdrawal, two RCS loops must be in operation. Two RCS loops are required to be in operation in MODE 3 with the Rod Control System capable of rod withdrawal due to the postulation of a power excursion because of an inadvertent control rod withdrawal. The required number of RCS loops in operation ensures that the Safety Limit criteria will be met for all of the postulated accidents.When the Rod Control System is not capable of rod withdrawal, only oneRCS loop in operation is necessary to ensure removal of decay heat from the core and homogenous boron concentration throughout the RCS. Anadditional RCS loop is required to be OPERABLE to ensure that a redundant RCS loop is available for decay heat removal.The Note permits all RCPs to be removed from operation for < t hour perB hour period. The purpose of the Note is to perform tests that are designed to validate various accident analyses values. One of thesetests is validation of the pump coastdown curve. Pump coastdown ismodeled in a number of accident analyses, including a loss of flowaccident. This test is generally performed in MODE 3 during the initialstartup testing program, and as such should only be performed once. lf,however, changes are made to the RCS that would cause a change tothe flow characteristics of the RCS, the input values of the coastdown curve must be revalidated by condupting the test again. Another test performed during the startup testlng program is the validation of rod droptimes during cold conditions, both with and without flow.The no flow test may be performed in MODE3,4, or 5 and requires that the pumps be stopped for a short period of time. The Note permits the stopping of the pumps in order to perform this test and validate theassumed analysis values. As with the validation of the pump coastdowncurve, this test should be performed only once unless the flowcharacteristics of the RCS are changed. The t hour time period specifiedis adequate to perform the desired tests, and operating experience hasshown that boron stratification is not a problem during this short period with no forced flow. Beaver Valley Units 1 and 2B 3.4.5 - 2Revision 0 RCS Loops - MODE 3B 3.4.5 BASES LCO (continued) a.Utilization of the Note is permitted provided the following conditions aremet, along with any other conditions imposed by initial startup test procedures: No operations are permitted that would dilute the RCS boronconcentration with coolant at boron concentrations less thanrequired to assure the SDM of LCO 3.1.1, thereby maintaining themargin to criticality. Boron reduction with coolant at boronconcentrations less than required to assure SDM is maintained is prohibited because a uniform concentration distribution throughout the RCS cannot be ensured when in natural circufation andCore outlet temperature is maintained at least 10"F below saturation temperature, so that no vapor bubble may form and possibly causea natural circulation flow obstruction. An OPERABLE RCS loop consists of one OPERABLE RCP and oneOPERABLE SG, which has the minimum water level specified inSR 3.4.5.2. An RCP is OPERABLE if it is capable of being powered and is able to provide forced flow if required. b.APPLlCABILITYln MODE 3, this LCO ensures forced circulation of the reactor coolant toremove decay heat from the core and to provide proper boron mixing.The most stringent condition of the LCO, that is, two RCS loopsOPERABLE and two RCS loops in operation, applies to MODE 3 with the Rod Control System capable of rod withdrawal. The least stringentcondition, that is, two RCS loops OPERABLE and one RCS loop inoperation, applies to MODE 3 with the Rod Control System not capable of rod withdrawal. Operation in other MODES is covered by:LCO 3.1 .10,LCO 3.4.4, LCO 3.4.6, LCO 3.4.7, LCO 3.4.8, LCO 3.9.4,LCO 3.9.5,"RCS Boron Limitations < 500oF,"'RCS Loops - MODES 1 and 2,""RCS Loops - MODE 4,""RCS Loops - MODE 5, Loops Filled,""RCS Loops - MODE 5, Loops Not Filled,""Residual Heat Removal (RHR) and Coolant Circulation -High Water Level" (MODE 6), and"Residual Heat Removal (RHR) and Coolant Circulation -Low Water Level" (MODE 6).Beaver Valley Units 1 and 2 B 3.4.5 - 3 Revision 0 RCS Loops - MODE 3B 3.4.5 BASES ACTIONS A.1 lf one required RCS loop is inoperable, redundancy for heat removal is lost. The Required Action is restoration of the required RCS loop to OPERABLE status within the Completion Time of 72 hours, This timeallowance is a justified period to be without the redundant, nonoperatingloop because a single loop in operation has a heat transfer capability greater than that needed to remove the decay heat produced in thereactor core and because of the low probability of a failure in theremaining loop occurring during this period.8.1 lf restoration for Required Action A.1 is not possible within 72 hours, theunit must be brought to MODE 4. In MODE 4, the unit may be placed onthe Residual Heat Removal System. The additional Completion Time of12 hours is compatible with required operations to achieve cooldown and depressurization from the existing plant conditions in an orderly mannerand without challenging plant systems.C.1 and C.2lf one required RCS loop is not in operation, and the Rod Control System is capable of rod withdrawal, the Required Action is either to restore therequired RCS loop to operation or to place the Rod Control System in a condition incapable of rod withdrawal (e.9., de-energize all CRDMs by opening the RTBs or de-energizing the motor generator (MG) sets or byopening afl of the individual rod lift coil disconnect switches). When the Rod Control System is capable of rod withdrawal, it is postulated that a power excursion could occur in the event of an inadvertent control rod withdrawal. This mandates having the heat transfer capacity of two RCS loops in operation. lf only one loop is in operation, the Rod Control System must be rendered incapable of rod withdrawal. The CompletionTimes of t hour, to restore the required RCS loop to operation or defeatthe Rod Control System is adequate to perform these operations in an orderly manner without exposing the unit to risk for an undue time period.D.2and D.3 lf two required RCS loops are inoperable or no RCS loop is in operation, except during conditions permitted by the Note in the LCO section, the Rod Control System must be placed in a condition incapable of rod withdrawal (e.9., all CRDMs must be de-energized by opening the RTBs orde-energizing the MG sets or by opening all of the individual rod lift coildisconnect switches). All operations involving introduction of coolant into theRCS with boron concentration less than required to meet the minimum SDM D.1 Beaver Valley Units 1 and 2 B 3.4.5 - 4Revision 0 RCS Loops - MODE 3B 3.4.5 BASES ACTIONS (continued)of LCO 3.1.1 must be suspended, and action to restore one of the RCS loopsto OPERABLE status and operation must be initiated. Boron dilution requiresforced circulation for proper mixing, and opening the RTBs or de-energizing the MG sets or by opening all of the individual rod lift coil disconnect switches removes the possibility of an inadvertent rod withdrawal.Suspending the introduction of coolant into the RCS with boron concentration less than required to meet the minimum SDM of LCO 3.1.1 is required toassure continued safe operation. With coolant added without forcedcirculation, unmixed coolant could be introduced to the core, however coolant added with boron concentration meeting the minimum SDM maintains acceptable margin to subcritical operations. The immediate CompletionTime reflects the importance of maintaining operation for heat removal. The action to restore must be continued until one loop is restored to OPERABLEstatus and operation. SURVEILLANCE SR 3.4.5.1 REQUIREMENTS This SR requires verification every 12 hours that the required foops are in operation. Verification includes flow rate, temperature, and pump status monitoring, which help ensure that forced flow is providing heat removal.The Frequency of 12 hours is sufficient considering other indications andalarms available to the operator in the control room to monitor RCS loop performance.sR 3.4.5.2SR 3.4.5.2 requires verification of SG OPERABILITY. SG OPERABILITYis verified by ensuring that the secondary side narrow range water level is>- 28o/o (Unit 1 ) or > 155% (Unit 2)for required RCS loops. lf the SGsecondary side narrow range water fevel is not within the required limit,the tubes may become uncovered and the associated loop may not becapable of pro':,iding the heat sink for removal of the decay heat. The12 hour Frequency is considered adequate in view of other indications available in the control room to alert the operator to a loss of SG level.sR 3.4.5.3 Verification that each required RCP is OPERABLE ensures that safety analyses limits are met. The requirement also ensures that an additionalRCP can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power availability to each requiredRCP not in operation. Alternatively, verification that a pump is inoperation also verifies proper breaker alignment and power availability.Beaver Valley Units 1 and 2B 3.4.5 - 5 Revision 0 RCS Loops - MODE 3 BASES SURVEILLANCE REQUI REMENTS (continued) This SR is modified by a Note that states the SR is not required to be performed until 24 hours after a required pump is not in operation. REFERENCES None.Beaver Valley Units 1 and 2B 3.4.5 - 6 RCS Loops - MODE 4 B 3.4.6 B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.6 RCS Loops - MODE 4 BASES BACKGROUND In MODE 4, the primary function of the reactor coolant is the removal of decay heat and the transfer of this heat to either the steam generator (SG)secondary side coolant or the component cooling water via the residual heat removal (RHR) heat exchangers. The secondary function of the reactor coolant is to act as a carrier for soluble neutron poison, boric acid.The reactor coolant is circulated through three RCS loops connected in parallel to the reactor vessel, each loop containing an SG, a reactor coolant pump (RCP), and appropriate flow, pressure, level, andtemperature instrumentation for controf, protection, and indication. The RCPs circulate the coolant through the reactor vessel and SGs at asufficient rate to ensure proper heat transfer and to prevent boric acid stratification. ln MODE 4, either RCPs or RHR loops can be used to provide forcedcirculation. The intent of this LCO is to provide forced flow from at least one RCP or one RHR loop for decay heat removal and transport. The flow provided by one RCP loop or RHR loop is adequate for decay heat removal. The other intent of this LCO is to require that two paths beavailable to provide redundancy for decay heat removal.APPLICABLE SAFETY ANALYSES In MODE 4, RCS circulation is required for decay heat removal. The RCS and RHR loops provide this circulation. RCS Loops - MODE 4 satisfies Criterion 4 of 10 CFR 50.36(c)(2xii). LCO The purpose of this LCO is to require that at least two loops beOPERABLE in MODE 4 and that one of these loops be in operation. The LCO allows the two loops that are required to be OPERABLE to consist of any combination of RCS loops and RHR loops. Any one loop in operation provides enough flow to remove the decay heat from the core with forcedcirculation. An additional loop is required to be OPERABLE to provide redundancy for heat removal.Note 1 permits all RCPs or RHR pumps to be removed from operation for< t hour per B hour period. The purpose of the Note is to permit pumpswapping or tests such as those designed to validate various accidentanalyses values or confirm equipment operability. The t hour time period is adequate to perform pump swaps and most tests that may benecessary in MODE 4, and operating experience has shown that boronstratification is not a problem during this short period with no forced flow. Beaver Valley Units 1 and 2B 3.4.6 - 1 Revision 0 RCS Loops - MODE 4 B 3.4.6 BASES LCO (continued) a.Utilization of Note 1 is permitted provided the following conditions are met along with any other conditions imposed by the test procedures:No operations are permitted that would dilute the RCS boronconcentration with coolant with boron concentrations less thanrequired to meet SDM of LCO 3.1.1, therefore maintaining the margin to criticality. Boron reduction with coolant at boron concentrations less than required to assure SDM is maintained is prohibited because a uniform concentration distribution throughout the RCS cannot be ensured when in natural circulation andCore outlet temperature is maintained at least 10"F below saturation temperature, so that no vapor bubble may form and possibly cause a natural circulation flow obstruction.Note 2 requires that the secondary side water temperature of each non-isolated SG be < 50"F above each of the non-isolated RCS cold legtemperatures before the start of the first RCP with any non-isolated RCS cold leg temperature < the enabfe temperature specified in the PTLR.This restraint is to prevent a low temperature overpressure event due to athermal transient when an RCP is started. An OPERABLE RCS loop comprises an OPERABLE RCP and anOPERABLE SG, which has the minimum water level specified insR 3.4.6.2.Similarly for the RHR System, an OPERABLE RHR loop comprises an OPERABLE RHR pump capable of providing forced flow to an OPERABLE RHR heat exchanger. RCPs and RHR pumps are OPERABLE if they are capable of being powered and are able to provideforced flow if required. b.APPLICABILlTYln MODE 4, this LCO ensures forced circulation of the reactor coolant toremove decay heat from the core and to provide proper boron mixing.One loop of either RCS or RHR provides sufficient circulation for these purposes. However, two loops consisting of any combination of RCS andRHR loops are required to be OPERABLE to meet single failure considerations. Operation in other MODES is covered by: LCO 3.4.4, LCO 3.4.5,LCO 3.4.7,"RCS Loops - MODES 1"RCS Loops - MODE 3,""RCS Loops - MODE 5, and 2," Loops Filled," Beaver Valley Units 1 and 2B 3.4.6 - 2Revision 0 RCS Loops - MODE 4B 3.4.6 BASES APPLICAB I LITY (continued)LCO 3.4.8, LCO 3.9.4,LCO 3.9.5,'RCS Loops - MODE 5, Loops Not Filled,""Residual Heat Removal (RHR) and Coolant Circufation -High Water Level" (MODE 6), and"Residual Heat Removal (RHR) and Coolant Circulation -Low Water Level" (MODE 6).ACTIONS A.1 lf one required foop is inoperable, redundancy for heat removal is lost. Action must be initiated to restore a second RCS or RHR loop to OPERABLE status. The immediate Completion Time reflects theimportance of maintaining the availability of two loops for heat removal.4.2lf restoration is not accomplished and an RHR loop is OPERABLE, theunit must be brought to MODE 5 within 24 hours. Bringing the unit toMODE 5 is a conservative action with regard to decay heat removal. Withonly one RHR loop OPERABLE, redundancy for decay heat removal islost and, in the event of a loss of the remaining RHR loop, it would besafer to initiate that loss from MODE 5 rather than MODE 4. The Completion Time of 24 hours is a reasonable time, based on operating experience, to reach MODE 5 from MODE 4 in an orderly manner and without challenging plant systems.This Required Action is modified by a Note which indicates that the unitmust be placed in MODE 5 only if a RHR loop is OPERABLE. With noRHR loop OPERABLE, the unit is in a condition with only limited cooldown capabilities. Therefore, the actions are to be concentrated on the restoration of a RHR loop, rather than a cooldown of extended duration.B.1 and 8.2 lf two required loops are inoperable or a required loop is not in operation, except during conditions permitted by Note 1 in the LCO section, afl operations involving introduction of coolant into the RCS with boron concentration less than required to meet the minimum SDM of LCO 3.1.1 must be suspended and action to restore one RCS or RHR loop to OPERABLE status and operation must be initiated. The required margin to criticality must not be reduced in this type of operation. Suspending theintroduction of coolant into the RCS with boron concentration less than required to meet the minimum SDM of LCO 3.1.1 is required to assurecontinued safe operation. With coofant added without forced circulation,unmixed coolant could be introduced to the core, however coolant addedwith boron concentration meeting the minimum SDM maintains acceptableBeaver Valley Units 1 and 2B 3.4.6 - 3 Revision 0 RCS Loops - MODE 4 B 3.4.6 BASES ACTIONS (continued)margin to subcritical operations. The immediate Completion Times reflectthe importance of maintaining operation for decay heat removal. The action to restore must be continued until one loop is restored to OPERABLE statusand operation. SURVEILLANCE SR 3.4.6.1 REQUIREMENTS This SR requires verification every 12 hours that the required RCS orRHR loop is in operation. Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providingheat removal. The Frequency of 12 hours is sufficient considering other indications and alarms available to the operator in the control room tomonitor RCS and RHR loop performance.sR 3.4.6.2SR 3.4.6.2 requires verification of SG OPERABILIry. SG OPERABILITYis verified by ensuring that the secondary side narrow range water level is >28% (Unit 1) or >- 15.5% (Unit 2). lf the SG secondary side narrowrange water level is less than the required limit, the tubes may becomeuncovered and the associated loop may not be capable of providing theheat sink necessary for removal of decay heat. The 12 hour Frequency isconsidered adequate in view of other indications available in the controlroom to alert the operator to the loss of SG level.sR 3.4.6.3 Verification that each required pump is OPERABLE ensures that an additional RCS or RHR pump can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power available to each required pump not in operation. Alternatively, verification that a pump is in operation also verifies proper breaker alignment and power availability. The Frequency of 7 days is considered reasonable in view ofother administrative controls available and has been shown to beacceptable by operating experience.This SR is modified by a Note that states the SR is not required to be performed until 24 hours after a required pump is not in operation. REFERENCES None.Beaver Valley Units 1 and 2B 3.4.6 - 4 Revision 0 RCS Loops - MODE 5, Loops FilledB 3.4.7B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.7 RCS Loops - MODE 5, Loops Filled BASES BACKGROUND In MODE 5 with the RCS loops filled, the primary function of the reactor coolant is the removal of decay heat and transfer this heat either to the steam generator (SG) secondary side coolant via natural circulation (Ref. 1) or the component cooling water via the residual heat removal (RHR) heat exchangers. While the principal means for decay heatremoval is via the RHR System, the SGs via natural circulation (Ref. 1)are specified as a backup means for redundancy. Even though the SGs cannot produce steam in this MODE, they are capable of being a heatsink due to their large contained volume of secondary water. As long asthe SG secondary side water is at a lower temperature than the reactorcoolant, heat transfer will occur. The rate of heat transfer is directly proportional to the temperature difference. The secondary function of the reactor coolant is to act as a carrier for soluble neutron poison, boric acid.In MODE 5 with RCS loops filled, the reactor coolant is circulated bymeans of two RHR loops connected to the RCS, each loop containing anRHR heat exchanger, an RHR pump, and appropriate flow and temperature instrumentation for control and indication. One RHR pumpcirculates the water through the RCS at a sufficient rate to prevent boricacid stratification.The number of loops in operation can vary to suit the operational needs.The intent of this LCO is to provide forced flow from at least one RHR loop for decay heat removal and transport. The flow provided by oneRHR loop is adequate for decay heat removal. The other intent of thisLCO is to require that a second path be available to provide redundancyfor heat removal. The LCO provides for redundant paths of decay heat removal capability.The first path can be an RHR loop that must be OPERABLE and in operation. The second path can be another OPERABLE RHR loop ormaintaining at least one unisolated SG with a secondary side water levelof >28% for Unit 1 or> 15.5% for Unit 2 to provide an alternate method for decay heat removal via natural circulation (Ref.1).APPLICABLE SAFETY ANALYSESIn MODE 5, RCS circufation is required for decay heat removal. The RHR loops provide this circulation.RCS Loops - MODE 5 (Loops Filled) satisfies Criterion 4 of1 0 CFR 50.36(c)(2)(ii). Beaver Valley Units 1 and 2 B 3.4.7 - 1Revision 0 RCS Loops - MODE 5, Loops FilledB 3.4.7 BASES LCO The purpose of this LCO is to require that at least one of the RHR loopsbe OPERABLE and in operation with an additional RHR loop OPERABLE or one unisolated SG with a narrow range secondary side water level>28% for Unit 1 or > 15.5o/o for Unit 2. One RHR loop provides sufficient forced clrculation to perform the safety functions of the reactor coolantunder these conditions. An additional RHR loop is required to beOPERABLE to meet single failure considerations. However, if the standby RHR loop is not OPERABLE, an acceptable alternate method isone unisolated SG with a narrow range secondary side water level > 28%for Unit 1 or > 15.5% for Unit 2. Should the operating RHR loop fail, theSG could be used to remove the decay heat via natural circulation.lmplicit in the provision of this LCO that allows the reliance on a SG fornatural circulation are the requirements for an adequate secondary side makeup water supply to maintain the SG level, an adequate steam reliefcapability to remove decay heat, and for the capability to control RCS pressure to assure the RCS remains pressurized and subcooled during natural circulation. These additional requirements for natural circulationare consistent with the generic recommendations of Reference 1 and themore detailed BVPS Unit 1 and Unit 2 specific recommendations of Reference 2.Note 1 permits all RHR pumps to be removed from operation < t hour per 8 hour period. The purpose of the Note is to permit pump swapping ortests such as those designed to validate various accident analyses valuesor confirm equipment operability. The t hour time period is adequate toperform pump swaps and most tests that may be necessary in MODE 5,and operating experience has shown that boron stratification is not likelyduring this short period with no forced flow.Utilization of Note 1 is permitted provided the following conditions are met, along with any other conditions imposed by the test procedures: No operations are permitted that would dilute the RCS boronconcentration with coolant with boron concentrations less thanrequired to meet SDM of LCO 3.1.1, therefore maintaining themargin to criticality. Boron reduction with coolant at boronconcentrations less than required to assure SDM is maintained is prohibited because a uniform concentration distribution throughout the RCS cannot be ensured when in natural circulation, andCore outlet temperature is malntained at least 10"F below saturation temperature, so that no vapor bubble may form and possibly cause a natural circulation flow obstruction.Note 2 allows one RHR loop to be inoperable for a perlod of up to2 hours, provided that the other RHR loop is OPERABLE and in operation. This permits periodic surveillance tests to be performed when a.b.Beaver Valley Units 1 and 2B 3.4.7 - 2Revision 0 RCS Loops - MODE 5, Loops FilledB 3.4.7 BASES LCO (continued) the testing results in the required RHR loop being rendered inoperable. The remaining OPERABLE RHR loop is adequate to provide the required cooling during the time allowed by Note 2.Note 3 requires that the secondary side water temperature of each non-isolated SG be < 50oF above each of the non-isolated RCS cold leg temperatures before the start of the first reactor coolant pump (RCP) witha non-isolated RCS cold leg temperature < the enable temperaturespecified in the PTLR. This restriction is to prevent a low temperature overpressure event due to a thermal transient when an RCP is started. Note 4 provides for an orderly transition from MODE 5 to MODE a durinj a planned heatup by permitting removal of RHR loops from operation when at least one RCS loop is in operation. This Note provides for the transition to MODE 4 where an RCS loop is permitted to be in operation and replaces the RCS circulation function provided by the RHR loops. By permitting the removal of the RHR loops from operation this Note also eliminates the LCO requirement for an RCS loop to provide cooling via natural circulation. RHR pumps are OPERABLE if they are capable of being powered and are able to provide flow if required. A SG can perform as a heat sink via natural circulation when it has an adequate water level and is OPERABLE.APPLICABILITY In MODE 5 with at least one RCS loop unisolated and filled, this LCO requires forced circulation of the reactor coolant to remove decay heat from the core and to provide proper boron mixing. One loop of RHR provides sufficient circulation for these purposes. However, oneadditional RHR loop is required to be OPERABLE, or the secondary side water fevel of at least one unisofated SG is required to be > 28o/o for Unit 1 or > 15.59'" for Unit 2.Operation in other MODES is covered by: LCO 3.4.4, LCO 3.4.5, LCO 3.4.6, LCO 3.4.8, LCO 3.9.4, LCO 3.9.5,'RCS Loops - MODES 1 and 2i"RCS Loops - MODE 3;""RCS Loops - MODE 4;""RCS Loops - MODE 5, Loops Not Filled;""Residual Heat Removal (RHR) and Coolant Circulation -High Water Level" (MODE 6), and"Residual Heat Removal (RHR) and Coolant Circulation -Low Water Level" (MODE 6).Beaver Valley Units 1 and 2 B 3.4.7 - 3Revision 0 RCS Loops - MODE 5, Loops FilledB 3.4.7 BASES ACTIONSA.1, A.2. B.1 and B.2lf one RHR loop is OPERABLE and either the required SG has asecondary side water level that is not within the required limit, or onerequired RHR loop is inoperable, redundancy for heat removal is lost.Action must be initiated immediately to restore a second RHR loop toOPERABLE status or to restore the required SG secondary side waterlevel. Either Required Action will restore redundant heat removal loops.The immediate Completion Time reflects the importance of maintainingthe availability of two paths for heat removal.C.1 and C.2 lf a required RHR loop is not in operation, except during conditions permitted by Notes 1 and 4, or if no required loop is OPERABLE, all operations involving introduction of coolant into the RCS with boron concentration less than required to meet the minimum SDM of LCO 3.1.1must be suspended and action to restore one RHR loop to OPERABLEstatus and operation must be initiated. Suspending the introduction ofcoolant into the RCS of coolant with boron concentration less thanrequired to meet the minimum SDM of LCO 3.1.1 is required to assurecontinued safe operation. With coolant added without forced circulation,unmixed coolant could be introduced to the core, however coolant addedwith boron concentration meeting the minimum SDM maintains acceptable margin to subcritical operations. The immediate CompletionTimes reflect the importance of maintaining operation for heat removal.SURVEILLANCE SR 3.4.7.1 REQUIREMENTSThis SR requires verification every 12 hours that the required loop is in operation. Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal.The Frequency of 12 hours is sufficient considering other indications andalarms available to the operator in the control room to monitor RHR loop performance. sR 3.4.7.2Verifying that at least one unisolated SG is OPERABLE by ensuring thesecondary side narrow range water level is>28o/o for Unit 1 or > 15.5%for Unit 2 ensures an alternate decay heat removal method via natural circulation in the event that the second RHR loop is not OPERABLE. lf both RHR loops are OPERABLE, this Surveillance is not needed. The12 hour Frequency is considered adequate in view of other indications available in the control room to alert the operator to the loss of SG level.Beaver Valley Units 1 and 2 B 3.4.7 - 4Revision 0 RCS Loops - MODE 5, Loops FilledB 3.4.7 BASES SURVEILLANCE REQU I REMENTS (continued)sR 3.4.7.3Verification that each required RHR pump is OPERABLE ensures that an additional pump can be placed in operation, if needed, to maintain decayheat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power available to each required RHR pump not in operation. Alternatively, verification that a pump is inoperation also verifies proper breaker alignment and power availability. lfsecondary side water level is>28o/o for Unit 1 or > 15.5% for Unit 2 tn atleast one unisolated SG, this Surveillance is not needed. The Frequencyof 7 days is considered reasonable in view of other administrative controlsavailable and has been shown to be acceptable by operating experience. This SR is modified by a Note that states the SR is not required to be performed until 24 hours after a required pump is not in operation. REFERENCES 2.1.NRC Information Notice 95-35, "Degraded Ability of SteamGenerators to Remove Decay Heat by Natural Circulation." Westinghouse Letter # FENOC-04-228, "Beaver Valley Units 1 and2 Mode 5, Loops Filled Natural Circulation Cooling Assessment,"dated January 31, 2005.Beaver Valley Units 1 and 2B 3.4.7 - 5 RCS Loops - MODE 5, Loops Not FilledB 3.4.8B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.8 RCS Loops - MODE 5, Loops Not Filled BASES BACKGROUNDln MODE 5 with the RCS loops not filled or isolated, the primary functionof the reactor coolant is the removal of decay heat generated in the fuel,and the transfer of this heat to the component cooling water via the residual heat removal (RHR) heat exchangers. The steam generators (SGs) are not available as a heat sink when the loops are not filled orisolated. The secondary function of the reactor coolant is to act as acarrier for the soluble neutron poison, boric acid.In MODE 5 with loops not filled or isolated, only RHR pumps can be used for coolant circulation. The number of pumps in operation can vary to suitthe operational needs. The intent of this LCO is to provide forced flowfrom at least one RHR pump for decay heat removal and transport and to require that two loops be available to provide redundancy for heat removal.APPLICABLE SAFETY ANALYSESln MODE 5, RCS circulation is required for decay heat removal. TheRHR loops provide this circulation. The flow provided by one RHR loop is adequate for heat removal and for boron mixing.RCS loops in MODE 5 (loops not filled) satisfies Criterion 4 of 10 CFR 50.36(c)(2xii). LCO The purpose of this LCO is to require that at least two RHR loops beOPERABLE and one of these loops be in operation. An OPERABLE loop is one that has the capability of transferring heat from the reactor coolantat a controlled rate. Heat cannot be removed via the RHR System unlessforced flow is used. A minimum of one running RHR pump meets theLCO requirement for one loop in operation. An additional RHR loop is required to be OPERABLE to meet single failure considerations.Note 1 permits all RHR pumps to be removed from operation for< 15 minutes when switching from one loop to another. The circumstances for stopping both RHR pumps are to be limited to situations when the outage time is short and core outlet temperature is maintained > 10'F below saturation temperature. The Note prohibitsboron dilution with coolant at boron concentrations less than required toassure SDM of LCO 3.1.1 is maintained or draining operations when RHRforced flow is stopped.Beaver Valley Units 1 and 2B 3.4.8 - 1 Revision 0 RCS Loops - MODE 5, Loops Not FilledB 3.4.8 BASES LCO (continued) Note 2 allows one RHR loop to be inoperable for a period of <2 hours, provided that the other loop is OPERABLE and in operation. This permits periodic surveillance tests to be performed when the testing results in the required RHR loop being rendered inoperable. The remainingOPERABLE RHR loop is adequate to provide the required cooling during the time allowed by Note 2.An OPERABLE RHR loop is comprised of an OPERABLE RHR pump capable of providing forced flow to an OPERABLE RHR heat exchanger. RHR pumps are OPERABLE if they are capable of being powered and are able to provide flow if required. APPLICABILITY In MODE 5 with loops not filled or isolated, this LCO requires core heat removal and coolant circulation by the RHR System.Operation in other MODES is covered by: "RCS Loops - MODES 1 and 2,""RCS Loops - MODE 3,"'RCS Loops - MODE 4,""RCS Loops - MODE 5, Loops Filled,""Residual Heat Removal (RHR) and Coolant Circulation -High Water Level" (MODE 6), and"Residual Heat Removal (Rl-JR) and Coolant Circulation -Low Water Level" (MODE 6).LCO 3.4.4,LCO 3.4.5,LCO 3.4.6, LCO 3.4.7 , LCO 3.9.4,LCO 3.9.5, ACTIONS A.1 lf one required RHR loop is inoperable, redundancy for RHR is lost.Action must be initiated to restore a second loop to OPERABLE status.The immediate Completion Time reflects the importance of maintaining the avaifability of two loops for heat removal.8.1 and B.2lf no required loop is OPERABLE or the required loop is not in operation,except during conditions permitted by Note 1, all operations involving introduction of coolant into the RCS with boron concentration less than required to meet the minimum SDM of LCO 3.1.1 must be suspended and action must be initiated immediately to restore an RHR loop toOPERABLE status and operation. The required margin to criticality mustnot be reduced in this type of operation. Suspending the introduction of coolant into the RCS of coolant with boron concentration less thanrequired to meet the minimum SDM of LCO 3.1.1 is required to assure Beaver Valley Units 1 and 2B 3.4.8 - 2Revision 0 RCS Loops - MODE 5, Loops Not FilledB 3.4.8 BASESACTIONS (continued) continued safe operation. With coolant added without forced circulation, unmixed coolant could be introduced to the core, however coolant added with boron concentration meeting the minimum SDM maintains acceptable margin to subcritical operations. The immediate Completion Time reflects the importance of maintaining operation for heat removal. The action to restore must continue until one loop is restored to OPERABLE status and operation. SURVEILLANCE REQUIREMENTS sR 3.4.8.1 This SR requires verification every 12 hours that the required loop is inoperation. Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal.The Frequency of 12 hours is sufficient considering other indications and alarms available to the operator in the control room to monitor RHR loop performance. sR 3.4.8.2 Verification that each required pump is OPERABLE ensures that an additional pump can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verificatlon is performed by verifying proper breaker alignment and power available to each required pump not in operation. Alternatively, verification that a pump is in operation also verifies proper breaker alignment and power availability. The Frequency of 7 days is considered reasonable in view of other administrative controls available and has been shown to be acceptable by operating experience. This SR is modified by a Note that states the SR is not required to be performed until 24 hours after a required pump is not in operation. REFERENCES None.Beaver Valley Units 1 and 2 B3.48-3 Revision 0 PressurizerB 3.4.9 B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.9 Pressurizer BASES BACKGROUND The pressurizer provides a point in the RCS where liquid and vapor aremaintained in equilibrium under saturated conditions for pressure control purposes to prevent bulk boiling in the remainder of the RCS. Keyfunctions include maintaining required primary system pressure during steady state operation, and limiting the pressure changes caused by reactor coolant thermal expansion and contraction during normaf foad transients. The pressure control components addressed by this LCO include the pressurizer water level, the required heaters, and their controls and emergency power supplies. Pressurizer safety valves and pressurizer power operated relief valves are addressed by LCO 3.4.10, "PressurizerSafety Valves," and LCO 3.4.11, "Pressurizer Power Operated Relief Valves (PORVs)," respectively.The intent of the LCO is to ensure that a steam bubble exists in the pressurizer prior to power operation to minimize the consequences of potential overpressure transients. The presence of a steam bubble is consistent with analytical assumptions. Relatively small amounts of noncondensible gases can inhibit the condensation heat transfer between the pressurizer spray and the steam, and diminish the spray effectiveness for pressure control.Electrical immersion heaters, located in the lower section of the pressurizer vessel, keep the water in the pressurizer at saturation temperature and maintain a constant operating pressure. A minimum required available capacity of pressurizer heaters ensures that the RCS pressure can be maintained. The capability to maintain and control system pressure is important for maintaining subcooled conditions in the RCS and ensuring the capability to remove core decay heat by either forced or natural circulation of reactor coolant. Unless adequate heatercapacity is available, the hot, high pressure condition cannot bemaintained indefinitefy and still provide the required subcooling margin in the primary system. lnability to control the system pressure and maintainsubcooling under conditions of natural circulation flow in the primary system could lead to a loss of single phase natural circulation anddecreased capability to remove core decay heat.Beaver Valley Units 1 and 2 B 3.4.9 - 1 Revision 0 PressurizerB 3.4.9 BASES APPLICABLE SAFETY ANALYSESIn MODES 1, 2, and 3, the LCO requirement for a steam bubble is reflected implicitly in the accident analyses. Safety analyses performedfor lower MODES are not limiting. All analyses performed from a critical reactor condition assume the existence of a steam bubble and saturatedconditions in the pressurizer. In making this assumption, the analyses neglect the small fraction of noncondensible gases normally present.Safety analyses presented in the UFSAR (Ref. 1) do not take credit for pressurizer heater operation; however, an implicit initial condition assumption of the safety analyses is that the RCS is operating at normal pressure. Although the safety analyses do not take credit for pressurizer heater operation, the pressurizer heaters are modeled in any transient where pressurizer heater operation could lead to more limiting results (e.g., pressurizer filling events).The maximum pressurizer water level limit, which ensures that a steam bubble exists in the pressurizer, satisfies Criterion 2 of 10 CFR 50,36(cX2Xii). Although the heaters are not specifically used in accidentanalysis, the need to maintain subcooling in the long term during loss of offsite power, as indicated in NUREG-Arc7 (Ref. 2), is the reason for providing an LCO.LCO The LCO requirement for the pressurizer to be OPERABLE with a water volume s 1235 cubic feet, which is equivalent to gzoh, ensures that asteam bubble exists. Limiting the LCO maximum operating water level preserves the steam space for pressure control. The LCO has beenestablished to ensure the capability to establish and maintain pressurecontrol for steady state operation and to minimize the consequences of potential overpressure transients. Requiring the presence of a steambubble is also consistent with analytical assumptions. The LCO requires two sets of OPERABLE pressurizer heaters, each witha capacity > 150 kW, capable of being powered from the emergency power supply. There are four groups of backup pressurizer heaters powered from emergency busses. Two groups of backup heaters aresupplied from each train of emergency power. The LCO requirement fora set of heaters per emergency bus may be met by using any combination of heaters in the two groups powered from the sameemergency bus that total > 150 kW of heater capacity. The minimum heater capacity required is sufficient to maintain the RCS near normal operating pressure when accounting for heat losses through the pressurizer insulation. By maintaining the pressure near the operating conditions, a wlde margin to subcooling can be obtained in the loops.The amount needed to maintain pressure is dependent on the heat losses.Beaver Valley Units 1 and 2B 3.4.9 - 2 Revision 0 Pressurizer B 3.4.9 BASES APPLICABILITY The need for pressure control is most pertinent when core heat can cause the greatest effect on RCS temperature, resulting in the greatest effect on pressurizer level and RCS pressure control. Thus, applicability has beendesignated for MODES 1 and 2. The applicability is also provided for MODE 3. The purpose is to prevent solid water RCS operation during heatup and cooldown to avoid rapid pressure rises caused by normal operational perturbation, such as reactor coolant pump startup.In MODES 1, 2, and 3, there is need to maintain the availability of pressurizer heaters, capable of being powered from an emergency powersupply. In the event of a loss of offsite power, the initial conditions ofthese MODES give the greatest demand for maintaining the RCS in a hot pressurized condition with loop subcooling for an extended period. ForMODE 4,5, or 6, it is not necessary to control pressure (by heaters) to ensure loop subcooling for heat transfer when the Residual Heat Removal (RHR) System is available or in service, and therefore, the LCO is not applicable. ACTIONS A.1A.34.2 and A.4 Pressurizer water level control malfunctions or other plant evolutions may result in a pressurizer water level above the nominal upper limit, even with the plant at steady state conditions. Normally the plant will trip in this event since the upper limit of this LCO is the same as the Pressurizer Water Level - High Trip.lf the pressurizer water level is not within the limit, action must be taken tobring the plant to a MODE in which the LCO does not apply. To achieve this status, within 6 hours the unit must be brought to MODE 3 with all rods fully inserted and incapable of withdrawal. Additionally, the unit must be brought to MODE 4 within 12 hours. This takes the unit out of theapplicable MODES. The allowed Corr,pletion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.B1lf one required set of pressurizer heaters is inoperable, restoration is required within 72 hours. The Completion Time of 72 hours is reasonableconsidering the anticipation that a demand caused by loss of offsite power would be unlikely in this period. Pressure control will continue to be maintained during this time using the remaining OPERABLE heaters.Beaver Valley Unlts 1 and 2 B 3.4.9 - 3 Revision 0 PressurizerB 3.4.9 BASES ACTIONS (continued)C.1 and C.2 lf one set of pressurizer heaters are inoperable and cannot be restored in theallowed Completion Time of Required Action 8.1, the plant must be broughtto a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3.within 6 hours and to MODE 4 within12 hours. The allowed Completion Times are reasonable, based onoperating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.SURVEILLANCE SR 3.4.9.1 REQUIREMENTS This SR requires that during steady state operation, pressurizer level is maintained below the nominal upper limit to provide a minimum space fora steam bubble. The Surveillance is performed by observing theindicated level. The 12 hour interval has been shown by operating practice to be sufficient to regularly assess level for any deviation andverify that operation is within safety analyses assumption of ensuring thata steam bubble exists in the pressurizer. Alarms are also available forearly detection of abnormal level indications. sR 3.4.9.2The SR is satisfied when the power supplies are demonstrated to becapable of producing the minimum power and the associated pressurizerheaters are verified to be at the required kW capacity. The Surveillanceverifies that a total heater capacity of at least 150 kW is available fromeach emergency bus. Each required set of heaters may be comprised ofany combination of heaters in the two groups powered from the sameemergency bus. This may be done by testing the power supply outputand by performing an electrical check on heater element continuity andresistance or by energizing the heaters and measuring current. The Frequency of 18 months is considered adequate to detect heaterdegradation and has been shown by operating experience to be acceptable. REFERENCES 2.1.UFSAR Chapter 14 (Unit 1), and UFSAR Chapter 15 (Unit 2).NUREG-0737 , November 1980.Beaver Valley Units 1 and 2B 3.4.9 - 4Revision 0 Pressurizer Safety ValvesB 3.4.10B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.10 Pressurizer Safety Valves BASES BACKGROUND The pressurizer safety valves provide, in conjunction with the Reactor Protection System, overpressure protection for the RCS. The Unit 1 pressurizer safety valves are totally enclosed, pilot-actuated, self-actuated valves. The Unit 2 pressurizer safety valves are totally enclosed pop type, spring loaded, self actuated valves with backpressure compensation. The safety valves are designed to prevent the system pressure from exceeding the system Safety Limit (SL), 2735 psig, whichis 1 10o/o of the design pressure.Because the safety valves are totally enclosed and self actuating, theyare considered independent components. The rated relief capacity for each valve at both unrts is 345,000 lbm/hr. The capacity of the pressurizer safety valves is based on the valve geometry. The pressurizer safety valve capacity is used in the analysis of the completeloss of steam flow to the turbine event, to demonstrate that the capacity issufficient to maintain RCS pressure below 110o/o of the design pressure.The discharge flow from the pressurizer safety valves is directed to the pressurizer relief tank. This discharge flow is indicated by an increase intemperature downstream of the pressurizer safety valves or increase in the pressurizer relief tank temperature or level.Overpressure protection is required in MODES 1,2,3,4, and 5; however,in MODE 4, with one or more RCS cold leg temperatures < the enabletemperature specified in the PTLR, and MODE 5 and MODE 6 with the reactor vessel head on, overpressure protection is provided by operating procedures and by meeting the requirements of LCO 3.4.12,"Overpressure Protection System (OPPS)."The upper and lower pressure limits are based on the + 17o tolerance requirement (Ref. 1)for lifting pressures above 1000 psig. The 1% ASME tolerance requirement is met by assuring the as left lift setting is within 1% of 2485 psig. The lift setting is for the ambient conditions associated with MODES 1, 2, and 3. This requires either that the valves be set hot orthat a correlation between hot and cold settings be estabtished. The pressurizer safety valves are part of the primary success path andmitigate the effects of postulated accidents. OPERABILITY of the safetyvalves ensures that the RCS pressure will be limited to 1 1 0% of design pressure. The consequences of exceeding the American Society of Mechanical Engineers (ASME) pressure limrt (Ref. 1) could includedamage to RCS components, increased leakage, or a requirement to perform additional stress analyses prior to resumption of reactor operation.Beaver Valley Units 1 and 2B 3.4 10 - 1 Revision 24 Pressurizer Safety ValvesB 3.4.10 BASES APPLICABLE SAFETY ANALYSES All accident and safety anafyses in the UFSAR (Ref. 2) that require safety valve actuation assume operation of three pressurizer safety valves to limit increases in RCS pressure. The overpressure protection analysis (Ref. 3) is also based on operation of three safety valves. Accidents that could result in overpressurization if not properly terminated include: a.b.c.d.f.e.Uncontrolled rod withdrawal at power,Loss of reactor coolant flow,Loss of external electrical load,Loss of normal feedwater,Loss of all AC power to station auxiliaries, andLocked rotor. Detailed analyses of the above transients are contained in Reference 2.Safety valve actuation is required in events a, c, d, e, and f (above) to limit the pressure increase. The analysis for some of these events also model the PORVs, because modeling the PORVs leads to more limiting analysis results. Therefore, pressurizer safety valve actuation may not berequired in the analysis of these events. Compliance with this LCO isconsistent with the design bases and accident analyses assumptions. Pressurizer safety valves satisfy Criterion 3 of 10 CFR 50.36(c)(2xii). LCO The three pressurizer safety valves are set to open at the RCS design pressure (2485 psig), and within the ASME specified tolerance, to avoidexceeding the maximum design pressure SL, to maintain accident analyses assumptions, and to comply with ASME requirements. Thesafety valves are OPERABLE if the lift settings are found within + 3o/o for ,Unit 1 and +1 .6%l-3% for Unit 2. The upper and lower pressure tolerance limits are based on the + 1o/otalerance requirements (Reference

1) for lifting pressures above 1000 psig. The 1% ASME tolerance requirement is met by assuring the as left lift setting is within 1% of 2485 psig. The limit protected by this Specification is the reactor coolant pressure boundary (RCPB) SL of 110% of design pressure. lnoperability of one ormore valves could result in exceeding the SL if a transient were to occur.The consequences of exceeding the ASME pressure limit could includedamage to one or more RCS components, increased leakage, oradditional stress analysis being required prior to resumption of reactor operation.

Beaver Valley Units 1 and 2B 3.4.10 - 2 Revision 0 Pressurizer Safety Valves B 3.4.1 0 BASES APPLICABILITYIn MODES 1, 2, and 3, and portions of MODE 4 above the OPPS enable temperature, OPERABILITY of three valves is required because the combined capacity is required to keep reactor coolant pressure below f A% of its design value during certain accidents. MODE 3 and portionsof MODE 4 are conservatively included, although the listed accidents maynot require the safety valves for protection. The LCO is not applicable in MODE 4 when any RCS cold legtemperature is < the enable temperature specified in the PTLR or in MODE 5 because overpressure protection is provided by the OPPS.Overpressure protection is not required in MODE 6 with the reactor vessel head off.The Applicability is modified by a Note that allows the lift settings of thesafety valves to be verified and set in place when the plant is hot if this method of setting the valves is to be used. Alternate methods of verifyingthe lift settings (i.e., sending the valves to a test facility) may be used as well, in which case the Note may be ignored. The Note allows entry into MODES 3 and 4 with the lift settings outside the LCO limits. This permits testing and examination of the safety valves at high pressure andtemperature near their normal operating range, but only after the valves have had a preliminary cold setting. The cold setting gives assurancethat the valves are OPERABLE near their design condition. Only one valve at a time will be removed from service for testing. The 54 hour exception is based on 18 hour outage time for each of the three valves.The 18 hour period is derived from operating experience that hot testing can be performed in this timeframe. ACTIONS A.1 With one pressurizer safety valve inoperable, restoration must take place within 15 minutes. The Completion Time of 15 minutes reflects the importance of maintaining the RCS Overpressure Protection System. An inoperable safety valve coincident with an RCS overpressure event couldchallenge the integrity of the pressure boundary.8.1 and 8.2lf the Required Action of A.1 cannot be met within the required Completion Time or if two or more pressurizer safety valves are inoperable, the plant must be brought to a MODE in which the requirement does not apply. To achieve this status, the plant must bebrought to at least MODE 3 within 6 hours and to MODE 4 with any RCScold leg temperatures < the enable temperature specified in the PTLR within 24 hours. The allowed Compfetion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plantBeaver Valley Units 1 and 2B 3.4.10 - 3Revision 0 Pressurizer Safety ValvesB 3.4.10 BASESACTIONS (continued) systems. With any RCS cold leg temperatures at or below the enabletemperature specified in the PTLR, overpressure protection is provided bythe OPPS. The change from MODE 1,2, or 3 to MODE 4 reduces theRCS energy (core power and pressure), lowers the potential for large pressurizer insurges, and thereby removes the need for overpressure protection by three pressurizer safety valves. SURVEILLANCE REQUIREMENTSsR 3.4.10.1SRs are specified in the Inservice Testing Program. Pressurizer safetyvalves are to be tested in accordance with the requirements of the ASME Code (Ref. 4), which provides the activities and Frequencies necessary tosatisfy the SRs. The lift setting shall correspond to ambient conditions ofthe valve at nominal temperature and pressure. Nominal temperature and pressure includes MODE 3 operating conditions as provided in theApplicability Note allowing 54 hours for testing and examination of thevalves in MODE 3. No additional requirements are specified. The pressurizer safety valve setpoints are + 3o/o of 2485 psig for Unit 1 and +1 .6%l-3% of 2485 psig for Unit 2 for OPERABILITY; however, the valves are reset to + 1o/o of 2485 psig during the Surveillance to allow for drift.REFERENCES 2.4.3.1.ASME, Boiler and Pressure Vessel Code, SectionUFSAR Chapter 14 (Unit 1), and UFSAR Chapter 15 (Unit 2).WCAP-7769, October 1971(Unit 1) and WCAP-7769, Rev. 1, June 1972 (Unit 2).ASME code for Operation and Maintenance of Nuclear Power Plants.Beaver Valley Units 1 and 2 B 3.4.10 - 4Revision 0 Pressurizer PORVsB 3.4.11 B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.1 1 Pressurizer Power Operated Relief Valves (PORVs)BASES BACKGROUND The pressurizer is equipped with two types of devices for pressure relief: pressurizer safety valves and PORVs. The PORVs are controlled to open at a specific set pressure when the pressurizer pressure increases andcfose when the pressurizer pressure decreases. The PORVs may also be manually operated from the control room. Block valves, which are normally open, are located between the pressurizer and the PORVs. The block valves are used to isolate the PORVs in case of excessive leakage or a stuck open PORV. Block valve closure is accomplished manually using controls in the controf room. A stuck open PORV is, in effect, a small break loss of coolant accident (LOCA). As such, block valve closure terminates the RCS depressurization and coolant inventory loss. The PORVs and their associated block valves may be used by plant operators to depressurize the RCS to recover from certain transients if normal pressurizer spray is not available. Additionally, the series arrangement of the PORVs and their block valves permit performance ofsurveillances on the valves during power operation. The PORVs may also be used for feed and bleed core cooling in the caseof multiple equipment failure events that are not within the design basis, such as a total loss of feedwater.Unit t has three air-operated DC powered PORVS. Each PORV is provided with a separate nitrogen backup supply in addition to the normal air supply. Two of the three PORVs are powered from separate trains of DC power. The associated block valves are powered from 480 VAC 1E power supplies. Two of the three block valves are powered from separate trains of AC Power.Unit 2 has three solenoid-operated DC powered PORVs. Two of the three PORVs are powered from separate trains of DC power. The associated block valves are powered from 480 VAC 1E power supplies.Two of the three block valves are powered from separate trains of AC power such that each PORV and associated block valve are powered from the same train (Ref. 1).Each PORV has a relief capacity of 210,000 lbm/hr at 2500 psia for Unit 1, and 232,000lbm/hr at 2350 psia for Unit 2. The functional designof the PORVs is based on maintaining pressure below the Pressurizer Beaver Valley Units 1 and 2B 3.4.11 - 1Revlsion 0 Pressurizer PORVsB 3.4.11 BASESBACKGROUND (continued) Pressure - High reactor trip setpoint following a step reduction of 50% of full load with steam dump. ln addition, the PORVs minimize challenges to the pressurizer safety valves and also may be used for low temperature overpressure protection. See LCO 3.4.12, "Overpressure Protection System (OPPS)." APPLICABLE SAFETY ANALYSES Plant operators employ the PORVs to depressurize the RCS in response to certain plant transients if normal pressurizer spray is not available. For the Steam Generator Tube Rupture (SGTR) event, the safety analysis assumes that manual operator actions are required to mitigate the event. A loss of offsite power is assumed to accompany the event, and thus, normal pressurizer spray is unavailable to reduce RCS pressure. The PORVs are assumed to be used for RCS depressurization, which is one of the steps performed to equalize the primary and secondary pressures in order to terminate the primary to secondary break flow and theradioactive releases from the affected steam generator. The PORVs are also modefed in safety analyses for events that result inincreasing RCS pressure for which departure from nucleate boiling ratio (DNBR) criteria are critical (Ref. 2). By assuming PORV actuation, the primary pressure remains below the high pressurizer pressure trip setpoint; thus, the DNBR calculation is more conservative. As such, this actuation is not required to mitigate these events, and PORV automaticoperation is, therefore, not an assumed safety function.Pressurizer PORVs satisfy Criterion 3 of 10 CFR 50.36(c)(2xii). LCO The LCO requires the PORVs and their associated block valves to beOPERABLE for manual operation to mitigate the effects associated with an SGTR.By maintaining at least two PORVs and their associated block valvesOPERABLE, two flow paths are provided for RCS pressure control. An OPERABLE block valve may be either open and energized with the capability to be closed, or closed and energlzed with the capability to be opened, since the required safety function is accomplished by manualoperation. Although typicafly open to allow PORV operation, the block valves may be OPERABLE when closed to isolate the flow path of aninoperable PORV that is capable of being manually cycled (e.g., as in the case of excessive PORV leakage). Similarly, isolation of an OPERABLE PORV does not render that PORV or block valve inoperable provided the relief function remains available wlth manual action.Beaver Valley Units 1 and 2B 3.4.11 - 2Revision 0 Pressurizer PORVs B 3.4.11 BASES LCO (continued)An OPERABLE PORV is required to be capable of manually opening and closing, and not experiencing excessive seat leakage. Excessive seat leakage, although not associated with a specific acceptance criteria,exists when conditions dictate closure of the block valve to limit leakage.Satisfying the LCO helps minimize challenges to fission product barriers.APPLICABILITYIn MODES 1, 2, and 3, the PORV and its block valve are required to beOPERABLE to limit the potential for a small break LOCA through the flow path. The most likely cause for a PORV small break LOCA is a result of a pressure increase transient that causes the PORV to open. lmbalances in the energy output of the core and heat removal by the secondary system can cause the RCS pressure to increase to the PORV openingsetpoint. The most rapid increases will occur at the higher operating power and pressure conditions of MODES 1 and 2. The PORVs are also required to be OPERABLE in MODES 1 , 2, and 3 for manual actuation to mitigate a steam generator tube rupture event.Pressure increases are less prominent in MODE 3 because the core inputenergy is reduced, but the RCS pressure is high. Therefore, the LCO isappficable in MODES 1 ,2, and3. The LCO is not applicable in MODES 4,5, and 6 with the reactor vessel head in place when both pressure and core energy are decreased and the pressure surges become much less significant. LCO 3.4.12 addresses the PORV requirements in these MODES.ACTIONSA Note has been added to clarify that all pressurizer PORVs and block valves are treated as separate entities, each with separate Completion Times (i.e., the Completion Time is on a component basis).A.1 PORVs may be inoperable and capable of being manually cycled (e.9., excessive seat leakage). ln this condition, either the PORVs must be restored or the flow path isolated within t hour. The associated blockvalve is required to be closed, but power must be maintained to theassociated block valve, since removal of power would render the block valve inoperable. This permits operation of the plant until the next refueling outage (MODE 6) so that maintenance can be performed on the PORVs to eliminate the problem condition. Quick access to the PORV for pressure control can be made when power remains on the closed block valve. The Completion Time of t hour is based on plant operating experience that has shown that minor problemscan be corrected or closure accomplished in this time period.Beaver Valley Units 1 and 2B 3.4.11 - 3 Revision 0 Pressurizer PORVsB 3.4.11 BASES ACTIONS (continued)B.1,8.2. and B,3lf one or two PORVs is inoperable and not capable of being manuaflycycled, it must be either restored, or isolated by closing the associated block valve and removing the power to the associated block valve. The Completion Times of t hour are reasonable, based on challenges to thePORVs during this time period, and provide the operator adequate time tocorrect the situation. lf the inoperable valve cannot be restored toOPERABLE status, it must be isolated within the specified time. Withonly one PORV inoperable and not capable of being manually cycled andRequired Actions B.1 and 8.2 met, operation may continue until the nextrefueling outage (MODE 6) when the inoperable PORV can be repaired.Continued operation is acceptable because the two remaining PORVs areOPERABLE and provide two flow paths for RCS pressure control.ln addition to the isolation requirements described above, RequiredAction B.3 requires that one PORV be restored to OPERABLE status in72 hours. The Required Action is modified by a Note that specifies thatRequired Action 8.3 is only applicable if two PORVs are inoperable. Withtwo of the three PORVs inoperable, one PORV must be restored toOPERABLE status or capable of being manually cycled in order to assureredundant PORV flow paths are available. The Completion Time of72 hours to restore the required PORV to OPERABLE status or capableof being manually cycled is reasonable because one PORV remainsOPERABLE during this time. lf the required PORV cannot be restoredwithin this additional time, the plant must be brought to a MODE in which the LCO does not apply, as required by Condition D.C.1, C.2.1, and C.2.2lf one PORV block valve is inoperable, either the block valve must be closed or the associated PORV placed in manual control in one hour. lfthe block valve is closed, it is accomplishing the prime functional requirement (to isolate the associated PORV to prevent an inadvertentRCS depressurization). In this case, operation may continue until the next refueling outage (MODE 6) when the inoperable block valve can berepaired. Continued operation is acceptable because the two remainingblock valves and PORVs are OPERABLE and provide two flow paths for RCS pressure control.Beaver Valley Units 1 and 2 B 3.4.11 - 4Revision 0 Pressurizer PORVs B 3.4.11 BASESACTIONS (continued)lf the inoperable block valve can not be closed, it is incapable of performing the prime functional requirement of isolating an inoperable PORV to prevent an inadvertent RCS depressurization. Therefore, if theblock valve cannot be restored to OPERABLE status within t hour, the Required Action is to place the PORV in manual control to preclude its automatic opening for an overpressure event and to avoid the potential for a stuck open PORV at a time that the block valve is inoperable. The Completion Time of t hour is reasonable, based on the small potential forchallenges to the system during this time period, and provides the operator time to correct the situation. Because two PORVs remainOPERABLE, the operator is permitted a Completion Time of 72 hours to restore the inoperable block valve to OPERABLE status. The time allowed to restore the block valve is based upon the Completion Time for restoring an inoperable PORV in Condition B, since the PORV may not be capable of mitigating an event if the inoperable block valve is not full open. lf the block valve is restored within the Completion Time of 72 hours, the PORV may be restored to automatic operation. lf it cannotbe restored within this additional time, the plant must be brought to a MODE in which the LCO does not apply, as required by Condition D.The Required Actions C.1, C.2.1, and C.2.2are modified by a Note stating that the Required Actions do not apply if the sole reason for the block valve being declared inoperable is as a result of power being removed to comply with other Required Actions. In this event, the Required Actions for inoperable PORV(s) (which require the block valve power to be removed once it is closed) are adequate to address thecondition. While it may be desirable to also place the PORV(s) in manual control, this may not be possible for all causes of Condition B or E entry with PORV(s) inoperable and not capable of being manually cycled (e.9., as a result of failed control power fuse(s) or control switch malfunction(s)). D.1 and D.2 lf the Required Action of Condition A, B, or C is not met, then the plant must be brought to a MODE in which the LCO does not apply. Toachieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 4 within 12 hours. The allowed Completion Timesare reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. ln MODES 4 and 5, automatic PORVOPERABILITY may be required. See LCO 3.4.12. Beaver Valley Units 1 and 2B 3.4.11 - 5 Revision 0 Pressurizer PORVsB 3.4.11 BASES ACTIONS (continued) F.1 E.1. E.2. E.3. and E.4 lf three PORVs are inoperable and not capable of being manually cycled, it is necessary to either restore at least one valve within the Completion Time of t hour or isolate the flow path by closing and removing the power to the associated block valves. The Completion Time of t hour is reasonable, based on the small potential for challenges to the system durlng this time and provides the operator time to correct the situation. lf no PORVs are restored within the Completion Time, then the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plantconditions from full power conditions in an orderly manner and without challenging plant systems. In MODES 4 and 5, automatic PORVOPERABILITY may be required. See LCO 3.4.12.F.2and F.3 lf more than one block valve is inoperable, Required Action F.1 requires that the associated PORVs be placed in manual control within one hour.Placing the PORVs in manual control precludes automatic opening for an overpressure event and avoids the potential for a stuck open PORV at a time that the block valve(s) are inoperable.Required Action F.2 requires one block valve to be restored toOPERABLE status within 2 hours. The Required Action is modified by aNote that specifies Required Action F.2 is only applicable if three block valves are inoperable. With three block valves inoperable, no fully OPERABLE PORV flow path exists and Action must be taken to restoreat least one block valve to OPERABLE status in two hours. The Completion Time of 2 hours is reasonable, based on the small potential for chaflenges to the system during this time and provide the operatorsome time to correct the situation.Required Action F.3 requires that one block valve be restored toOPERABLE status within 72 hours. The Required Action is modified by a Note that specifies that Required Action F.3 is applicable if two blockvalves are inoperable. With two of the three block valves inoperable, one block valve must be restored to OPERABLE status in order to assureredundant PORV flow paths are available. The Completion Time of 72 hours to restore the required block valve to OPERABLE status isreasonable because one other block valve remains OPERABLE duringthis time. Beaver Valley Units 1 and 2B 3.4.11 - 6Revision 0 Pressurizer PORVsB 3.4.11 BASESACTIONS (continued)The Required Actions F .1 , F .2, and F.3 are modified by a Note statingthat the Required Actions do not apply if the sole reason for the block valve being declared inoperable is a result of power being removed tocomply with other Required Actions. ln this event, the Required Actionsfor inoperable PORV(s) (which require the block valve power to be removed once it is closed) are adequate to address the condition. Whileit may be desirable to also place the PORV(s) in manual control, this may not be possible for all causes of Condition B or E entry with PORV(s)inoperable and not capable of being manually cycled (e.9., as a result of failed control power fuse(s) or control switch malfunctions(s)). G.1 and G.2lf the Required Actions of Condition F are not met, then the plant must bebrought to a MODE in which the LCO does not apply. To achieve thisstatus, the plant must be brought to at least MODE 3 within 6 hours andto MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. In MODES 4 and 5, automatic PORVOPERABILIry may be required. See LCO 3.4.12.SURVEILLANCE SR 3.4.11.1 REQUIREMENTSBlock valve cycling verifies that the valve(s) can be opened and closed ifneeded. The basis for the Frequency of g2 days is the ASME Code (Ref. 3).This SR is modified by a Note. The Note modifies this SR by stating thatit is not required to be performed with the block valve closed inaccordance with the Required Actions of this LCO. Opening the blockvalve in this condition increases the risk of an unisolable leak from the RCS since the PORV is already inoperable.SR 3.4.11.2.1 and SR 3.4.11.2.2These Unit 1 and2 surveillances require a complete cycle of each PORV.Operating a PORV through one complete cycle ensures that the PORVcan be manually actuated for mitigation of an SGTR, In addition, the Unit 1 Surveillance (SR 3.4.11.2.1) requires that each PORV be cycledusing both the normal air supply and the backup nitrogen supply. Cycling the Unit 1 PORVs using both the normal and backup supply systemsactuates the solenoid control valves and check valves to ensure that both Beaver Valley Units 1 and 2B 3.4.11 -7Revision 0 Pressurizer PORVsB 3.4.1 1 BASES SURVEILLANCE REQU IREMENTS (continued) the normal and backup supplies are fully functional. The Frequency of18 months is based on a typical refueling cycle and industry accepted practice.The surveillances are modified by Notes that identify the Unit for whicheach Surveillance is applicable. REFERENCES 1.2.3.Regulatory Guide 1.32, February 1977 .UFSAR Chapter 14 (Unit 1), and UFSAR Chapter 15 (Unit 2).ASME code for Operation and Maintenance of Nuclear Power Plants.Beaver Valley Units 1 and 2B 3.4.11 - 8 Revision 0 B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.12 Overpressure Protection System (OPPS)BASES BACKGROUND The OPPS controls RCS pressure at low temperatures so the integrity of the reactor coolant pressure boundary (RCPB) is not compromised by violating the pressure and temperature (Pff) limits of 10 CFR 50, Appendix G (Ref. 1). The reactor vessel is the limiting RCPB component for demonstrating such protection. The PTLR provides the maximumallowable actuation logic setpoints for the power operated relief valves (PORVs) and the maximum RCS pressure for the existing RCS cold leg temperature during cooldown, shutdown, and heatup to meet the Reference 1 requirements during the MODES when low temperature overpressure protection is required. The reactor vessel material is less resistant to pressure stress at low temperatures than at normal operating temperature. As the vessel neutron exposure accumulates, the material toughness decreases (Ref. 2). RCS pressure, therefore, is maintained low at low temperaturesand is increased only as temperature is increased. The potential for vessel overpressurlzation is most acute when the RCS is water solid, occurring only while shutdown; a pressure fluctuation canoccur more quickly than an operator can react to relieve the condition. Exceeding the RCS P/T limits by a significant amount could cause brittle cracking of the reactor vessel. LCO 3.4.3, "RCS Pressure and Temperature (P/T) Limits," requires administrative control of RCS pressure and temperature during heatup and cooldown to prevent exceeding the PTLR limits.This LCO provides RCS overpressure protection by having a minimumcoolant input capability and having adequate pressure relief capacity. Limiting coolant input capability requires all but one charging pump incapable of injection into the RCS and isolating the accumulators. lnaddition, the Unit 1 ECCS automatic high head safety injection (HHSI)flow path must be isolated. The pressure relief capacity requires either two redundant RCS relief valves or a depressurized RCS and an RCS vent of sufficient size. One RCS relief valve or the open RCS vent is the overpressure protection device that acts to terminate an increasing pressure event.With coolant input capability limited to one charging pump, the ability to provide additional core coolant is restricted. Due to the lower pressures in the MODES when low temperature overpressure protection is required and the lower core decay heat levels, the makeup system can provideBeaver Valley Units 1 and 2B 3 4.12 - 1Revision 0 OPPS B 3.4.12 BASESBACKG ROU N D (continued) adequate flow via the makeup control valve. lf conditions require the use of more than one charging pump for makeup in the event of loss ofinventory, then additional pumps can be made available through manual actions.The OPPS for pressure relief consists of two PORVs with reduced liftsettings, or a depressurized RCS and an RCS vent of sufficient size. TwoRCS relief valves are required for redundancy. One RCS relief valve has adequate relieving capability to keep from overpressurization for therequired coolant input capabilityPORV RequirementsAs designed for the OPPS, each PORV is signaled to open if the RCS pressure approaches a limit determined by the OPPS actuation logic.The OPPS actuation logic monitors both RCS temperature and RCS pressure (Unit 2) and RCS pressure (Unit 1) and determines when a condition not acceptable in the PTLR limits is approached. For Unit 2, the wide range RCS temperature indications are auctioneered to select the lowest temperature signal.In Unit 2,lhe lowest RCS temperature signal is processed through a function generator that calculates a pressure limit for that temperature.The calculated pressure limit is then compared with the indicated RCS pressure from a wide range pressure channel. ff the indicated pressuremeets or exceeds the calculated value, a PORV is signaled to open.The PTLR presents the PORV setpoints for OPPS. ln Unit 1, each PORVhas the same setpoint. In Unit 2, the setpoints are staggered so only onevalve opens during a low temperature overpressure transient. Having the setpoints of both valves within the limits in the PTLR ensures that theReference 1 limits will not be exceeded in any analyzed event.When a PORV is opened in an increasing pressure transient, the releaseof coolant will cause the pressure increase to slow and reverse. As the PORV releases coolant, the RCS pressure decreases until a reset pressure is reached and the valve is signaled to close. The pressure continues to decrease below the reset pressure as the valve closes.Beaver Valley Units 1 and 2 B 3.4.12 - 2Revision 0 OPPSB 3.4.12 BASES BACKGROUN D (continued)RCS Vent RequirementsOnce the RCS is depressurized, a vent exposed to the containmentatmosphere or pressurizer relief tank will maintain the RCS atcontainment ambient pressure in an RCS overpressure transient, if therelieving requirements of the transient do not exceed the capabilities of the vent. Thus, the vent path must be capable of relieving the flowresulting from the limiting low temperature overpressure mass or heatinput transient, and maintaining pressure below the P/T limits. Therequired vent capacity may be provided by one or more vent paths.For an RCS vent to meet the flow capacity requirement, it must be therequired size. The RCS vent requirement may be satisfied by removing a pressurizer safety valve, or similarly establishing a vent by opening anRCS vent valve of the required size. The vent must be above the level ofreactor coolant, so as not to drain the RCS when open. APPLICABLE SAFETY ANALYSESIn MODES 1, 2, and 3, and in MODE 4 with all RCS cold leg temperatures > the OPPS enable temperature specified in the PTLR, the pressurizer safety valves will prevent RCS pressure from exceedingthe Reference 1 limits. Analyses (Ref. 3) demonstrate that the reactor vessel is adequately protected against exceeding the Reference 1 PITlirnits. When any RCS cold leg temperature is < the OPPS enabletemperature specified in the PTLR, overpressure prevention is providedby two OPERABLE RCS PORVs or a depressurized and vented RCSwith a sufficient sized RCS vent. Each of these means has a limited overpressu re rel ief capabil ity.The actual temperature at which the pressure in the P/T limit curve fallsbelow the pressurizer safety valve setpoint rncreases as the reactorvessel material toughness decreases due to neutron embrittlement. Each time the PTLR curveq are revised, the OPPS must be re-evaluated to ensure its functional requirements can still be met using the RCS reliefvalve method or the depressurized and vented RCS condltion.The PTLR contains the acceptance limits that define the OPPS requirements. Any change to the RCS must be evaluated against the Reference 3 analyses to determine the impact of the change on the lowtemperature overpressure protection acceptance limits.Transrents that are capable of overpressurizing the RCS are categorizedas either mass or heat input transients. The OPPS design basis mass and heat input transients are discussed below.Beaver Valley Units 1 and 2B 3.4.12 - 3 Revision 0 OPPS B 3.4.12 BASES APPLICABLE SAFEry ANALYSES (continued) Mass Input Tvpe Transientsa. Inadvertent safety injection with one charging pump injectingthe RCS via the automatic Sl header for Unit 2 or b. One charging pump injecting into the RCS via the normal chargingheader with letdown flow isolated for Unit 1.Heat Input Tvpe Transients Reactor coolant pump (RCP) startup with temperature asymmetry between the RCS and steam generators. The following are required during the MODES when low temperature overpressure protection is required to ensure that mass and heat input transients do not occur, which either of the low temperature overpressure protection means cannot provide sufficient relief capacity:Rendering all but one charging pump incapable of injection, Deactivating the accumulator discharge isolation valves in thelr closed positions, Deactivating the Unit 1 ECCS automatic HHSI isolation valvestheir closed positions (to isolate the Sl flow path) andd. Disallowing the start of an RCP if the secondary temperature ismore than the limit specified in LCO 3.4.6, "RCS Loops - MODE 4,"and LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled." The Reference 3 analyses demonstrate that either one RCS relief valveor the depressurized RCS and RCS vent can maintain RCS pressurebelow the P/T limits when only one charging pump is capable of injecting into the RCS. Thus, the LCO allows only one charging pump capable of injecting into the RCS during the MODES when low temperature overpressure protection is required. The LCO also requires the accumulators isolation when accumulator pressure is greater than orequal to the maximum RCS pressure for the existing RCS cold legtemperature allowed in the PTLR.The isolated accumulators must have their discharge valves closed with the valve power removed. In addition to the isolation of the accumulators,the Unit 1 ECCS automatic HHSI flow path must be isolated with power removed from the isolation valves. The isolation of the Unit 1 automaticHHSI flow path is necessary to prevent an inadvertent Sl actuation from potentially overpressurizing the RCS. The Sl flow path was not a.b.Beaver Valley Units 1 and 2B3.4 12-4Revision 0 BASES APPLICABLE SAFEW ANALYSES (continued) considered in the Unit 1 OPPS setpoint analysis. The isolation of the Unit 2 Sl flow path is not required as the Unit 2 OPPS setpoint analysisconsiders an inadvertent Sl actuation and demonstrates that the Unit 2OPPS has sufficient capacity to prevent an overpressurization event.Fracture mechanics and the OPPS setpoint analyses established thetemperature of OPPS Applicability, which is the OPPS enabletemperature specified in the PTLR.PORV PerformanceThe fracture mechanics analyses show that the vessel is protected when the PORVs are set to open at or below the limit shown in the PTLR. The setpoints are verified by analyses that model the performance of the OPPS, for the low temperature overpressure transients of one charging pump injecting into the RCS and the start of an RCP when the steam generator secondary side temperature is less than or equal to 50'F higherthan the RCS cold leg temperatures. These analyses consider pressureovershoot and undershoot beyond the PORV opening and closing, resulting from signal processing and valve stroke times. The PORVsetpoints at or below the derived limit ensure the Reference l PlT limitswill be met.The PORV setpoints in the PTLR will be updated when the revised P/T limits are no longer protected by the low temperature overpressure analysis limits. The P/T limits are periodically modified as the reactorvessel material toughness decreases due to neutron embrittlementcaused by neutron irradiation. Revised limits are determined using neutron fluence projections and the results of examinations of the reactor vessel material irradiation surveillance specimens. The Bases forLCO 3.4.3, "RCS Pressure and Temperature (P/T) Limits," discuss these examinations.The PORVs are considered active components. Thus, the failure of one PORV is assumed to represent the worst case, single active failure.RCS Vent PerformanceWith the RCS depressurized, analyses show a vent size of 2.07 squareinches for Unit 1 or 3.14 square inches for Unit 2 is capable of mitigatingthe allowed low temperature overpressure transient. The capacity of a vent this size is greater than the flow of the limiting transient for the OPPSconfiguration, one charging pump capable of injecting into the RCS, maintaining RCS pressure less than the maximum pressure on the P/Tlimit curve.Beaver Valley Units 1 and 2B3.4 12-5 Revision 0 BASES APPLICABLE SAFEry ANALYSES (continued) The RCS vent is passive and is not subject to active failure.The OPPS satisfies Criterion 2 of 10 CFR 50.36(cX2Xii). LCO This LCO requires that the OPPS is OPERABLE. The OPPS is OPERABLE when the minimum coolant input is limited and pressure relief capabilities are OPERABLE. Violation of this LCO could lead to the loss of low temperature overpressure mitigation and violation of theReference 1 limits as a result of an operational transient. To limit the coolant input capability, the LCO requires that a maximum of one charging pump be capable of injecting into the RCS, and allaccumulator discharge isolation valves be closed and immobilized (when accumulator pressure is greater than or equal to the maximum RCS pressure for the existing RCS cold leg temperature allowed in the PTLR).ln addition, the Unit 1 ECCS automatic HHSI flow path must be isolated with power removed from the isolation valves to prevent an inadvertent Sl from overpressurizing the RCS.The LCO is modified by three Notes. Note 1 allows two charging pumps to be made capable of injecting for < t hour during pump swapoperations. One hour provides sufficient time to safely complete theactual transfer and to complete the administrative controls andsurveillance requirements associated with the swap. The intent is tominimize the actual time that more than one charging pump is physicallycapable of injection. Note 2 states that an accumulator may be unisolated when the accumulator pressure is less than the maximum RCS pressure for the existing RCS cold leg temperature, as allowed by the P/Tlimit curves. This Note permits the accumulator discharge isolation valve Surveillance to be performed only under these pressure and temperature conditions. Note 3 pertains to the Unit 1 specific requirement for the ECCS automatic HHSI flow path to be isolated. The Note provides an allowance for the isolation valves to be opened for the purposes of flowtesting or valve stroke testing. The allowance provided by this Note isacceptable as valve position is administratively controlled during testing activities such that the valves can be closed if necessary. Beaver Valley Units 1 and 2B 3.4.12 - 6Revision 0 BASES LCO (continued) a.The elements of the LCO that provide low temperature overpressure mitigation through pressure relief are:Two OPERABLE PORVS,A PORV is OPERABLE for OPPS when its block valve is open, itslift setpoint is set to the limit required by the PTLR and testing proves its ability to open at this setpoint, and motive power isavailable to the two valves and their control circuits, or A depressurized RCS and an RCS vent.An RCS vent is OPERABLE when open with an area of > 2.07 sguare inches for Unit 1 or > 3.14 square inches for Unit 2.Each of these methods of overpressure prevention is capable ofmitigating the limiting low temperature overpressure transient. b.APPLICABILITY This LCO is applicable in MODE 4 when any RCS cold leg temperature is< the OPPS enable temperature specified in the PTLR, in MODE 5, and in MODE 6 when the reactor vessel head is on. The pressurizer safety valves provide overpressure protection that meets the Reference 1 PIT limits above the OPPS enable temperature specified in the PTLR. When the reactor vessel head is off, overpressurization cannot occur.LCO 3.4.3 provides the operational P/T limits for all MODES.LCO 3.4.10, "Pressunzer Safety Valves," requires the OPERABILITY of the pressurizer safety valves that provide overpressure protection duringMODES 1 , 2, and 3, and MODE 4 above the OPPS enable temperaturespecified in the PTLR.Low temperature overpressure prevention is most critical during shutdown when the RCS is water solid, and a mass or heat input transient can cause a very rapid increase in RCS pressure when little orno time allows operator action to mitigate the event. Beaver Valley Units 1 and 2B 3.4.12 - 7 Revision 0 OPPS B 3.4.12 BASES ACTIONSA Note prohibits the application of LCO 3.0.4.b to an inoperable OPPS.There is an increased risk associated with entering MODE 4 from MODE 5 and MODE 5 from MODE 6 with OPPS inoperable and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance. A.1 With two or more charging pumps capable of injecting into the RCS, RCSoverpressurization is possible.To immediately initiate action to restore restricted coolant input capabilityto the RCS reflects the urgency of removing the RCS from this condition. 8.1 , C.1 , and C.2 An unisolated accumulator requires isolation within t hour. This is only required when the accumulator pressure is greater than or equal to the maximum RCS pressure for the existing temperature allowed by the P/T limit curves.lf isolation is needed and cannot be accomplished in t hour, Required Action C.1 and Required Action C.2 provide two options, either of which must be performed in the next 12 hours. The two options are increasingthe RCS temperature to > the OPPS enable temperature specified in the PTLR or depressurizing the accumulators below the OPPS limit in the PTLR.The Completion Times are based on operating experience that these activities can be accomplished in these time periods and on the low likelihood that an event requiring the OPPS will occur during the allowed times.D.1 ln MODE 4 when any RCS cold leg temperature is < the OPPS enabletemperature specified in the PTLR, with one required RCS PORV inoperable, the RCS PORV must be restored to OPERABLE status withina Completion Time of 7 days. Two RCS PORVs are required to provide low temperature overpressure mitigation while withstanding a single failure of an active component. The Completion Time considers the facts that only one of the RCS PORVs is required to mitigate an overpressure transient and that the likelihood of an active failure of the remaining valve path during this time period is very low.Beaver Valley Units 1 and 2B 3.4.12 - 8Revision 0 BASES ACTIONS (continued) E.1 The consequences of operational events that will overpressurize the RCS are more severe at lower temperature (Ref. 4). Thus, with one of the twoRCS PORVs inoperable in MODE 5 or in MODE 6 with the head on, theCompletion Time to restore two PORVs to OPERABLE status is 24 hours.The Completion Time represents a reasonable time to investigate and repair several types of PORV failures without exposure to a lengthy period with only one OPERABLE RCS PORV to protect against overpressure events.F.1 Action Condition F is only applicable to Unit 1. lf the Unit 1 ECCSautomatic HHSI flow path is unisolated for reasons other than permitted in LCO Note 3, action must be taken to isolate the flow path and remove power from the valve(s) used to isolate the flow path. One hour isallowed to accomplish this action. The Completion Time of one hour is a reasonable time to accomplish the required task and considers the low likelihood of an overpressure eventoccurring in this time.Condition F is modified by a Note. The Note identifies that Condition F is only applicable to Unit 1. G.1 The RCS must be depressurized and a vent must be established within12 hours when:Both required RCS PORVs are inoperable,A Required Action and associated Completion Time of Condition D, E, or F is not met, or The OPPS is inoperable for any reason other than Condition A, B,C, D, E, or F.The vent must be sized > 2.07 square inches for Unit 1 or > 3.14 square inches for Unit 2 to ensure that the flow capacity is greater than thatrequired for the design basis mass input transient during the MODES when low temperature overpressure protection is required. This action is needed to protect the RCPB from a low temperature overpressure event and a possible brittle failure of the reactor vessel.a.b.c.Beaver Valley Units 1 and 2B 3.4.12 - I Revision 0 OPPS B 3,4.12 BASES ACTIONS (continued) The Completion Time considers the time required to place the plant in this Condition and the relatively low probability of an overpressure event during this time period due to increased operator awareness of administrative control requirements. SURVEILLANCE REQUIREMENTS SR 3.4.1 2.1 and SR 3.4.1 2.2 To minimize the potential for a low temperature overpressure event by limiting the mass input capability, a maximum of one charging pump is verified capable of injecting into the RCS and the accumulator discharge isolation valves are verified closed with power removed from the valveoperator. A charging pump is rendered incapable of injecting into the RCS through removing the power from the pump by racking the breaker out under administrative control or by tagging the control switch in the pull to lock position. An alternate method of low temperature overpressure protection control may be employed using at least two independent means to prevent a pump from injecting into the RCS such that a single failure or single action will not result in an injection into the RCS. This may be accomplished by such means as isolating the discharge of the pump by a closed valve that is tagged in the closed position.The Frequency of 12 hours is sufficient, considering other indications and alarms available to the operator in the control room, to verify the requiredstatus of the equipment. sR 3.4.12.3 The RCS vent of > 2.07 square inches for Unlt 1 or > 3.14 square inches for Unit 2 is proven OPERABLE by verifying its open condition either: a. Once every 12 hours for a valve that is not locked (valves that aresealed or secured in the open position are considered "locked" inthis context) or

b. Once every 31 days for other vent path(s) (e.g., a vent valve thatlocked, sealed, or secured in position). A removed pressurizer safety valve or open manway also fits this category.The passive vent path arrangement must only be open to be OPERABLE.

This Surveillance is required to be met if the vent is being used to satisfy the pressure relief requirements of the LCO 3.4.12.c.2.Beaver Valley Units 1 and 2B 3.4.12 - 10Revision 0 OPPSB 3.4.12 BASES SURVEILLANCE REQUI REMENTS (continued) sR 3.4.12.4 The PORV block valve must be verified open every 72 hours to provide the flow path for each required PORV to perform its function whenactuated. The valve may be remotely verified open in the main controlroom. This Surveillance is performed if the PORV satisfies the LCO.The block valve is a remotely controlled, motor operated valve. The power to the valve operator is not required removed, and the manual operator is not required locked in the inactive position. Thus, the block valve can be closed in the event the PORV develops excessive leakage or does not close (sticks open) after relieving an overpressure situation. The 72 hour Frequency is considered adequate in view of other administrative controls available to the operator in the control room, suchas valve position indication, that verify that the PORV block valve remains open.sR 3.4.12.5 This SR is only applicable to Unit 1. The Unit 1 ECCS automatic HHSI flow path must be verified to be isolated by confirming that the required isolation valve(s) are closed and de-energized. The valve(s) utilized to isolate the flow path must be de-energized to prevent an inadvertent Slsignal from unisolating the flow path and injecting into the RCS. As this flow path was not specificalfy evaluated in the Unit 1 OPPS setpointanalysis, the flow path must be maintained isolated to prevent a possible overpressurization of the RCS by an inadvertent Sl actuation. The 7 day Frequency for performing this Surveillance is adequate in view of the administrative controls in place to de-energize the valves and the indications available in the control room. In addition, this Frequency has proven to be adequate,based on operating experience.sR 3.4.12.6 Performance of a COT is required within 12 hours after decreasing RCStemperature in any cold leg to < the OPPS enable temperature specified in the PTLR if the COT was not previously performed within 31 days andevery 31 days thereafter on each required PORV to verify and, asnecessary, adjust its lift setpoint. A successful test of any required contact(s) of a channel relay may be performed by the verification of thechange of state of a single contact of the relay. This clarifies what is an Beaver Valley Units 1 and 2B 3.4.12 - 11Revision 0 BASES SURVEILLANCE REQU I REM ENTS (continued) acceptable COT of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical SpecificationSurveillance Requirements. The COT will verify the setpoint is within the PTLR allowed maximum limits in the PTLR. PORV actuation coulddepressurize the RCS and is not required. The 12 hour Frequency considers the unlikelihood of a low temperature overpressure event during this time.A Note has been added indicating that this SR is not required to be performed until 12 hours after decreasing any RCS cold leg temperature to < the OPPS enable temperature specified in the PTLR. This Note provides an exception that allows the COT to be performed when the PORV lift setpoint can be reduced to the OPPS setting if desired. The COT is also met if the Surveillance has been successfully performed within 31 days prior to entering the applicable OPPS MODES. sR 3.4.12.7 Performance of a CHANNEL CALIBRATION on each required PORVactuation channel is required every 18 months to adjust the whole channel so that it responds and the valve opens within the required range and accuracy to known input.REFERENCES 2.4.1.3.10 CFR 50, Appendix G.Generic Letter 88-11.UFSAR Section 4.2.3 (Unit 1) and UFSAR Section 5.2.2.11 (Unit 2).Generic Letter 90-06.Beaver Valley Units 1 and 2B 3.4.12 - 12 Revision 0 RCS Operational LEAKAGE B 3.4.13 B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.13 RCS Operational LEAKAGE BASES BACKGROUNDComponents that contain or transport the coolant to or from the reactor core make up the RCS. Component joints are made by welding, bolting, rolling, or pressure loading, and valves isolate connecting systems from the RCS.During plant life, the joint and valve interfaces can produce varying amounts of reactor coolant LEAKAGE, through either normal operational wear or mechanical deterioration. The purpose of the RCS Operational LEAKAGE LCO is to limit system operation in the presence of LEAKAGE from these sources to amounts that do not compromise safety. This LCO specifies the types and amounts of LEAKAGE.10 CFR 50, Appendix A, GDC 30, as discussed in Reference 1, requiresmeans for detecting and, to the extent practical, identifying the source of reactor coolant LEAKAGE. Regulatory Guide 1.45, as discussed in Reference 2, describes acceptable methods for selecting leakagedetection systems. The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring reactorcoofant LEAKAGE into the containment area is necessary. Quicklyseparating the identified LEAKAGE from the unidentified LEAKAGE is necessary to provide quantitative information to the operators, allowing them to take corrective action should a leak occur that is detrimental to the safety of the facility and the public.A limited amount of leakage inside containment is expected from auxiliary systems that cannot be made 100% leaktight. Leakage from thesesystems should be detected, located, and isolated from the containment atmosphere, if possible, to not interfere with RCS leakage deterction. This LCO deals with protection of the reactor coolant pressure boundary (RCPB) from degradation and the core from inadequate cooling, in addition to preventing the accident analyses radiation releaseassumptions from being exceeded. The consequences of violating this LCO include the possibility of a loss of coolant accident (LOCA).Beaver Valley Units 1 and 2B 3.4.13 - 1Revision 0 RCS Operational LEAKAGEB 3.4.13 BASES APPLICABLE SAFETY ANALYSESExcept for primary to secondary LEAKAGE, the safety analyses do not address operational LEAKAGE. However, other operational LEAKAGE isrelated to the safety analyses for LOCA; the amount of leakage can affect the probability of such an event.Primary to secondary LEAKAGE is a factor in the dose assessment ofaccidents or transients that involve secondary steam release to the atmosphere, such as a main steam line break (MSLB), a locked rotor accident (LRA), a Loss of AC Power (LACP), a Control Rod Ejection Accident (CREA) and to a lesser extent, a Steam Generator Tube Rupture (SGTR). The leakage contaminates the secondary fluid. The limit on the primary to secondary LEAKAGE ensures that the dose contribution at the site boundary from tube feakage following such accidents are limited to appropriate fractions of the 10 CFR 50.67 limit of25 Rem TEDE as allowable by Regulatory Guide 1.183. The limit on the primary to secondary leakage also ensures that the dose contribution from tube leakage in the control room is limited to the 10 CFR 50.67 limitof 5 Rem TEDE. Among all of the analyses that release primary sideactivity to the environment via tube leakage, the MSLB is of particularconcern because the ruptured main steam line provides a pathway torelease the primary to secondary leakage directly to the environmentwithout dilution in the secondary fluid.For Unit 1, the safety analysis for an event resulting in steam discharge tothe atmosphere conservatively assumes that primary to secondary LEAKAGE from all steam generators is 450 gallons per day (gpd) (i.e., 150 gpd per steam generator) or increases to 450 gpd as a result of accident induced conditions. Currently, the Unit 1 safety analyses do notspecifically assume additional primary to secondary LEAKAGE due to accident induced conditions. For Unit 2, due to adoption of the voltage based steam generator tuberepair criteria per guidance provided by Generic Letter (GL) 95-05 (Reference 3), the safety analysis for an event resulting in steamdischar-ge to the atmosphere conservatively assumes that primary tosecondary LEAKAGE from all steam generators is 450 gallons per day(gpd) (i.e., 150 gpd per steam generator) or increases to 450 gpd as a result of accident induced conditions for all accidents other than the MSLB. Currently, the Unit 2 MSLB safety analysis is the only analysisthat specifically assumes additional primary to secondary LEAKAGE dueto accident induced conditions.The Unit 2 dose consequences associated with the MSLB addresses anadditional 2.1 gpm leakage, which, per GL 95-05, is postulated to occur (via pre-existing tube defects) as a result of the rapid depressurization ofthe secondary side due to the MLSB, and the consequent high differential pressure across the faulted steam generator. The maximum allowedUnit 2 total accident induced leakage is 2.4 gpm.Beaver Valley Units 1 and 2 B 3.4.13 - 2Revision 0 RCS Operational LEAKAGEB 3.4.13 BASES APPLICABLE SAFEry ANALYSIS (continued)The RCS operational LEAKAGE satisfies Criterion 2 of 10 CFR 50.36(c)(2xii). LCO RCS operational LEAKAGE shall be limited

a. Pressure Boundary LEAKAGE b.No pressure boundary LEAKAGE is allowed, being indicative of material deterioration. LEAKAGE of this type is unacceptable as the leak itself could cause further deterioration, resulting in higherLEAKAGE. Violation of this LCO could result in continued degradation of the RCPB. LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE. Should pressure boundaryLEAKAGE occur through a component which can be isolated fromthe balance of the Reactor Coolant System, plant operation may continue provided the leaking component is promptly isolated fromthe Reactor Coolant System since isolation removes the source of potential failure.Unidentified LEAKAGE One gallon per minute (gpm) of unidentified LEAKAGE is allowed asa reasonable minimum detectable amount that the containment air monitoring and containment sump level monitoring equipment can detect within a reasonable time period. Violation of this LCO couldresult in continued degradation of the RCPB, if the LEAKAGE isfrom the pressure boundary.ldentified LEAKAGE Up to 10 gpm of identified LEAKAGE is considered allowablebecause LEAKAGE is from known sources that do not interfere withdetection of unidentified LEAKAGE and is well within the capability of the RCS Makeup System. ldentified LEAKAGE includes LEAKAGE to the containment from specifically known and locatedsources, but does not include pressure boundary LEAKAGE orcontrolled reactor coolant pump (RCP) seal leakoff (a normal function not considered LEAKAGE).

Violation of this LCO couldresult in continued degradation of a component or system. c.Beaver Valley Units 1 and 2 B 3.4.13 - 3 Revision 0 RCS Operational LEAI(AGEB 3.4.1 3 BASES LCO (continued) d.Primary to Secondarv LEAKAGE throuqh Any One SGThe limit of 150 gallons per day per SG is based on the operational LEAKAGE performance criterion in NEI 97-06, Steam GeneratorProgram Guidelines (Ref. 4). The Steam Generator Program operational LEAKAGE performance criterion in NEI 97-06 states,"The RCS operational primary to secondary leakage through anyone SG shall be limited to 150 gallons per day." The limit is basedon operating experience with SG tube degradation mechanisms thatresult in tube leakage. The operational leakage rate criterion inconjunction with the implementation of the Steam GeneratorProgram is an effective measure for minimizing the frequency of steam generator tube ruptures. APPLICABILITY ln MODES 1, 2, 3, and 4, the potential for RCPB LEAKAGE is greatestwhen the RCS is pressurized.In MODES 5 and 6, LEAKAGE limits are not required because the reactor coolant pressure is far lower, resulting in lower stresses and reduced potentials for LEAKAGE.LCO 3.4.14, "RCS Pressure lsolation Valve (PlV) Leakage," measures leakage through each individual PIV and can impact this LCO. Of the two PlVs in series in each isolated line, leakage measured through one PIV does not result in RCS LEAKAGE when the other is leak tight. lf bothvalves leak and result in a loss of mass from the RCS, the loss must be included in the allowable identified LEAKAGE.ACTIONS A.1 Unidentified LEAKAGE or identified LEAKAGE in excess of theLCO limits must be reduced to within limits within 4 hours. This Completion Time allows time to verify leakage rates and either identify unidentified LEAKAGE or reduce LEAKAGE to within limits before the reactor must be shut down. This action is necessary to prevent furtherdeterioration of the RCPB.8.1 and B.2 lf any pressure boundary LEAKAGE exists, or primary to secondaryLEAKAGE is not within limit, or if unidentified or identified LEAKAGE cannot be reduced to within limits within 4 hours, the reactor must be brought to lower pressure conditions to reduce the severtty of theBeaver Valley Units 1 and 2B 3.4.13 - 4Revision 0 RCS Operational LEAKAGEB 3.4.13 BASESACTIONS (continued)LEAKAGE and its potential consequences. lt should be noted that LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE.The reactor must be brought to MODE 3 within 6 hours and MODE 5 within 36 hours. This action reduces the LEAKAGE and also reduces the factors that tend to degrade the pressure boundary.The allowed Completion Times are reasonable, based on operatingexperience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.In MODE 5, the pressure stresses acting on the RCPB are much lower,and further deterioration is much less likely. SURVEILLANCE REQUIREMENTSsR 3.4.13.1Verifying RCS LEAKAGE to be within the LCO limits ensures the integrity ofthe RCPB is maintained. Pressure boundary LEAKAGE would at firstappear as unidentified LEAKAGE and can only be positively identified by inspection. lt should be noted that LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE. Unidentified LEAKAGE and identified LEAKAGE are determined by performance of an RCS water inventory balance.The RCS water inventory balance must be met with the reactor at steadystate operating conditions (stable temperature, power level, pressurizerand makeup tank levels, makeup and letdown and RCP seal injection andreturn flows) and near operating pressure. The Surveillance is modifiedby two Notes. Note 1 states that this SR is not required to be performed until 12 hours after establishing steady state operation. The 12 hour allowance provides sufficient time to collect and process all necessarydata after stable plant conditions are established.Note 2 states that this SR is not applicable to primary to secondaryLEAKAGE because LEAKAGE of 150 gallons per day cannot bemeasured accurately by an RCS water inventory balance.Steady state operation is required to perform a proper inventory balancesince calculations during maneuvering are not useful. For RCSoperational LEAKAGE determination by water inventory balance, steady state is defined as stable RCS pressure, temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flows. Beaver Valley Units 1 and 2 B 3.4.13 - 5Revision 0 RCS Operational LEAKAGEB 3.4.13 BASES SURVEILLANCE REQU I REMENTS (continued) An early warning of pressure boundary LEAKAGE or unidentifiedLEAKAGE is provided by the instrumentation systems that monitor thecontainment atmosphere radioactivity and the containment sump level. ltshould be noted that LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE. These leakage detection systems are specified inLCO 3.4.15, 'RCS Leakage Detection lnstrumentation."The72 hour Frequency is a reasonable interval to trend LEAKAGE andrecognizes the importance of early leakage detection in the prevention of accidents.sR 3.4.13.2 This SR verifies that primary to secondary LEAKAGE is less than or equalto 150 gallons per day through any one SG. Satisfying the primary tosecondary LEAKAGE limit ensures that the operational LEAKAGE performance criterion in the Steam Generator Program is met. lf this SRis not met, compliance with LCO 3.4.2A, "Steam Generator Tube lntegrity," should be evaluated. The 150 gallons per day limit ismeasured at room temperature (25'C) as described in Reference

5. The operational LEAKAGE rate limit applies to LEAKAGE through any one SG. lf it is not practical to assign the LEAKAGE to an individual SG, all the primary to secondary LEAKAGE should be conservatively assumed tobe from one SG.

The Surveillance is modified by a Note which states that the Surveillanceis not required to be performed until 12 hours after establishment of steady state operation. For RCS primary to secondary LEAKAGEdetermination, steady state is defined as stable RCS pressure, temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flows.The Surveillance Frequency of 72 hours is a reasonable interval to trend primary to secondary LEAKAGE and recognizes the importance of earlyleakage detection in the prevention of accidents. The primary to secondary LEAKAGE is determined using continuous process radiationmonitors or radiochemical grab sampling in accordance with the EPRIguidelines (Ref. 5).REFERENCES 2.1.Unit 1 UFSAR Appendix 1A, '1971 AEC General Design Criteria Conformance" and Unit 2 UFSAR Section 3.1, "Conformance with U.S. Nuclear Regulatory Commission General Design Criteria."UFSAR Section 4.2.7 .1 (Unit 1) and UFSAR Section 5.2.5 (Unit 2).Beaver Valley Units 1 and 2B 3.4.13 - 6Revision 0 RCS Operational LEAKAGE B 3.4.1 3 BASES REFERENCES (continued) 3.4.5.NRC Generic Letter 95-05: Voltage-Based Repair Criteria For Westinghouse Steam Generator Tubes Affected By OutsideDiameter Stress Corrosion Cracking.NEI 97-06, "Steam Generator Program Guidelines." EPRl, "Pressurized Water Reactor Primary-to-Secondary Leak Guidelines. "Beaver Valley Units 1 and 2B 3.4.13 - 7 Revision 0 RCS PIV LeakageB 3.4.14 B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.14 RCS Pressure lsolation Valve (PlV) Leakage BASES BACKGROUND10 CFR 50.2,10 CFR 50.55a(c), and GDC 55 of 10 CFR 50, AppendixA,as discussed in Reference 1, define RCS PlVs as any two normallyclosed valves in series within the reactor coolant pressure boundary (RCPB), which separate the high pressure RCS from an attached low pressure system. During their lives, these valves can produce varyingamounts of reactor coolant leakage through either normal operational wear or mechanical deterioration. The RCS PIV Leakage LCO allows RCS high pressure operation when leakage through these valves existsin amounts that do not compromise safety.The PIV leakage limit applies to each individual valve. Leakage through both series PlVs in a line must be included as part of the identified LEAKAGE, governed by LCO 3.4.13, "RCS Operational LEAKAGE." This is true during operation only when the loss of RCS mass through twoseries valves is determined by a water inventory balance (SR 3.4.13.1).A known component of the identified LEAKAGE before operation beginsis the least of the two individual leak rates determined for leaking series PlVs during the required surveillance testing; leakage measured throughone PIV in a line is not RCS operational LEAKAGE if the other is leaktight.Although this specification provides a limit on allowable PIV leakage rate, its main purpose is to prevent overpressure failure of the low pressure portions of connecting systems. The leakage limit is an indication that the PlVs between the RCS and the connecting systems are degraded ordegrading. PIV leakage could lead to overpressure of the low pressure piping or components. Failure consequences could be a loss of coolant accident (LOCA) outside of containment, an unanalyzed accident, that could degrade the ability for low pressure injection. The basis for this LCO is the 1975 NRC "Reactor Safety Study" (Ref. 2)that identified potential intersystem LOCAs as a significant contributor to the risk of core melt. A subsequent study (Ref. 3) evaluated various PIV configurations to determine the probability of intersystem LOCAS.The specific PlVs addressed by this LCO are listed in the Licensing Requirements Manual (LRM).Violation of this LCO could result in continued degradation of a PlV, which could lead to overpressurization of a low pressure system and the loss ofthe integrity of a fission product barrier.Beaver Valley Units 1 and 2 B 3.4.14 - 1Revision 0 RCS PIV LeakageB 3.4.14 BASES APPLICABLE SAFETY ANALYSESReference 2 identified potential intersystem LOCAs as a significantcontributor to the risk of core melt. The dominant accident sequence inthe intersystem LOCA category is the failure of the low pressure portionof the Emergency Core Coof ing System Low Head Injection Systemoutside of containment. The accident is the result of a postulated failureof the PlVs, which are part of the RCPB, and the subsequent pressurization of the Low Head Injection System downstream of the PlVsfrom the RCS. Because the low pressure portion of the system is not designed for RCS pressure, overpressurization failure of the low pressureline would result in a LOCA outside containment and subsequent risk of core melt.Reference 3 evaluated various PIV configurations, leakage testing of the valves, and operational changes to determine the effect on the probability of intersystem LOCAs. This study concluded that periodic leakage testingof the PlVs can substantially reduce the probability of an intersystem LOCA.RCS PIV leakage satisfies Critertan 2 of 10 CFR 50.36(c)(2xii). LCO The specific PlVs for which this LCO applies are listed in the LRM. RCSPIV leakage is identified LEAKAGE into closed systems connected to theRCS. lsolation valve leakage is usually on the order of drops per minute.Leakage that increases significantly suggests that something isoperationally wrong and corrective action must be taken.The LCO PIV leakage limit is 0.5 gpm per nominal inch of valve size witha maximum limit of 5 gpm. Note 4 in SR 3.4.14.1 provides an exceptionto the 0.5 gpm/inch diameter limit under certain circumstances.Reference 4 permits leakage testing at a lower pressure differential thanbetween the specified maximum RCS pressure and the normal pressureof the connected system during RCS operation (the maximum pressure differential) in those types of valves in which the higher service pressurewill tend to diminish the overall leakage channel opening. ln such cases, the observed rate may be adjusted to the maximum pressure differential by assuming leakage is directly proportional to the pressure differential tothe one half power. This allowance is consistent with that provided byNote 3 in SR 3.4.14.1 .Beaver Valley Units 1 and 28 3.4.14 - 2Revision 0 RCS PIV LeakageB 3.4.14 BASES APPLICABILITYln MODES 1 , 2, 3, and 4, this LCO applies because the PIV leakage potential is greatest when the RCS is pressurized. In MODE 4, valves the RHR flow path are not required to meet the requirements of thisLCO when in, or during the transition to orfrom, the RHR mode of operation.In MODES 5 and 6, leakage limits are not provided because the lowerreactor coolant pressure results in a reduced potential for leakage and for a LOCA outside the containment. ACTIONSThe Actions are modified by two Notes. Note 1 provides clarification thateach flow path allows separate entry into a Condition. This is allowedbased upon the functional independence of the flow path. Note 2requires an evaluation of affected systems if a PIV is inoperable. Theleakage may have affected system operability, or isolation of a leaking flow path with an alternate valve may have degraded the ability of theinterconnected system to perform its safety function.4.1The flow path must be isolated. Required Action A.1 is modified by aNote that the valves used for isolation must meet the same leakage requirements as the PlVs and must be within the RCPB or the highpressure portion of the system.Required Action A.1 requires that the isolation with one valve must be performed within 4 hours. Four hours provides time to reduce leakage inexcess of the allowable limit and to isolate the affected system if leakagecannot be reduced. The 4 hour Completion Time allows the actions and restricts the operation with leaking isolation valves.Motor-operated valves used to meet this isolation requirement shall be placed in the closed position with power supplies de-energized. 8.1 and 8.2 lf leakage cannot be reduced, or the other Required Actionsaccomplished, the plant must be brought to a MODE in which therequirement does not apply. To achieve this status, the plant must bebrought to MODE 3 within 6 hours and MODE 5 within 36 hours. ThisAction may reduce the leakage and also reduces the potential for a LOCA outside the containment. The allowed Completion Times are reasonable based on operating experience, to reach the required plant conditionsfrom full power conditions in an orderly manner and without challenging plant systems.Beaver Valley Units 1 and 2 8 3.4.14 - 3Revision 0 RCS PIV LeakageB 3.4.14 BASES SURVEILLANCE SR 3.4.14.1 REQUIREMENTSThe list of valves for which this Surveillance is applicable is contained inthe LRM. Performance of leakage testing on each RCS PIV or isolationvalve used to satisfy Required Action A.1 is required to verify that leakageis below the specified limit and to identify each leaking valve. Theleakage limit of 0.5 gpm per inch of nominal valve diameter up to 5 gpm maximum applies to each valve. Leakage testing requires a stable pressure condition. To satisfy ALARA requirements, leakage may bemeasured indirectly (as from the performance of pressure indicators) ifaccomplished in accordance with approved procedures and supported by computations showing that the method is capable of demonstratingcompliance within the valve leakage criteria. In addition, for those valves where the leakage rate can be continuously monitored during plant operation, no other leakage rate testing is required. The leakage rate ofvalves continously monitored shall be recorded at intervals that satisfy the required Surveillance Frequency.For the two PlVs in series, the leakage requirement applies to each valve individually and not to the combined leakage across both valves. lf thePlVs are not individually leakage tested, one valve may have failed completely and not be detected if the other valve in series meets the leakage requirement. In this situation, the protection provided by redundant valves would be lost.Testing is to be performed for all PlVs listed in the LRM prior to enteringMODE 2 after the plant is placed in MODE 5 for refueling. The Frequency,which results in testing the PlVs approximately every 18 months, is within the requirements of 10 CFR 50.55a(f) as contained in the Inservice TestingProgram, and is also within the frequency allowed by the American Societyof Mechanical Engineers (ASME) Code (Ref. 4), which is based on theneed to perform such surveillances under the conditions that apply duringan outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. However, this does not preclude performance of this Surveillance at power, if necessary toconfirm OPERABILITY, when it can be accomplished in a safe manner.An additional Frequency of "prior to entering MODE 2 whenever the unithas been in MODE 5 for 7 days or more, if leakage testing has not been performed in the previous 9 months" is applicable to certain PlVs. Thisadditional Frequency is modified by a Note that clarifies that thisFrequency is only applicable to PlVs specifically identified in the list ofPlVs in the LRM. The additional testing is specified for PlVs identified as"Event V" (potential loss of coolant accident outside containment) typePlVs consistent with References 2 and 3.Beaver Valley Units 1 and 2B 3.4.14 - 4 Revision 0 RCS PIV Leakage B 3.4.14 BASES SURVEILLANCE REQUIREMENTS (continued)The leakage limit is to be met at the RCS pressure associated with MODES 1 and 2. This permits leakage testing at high differential pressures not possible in the MODES with lower temperature restrictions.Entry into MODES 3 and 4 is allowed to establish higher differential pressures if necessary for performance of this Surveillance. The Notethat allows this provision is complementary to the Frequency of prior toentry into MODE 2, it leakage testing has not been performed in the previous 9 months. In addition, this Surveillance is not required to be performed on the RHR System when the RHR System is aligned to theRCS in the shutdown cooling mode of operation. PlVs contained in the RHR shutdown cooling flow path must be leakage rate tested after RHR is secured and stable unit conditions and the necessary differential pressures are established.Note 3 provides the allowance that the RCS PIV leakage may be verifiedat a pressure lower than the required RCS pressure range provided theobserved leakage rates are adjusted to the function maximum pressure in accordance with ASME OM Code (Ref. a).Note 4 provides an exception to the 0.5 gpm/inch diameter leakage limit of the LCO. The Note allows leakage rates > 0.5 gpm/inch diameter but< 5.0 gpm total provided the latest measured rate has not exceeded therate determined by the previous test by an amount that reduces the margin between measured leakage rate and the maximum permissible rate of 5.0 gpm by > 50%.REFERENCES 1.Unit 1 UFSAR Appendix 1A, "1971 AEC General Design Criteria Conformance" and Unit 2 UFSAR Section 3.1, "Conformance with U. S. Nuclear Regulatory Commission General Design Criteria" WASH-1400 (NUREG-751014), Appendi;,: V, October 1975.NUREG-4677 , May 1980.ASME code for Operation and Maintenance of Nuclear Power Plants.2.3.4.Beaver Valley Units 1 and 2B 3.4.14 - 5Revision 0 RCS Leakage Detection InstrumentationB 3.4.1 5B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.15 RCS Leakage Detection Instrumentation BASES BACKGROUNDGDC 30 of Appendix A to 10 CFR 50, as discussed in Reference 1,requires means for detecting and, to the extent practical, identifying thelocation of the source of RCS LEAKAGE. Regulatory Guide 1.45,Revision 0, as discussed in Reference 2, describes acceptable methodsfor selecting leakage detection systems.Leakage detection systems must have the capabifity to detect significantreactor coolant pressure boundary (RCPB) degradation as soon afteroccurrence as practical to minimize the potential for propagation to a gross failure. Thus, an early indication or warning signal is necessary topermit proper evaluation of all unidentified LEAKAGE. ln addition tomeeting the OPERABILITY requirements, the monitors are typically set to provide the most sensitive response without causing an excessive number of spurious alarms.The non-Emergency Core Cooling System (ECCS) portion of thecontainment sump used to collect unidentified LEAKAGE is capable ofindicating increases above the normal level.The reactor coolant contains radioactivity that, when released to the containment, may be detected by radiation monitoring instrumentation.Radioactivity detection systems are included for monitoring both particulate and gaseous activities because of their sensitivities and rapidresponses to RCS LEAKAGE.Other indications may be used to detect an increase in unidentifiedLEAKAGE; however, they are not required to be OPERABLE by thisLCO. An increase in humidity of the containment atmosphere wouldindicate release of water vapor to the containment. Dew point temperature measurements can thus be used to monitor humidity levelsof the containment atmosphere as an indicator of potential RCS LEAKAGE.Since the humidity level is influenced by several factors, a quantitativeevaluation of an indicated leakage rate by this means may be questionable and should be compared to observed increases in liquidflow into or from the containment sump. Humidity level monitoring is considered most useful as an indirect indication to inform the operator to a potential problem. Humidity monitors are not required by this LCO.Beaver Valfey Units 1 and 2 B3.4 15-1 Revision 1B RCS Leakage Detection InstrumentationB 3.4.15 BASES BACKG ROUN D (continued) Air temperature and pressure monitoring methods may also be used to infer unidentified LEAKAGE to the containment. Containment temperature and pressure fluctuate slightly during plant operation, but a rise above the normally indicated range of values may indicate RCSleakage into the containment. The relevance of temperature and pressure measurements is affected by containment free volume and, for temperature, detector location. Alarm signals from these instruments can be valuable in recognizing rapid and sizable leakage to the containment. Temperature and pressure monitors are not required by this LCO.The above-mentioned LEAKAGE detection methods or systems differ insensitivity and response time. Some of these systems could serve as early warning systems signaling the operators that closer examination ofother detection systems is necessary to determine the extent of anycorrective action that may be required.APPLICABLE SAFETY ANALYSESThe need to evaluate the severity of an alarm or an indication is importantto the operators, and the ability to compare and verify with indicationsfrom other systems is necessary.The safety significance of RCS LEAKAGE varies widely depending on itssource, rate, and duration. Therefore, detecting and monitor:ing RCSLEAKAGE into the containment area is necessary. Quickly separatingthe identified LEAKAGE from the unidentifled LEAKAGE provides quantitative information to the operators, allowing them to take correctiveaction should a leakage occur detrimental to the safety of the unit and the public.RCS leakage detection instrumentation satisfies Criterion 1 of10 CFR 50.36(c)(2xii). LCOThis LCO requires instruments of diverse monitoring principles to beOPERABLE to orovide confidence that small amounts of unidentifiedLEAKAGE are detected in time to allow actions to place the plant in asafe condition, when RCS LEAKAGE indicates possible RCPB degradation.The LCO requires two instruments to be OPERABLE.Beaver Valley Units 1 and 2 B 3.4.15-2Revision 18 RCS Leakage Detection Instrumentation B 3.4.15 BASES LCO (continued)The non-ECCS portion of the containment sump is used to collectunidentified LEAKAGE. The monitor on the containment sump detects level or flow rate and is instrumented to detect when there is an increaseabove the normal value. The identification of an increase in unidentifiedLEAKAGE will be delayed by the time required for the unidentified LEAKAGE to travel to the containment sump and it may take longer than one hour to detect a 1 gpm increase in unidentified LEAKAGE, dependingon the origin and magnitude of the LEAKAGE. This sensitivity is acceptable for containment sump monitor OPERABILITY.The reactor coolant contains radioactivity that, when released to the containment, can be detected by the gaseous or particulate containment atmosphere radioactivity monitor. Only one of the two detectors is required to be OPERABLE. Radioactivity detection systems are includedfor monitoring both particulate and gaseous activities because of theirsensitivities and rapid responses to RCS LEAKAGE, but have recognizedlimitations. Reactor coolant radioactivity levels will be low during initialreactor startup and for a few weeks thereafter, until activated corrosion products have been formed and fission products appear from fuelelement cladding contamination or cladding defects. lf there are few fuelelement cladding defects and low levels of activation products, it may not be possible for the gaseous or particulate containment atmosphereradioactivity monitors to detect a 1 gpm increase within t hour duringnormal operation. However, the gaseous or particulate containment atmosphere radioactivity monitor is OPERABLE when it is capable ofdetecting a 1 gpm increase in unidentified LEAKAGE within t hour given an RCS activity equivalent to that assumed in the design calculations for the monitors (Reference 3).The LCO is satisfied when monitors of diverse measurement means are available. Thus, the containment sump monitor, in combination with a gaseous or particulate radicactivity monitor, provides an acceptableminimum. The containment sump monitor is comprised of the instruments associated with the non-ECCS portion of the containment sump which monitor narrow range level and sump pump discharge flow.The LCO only requires that the sump level or discharge flow monitor be OPERABLE. The required particulate and gaseous radioactivity monitors are RM-1RM-215A&B (Unit 1) and 2RMR-RQ303A&B (Unit 2).APPLICABILITYBecause of elevated RCS temperature and pressure in MODES 1, 2, 3, and 4, RCS leakage detection instrumentation is required to be OPERABLE.Beaver Valley Units 1 and 2B 3.4.15 - 3 Revision 1B RCS Leakage Detection InstrumentationB 3.4.1 5 BASES APPLICABI Llry (continued) In MODE 5 or 6, the temperature is to be < 200"F and pressure ismaintained low or at atmospheric pressure. Since the temperatures and pressures are far lower than those for MODES 1 ,2,3, and 4, the likelihood of leakage and crack propagation are much smaller. Therefore, the requirements of this LCO are not applicable in MODES 5 and 6.ACTIONS A.1 and A.2 With the required containment sump monitor inoperable, no other form of sampling can provide the equivalent information; however, thecontainment atmosphere radioactivity monitor will provide indications ofchanges in leakage. Together with the containment atmosphereradioactivity monitor, the periodic surveillance for RCS water inventory balance, SR 3.4.13.1, must be performed at an increased frequency of 24 hours to provide information that is adequate to detect leakage. A Note is added allowing that SR 3.4.13.1 is not required to be performed until 12 hours after establishing steady state operation (stable temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flows). The 12 hour allowance provides sufficient time to collect and process all necessary data after stable plant conditions are established.Restoration of the required sump monitor to OPERABLE status within aCompletion Time of 30 days is required to regain the function after themonitor's failure. This time is acceptable, considering the Frequency andadequacy of the RCS water inventory balance required by RequiredAction A.1 . B.1 .1 , 8.1 .2, and 8.2 With both gaseous and particulate containment atmosphere radioactivity monitoring instrumentation channels inoperable, alternative action is required. Either grab samples of the containment atmosphere must be taken and analyzed or water inventory balances, in accordance with SR 3.4.13.1 , must be performed to provide alternate periodic information. With a sample obtained and analyzed or water inventory balance performed every 24 hours, the reactor may be operated for up to 30 days to allow restoration of the required containment atmosphere radioactivity monitors.Beaver Valley Units 1 and 2 B3.4 15-4Revision 18 RCS Leakage Detection InstrumentationB 3.4.1 5 BASES ACTIONS (continued)The 24 hour interval provides periodic information that is adequate todetect leakage. A Note is added allowing that SR 3.4.13.1 is not requiredto be performed until 12 hours after establishing steady state operation (stable temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flows). The12 hour allowance provides sufficient time to collect and process all necessary data after stable plant conditions are established. The 30 dayCompletion Time recognizes at least one other form of leakage detection is available. C.1 and C.2With the required containment sump monitor inoperable, the only meansof detecting LEAKAGE is the required containment atmosphere radiation monitor. A Note clarifies that this Condition is applicable when thecontainment atmosphere gaseous radioactivity monitor is the onlyOPERABLE monitor. The containment atmosphere gaseous radioactivity monitor typically cannot detect a 1 gpm leak within one hour when RCSactivity is low. In addition, this configuration does not provide the requireddiverse means of leakage detection. Indirect methods of monitoring RCS leakage must be implemented. Grab samples of the containmentatmosphere must be obtained to provide alternate periodic information.The 12 hour interval is sufficient to detect increasing RCS leakage. The Required Action provides 7 days to restore another RCS leakage monitor to OPERABLE status to regain the intended leakage detection diversity.The 7 day Completion Time ensures that the plant will not be operated ina degraded configuration for a lengthy time period.D.1 and D.2 lf a Required Action of Condition A, B, or C cannot be met, the plant mustbe brought to a MODE in which the requirement does not apply. .Toachieve this status, the plant must be brought to at least MODE 3 within6 hours and to MODE 5 within 36 hours. The allowed Completion Timesare reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.E.1 With all required monitors inoperable, no automatic means of monitoring leakage are available, and immediate plant shutdown in accordance with LCO 3.0.3 is required.Beaver Valley Units 1 and 2 B 3.4.15 - 5 Revision 18 RCS Leakage Detection InstrumentationB 3.4.1 5 BASES SURVEILLANCE SR 3.4.15.1 REQUIREMENTSSR 3.4.15.1 requires the performance of a CHANNEL CHECK of the required containment atmosphere radioactivity monitor. The check gives reasonable confidence that the channel is operating properly. The Frequency of 12 hours is based on instrument reliability and is reasonable for detecting off normal conditions.sR 3.4.15.2SR 3.4.15.2 requires the performance of a COT on the requiredcontainment atmosphere radioactivity monitor. The test ensures that the monitor can perform its function in the desired manner. A successful testof the required contact(s) of a channel relay may be performed by theverification of the change of state of a single contact of the relay. Thisclarifies what is an acceptable COT of a relay. This is acceptablebecause all of the other required contacts of the relay are verified by other Technical Specification Surveillance Requirements. The test verifies the alarm setpoint and relative accuracy of the instrument string. The Frequency of 92 days considers instrument reliability, and operatingexperience has shown that it is proper for detecting degradation.SR 3.4.15.3 and SR 3.4.15.4 These SRs require the performance of a CHANNEL CALIBRATf ON foreach of the RCS leakage detection instrumentation channels. Thecalibration verifies the accuracy of the instrument string, including theinstruments located inside containment. The Frequency of 18 months isa typical refueling cycle and considers channel reliability. Again,operating experience has proven that this Frequency is acceptable. REFERENCES 2.3.1.Unit 1 UFSAR Appendix 1A, "1971AEC General Design CriteriaConformance" and Unit 2 UFSAR Section 3.1, "Conformance withU.S. Nuclear Regulatory Commission General Design Criteria." Regulatory Guide 1.45, Revision 0, "Reactor Coolant PressureBoundary Leakage Detection Systems," May 1973.UFSAR Section 4.2.7 1 (Unit 1) and UFSAR Section 5.2.5 (Unit 2).Beaver Valley Units 1 and 2B 3.4.15 - 6 Revision 1B RCS Specific ActivityB 3.4.16B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.16 RCS Specific Activity BASES BACKGROUNDThe total effective dose equivalent (TEDE) that an individual at the siteboundary can receive for 2 hours during an accident and the totaleffective dose equivalent that a resident at the low population zone can receive during the course of an accident are specified in 10 CFR 50.67 (Ref. 1). The limits on specific activity ensure that the doses are held toan appropriate fraction of the 10 CFR 50.67 limits during analyzedtransients and accidents. The TS limits also ensure that the total effectivedose equivalent to a control room operator is within the dose limitsspecified by 10 CFR 50.67.The RCS specific activity LCO limits the allowable concentration level ofradionuclides in the reactor coolant. The LCO limits are established tominimize the offsite radioactivity dose consequences in the event of a steam line break (SLB) or steam generator tube rupture (SGTR) accident.The LCO contains specific activity limits for both DOSE EQUIVALENT l-131 and gross specific activity. The alfowable levels are intended to limit the TEDE at the site boundary and in the control room to anappropriate fraction of the 10 CFR 50.67 dose guideline limits. The limits in the LCO are based on BVPS specific radiological consequence analyses.APPLICABLE SAFETY ANALYSESThe LCO limits on the specific activity of the reactor coolant ensure that the resulting TEDE at the site boundary and in the control room will notexceed an appropriate fraction of the 10 CFR 50.67 dose guideline limitsfollowing a SLB or SGTR accident. The SLB or SGTR safety analysis (Ref. 2) assumes the specific activity of the reactor coolant at theLCO limit and an existing reactor coolant steam generator (SG) tubeleakage rate of 150 gallons per day (gpd) in each of the three steam generators. ln addition, the Unit 2 SLB analysis assumes additionalleakage that is calculated as described in Generic Letter 95-05 (Ref. 3)for facilities that have impfemented steam generator alternate repair criteria. The safety analysis also assumes the specific activity of thesecondary coolant at its limit of DOSE EQUIVALENT l-131 specified inLCO 3.7 .13, "Secondary Specific Activity." The analysis for the SLB or SGTR accident establishes the acceptance limits for RCS specific activity. References to these analyses are used toassess changes to the unit that could affect RCS specific activity, as they relate to the acceptance limits.Beaver Valley Units 1 and 2 B 3.4.16 - 1 Revision 0 RCS Specific Activity B 3.4.16 BASES APPLICABLE SAFETY ANALYSES (continued) The analyses are for two cases of reactor coolant specific activity. One case assumes specific activity at 0.35 pCi/gm DOSE EQUIVALENT l-131 with a concurrent large iodine spike that increases the l-131 activityappearance rate in the reactor coolant by a factor of 500 (SLB) or 335 (SGTR) immediately after the accident. The second case assumes the initial reactor coolant iodine activity at21 pCi/gm DOSE EQUIVALENT l-131 due to a pre-accident iodine spike caused by an RCS transient. In both cases, the noble gas activity in the reactor coolant is based on the equilibrium concentrations predicted while operating with 1% failed fuel, and proportionately reduced to correspond to the reduced concentrations of DOSE EQUIVALENT l-131 . The safety analyses show the radiological consequences of an SLB or SGTR accident are within the Reference 1 dose guideline limits for the pre-accident iodine spike case, and well within the 10 CFR 50.67 dose guidelines for the concurrent iodine spike case. Operation with iodine specific activity levels greater than the LCO limit is permissible for up to 48 hours, if the activity levels do not exceed the limits shown in Figure 3.4.16-1. The safety analysis has pre-accident iodine spiking levels up to 21 pCi/gm DOSE EQUIVALENT l-131.The remainder of the above limit permissible iodine levels shown in Figure 3.4.16-1 are acceptable because of the low probability of a SLB or SGTR accident occurring during the established 48 hour time limit. The occurrence of an SLB or SGTR accident at the permissible levelsapplicable from 80 to 100a/o power could increase the site boundary dose levels, but still be within 10 CFR 50.67 dose guideline limits.RCS specific activity satisfies Criterion 2 of 10 CFR 50.36(c)(2xii). LCO The specific iodine activity is limited to 0.35 pCi/gm DOSE EQUIVALENT l-131 , and the gross specific activity in the r5ractor coolant is limited to the number of ;rCi/gm equal to 100 divided by E (average disintegration energy of the sum of the average beta and gamma energies of the non-iodine coolant nuclides). The limit on DOSE EQUIVALENT l-131 ensures the TEDE at the site boundary and in the control room during the Design Basis Accident (DBA) will be an appropriate fraction of the allowed TEDEdose. The limit on gross specific activity provides an additional indication of radionuclides (excluding iodines) that corresponds closely to the noble gas activity in the RCS and helps to ensure the effective doses during the DBA will be an appropriate fraction of the allowed dose.Beaver Valley Units 1 and 2B 3.4.16 - 2Revision 0 RCS Specific ActivityB 3.4.16 BASES LCO (continued) The SLB and SGTR accident analyses (Ref. 2) show that the resultant dose levels are within acceptable limits. Violation of the LCO may result in reactor coolant radioactivity levels that could, in the event of an SLB orSGTR, lead to site boundary or control room doses that exceed the 10 CFR 50.67 dose guideline limits.APPLICABILITY ln MODES 1 and 2, and in MODE 3 with RCS average temperature > 500oF, operation within the LCO limits for DOSE EQUIVALENT l-131 and gross specific activity are necessary to limit the potential radiological consequences of an SLB or SGTR to within the acceptable site boundary and control room dose values. For operation in MODE 3 with RCS average temperature < 500"F, and in MODES 4 and 5, the secondary side steam pressure is significantlyreduced which in turn reduces the probability and severity of a SLB or a SGTR.ACTIONS A.1 and A.2 With the DOSE EQUIVALENT 1-131 greater than the LCO limit, samplesat intervals of 4 hours must be taken to demonstrate that the limits of Figure 3.4.16-1 are not exceeded. The Completion Time of 4 hours is required to obtain and analyze a sample. Sampling is done to continue to provide a trend.The DOSE EQUIVALENT l-131 must be restored to within limits within 48 hours. The Completion Time of 48 hours is required, if the limit violation resulted from normal iodine spiking.A Note permits the use of the provisions of LCO 3.0.4.c. This allowance permits entry into the applicable MODE(S) while relying on the ACTIONS.This allowance is acceptable due to the significant conservatismincorporated into the specific activity limit, the low probability of an event which is limiting due to exceeding this limit, and the ability to restore transient specific activity excursions while the plant remains at, or proceeds to power operation. Beaver Valley Units 1 and 2B 3.4.16 - 3Revision 0 RCS Specific Activity B 3.4.16 BASES ACTIONS (continued) 8.1 With the gross specific activity in excess of the allowed limit, the unit must be placed in a MODE in which the requirement does not apply.The change within 6 hours to MODE 3 and RCS average temperature < 500'F lowers the secondary side steam pressure which in turn reduces the probability and severity of a SLB or SGTR. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 below 500"F from full power conditions in an orderly manner and without challenging plant systems.c,1 lf a Required Action and the associated Completion Time of Condition Ais not met or if the DOSE EQUIVALENT l-131 is in the unacceptable region of Figure 3.4.16-1, the reactor must be brought to MODE 3 with RCS average temperature < 500'F within 6 hours. The Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 below 500'F from full power conditions in an orderly manner and without challenging plant systems.SURVEILLANCE SR 3.4.16.1 REQUIREMENTS SR 3.4.16.1 requires performing a gamma isotopic analysis as a measure of the gross specific activity of the reactor coolant at least once every 7 days. While basically a quantitative measure of radionuclides with half lives longer than 15 minutes, excluding iodines, this measurement is the sum of the degassed gamma activities and the gaseous gamma activities in the sample taken. This Surveillance provides an indication of any increase in gross specific activity.Trending the results of this Surveillance allows proper remedial action to be taken before reaching the LCO limit under normal operatingconditions. The Surveillance is applicable in MODES 1 and 2, and in MODE 3 with Tuun at least 500"F. The 7 day Frequency considers the unlikelihood of a gross fuel failure during the time.Beaver Valley Units I and 2 B 3.4.16 - 4Revision 0 RCS Specific ActivityB 3.4.16 BASES SURVEILLANCE REQUIREMENTS (continued)sR 3.4.1 6.2 This Surveillance is required to be performed in MODE 1 only to ensure iodine remains within limit during normal operation and following fast power changes when fuel failure is more apt to occur. The 1 4 dayFrequency is adequate to trend changes in the iodine activity level, considering gross activity is monitored every 7 days. The Frequency, between 2 and 6 hours after a power change > 15% RTP within a t hour period, is established because the iodine levels peak during this time following fuel failure; samples at other times would provide inaccurate results.sR 3.4.16.3A radiochemical analysis for E determination is required every 184 days (6 months) with the plant operating in MODE 1 equilibrium conditions.The E determination directly relates to the LCO and is required to verify plant operation within the specified gross activity LCO limit. The analysisfor E is a measurement of the average energies per disintegration forisotopes with half lives longer than 15 minutes, excluding iodines. TheFrequency of 184 days recognizes E does not change rapidly.This SR has been modified by a Note that indicates sampling is notrequired to be performed until 31 days after a minlmum of 2 effective full power days and 20 days of MODE 1 operation have elapsed since the reactor was last subcritical for > 48 hours. This ensures that theradioactive materials are at equilibrium so the analysis for f lsrepresentative and not skewed by a crud burst or other similar abnormal event.REFERENCES1. 10 CFR 50.67.2.UFSAR Section 14.2.5 and 1 4.2.4 (Unit 1) and UFSAR Section 15.1 5 and 15.6.3 (Unit 2).3. NRC Generic Letter 95-05: Voltage-Based Repair Criteria For Westinghouse Steam Generator Tubes Affected By OutsideDiameter Stress Corrosion Cracking.Beaver Valley Units 1 and 2 B 3.4.16 - 5Revision 8 RCS Loop lsolation ValvesB 3.4.17B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.17 RCS Loop lsolation Valves BASES BACKGROUND The reactor coolant loops are equipped with loop isolation valves that permit any loop to be isolated from the reactor vessel. One valve is installed on each hot leg and one on each cold leg. The loop isolation valves may be used to perform tasks such as maintenance or inspections on an isolated loop. Power operation with a loop isolated is not permitted. To ensure that inadvertent closure of a loop isolation valve does notoccur, the valves must be open with power to the valve operators removed in MODES 1, 2, 3 and 4. lf the valves are closed, a set of administrative controls must be satisfied prior to opening the isolation valves as described in LCO 3.4.18, 'RCS lsolated Loop Startup." APPLICABLE SAFETY ANALYSES The safety analyses performed for the reactor at power assume that all reactor coolant loops are initially in operation and the loop isolation valves are open. This LCO places controls on the loop isolation valves to ensure that the valves are not inadvertently closed in MODES 1 ,2,3 and 4. The inadvertent closure of a loop isolation valve when the Reactor Coolant Pumps (RCPs) are operating will result in a partial loss of forced reactorcoolant flow (Ref. 1). lf the reactor is at power at the time of the event, the effect of the partial loss of forced coolant flow is a rapid increase in the coolant temperature which could result in DNB with subsequent fueldamage if the reactor is not tripped by the Low Flow reactor trip. lf thereactor is shutdown and an RCS loop is in operation removing decay heat, closure of the loop isolation valve associated with the operating loop could also result in increasing coolant temperature and the possibility of fuel damage.RCS Loop lsolation Valves satisfy Criterion 2 of 10 CFR 50.36(c)(2xii). LCO This LCO ensures that the loop isolation valves are open and power to the valve operators is removed. Loop isolation valves may be used for tasks such as performing maintenance or inspections in MODES 5 and 6.The safety analyses assume that the loop isolation valves are open in anyRCS loops required to be OPERABLE by LCO 3.4.4, "RCS Loops -MODES 1 and 2," LCO 3.4.5, "RCS Loops - MODE 3," or LCO 3.4.6,"RCS Loops - MODE 4." Beaver Valley Units 1 and 2B3.4 17-1Revision 0 RCS Loop lsolation ValvesB 3.4.17 BASES APPLICABILITYIn MODES 1 through 4, this LCO ensures that the loop isolation valvesare open and power to the valve operators is removed. The safetyanalyses assume that the loop isolation valves are open in any RCSloops required to be OPERABLE.ln MODES 5 and 6, the loop isolation valves may be closed. Controlledstartup of an isolated loop is governed by the requirements of LCO 3.4.18, "RCS lsolated Loop Startup." ACTIONSThe Actions have been provided with a Note to clarify that all RCS loopisolation valves for this LCO are treated as separate entities, each withseparate Completion Times, i.e., the Completion Time is on a component basis.A.1 lf power is inadvertently restored to one or more loop isolation valve operators, the potential exists for accidental isolation of a loop. The loopisolation valves have motor operators. Therefore, these valves willmaintain their last position when power is removed from the valve operator. With power applied to the valve operators, only the controls and surveillances required by the Technical Specifications prevent thevalve from being operated. Although the controls and surveillancesrequired by the Technical Specifications make the occurrence of thisevent unlikely, the prudent action is to remove power from the loopisolation valve operators. The Completion Time of 30 minutes to remove power from the loop isolation valve operators is sufficient considering thecomplexity of the task.8.1, B.2, and 8.3Should a loop isolation valve be closed in MODES 1 through 4, the affected loop isolation valve(s) must remain closed and the plant placedin MODE 5. Once in MODE 5, the isolated loop may be started in a controlled manner in accordance with LCO 3.4.18, "RCS lsolated LoopStartup." Opening the closed isolation valve in MODES 1 through 4 couldresult in colder water or water at a lower boron concentration being mixed with the operating RCS loops resulting in positive reactivity insertion. The Completion Time of Condition B allows time for borating the operating loops to a shutdown boration level such that the plant can be brought to MODE 3 within 6 hours and MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.Beaver Valley Units 1 and 2B 3.4.17 - 2Revision 0 RCS Loop lsolation VafvesB 3.4.17 BASES SURVEILLANCE SR 3.4.17.1 REQUIREMENTS The Surveillance is performed at least once per 31 days to ensure thatthe RCS loop isolation valves are open, with power removed from the loop isolation valve operators. The primary function of this Surveillance is to ensure that power is removed from the valve operators, since SR 3.4.4.1 of LCO 3.4.4, "RCS Loops - MODES 1 and 2," ensures that the loop isolation valves are open by verifying every 12 hours that all loops are operating and circulating reactor coolant. The Frequency of 31 days is based on engineering judgment, and has proven to be acceptable. Operating experience has shown that the failure rate is so low that the 31 day Frequency is justified. REFERENCES

1. UFSAR Section 14.1.5 (Unit 1) and UFSAR Section 15.3.1 (Unit 2).Beaver Valley Units 1 and 2 B 3.4.17 - 3 Revision 0 RCS lsolated Loop StartupB 3.4.18 B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.18 RCS lsolated Loop Startup BASES BACKGROUNDThe RCS may be operated with loops isolated in MODES 5 and 6 in order to perform tasks such as maintenance or inspections.

While operating with a loop isolated, there is potential for inadvertently opening theisolation valves in the isolated loop. In this event, the coolant in the isolated loop would suddenly begin to mix with the coolant in the operating loops. This situation has the potential of causing a positivereactivity addition with a corresponding reduction of SDM if: The boron concentration in the isolated loop is lower than the boronconcentration required to meet the SDM of LCO 3.1.1 when inMODE 5 orthe boron concentration of LCO 3.9.1 when in MODE 6 (boron dilution incident), andThe isolated portion of the RCS loop has not been drained and refilled from the refueling water storage tank (RWST) or RCS.As discussed in the UFSAR (Ref. 1), the startup of an isolated loop isdone in a controlled manner that virtually eliminates any undesirablereactivity addition from cold water or boron dilution because:This LCO and plant operating procedures require that the boronconcentration in the isolated loop be maintained > the boronconcentration required to maintain SDM, thus eliminating the potential for introducing coolant from the isolated loop that coulddilute the boron concentration in the operating loops, below theconcentration necessary to maintain the required SDM.ln addition, this LCO and plant operating procedures require that the isolated portion of the RCS loop be drained and refilled with water from the RWST or RCS. These requirements ensure the loop isfilled with water that has a boron concentration and a temperaturethat are within the limits assumed in the applicable SDM calculation. In addition, the refilling of the loop ensures that the borated water in the loop is well mixed prior to unisofating the loop.a.b.a.b.Beaver Valley Units 1 and 2B 3.4.18 - 1 Revision 0 RCS lsolated Loop StartupB 3.4.18 BASES APPLICABLE SAFETY ANALYSESDuring startup of an isolated loop, the controls required by this LCO prevent opening the loop isolation valves until the isolated loop is drained and refilled from the RWST or the RCS. In addition, the boron concentration of the isolated loop is verified to be within the limit for therequired SDM. This ensures that any undesirable reactivity effect from theisolated loop does not occur.The safety analyses assume a minimum SDM as an initial condition for Design Basis Accidents. Violation of this LCO could result in the SDM being reduced in the operating loops to less than that assumed in the safety analyses.The boron concentration of an isolated loop may affect SDM. Therefore,RCS isolated loop startup satisfies Criterion 2 of 10 CFR 50.36(c)(2xii). LCOLoop isolation valves may be used for performing tasks such as maintenance or inspections when the plant is in MODE 5 or 6. This LCO ensures that the loop isolation valves remain closed until the affected loop is drained and refilled from the RWST or RCS and the boron concentration of the isolated loops is verified to be within acceptable limitto maintain the required SDM. APPLICABILlTYIn MODES 5 and 6, when an RCS loop has been isolated for > 4 hours ordrained this LCO becomes applicable to recover the affected loop. In MODES 5 and 6, the required SDM is large enough to permit operationwith isolated loops. Controlled startup of isolated loops is possible without significant risk of inadvertent criticality. This LCO is applicableunder these conditions.ln MODES 1, 2, 3, and 4 LCO 3.4.17, "RCS Loop lsolation Valves," requires that all loop isolation valves be open with power removed fromthe valve operator. ln MODES 5 and 6 if a loop is isolated for < 4 hoursand not drained the condition of the isolated loop has not changed significantly. Therefore, under these conditions, LCO 3.4.18 is not applicable. ACTIONS A.1 Requlred Action A.1 assumes that the prerequisites of the LCO are not met and a loop isolation valve has been inadvertently opened. Therefore,the Actions require immediate closure of isolation valves to preclude a boron dilution event or a cold water event. Beaver Valley Units 1 and 2 8 3.4.18 - 2 Revision 0 RCS lsolated Loop StartupB 3.4.1 8 BASES SURVEILLANCE SR 3.4.18.1 REQUIREMENTS This Surveillance verifies the isolated portion of the affected RCS loop isdrained and refilled with water from the RWST or RCS. This verification provides assurance that the loop is filled with water that has a boronconcentration and a temperature that are within the limits assumed in theapplicable SDM calculation. The Frequency of prior to opening the isolated loop hot or cold leg isolation valve provides additional assurance an isolated loop is returned to service in accordance with the provisions ofLCO 3.4.18. sR 3.4.1 8.2To ensure that the boron concentration of the isolated loop is greater thanor equal to the boron concentration required to meet the SDM of LCO 3.1.1 or boron concentration of LCO 3.9.1, this Surveillance is performed 2 hours prior to opening either the hot or cold leg isolationvalve. Performing the Surveillance 2 hours prior to opening either the hotor cold leg isolation valve provides reasonable assurance the boronconcentration will stay within acceptable limits until the loop is unisolated.This Frequency has been shown to be acceptable through operating experience.sR 3.4.1 8.3 This Surveillance verifies the isolated loop hot or cold leg isolation valveis opened within 4 hours following completion of the isolated loop refill.This verification confirms that the loop being returned to service has been recently refilled in accordance with SR 3.4.18.1. The Frequency of within4 hours after completion of the refill provides assurance that there is no significant change in boron concentration or temperature of the water in the loop since refill and that the contents of the loop remain well mixed when the loop is unisolated. t REFERENCES

1. UFSAR Section 14.1.6 (Unit 1) and Section 15.4.4 (Unit 2).Beaver Valley Units 1 and 2 B 3.4.18 - 3Revision 0 RCS Loops - Test ExceptionsB 3.4.19B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.'19 RCS Loops - Test Exceptions BASES BACKGROUND The primary purpose of this test exception is to provide an exception to LCO 3.4.4, 'RCS Loops - MODES 1 and 2," to permit reactor criticalityunder no flow conditions during certain PHYSICS TESTS (naturalcirculation demonstration, station blackout, and loss of offsite power) to be performed while at low THERMAL POWER levels.

Section Xl of 10 CFR 50, Appendix B (Ref. 1), requires that a test program be established to ensure that structures, systems, and components will perform satisfactorily in service. All functions necessary to ensure that the specified design conditions are not exceeded during normal operationand anticipated operational occurrences must be tested. This testing is an integral part of the design, construction, and operation of the power plant as specified in GDC 1, "Quality Standards and Records" (Ref. 2).The key objectives of a test program are to provide assurance that thefacility has been adequately designed to validate the analyticaf models used in the design and analysis, to verify the assumptions used to predict plant response, to provide assurance that installation of equipment at theunit has been accomplished in accordance with the design, and to verifythat the operating and emergency procedures are adequate. Testing may be performed prior to initial criticality, during startup, and following low power operations.The tests may include verifying the ability to establish and maintainnatural circulation following a plant trip between 10% and 2A% RTP, performing natural circulation cooldown on emergency power, and duringthe cooldown, showing that adequate boron mixture occurs and that pressure can be controlled using auxiliary spray and pressurizer heaters powered from the emergency power sources, APPLICABLE SAFETY ANALYSES The tests described above require operating the plant without forced convection flow and as such are not bounded by any safety analyses.However, operating experience has demonstrated this exception to be safe under the present applicability.As described in LCO 3.0.7, compliance with Test Exception LCOs isoptional, and therefore no criteria of 10 CFR 50.36(c)(2xii) apply. TestException LCOs provide flexibility to perform certain operations byappropriately modifying requirements of other LCOs. A discussion of thecriteria satisfied for the other LCOs is provided in their respective Bases.Beaver Valley Units 1 and 2B 3.4.19 - 1 Revision 0 RCS Loops - Test ExceptionsB 3.4.1 9 BASES LCOThis LCO provides an exemption to the requirements of LCO 3.4.4.The LCO is provided to allow for the performance of PHYSICS TESTS inMODE 2 (after a refueling), where the core cooling requirements aresignificantly different than after the core has been operating. Without the LCO, plant operations would be held bound to the normal operating LCOs for reactor coolant loops and circulation (MODES 1 and 2), and the appropriate tests could not be performed.In MODE 2, where core power level is considerably lower and the associated PHYSICS TESTS must be performed, operation is allowed under no flow conditions provided THERMAL POWER is <P-T and the reactor trip setpoints of the OPERABLE power level channels are set inaccordance with the nominal trip setpoints specified in the LicensingRequirements Manual (LRM). This ensures, if some problem caused the plant to enter MODE 1 and start increasing plant power, the Reactor Trip System (RTS) would automatically shut it down before power became too high, and thereby prevent violation of fuel design limits.The exemption is allowed even though there are no bounding safety analyses. However, these tests are performed under close supervision during the test program and provide valuable information on the plant'scapability to cool down without offsite power available to the reactor coolant pumps.APPLICABILITYThis LCO is applicable when performing low power PHYSICS TESTSwithout any forced convection flow. This testing is performed to establishthat heat input from nuclear heat does not exceed the natural circulationheat removal capabilities. Therefore, no safety or fuel design limits will beviolated as a result of the associated tests.ACT]ONS A.1When THERMAL POWER is > the P-7 interlock setpolnt (as specified for P-10 and P-13 in the LRM), the only acceptable action is to ensure thereactor trip breakers (RTBs) are opened immediately in accordance withRequired Action A.1 to prevent operation of the fuel beyond its designlimits. Opening the RTBs will shut down the reactor and prevent operation of the fuel outside of its design limits.Beaver Valley Units 1 and 2 B 3.4.19 - 2Revision 0 RCS Loops - Test Exceptions B 3.4.19 BASES SURVEILLANCE SR 3.4.19.1 REQUIREMENTSVerification that the power level is < the P-7 interlock setpoint (as specified for P-10 and P-13 in the LRM) will ensure that the fuel design criteria are not violated during the performance of the PHYSICS TESTS.The Frequency of once per hour is adequate to ensure that the powerlevel does not exceed the limit. Plant operations are conducted slowlyduring the performance of PHYSICS TESTS and monitoring the power level once per hour is sufficient to ensure that the power level does notexceed the limit.sR 3.4.1 9.2The specified power range and intermediate range neutron flux channelsand the P-10 and P-13 interlock setpoints must be verified to beOPERABLE and adjusted to the proper value. The Low Power ReactorTrips Block, P-7 interlock, is actuated from either the Power Range Neutron Flux, P-10, or the Turbine First Stage Pressure, P-13 interlock. The P-7 interlock is a logic Function with train, not channel identity. A COT is performed prior to initiation of the PHYSICS TESTS. The purpose of this Surveillance is to verify the required COT has been performed onthe specified channels consistent with the requirements of LCO 3.3.1,"Reactor Trip System." lf the Surveillance Requirements of LCO 3.3.1 are current, no additional testing is required by this Surveillance. This will ensure that the RTS is properly aligned to provide the required degree of core protection during the performance of the PHYSICS TESTS. A successful test of any required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact ofthe relay. This clarifies what is an acceptable COT of a relay. This isacceptable because all of the other required contacts of the relay are verified by other Technical Specification Surveillance Requirements. The SR 3.3.1 .7 and SR 3.3.1 ,1 1 Frequencies are sufficient for the specified channels to ensure the instrumentation is OPERABLE before initiatingPHYSICS TESTS.sR 3.4.19.3The Low Power Reactor Trips Block, P-7 interlock, must be verified to beOPERABLE in MODE 1 by LCO 3.3.1, "Reactor Trip System lnstrumentation." The P-7 interlock is actuated from either the PowerRange Neutron Flux, P-10, or the Turbine First Stage Pressure, P-13interlock. The P-7 interlock is a logic Function. An ACTUATION LOGICTEST is performed to verify OPERABILITY of the P-7 intedock prior to initiation of startup and PHYSICS TESTS. The purpose of thisSurveillance is to verify the required ACTUATION LOGIC TEST has been Beaver Valley Units 1 and 2B 3.4.19 - 3Revision 0 RCS Loops - Test ExceptionsB 3.4.1 I BASES SURVEILLANCE REQU IREMENTS (continued) performed on the P-7 interlock consistent with the requirements ofLCO 3.3.1, "Reactor Trip System." lf the Surveillance Requirements ofLCO 3.3.1 are current, no additional testing is required by thisSurveillance. This will ensure that the RTS is properly functioning to provide the required degree of core protection during the performance ofthe PHYSICS TESTS. The SR 3.3.1.5 Frequency is sufficient for the P-7interlock to ensure the instrumentation is OPERABLE before initiatingPHYSICS TESTS. REFERENCES 1.2.10 CFR 50, Appendix B, Section Xl.10 CFR 50, Appendix A, GDC 1, 1988.Beaver Valley Units 1 and 2 B 3.4.19 - 4Revision 0 SG Tube IntegrityB 3.4.20 B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.2A Steam Generator (SG) Tube Integrity BASES BACKGROUND Steam generator (SG) tubes are small diameter, thin wafled tubes that carry primary coolant through the primary to secondary heat exchangers. The SG tubes have a number of important safety functions. Steam generator tubes are an integral part of the reactor coolant pressure boundary (RCPB) and, as such, are relied on to maintain the primary system's pressure and inventory. The SG tubes isolate the radioactive fission products in the primary coolant from the secondary system. In addition, as part of the RCPB, the SG tubes are unique in that they act asthe heat transfer surface between the primary and secondary systems toremove heat from the primary system. This Specification addresses only the RCPB integrity function of the SG. The SG heat removal function isaddressed by LCO 3.4.4, "RCS Loops- MODES 1 and 2," LCO 3.4.5,"RCS Loops - MODE 3," LCO 3.4.6, "RCS Loops - MODE 4," and LCO 3.4.7,'RCS Loops - MODE 5, Loops Filled."SG tube integrity means that the tubes are capable of performing theirintended RCPB safety function consistent with the licensing basis, including applicable regulatory requirements. Steam generator tubing is subject to a variety of degradationmechanisms. Depending upon materials and design, steam generatortubes may experience tube degradation related to corrosion phenomena,such as wastage, pitting, intergranular attack, and stress corrosioncracking, along with other mechanically induced phenomena such asdenting and wear. These degradation mechanisms can impair tube integrity if they are not managed effectively. The SG performance criteria are used to manage SG tube degradation.Specification 5.5.5, "Steam Generator (SG) Program," requires that a program be established and implemented to ensure that SG tube integrityis maintained. Pursuant to Specification 5.5.5, tube integrity ismaintained when the SG performance criteria are met. There are three SG performance criteria: structural integrity, accident induced leakage,and operational LEAKAGE. The SG performance criteria are described inSpecification 5.5.5. Meeting the SG performance criteria providesreasonable assurance of maintaining tube integrity at normal andaccident conditions. The processes used to meet the SG performance criteria are defined bythe Steam Generator Program Guidelines (Ref. 1).Beaver Valley Units 1 and 2B 3.4.20 - 1 Revision 0 SG Tube IntegrityB 3.4.20 BASES APPLICABLE SAFETY ANALYSESThe steam generator tube rupture (SGTR) accident is the limiting designbasis event for SG tubes and avoiding an SGTR is the basis for thisSpecification. The analysis of a SGTR event assumes a bounding primary to secondary LEAKAGE rate equal to the operational LEAKAGErate limits in LCO 3.4.13, "RCS Operational LEAKAGE,' plus the leakage rate associated with a double-ended rupture of a single tube. The accidentanalysis for a SGTR assumes that following reactor trip the contaminated secondary fluid is released to the atmosphere via safety valves.Environmental releases before reactor trip are discharged through the main condenser. For accidents that do not involve fuel damage, the primary coolant activity level of DOSE EQUIVALENT l-131 is assumed to be equal to theLCO 3.4.16, "RCS Specific Activity," limits, Pre-accident and concurrent iodine spikes are assumed in accordance with applicable regulatory guidance. For accidents that assume fuel damage, the primary coolant activity is a function of the amount of activity released from the damagedfuel. The dose consequences of these events are within the limits of 10CFR 50.67 (Ref. 2) as supplemented by Regufatory Guide 1.183 (Ref. 3)and within GDC-19 (Ref. 4) values.Unit 1 .The analysis for design basis accidents and transients other than a SGTR assume the SG tubes retain their structural integrity (i.e., they are assumednot to rupture.) ln these analyses, the steam discharge to the atmosphereis conservatively assumed to include the total primary to secondaryLEAKAGE from all SGs of 450 gpd (i.e., 150 gpd per steam generator) or is assumed to increase to 450 gpd as a result of accident induced conditions. Currently, the Unit 1 safety analyses do not specifically assume additional primary to secondary LEAKAGE due to accident induced conditions.Unit 2:The analysis for design basis accidents and transients other than a SGTR assume the SG tubes retain their structural integrity (i.e., they are assumed not to rupture). In these analyses, the steam discharge to the atmosphere is conservatively assumed to include the total primary to secondary LEAKAGE from all SGs of 450 gpd (i.e., 150 gpd per steam generator) or isassumed to increase to 450 gpd as a result of accident induced conditions for all accidents other than the Unit 2 main steam line break (MSLB).Currently, the Unit 2 MSLB safety analysis is the only analysis thatspecifically assumes additional primary to secondary LEAKAGE due to accident induced conditions. For the Unit 2 main steam line break (MSLB) analysis, an increased leakage assumption is applied. ln support of voltage based repair criteria pursuant to Generic Letter 95-05 (Ref. 5) analyses were performed to Beaver Valley Units 1 and 2 B 3.4.20 - 2 Revision 0 SG Tube IntegrityB 3.4.20 BASES APPLICABLE SAFETY ANALYSES (continued)determine the maximum MSLB induced primary to secondary leak rate that could occur without offsite doses exceeding the limits of 10 CFR 50.67 (Ref.2) as supplemented by Regulatory Guide 1.183 (Ref. 3) and withoutcontrol room doses exceeding GDC-19 (Ref. a). An additional

2.1 gpmleakage

is assumed in the Unit 2 MSLB analysis resulting from accidentconditions. Therefore, in the MSLB analysis, the steam discharge to the atmosphere includes primary to secondary LEAKAGE equivalent to theoperational leakage limit of 150 gpd per SG and an additianal2.l gpmwhich results in a total assumed accident induced leakage of 2.4 gpm.The combined projected leak rate from all sources (i.e., voltage based repair criteria, application of F*, freespan crack, leaking plug, leakage pastsleeves, etc.) for each SG must be less than the maximum allowable steam line break leak rate limit in any one steam generator (i.e., 2.2 gpm) in orderto maintain a total assumed accident induced leakage of < 2.4 gpm asexplained above. Maintaining the total assumed accident induced leakageto <2.4 gpm limits the resulting dose to within the requirements of 10 CFR 50 67 (Ref.2) as supplemented by Regulatory Guide 1.183 (Ref.3) and within GDC-19 (Ref. 4) values during a postulated steam line break event. Steam generator tube integrity satisfies Crlterion 2 of 10 CFR 50.36(c)(2)(ii). LCOA Note modifies the LCO to indicate that any reference to the repair of SG tubes is only applicable to Unit 2 at this time. The Unit 1 "Steam Generator Program" (in Specification 5.5.5) has no provision for SG tube repair.The LCO requires that SG tube integrity be maintained. The LCO also requires that all SG tubes that satisfy the repair criteria be plugged orrepaired in accordance with the Steam Generator Program.During an SG inspection, any inspected tube that satisfies the Steam Generator Program repair criteria is repaired or removed from service by plugging. lf a tube was determined to satisfy the repair criteria but was not plugged or repaired, the tube may still have tube integrity. In the context of this Specification, a SG tube is defined as the entire lengthof the tube, including the tube wall and any repairs made to it, between the tube-to{ubesheet weld at the tube inlet and the tube-to-tubesheet weld atthe tube outlet. The tube{o-tubesheet weld is not considered part of the tube.A SG tube has tube integrity when it satisfies the SG performance criteria.The SG performance criteria are defined in Specification 5.5.5, "StearnBeaver Valley Units 1 and 2B 3.4.20 - 3Revision 0 SG Tube IntegrityB 3.4.20 BASES LCO (continued) Generator Program," and describe acceptable SG tube performance. TheSteam Generator Program also provides the evaluation process fordetermining conformance with the SG performance criteria.There are three SG performance criteria: structural integrity, accidentinduced leakage, and operational LEAKAGE. Failure to meet any one ofthese criteria is considered failure to meet the LCO.The structural integrity performance criterion provides a margin of safety against tube burst or collapse under normal and accident conditions, andensures structural integrity of the SG tubes under all anticipated transientsincluded in the design specification. Tube burst is defined as, "The gross structural failure of the tube wall. The condition typically corresponds to anunstable opening displacement (e.9., opening area increased in responseto constant pressure) accompanied by ductile (plastic) tearing of the tubematerial at the ends of the degradation." Tube collapse is defined as, "For the load displacement curve for a given structure, collapse occurs at the top of the load versus displacement curve where the slope of the curye becomes zero." The structural integrity performance criterion provides guidance on assessing loads that have a significant effect on burst or collapse. ln that context, the term "significant" is defined as "An accident loading condition other than differential pressure is considered significant when the addition of such loads in the assessment of the structural integrity performance criterion could cause a lower structural limit or limitingburst/collapse condition to be established." For tube integrity evaluations, except for circumferential degradation, axial thermal loads are classified as secondary loads. For circumferential degradation; the classification of axiaf thermal loads as primary or secondary loads will be evaluated on a case-by-case basis. The division between primary and secondary classifications will be based on detailed analysis and/or testing. Structural integrity requires that the primary membrane stress intensity in atube not exceed the yield strength for all ASME Code, Section lll, ServiceLevel A (normal operatrng conditions) and Service Level B (upset or abnormal conditions) transients included in the design specification. This includes safety factors and applicable design basis loads based on ASMECode, Section lll, Subsection NB (Ref. 6) and Draft Regulatory Guide 1.121 (Ref. 7).The accident induced leakage performance criterion ensures that the primary to secondary LEAKAGE caused by a design basis accident, otherthan a SGTR, is within the accident analysis assumptions as described inthe Applicable Safety Analyses section of this Bases. The accident inducedleakage rate includes any primary to secondary LEAKAGE existing prior tothe accident in addition to primary to secondary LEAKAGE induced during the accident.Beaver Valley Units 1 and 2 B 3.4.20 - 4 Revision 0 SG Tube lntegrityB 3.4.20 BASES LCO (continued) The operational LEAKAGE performance criterion provides an observable indication of SG tube conditions during plant operation. The limit onoperational LEAKAGE is contained in LCO 3.4.13, 'RCS Operational LEAKAGE," and limits primary to secondary LEAKAGE through any one SG to 150 galfons per day. This limit is based on the assumption that a single crack leaking this amount would not propagate to a SGTR under the stress conditions of a LOCA or a main steam line break. lf this amount ofLEAKAGE is due to more than one crack, the cracks are very small, and the above assumption is conservative. APPLICABILITY Steam generator tube integrity is chaffenged when the pressuredifferential across the tubes is large. Large differential pressures acrossSG tubes can only be experienced in MODE 1,2,3, or 4.RCS conditions are far less challenging in MODES 5 and 6 than during MODES 1,2,3, and 4. In MODES 5 and 6, primary to secondary differential pressure is low, resulting in lower stresses and reduced potential for LEAKAGE.ACTIONSThe ACTIONS are modified by a Note clarifying that the Conditions maybe entered independently for each SG tube. This is acceptable because the Required Actions provide appropriate compensatory actions for eachaffected SG tube. Complying with the Required Actions may allow for continued operation, and subsequent affected SG tubes are governed bysubsequent Condition entry and application of associated Required Actions.A.1 and A.2A Note modifies Condition A and Required Action A.2 to indicate that anyreference to the repair of SG tubes is only appficable to Unit 2 at this time.The Unit 1 "Steam Generator Program" (in Specification 5.5.5) has no provision for SG tube repair.Condition A applies if it is discovered that one or more SG tubes examined in an inservice inspection satisfy the tube repalr criteria butwere not plugged or repaired in accordance with the Steam GeneratorProgram as required by SR 3.4.20.2. An evaluation of SG tube integrityof the affected tube(s) must be made. Steam generator tube integrity isbased on meeting the SG performance criteria described in the Steam Generator Program. The SG repair criteria define limits on SG tube degradation that allow for flaw growth between inspections while still providing assurance that the SG performance criteria will continue to be Beaver Valley Units 1 and 2B 3.4.20 - 5Revision 0 SG Tube Integrity B 3.4.20 BASES ACTIONS (continued) met. In order to determine if a SG tube that should have been plugged or repaired has tube integrity, an evaluation must be completed that demonstrates that the SG performance criteria will continue to be met until the next refueling outage or SG tube inspection. The tube integritydetermination is based on the estimated condition of the tube at the time the situation is discovered and the estimated growth of the degradation prior to the next SG tube inspection. lf it is determined that tube integrityis not being maintained, Condition B applies.A Completion Time of 7 days is sufficient to complete the evaluation while minimizing the risk of plant operation with a SG tube that may not havetube integrity.lf the evaluation determines that the affected tube(s) have tube integrity, Required Action A.2 allows plant operation to continue until the next refueling outage or SG inspection provided the inspection intervalcontinues to be supported by an operational assessment that reflects theaffected tubes. However, the affected tube(s) must be plugged or repaired prior to entering MODE 4 following the next refueling outage or SG inspection. This Completion Time is acceptable since operation untilthe next inspection is supported by the operational assessment. 8.1 and 8.2lf the Required Actions and associated Completion Tlmes of Condition A are not met or if SG tube integrity is not being maintained, the reactor must be brought to MODE 3 within 6 hours and MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operatingexperience, to reach the desired plant conditions from full powerconditions in an orderly manner and without challenging plant systems.SURVEILLANCE SR 3.4.20.1 REQUIREMENTS During shutdown periods the SGs are inspected as required by this SR and the Steam Generator Program. NEI 97-06, Steam Generator Program Guidelines (Ref. 1), and its referenced EPRI Guidelines, establish the content of the Steam Generator Program. Use of the SteamGenerator Program ensures that the inspection is appropriate andconsrstent with accepted industry practices. During SG inspections a condition monitoring assessment of the SGtubes is performed. The condition monitoring assessment determines the"as found" condition of the SG tubes. The purpose of the condition monitoring assessment is to ensure that the SG performance criteria have been met for the previous operating period.Beaver Valley Units 1 and 2B 3.4.20 - 6Revision 0 SG Tube Integrity B 3.4.20 BASES SURVEILLANCE REQUI REMENTS (continued) The Steam Generator Program in conjunction with the degradation assessment determines the scope of the inspection and the methods used to determine whether the tubes contain flaws satisfying the tube repair criteria. Inspection scope (i.e., whlch tubes or areas of tubing within the SG are to be inspected) is a function of existing and potentialdegradation locations. The Steam Generator Program and the degradation assessment afso specify the inspection methods to be usedto find potential degradation. Inspection methods are a function ofdeg radation morphology, non-destructive exam i nation ( N DE ) tech n iquecapabilities, and inspection locations. The Steam Generator Program defines the Frequency of SR 3.4.20.1.The Frequency is determined by the operational assessment and other limits in the SG examination guidelines (Ref. 8). The Steam Generator Program uses information on existing degradations and growth rates todetermine an inspection Frequency that provides reasonable assurance that the tubing will meet the SG performance criteria at the nextscheduled inspection. In addition, Specification 5.5.5 contains prescriptive requirements concerning inspection intervals to provideadded assurance that the SG performance criteria will be met betweenscheduled inspections. sR 3.4.20.2 A Note modifies SR 3.4.20.2 to indicate that any reference to the repair of SG tubes is only applicable to Unit 2 at this time. The Unit 1 "SteamGenerator Program" (in Specification 5.5.5) has no provision for SG tube repair.During an SG inspection, any inspected tube that satisfies the Steam Generator Program repair criteria is repaired or removed from service by plugging. The tube repair criteria delineated in Specification 5.5,5 are intended to ensure that tubes accepted for continued service satisfy the SG performance criteria with allowance for error in the flaw size measurement and for future flaw growth. ln addition, the tube repaircriteria, in conjunction with other elements of the Steam Generator Program, ensure that the SG performance criteria will continue to be met until the next inspection of the subject tube(s). Reference 1 provides guidance for performing operational assessments to verify that the tubes remaining in service will continue to meet the SG performance criteria.Steam generator tube repairs are only performed using approved repair methods as described in the Steam Generator Program (Specification 5.5.5)Beaver Valfey Units 1 and 2B 3.4.20 - 7Revision 0 SG Tube Integrity B 3.4.24 BASES SURVEILLANCE REQU I REMENTS (continued) The Frequency of prior to entering MODE 4 following a SG inspectionensures that the Surveillance has been completed and all tubes meeting the repair criteria are plugged or repaired prior to subjecting the SG tubesto significant primary to secondary pressure differential. REFERENCES 1.2.3.NEI 97-06, "Steam Generator Program Guidelines."10 CFR 50.67, Accident Source Term.Regulatory Guide 1.183, "Alternative Radiological Source Terms For Evaluating Design Basis Accidents At Nuclear Power Reactors,"10 CFR 50 Appendix A, GDC 19.NRC Generic Letter 95-05, "Voltage-Based Repair Criteria For Westinghouse Steam Generator Tubes Affected By Outside 4.5.Diameter Stress Corrosion Cracking."6. ASME Boiler and Pressure Vessel Code, NB.Subsection 7.8.Draft Regulatory Guide 1.121, "Basis for Plugging Degraded SteamGenerator Tubes," August 1976.EPRI, "Pressurized Water Reactor Steam Generator Examination Guidelines."Beaver Valley Units 1 and 2B 3.4.20 - 8 Revision 0 AccumulatorsB 3.5.1B 3.5 EMERGENCY CORE COOLTNG SYSTEMS (ECCS)B 3.5.1 Accumulators BASES BACKGROUND The functions of the ECCS accumulators are to supply water to thereactor vessel during the blowdown phase of a large break loss of coolant accident (LOCA), to provide inventory to help accomplish the refill phasethat follows thereafter, and to provide Reactor Coolant System (RCS)makeup for a small break LOCA.The blowdown phase of a large break LOCA is the initial period of the transient during which the RCS departs from equilibrium conditions, andheat from fission product decay, hot internals, and the vessel continues tobe transferred to the reactor coolant. The blowdown phase of thetransient ends when the RCS pressure falls to a value approaching that ofthe containment atmosphere.In the refill phase of a large break LOCA, which immediatety follows the blowdown phase, reactor coolant inventory has vacated the core through steam flashing and ejection out through the break. The core is essentially in adiabatic heatup. The balance of accumulator inventory is thenavailable to help fill voids in the lower plenum and reactor vesseldowncomer so as to establish a recovery level at the bottom of the coreand ongoing reflood of the core with the addition of safety injection (Sl)water.The accumulators are pressure vessels partially filled with borated water and pressurized with nitrogen gas. The accumulators are passivecomponents, since no operator or control actions are required in order forthem to perform their function. Internal accumulator tank pressure issufficient to discharge the accumulator contents to the RCS, if RCS pressure decreases below the accumulator pressure.Each accumirlator is piped into an RCS cold leg via an accumulator line and is isolated from the RCS by a motor operated isolation valve and two check valves in series.The accumulator size, water volume, and nitrogen cover pressure areselected so that two of the three accumulators are sufficient to partiallycover the core before significant clad melting or zirconium water reactioncan occur following a LOCA. The need to ensure that two accumulatorsare adequate for this function is consistent with the large break LOCA assumptron that the entire contents of one accumulator will be lost via the RCS pipe break during the blowdown phase of a large break LOCA.Beaver Valley Units 1 and 2 B351-1 Revision 0 AccumulatorsB 3.5.1 BASES APPLICABLE SAFETY ANALYSES The accurnulators are assumed to be OPERABLE in both the large andsmall break LOCA analyses at full power and hot zero power (HZP)steam line break (SLB) analysis (Ref. 1). These are the Design Basis Accidents (DBAs) that estabfish the acceptance limits for the accumulators. Reference to the analyses for these DBAs is used toassess changes in the accumulators as they relate to the acceptance limits.ln performing the LOCA calculations, conservative assumptions are made concerning the availability of ECCS flow. In the early stages of a largebreak LOCA, with or without a loss of offsite power, the accumulators provide the sole source of makeup water to the RCS. The assumption ofloss of offsite power is required by regulations and conservatively imposes a delay wherein the ECCS pumps cannot deliver flow until theemergency diesel generators start, come to rated speed, and go throughtheir timed loading sequence. ln cold leg large break scenarios, the entire contents of one accumulator are assumed to be lost through the break.The limiting large break LOCA is a double ended guillotine break in the cold leg for both Units 1 and 2. During this event, the accumulatorsdischarge to the RCS as soon as RCS pressure decreases to below accumulator pressure.No credit is taken for ECCS pump flow in the analysis until full flow is available. lf offsite power is not available, the analysis accounts for thediesels starting and the pumps being loaded and delivering full flow.Durrng this time, the accumulators are analyzed as providing the solesource of emergency core cooling. No operator action is assumed duringthe blowdown stage of a large break LOCA.The worst case small break LOCA analyses also assume a time delay before pumped flow reaches the core. For the larger range of smallbreaks, the rate of blowdown is such that the increase in fuel clad temperature is terminated solely by the accumulators, with pumped flow then providing continued cooling. As break size decreases, theaccumulators and charging pumps both pfay a part in terminating the rise in clad temperature. As break size continues to decrease, the role of the accumulators continues to decrease until they are not required and the charging pumps become solely responsible for terminating the temperature increase.Thls LCO helps to ensure that the following acceptance criteria established for the ECCS by 10 CFR 50.46 (Ref. 2) will be met following a LOCA: a. Maximum fuel element cladding temperature is < 2200'F, Beaver Valley Units 1 and 2 B 3 5.1-2 Revision 15 AccumulatorsB 3.5.1 BASES APPLICABLE SAFETY ANALYSES (continued)

b. Maximum cladding oxidation is < 0.17 times the total claddingthickness before oxidation,Maximum hydrogen generation from a zirconium water reaction is< 0.01 times the hypothetical amount that would be generated if all of the metal in the cladding cylinders surrounding the fuel, excfudingthe cladding surrounding the plenum volume, were to react, and Core is maintained in a coolable geometry.Since the accumulators discharge during the blowdown phase of a largebreak LOCA, they do not contribute to the long term cooling requirements of 10 CFR 50.46.

For both the large and small break LOCA=analyses, a nominal contained accumulator water volume is used. The nominal water volume assumed in the analyses is within the range of accumulator volumes specified inSurveillance Requirement 3.5.1.2. The contained water volume is not the same as the usable volume of the accumulators, since the accumulatorsare not completely emptied after discharge. For large breaks, an increase in water volume can be either a peak clad temperature penalty or benefit, depending on downcomer filling and subsequent spill through the break during the core reflooding portion of the transient. Therefore,the large break LOCA analyses use a range of accumulator volumes.The Unit 1 ASTRUM large break LOCA analysis statistically calculates the accumulator water volume over the range of accumulator volumesspecified in Surveillance Requirement 3.5.1 .2. For Unit 2, the large break LOCA analysis assumes values of 6898 gallons and 8019 gallons for accumulator volume. The large break LOCA analyses also credit the line water volume from the accumulator to the check valve.The minimum boron concentration is used in the post LOCA boronconcentration calculation. The calculation is performed to assure reactorsubcriticality in a post LOCA environment. Of particular rnterest is the large break LOCA, since no credit is taken for control rod assemblyinsertion. A reduction in the accumulator minimum boron concentration would produce a subsequent reduction in the available containment sumpconcentration for post LOCA shutdown and an increase in the maximum sump pH. The maximum boron concentration is used in determining thecold leg to hot leg recirculation injection switchover time and minimum sump pH.The small break LOCA analysis is performed at the minimum nitrogen cover pressure, since sensitivity analyses have demonstrated that a higher nitrogen cover pressure results in a computed peak clad c.d.Beaver Valley Units 1 and 2 B3.5 1-3Revision 15 AccumulatorsB 3.5.1 BASES APPLICABLE SAFETY ANALYSES (continued) temperature benefit. The maximum nitrogen cover pressure limit prevents accumulator relief valve actuation, and ultimately preservesaccumulator integrity. The accumulators also discharge following a SLB;however, their impact is minor with respect to meeting the design basis DNB limit.The specified Technical Specification values for the usable accumulator volume, boron concentration, and minimum nitrogen pressure areanalysis values. Also, the values specified for nitrogen pressure and volume do not account for instrument uncertainty. The effects on containment mass and energy releases from the accumulators are accounted for in the appropriate analyses (Ref 3).The accumulators satisfy Criterion 3 of 10 CFR 50.36(c)(2xii). LCO The LCO establishes the minimum conditions required to ensure that theaccumulators are avaifable to accomplish their core cooling safety function following a LOCA. Three accumulators are required to ensurethat 100% of the contents of two of the accumulators will reach the core during a LOCA. This is consistent with the assumption that the contentsof one accumulator spill through the break. lf less than two accumulators are injected during the blowdown phase of a LOCA, the ECCSacceptance criteria of 10 CFR 50.46 (Ref.2) could be violated. For an accumulator to be considered OPERABLE, the isolation valvemust be fully open, power removed above 2000 psig, and the limits established in the SRs for usable volume, boron concentration, andnitrogen cover pressure must be met.APPLICABILITY ln MODES 1 and 2, and in MODE 3 with RCS pressure > 1000 psig, the accumulator OPERABILITY requirements are based on full power operation. Although cooling requirements decrease as power decreases,the accumulators are still required to provide core cooling as long as elevated RCS pressures and temperatures exist.This LCO is only applicable at pressures > 1000 psig. At pressures< 1000 psig, the rate of RCS blowdown is such that the ECCS pumps can provide adequate injection to ensure that peak clad temperature remains below the 10 CFR 50 46 (Ref. 2) limit af 2204"F .Beaver Valley Units 1 and 2 B351-4Revision 0 AccumulatorsB 3.5.1 BASES APPLI CAB I LITY (conti nued )ln MODE 3, with RCS pressure < 1000 psig, and in MODES 4,5, and 6, the accumulator motor operated isolation valves are closed to isolate the accumulators from the RCS. This allows RCS cooldown anddepressurization without discharging the accumulators into the RCS orrequiring depressurization of the accumulators. ACTIONS 4.1 lf the boron concentration of one accumulator is not within limits, it mustbe returned to within the limits within 72 hours. In this Condition, ability to maintain subcriticality or minimum boron precipitation time may bereduced. The boron in the accumulators contributes to the assumptionthat the combined ECCS water in the partially recovered core during the early reflooding phase of a large break LOCA is sufficient to keep that portion of the core subcritical. One accumulator below the minimumboron concentration limit, however, will have no effect on available ECCS water and an insignificant effect on core subcriticality during reflood.Boiling of ECCS water in the core during reflood concentrates boron inthe saturated liquid that remains in the core. In addition, current analysistechniques demonstrate that the accumulators discharge following a large main steam line break at hot zero power (HZP)', however, their impact is minor with respect to meeting the design basis departure from nucleate boiling (DNB) limit. Thus, 72 hours is allowed to return the boronconcentration to within limits. 8.1 lf one accumulator is inoperable for a reason other than boron concentration. the accumulator must be returned to OPERABLE status within 24 hours. In this Condition, the required contents of twoaccumulators cannot be assumed to reach the core during a LOCA. Dueto the severity of the consequences should a LOCA occur in theseconditions, the 24 hour Completion Time to open the valve, remove power from the valve operator control circuit, or restore the proper water volume or nitrogen cover pressure ensures that prompt action will betaken to return the inoperable accumulator to OPERABLE status The Completion Time minimizes the potential for exposure of the plant to aLOCA under these conditions and is justified in Reference 4.C 1 and C.2lf the accumulator cannot be returned to OPERABLE status within theassociated Completion Time, the plant must be brought to a MODE inwhich the LCO does not apply. To achieve this status, the plant must beBeaver Valley Units 1 and 2 B 3.5.1 - 5 Revision 0 Accumulators B 3.5.1 BASES ACTIONS (continued) brought to MODE 3 within 6 hours and RCS pressure reduced to< 1000 psig within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.D.1 lf more than one accumulator is inoperable, the plant is in a condition outside the accident analyses; therefore, LCO 3.0.3 must be entered immediately. SURVEILLANCE SR 3.5.1 .1 REQUIREMENTS Each accumulator isolation valve should be verified to be fully open every12 hours. This verification ensures that the accumulators are availablefor injection and ensures timely discovery if a valve should be less than fully open. lf an isolation valve is not fully open, the rate of injection to the RCS would be reduced. Although a motor operated valve position should not change once power is removed from the control circuit, a closed valve could result in not meeting accident analyses assumptions. This Frequency is considered reasonable in view of other administrative controls that ensure a mispositioned isolation vaJve is unlikely. SR 3.5.1 .2 and SR 3.5.1 .3 Every 12 hours, the usable borated water volume and nitrogen cover pressure are verified for each accumulator. The required accumulator water volumes and minimum nitrogen pressure value are analysis values.The values specified for accumulator water volume do not include the line water volume from the accumulator to the check valve and do not account for instrumentation uncertainty. Simllarly, the values specified for the nitrogen cover pressure also do not account for instrumentationuncertainty. The Frequency is sufficient to ensure adequate injection during a LOCA. Because of the static design of the accumulator, a 12 hour Frequency usually aflows the operator to identify changes before limits are reached. Operating experience has shown this Frequency to beappropriate for early detection and correction of off normal trends.Beaver Valley Units 1 and 2 B35.1 -6 Revision 4 Accumulators B 3.5.1 BASES SURVEILLANCE REQU I REMENTS (continued) sR 3.5.1.4 The value specified for boron concentration is an analysis value. The boron concentration should be verified to be within required limits for each accumulator every 31 days since the static design of the accumulators limits the ways in which the concentration can be changed. The 31 day Frequency is adequate to identify changes that could occur from mechanisms such as stratification or inleakage. Sampling the affectedaccumulator within 6 hours after a > 1% accumulator volume increase will identify whether inleakage has caused a reduction in boron concentrationto below the required limit. lt is not necessary to verify boronconcentration if the added water inventory is from the refueling water storage tank (RWST), because the water contained in the RWST is within the accumulator boron concentration requirernents. This is consistent with the recommendation of NUREG-1366 (Ref. 5).sR 3.5 1.5 Verification every 31 days that power is removed from each accumulator isolation valve operator control circuit when the RCS pressure is > 2000 psig ensures that an active failure could not result in the undetected closure of an accumulator motor operated isolation valve. lf this were to occur, only one accumulator would be available for injection given a single failure coincident with a LOCA. Power is removed from theaccumulator motor operated isolation valves control circuits by removing the plug in the lock out jack from the associated control circuits. Since power is removed under administrative control, the 31 day Frequency will provide adequate assurance that power is removed.This SR allows power to be supplied to the motor operated isolation valves control circuits when RCS pressure is < 2000 psig, thus allowing operational flexibility by avoiding unnecessary delays to remove control power during plant startups or shutdowns. REFERENCES 2.4.1.3.UFSAR, Chapter 14 (Unit 1)and UFSAR, Chapter 15 (Unit 2).10 cFR 50 46UFSAR, Chapter 14 (Unit 1) and UFSAR, Chapter 6 (Unit 2).WCAP-15049-A, Risk-lnformed Evaluation of an Extension to Accumulator Completion Times, Rev, 1 , April 1999. NU REG-1 366, February 1 990.5.Beaver Valley Units 1 and 2B 3.5.1 - 7Revision 0 ECCS - Operating B 3.5.2 B 3.5 EMERGENCY CORE COOL]NG SYSTEMS (ECCS)B 3.5.2 ECCS - Operating BASES BACKGROUND The function of the ECCS is to provide core cooling and negative reactivity to ensure that the reactor mre is protected after any of the following accidents: Loss of coolant accident (LOCA), coolant leakage greater than thecapability of the normal charging system,Rod ejection accident, Loss of secondary coolant accident, including uncontrolled steamrelease or loss of feedwater, and Steam generator tube rupture (SGTR).The addition of negative reactivity is designed primarily for the loss of secondary coolant accident where pnmary cooldown could add enough positive reactivity to achieve criticality and return to power.There are three phases of ECCS operation: injection, cold leg recirculation, and hot leg recirculation. ln the injection phase, water istaken from the refueling water storage tank (RWST) and injected into the Reactor Coolant System (RCS) through the cold legs. When sufficient water is removed from the RWST to ensure that enough boron has been added to maintain the reactor subcritical and the containment sumps have enough water to supply the required net positive suction head to the ECCS pumps, suction is switched to the containment sump for cold leg recirculation. After approximately 6.5 hours (Unit 1) or 6 hours (Unit 2), the ECCS flow is shifted to the hot leg recirculation phase to provide abackflush, which would reduce the boiling in the top of the core and any resulting boron precipitation. , The ECCS consists of two redundant, 1OA% capacity trains. Each ECCS train consists of two subsystems: the High Head Safety lnjection (HHSI)subsystem and a Low Head Safety Injection (LHSI) subsystem. The ECCS accumulators and the RWST are also part of the ECCS, but are not considered part of an ECCS flow path as described by this LCO.The ECCS flow paths consist of piping, valves, and pumps such thatwater from the RWST can be injected into the RCS following theaccidents described in this LCO. The Chemical and Volume ControlSystem charging pumps in both units are also utilized as HHSI pumps during a safety injection. For Unit 1, the major component of the HHSI a.b.c.d.Beaver Valley Units 1 and 2 B 3.5.2 - 1Revision 0 ECCS - Operating B 3.5.2 BASESBACKG ROUND (continued)subsystem is a charging pump (HHSI pump) and the major component of the LHSI subsystem is the LHSI pump. For Unit 2, the major component of the HHSI subsystem is a charging pump (HHSI pump). The Unit 2 LHSI subsystem is comprised of a LHSI pump used for the ECCSinjection mode of operation and a recirculation spray pump (2RSS-P21C or 2RSS-P21D) and associated recirculation spray heat exchanger used for the ECCS recirculation mode of operation. The HHSI and LHSI subsystems of each ECCS train are interconnected such that each ECCS train may utilize HHSI or LHSI subsystem components from the other ECCS train. This interconnecting and redundant subsystem design provides the operators with the ability to utilize components from oppositetrains to achieve the required 1O0% flow to the core.For Unit 1, during the injection phase of LOCA recovery, a suction headersupplies water from the RWST to the ECCS pumps. Water from thesupply header enters the LHSI pumps through parallel, normally open, motor operated valves. Water to the HHSI pumps is supplied via parallel motor operated valves to ensure that at least one valve opens on receiptof a safety injection actuation signal. The supply header then branches tothe three HHSI pumps. The discharge from the HHSI pumps divides into three supply lines, each of which feeds the injection lrne to one RCS cold leg. One HHSI pump is dedicated to each train of ECCS. The third pump is a "swing" pump that can be substituted for either dedicated HHSI pump in an ECCS train. The discharge from the LHSI pumps combines intoone line and then divides to feed an injection line to each of the RCS cold legs. Throttle valves in the HHSI injection lines are set to balance the flow to the RCS. This balance ensures sufficient flow to the core to meet the analysis assumptions following a LOCA in one of the RCS cold legs.For Unit 2, during the injection phase of LOCA recovery, a suctron headersupplies water from the RWST to the ECCS pumps. Water from thesupply header enters the LHSI pumps through parallel, normally open, motor operateC valves. Water to the HHSI pumps is supplied via parallel motor operated valves to ensure that at least one valve opens on receipt of a safety injection actuation signal. The supply header then branches to the three HHSI pumps. The discharge from the HHSI pumps is provided to two separate discharge lines, each of which then divides into threesupply lines. Each of these supply lines feeds the injection line to one RCS cold leg. One HHSI pump is dedicated to each train of ECCS. The third pump is a "swing" pump that can be substituted for either dedicated HHSI pump in an ECCS train. The discharge from the LHSI pumps is provided to two separate lines that combine into one line and then divideto feed an injection line to each of the RCS cold legs. Throttle valves in the HHSI lines are set to balance the flow to the RCS and limit pump runout. This balance ensures sufficient flow to the core to meet theanalysis assumptions following a LOCA in one of the RCS cold legs.Beaver Valley Units 1 and 2B 3.5.2 - 2Revisron 0 ECCS - OperatingB 3.5.2 BASESBACKG ROU ND (conti nued )For LOCAs that are too small to depressurize the RCS below the shutoff head of the LHSI pumps, the HHSI pumps supply water until the RCS pressure decreases below the LHSI pump shutoff head. During this period, the steam generators provide part of the core cooling function.For Unit 1, during the recirculation phase of LOCA recovery, LHSI pumpsuction is transferred to the containment sump. The LHSI pumps can also supply the HHSI pumps. Initially, recirculation is through the same paths as the injection phase. Subsequently, recirculation alternates injection between the hot and cold legs.For Unit 2, during the recirculation phase of LOCA recovery, LHSI pumps are stopped and the LHSI function is provided by two of the four recirculation spray pumps (2RSS-P21C and 2RSS-P21D). The dischargeof the two recirculation spray pumps is automatically aligned to the LHSI piping and recirculation spray pump suction is provided from the containment sump. The two recirculation spray pumps can also supply the HHSI pumps. Initially, recirculation is through the same paths as the injection phase. Subsequently, recirculation alternates injection between the hot and cold legs.The HHSI subsystem of the ECCS also functions to supply borated waterto the reactor core following increased heat removal events, such as a main steam line break (MSLB). The limiting design conditions occur when the negative moderator temperature coefficient is highly negative, such as at the end of each cycle. The ECCS subsystems are actuated upon receipt of an Sl signal. lf offsite power is available, the safeguard loads start immediately. lf offsite power is not available, the Engineered Safety Feature (ESF) buses shed normal operating loads and are connected to the emergency diesel generators (EDGs). Safeguard loads are then actuated in the programmed time sequence. The time delay associated with diesel starting, sequenced loading, and pump starting determines the time required before pumped flow is available to the core following a LOCA.The HHSI pumps "A" and "B" are capable of belng automatically started and are powered from separate ESF buses. HHSI pump "C" can be powered from either of the ESF buses that HHSI pump "A" or "8" is powered from. An interlock prevents HHSI pump "C" from being powered from both ESF buses simultaneously. In the event of a safety injection actuation signal coincident with a loss of offsite power, interlocks prevent operation of two HHSI pumps on the same bus to prevent overloading the EDGs.Beaver Valley Units 1 and 2B 3.5.2 - 3Revision 0 ECCS - Operating B 3.5.2 BASES BACKG ROU N D (continued )The active ECCS components, along with the passive accumulators andthe RWST covered in LCO 3.5.1, "Accumulators," and LCO 3.5.4,"Refueling Water Storage Tank (RWST)," provide the cooling waternecessary to meet GDC 35 as discussed in Reference 1.APPLICABLE SAFETY ANALYSES The LCO helps to ensure that the following acceptance criteria for the ECCS, established by 10 CFR 50.46 (Ref.2), will be metfollowing a LOCA:Maximum fuel element cladding temperature is < 2200"F, Maximum cladding oxidation is < 0.17 times the total cladding thickness before oxidation,Maximum hydrogen generation from a zirconium water reaction is< 0.01 times the hypothetical amount generated if all of the metal inthe cladding cylinders surrounding the fuel, excluding the claddingsurrounding the plenum volume, were to react,Core is maintained in a coolable geometry, andAdequate long term core cooling capability is maintained.The LCO also limits the potential for a post trip return to power following an MSLB event and ensures that containment temperature limits are met.Each ECCS subsystem is taken credit for in a large break LOCA event at full power (Ref. 3). This event establishes the requirement for runout flowfor the ECCS pumps, as well as the maximum response time for their actuation. The HHSI pumps are credited in a small break LOCA event. The small break LOCA is an important consideration in determining the performance requirements of the HHSI pumps. The SGTR and MSLBevents also credit the HHSI pumps. The OPERABILITY requirements forthe ECCS are based on the following LOCA analysis assumptions:A large break LOCA event, with a loss of offsite power or offsite power available and a srngle failure disabling one ECCS train and A small break LOCA event, with a loss of offsite power and a singlefailure disabling one ECCS train. a.b.c.d.e.a.b.Beaver Valley Units 1 and 2 B 3.5.2 - 4 Revision 0 ECCS - Operating B 3.5.2 BASES APPLICABLE SAFETY ANALYSES (continued) During the blowdown stage of a LOCA, the RCS depressurizes as primary coolant is ejected through the break into the containment. Thenuclear reaction is terminated either by moderator voiding during largebreaks or control rod insertion for small breaks. Following depressurization, emergency cooling water is injected into the cold legs,flows into the downcomer, fills the lower plenum, and refloods the core.The effects on containment mass and energy releases are accounted for in appropriate analyses (Ref. a). The LCO ensures that an ECCS trainwill deliver sufficient water to match boiloff rates soon enough to minimizethe consequences of the core being uncovered following a large LOCA. ltalso ensures that the HHSI pumps will deliver sufficient water during asmall LOCA to maintain RCS inventory. For smaller LOCAs, the HHSI pump delivers sufficient fluid to maintain RCS inventory. For a smallbreak LOCA, the steam generators continue to serve as a heat sink,providing part of the required core cooling.The ECCS trains satisfy Criterion 3 of 10 CFR 50.36(c)(2xii). LCO In MODES 1 , 2, and 3, two independent (and redundant) ECCS trains arerequired to ensure that sufficient ECCS flow is available, assuming a single failure affecting either train. Additionally, individual componentswithin the ECCS trains may be called upon to mitigate the consequencesof other transients and accidents.For Unit 1, in MODES 1 ,2, and 3, an ECCS train consists of an HHSI subsystem and an LHSI subsystem. Each train includes the piping, instruments, and controls to ensure an OPERABLE flow path capable oftaking suction from the RWST upon a safety injection actuation signal and transferring suction to the containment sump during the recirculation phase of operation. For Unit 2, in MODES 1,2, and 3, an ECCS train consists of an HHSI subsystem and an LHSI subsystem. The Unit 2 LHSI subsystem includes a recirculation spray pump capable of supplying the Sl flow path duringthe recirculation phase of operation. Each train includes the piping, instruments, and controls to ensure an OPERABLE flow path capable oftaking suction from the RWST upon an Sl signal and transferring suctionto the containment sump during the recirculation phase of operation. Beaver Valley Units 1 and 2B 3.5.2 - 5Revision 0 ECCS - OperatingB 3.5.2 BASES LCO (continued) During an event requiring ECCS actuation, a flow path is required to provide an abundant supply of water from the RWST to the RCS via the ECCS pumps and their respective supply headers to each of the three cold leg injection nozzles. In the long term, this flow path may be switched to take its supply from the containment surnp and to supply its flow simultaneously to both the RCS hot or cold legs for Unit 1. The flow path from the containment sump is cycled alternatively between the RCScold legs or hot legs for Unit 2.The flow path for each train must maintain its designed independence toensure that no single failure can disable both ECCS trains.The LCO is modified by three Notes. Note 1 provides an exception allowing the LHSI flow paths to be isolated for 2 hours in MODE 3, undercontrolled conditions, to perform pressure isolation valve testing perSR 3.4.14.1. The flow path is readily restorable from the control room.As indicated in Note 2, operation in MODE 3 with one required charging pump made incapable of injecting in order to facilitate entry into or exitfrom the Applicability of LCO 3.4.12, "Overpressure Protection System (OPPS)," is necessary when OPPS enable temperature is at or near theMODE 3 boundary temperature of 350"F. LCO 3.4.12 requires that onerequired charging pump be rendered incapable of injecting at and below the OPPS enable temperature. When this temperature is at or near theMODE 3 boundary temperature, time is needed to make a required charging pump incapable of injecting prior to entering the OPPSApplicability, and provide time to restore the inoperable pump to OPERABLE status on exiting the OPPS Applicability.Note 3 is only applicable to Unit 1. As indicated in Note 3, operation inMODE 3 with the Unit 1 ECCS automatic high head safety injection (HHSI) flow path isolated in order to facilitate entry into or exit from theApplicability of LCO 3.4.12, "Overpressure Protection System (OPPS)," isnecessary when the OPPS enable temperature is at or near the MODE 3 boundary temperature of 350"F. LCO 3.4.12 reguires that the Unit 1 ECCS automatic HHSlflow path be isolated when any RCS cold leg temperature is < the enable temperature specified in the PTLR. Whenthis temperature is near the MODE 3 boundary temperature, Note 3 provides time to isolate the ECCS automatic HHSI flow path prior to entering the OPPS Applicability, and to restore the flow path on exitingthe OPPS Applicability.Beaver Valley Units 1 and 2 B3.52-6 Revision 0 ECCS - Operating B 3.5.2 BASES APPLICABILITY ln MODES 1, 2, and 3, the ECCS OPERABILITY requirements for the limiting Design Basis Accident, a large break LOCA, are based on full power operation. Although reduced power would not require the same level of performance, the accident analysis does not provide for reducedcooling requirements in the lower MODES. MODE 2 and MODE 3 requirements are bounded by the MODE 1 analysis.This LCO is only applicable in MODE 3 and above. Below MODE 3, the Sl signal setpoint is manually bypassed by operator control, and system functional requirements are relaxed as described in LCO 3.5.3, "ECCS -Shutdown." ln MODES 5 and 6, plant conditions are such that the probability of an event requiring ECCS injection is extremely low. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops -MODE 5, Loops Filled," and LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled." MODE 6 core cooling requirements are addressed by LCO 3.9.4, "Residual Heat Removal (RHR) and Coolant Circulation - High Water Level," and LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation - Low Water Level." ACT]ONS A.1 With one or more trains inoperable and at least rcA% of the ECCS flow equivalent to a single OPERABLE ECCS train available, the inoperablecomponents must be returned to OPERABLE status within 72 hours. The 72 hour Completion Time is based on an NRC reliability evaluation (Ref. 5) and is a reasonable time for repair of many ECCS components. An ECCS train is inoperable if it is not capable of delivering design flow tothe RCS. Individual components are inoperable if they are not capable of performing their design function or supporting systems are not available. The LCO requires the OPERABILITY of a number of independentsubsystems. Due to the redundancy of trains and the diversity ofsubsystems, the inoperability of one active component in a train does not render the ECCS incapable of performing its function. Neither does the inoperability of two different components, each in a different train,necessarily result in a loss of function for the ECCS (e.g , an lnoperable HHSI pump in one train and an inoperable LHSI pump in the other train).This allows increased flexibility in plant operations under circumstances when components in opposite trains are inoperable.An event accompanied by a loss of offsite power and the failure of an EDG can disable one ECCS train until power is restored. A reliability analysis (Ref. 5) has shown that the impact of having one full ECCS train inoperable is sufficiently small to justify continued operation for 72 hours.Beaver Valley Units 1 and 2 B3.52-7Revision 0 ECCS - Operating B 3.5.2 BASESACTIONS (continued) B.1 and B.2lf the inoperable trains cannot be returned to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must bebrought to MODE 3 within 6 hours and MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full powerconditions in an orderly manner and without challenging plant systems.c.1Condition A is appficable with one or more trains inoperable. The allowedCompletion Time is based on the assumption that at least 100% of theECCS flow equivalent to a single OPERABLE ECCS train is available. With less than l\Ooh of the ECCS flow equivalent to a single OPERABLE ECCS train available, the facillty is in a condition outside of the accidentanalyses. Therefore, LCO 3.0.3 must be entered immediately. SURVEILLANCE SR 3.5.2.1 REQUIREMENTS Verification of proper valve posrtion ensures that the flow path from the ECCS pumps to the RCS is maintained. Misalignment of these valvescould render both ECCS trains inoperable. Securing these valves by removing the plug from the lockout circuit of valve operator control circuitensures they cannot change position as a result of active failure or be inadvertently misaligned. These valves are of the type that can disable the function of both ECCS trains and invalidate the accident analyses. A 12 hour Frequency is considered reasonable because other administrative controls will decrease the chance of a mispositioned valve.sR 3.5.2.2 Verification that the HHSI pump minimum flow valve (MOV-1CH-373 forUnit 1 and 2CHS.MOV373 for Unit 2) is open with power removedensures that spurious or inadvertent closure of this valve is prevented. Closure of this valve could cause overheating of each of the HHSI pumps (potentially rendering both ECCS trains inoperable). Securing this valve in position by removal of power ensures that it cannot change position asa result of an active failure or be inadvertently misaligned. The verification that the valve is in the open posrtion may be accomplished byverifying flow through the minimum flow path using control room indication, by local verification of correct valve stem position, or by localflow verification using temporary instruments. The verification that the Beaver Valley Units 1 and 2 B35.2-8 Revision 0 ECCS - OperatingB 3.5.2 BASESSURVEI LLANCE REQU I REMENTS (continued)valve motor operator is de-energized may be accomplished by verifyingthe absence of valve position indicator lights. A 12 hour Frequency is considered reasonable in view of other administrative controls that will ensure a mispositioned valve is unlikely.sR 3.5.2.3Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provides assurance that the proper flow paths will exist for ECCS operation. This SR does not applyto valves that are locked, sealed, or otherwise secured in position, since these were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an actuation signal is allowed to be in a nonaccident position provided the valve will automatically repositionwithin the proper stroke time. This Surveillance does not require anytesting or valve manipulation. Rather, it involves verrfication that thosevalves capable of being mispositioned are in the correct position. The31 day Frequency is appropriate because the valves are operated under administrative control, and an improper valve position would only affect a single train. This Frequency has been shown to be acceptable throughoperating experience.sR 3.5.2.4Periodic surveillance testing of ECCS pumps to detect gross degradation caused by impeller structural damage or other hydraulic component problems is required by the ASME Code. This type of testing may be accomplished by measuring the pump developed head at only one pointof the pump characteristic curve. This verifies both that the measured performance is within an acceptable tolerance of the original pump baseline performance and that the performance at the test flow is greaterthan or equal to the performance assumed in the ECCS Flow Analysis excluding the Unit 2 recirculation spray pumps 2RSS-P21C and 2RSS-P21D. The specific acceptance criteria of the "required developed head" for each ECCS pump may be found in the lnservice Testing (lST)Program and the ECCS Flow Analysis, as applicable. The term "required developed head" refers to the pump performance at a given flow pointthat is assumed in the ECCS Flow Analysis. This is possible since the analysis assumes the pump deltvers different flows at different times during accident mitigation. These multiple points are represented by a curve. The values at various flow points are defined by the Minimum Operating Point (MOP) curve in the lST. The verification that the pump's developed head at the flow test point is greater than or equal to therequired developed head is performed by using the MOP curye.Beaver Valley Units 1 and 2 B 3.5.2 - I Revision 0 ECCS - Operating B 3.5.2 BASES SURVEILLANCE REQU I REMENTS (continued) For the Unit 2 recirculation spray pumps 2RSS-P21C and 2RSS-P21D, the term "required developed head" refers to the value that is assumed in the Containment lntegrity Safety Analysis for the recirculation spray pump's developed head at a specific flow point. This value for the required developed head at a flow point is defined as the MOP in the 1ST Program. The verification that the pump's developed head at the flow test point is greater than or equal to the required developed head is performedby using a MOP curve. The MOP curve is contained in the IST Programand was developed using the required developed head at a specific flow point as a reference point. From the reference point, a curve was drawnwhich is a constant percentage below the current pump performancecurye. Based on the MOP curye, a verification is performed to ensurethat the pump's developed head at the flow test point is greater than or equal to the required developed head. SRs are specified in the IST Program of the ASME Code. The ASME Code provides the activities andfrequencies necessary to satisfy the requirements.SR 3.5.2.5 and SR 3.5.2.6These Surveillances demonstrate that each automatic ECCS valveactuates to the required position on an actual or simulated Sl signal andthat each ECCS pump, except 2RSS-P21C and 2RSS-P21D, starts on receipt of an actual or simulated Sl signal. The Unit 2 recirculation spray pumps 2RSS-P21C and 2RSS-P21D start on a receipt of an actual or simulated coincidence Containment Pressure - High High signal and RWST Level Low signal or a coincidence RWST Level Extreme Low andSl signal.For the Automatic Switchover to the Containment Sump function of the ECCS, these Surveillances include a verification of the associatedrequired slave relay operation. The Automatic Switchover to theContainment Sump, Function 7 in LCO 3.3.2, "Engineered Safety FeatureActuation System'(ESFAS) Instrumentation," does not include arequirement to perform a SLAVE RELAY TEST due to equipment safety concerns if such a test was performed at power. Therefore, verification ofthe required slave relay OPERABILITY for the Automatic Switchover tothe Containment Sump ESFAS function is included in these 18-monthECCS Surveillances. This Surveillance is not required for valves that arelocked, sealed, or otherwise secured in the required position under administrative controls.The 18 month Frequency is based on the need to perform theseSurveillances under the conditions that apply during a plant outage and the potential for unplanned plant transients if the Surveillances were performed with the reactor at power. However, this does not preclude performance of this Surveillance at power when it can be accomplished in Beaver Valley Units 1 and 2 B352-10Revision 6 ECCS - OperatingB 3.5.2 BASESSURVEI LLANCE REQU I REM ENTS (continued)a safe manner. The 18 month Frequency is also acceptable based onconsideration of the design reliability (and confirming operatingexperience) of the equipment. The actuation logic is tested as part ofESF Actuation System testing, and equipment performance is monitored as part of the lnservice Testing Program.sR 3.5.2.7Periodic inspections of the accessible regions of the containment sump suction inlet strainers ensure that they are unrestricted, free of structuraldistress or abnormal corrosion, and stay in proper operating condition.Accessible regions of the sump strainers are those regions that can be visually examined without disassembling the strainer assembly or the grating and cover plates over the strainer assembly. The 18 monthFrequency is based on the need to perform this Surveillance under theconditions that apply during a plant outage, and on the need to haveaccess to the location. However, this does not preclude performance ofthis Surveillance at power when it can be accompfished in a safe manner.This Frequency has been found to be sufficient to detect abnormaldegradation and is confirmed by operating experience. REFERENCES 1.UFSAR, Appendix 1A, "1971 AEC General Design Criteria Conformance, " (Unit 1) and UFSAR, Section 3.1, "Conformancewith U.S. Nuclear Regulatory Commission General Design Criteria, (Unit 2).10 cFR 50.46.UFSAR, Section 14.3 (Unit 1)and UFSAR, Section 15.6.5 (Unit 2).UFSAR, Section 14.3.4 (Unit 1) and UFSAR, Section 6.2.1 (Unit 2).5. NRC Memorandum to V. Stello, Jr., from R.L. Baer, "RecommendedInterim Revisions to LCOs for ECCS Components," December 1. 1975.2.3 4.Beaver Valley Units 1 and 2B 3.5.2 - 11 Revision 6 ECCS - ShutdownB 3.5.3 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.3 ECCS - Shutdown BASES BACKGROUNDThe Background section for Bases 3.5.2, "ECCS - Operating," is applicable to these Bases, with the following modifications. For Unit 1, in MODE 4, the required ECCS train consists of two subsystems: High Head Safety Injection (HHSI) and the Low Head Safety lnjection (LHSI). For Unit 2, in MODE 4, the required ECCS trainconsists of two subsystems: HHSI and the LHSI (which includes a LHSI pump and recirculation spray pump 2RSS-P21C or 2RSS-P21D and associated heat exchanger). The ECCS flow paths consist of piping, valves, and pumps such thatwater from the refueling water storage tank (RWST) can be injected into the Reactor Coolant System (RCS) following the accidents described inBases 3.5.2. APPLICABLE SAFETY ANALYSESThe Applicable Safety Analyses section of Bases 3.5.2 also applies tothis Bases section.Due to the stable condrtions associated with operation in MODE 4 and the reduced probability of occurrence of a Design Basis Accident (DBA), the ECCS operational requirements are reduced. lt is understood in these reductions that certain automatic safety injection (Sl) actuation is not available. ln this MODE, sufficient time exists for manual actuation of therequired ECCS to mitigate the consequences of a DBA.Only one train of ECCS is required for MODE 4. This requirementdictates that single failures are not considered during this MODE of operation. The ECCS trains satisfy Criterion 3 of 10 CFR 50.36(c)(2xii). LCO ln MODE 4, one of the two independent (and redundant) ECCS trains is required to be OPERABLE to ensure that sufficient ECCS flow is available to the core following a DBA.For Unit 1, in MODE4, an ECCS train consists of an HHSI subsystemand an LHSI subsystem. The train includes the piping, instruments, andcontrols to ensure an OPERABLE flow path capable of taking suctionfrom the RWST upon being manually realigned and transferring suction tothe containment sump during the recirculation phase of operation. ForUnit 2, in MODE 4, an ECCS train consists of an HHSI subsystem and aLHSI subsystem that includes a LHSI pump used in the injection mode ofBeaver Valley Units 1 and 2 B35.3-1 Revision 0 ECCS - Shutdown B 3.5.3 BASES LCO (continued)operation and recirculation spray pumps 2RSS-P21C or 2RSS-P21D (asapplicable) and associated heat exchangers capable of supplying the Sl flow path during the recirculation mode of operation. The train includes the piping, instruments, and controls to ensure an OPERABLE flow pathcapable of taking suction from the RWST upon being manually realignedand transferring suction to the containment sump during the recirculationmode of operation. During an event requiring ECCS actuation, a flow path is required to provide an abundant supply of water from the RWST to the RCS via the ECCS pumps and their respective supply headers to each of the three cold leg injection nozzles. In the long term, this flow path may be switched to take its supply from the containment sump and to deliver its flow simultaneously to both the RCS hot or cold legs for Unit 1. The flow path from the containment sump is cycled alternately between the RCScold legs or hot legs for Unit 2. APPLICABILITYln MODES 1,2, and 3, the OPERABILITY requirements for ECCS are covered by LCO 3.5.2.In MODE 4 with RCS temperature below 350"F, one OPERABLE ECCStrain is acceptable without single failure consideration, on the basis of the stable reactivity of the reactor and the limited core cooling requirements. In MODES 5 and 6, plant conditions are such that the probability of an event requiring ECCS injection is extremely low. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops -MODE 5, Loops Filled," and LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled." MODE 6 core cooling requirements are addressed byLCO 3.9.4, "Residual Heat Removal (RHR) and Coolant Circulation - HighWater Level," and LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation - Low Water Level." ACTIONSA Note prohibits the application of LCO 3.0.4.b to an inoperable ECCShigh head subsystem when entering MODE

4. There is an increased risk associated with entering MODE 4 from MODE 5 with an inoperable ECCShigh head subsystem and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with theLCO not met after performance of a risk assessment addressinginoperable systems and components, should not be applied in this circumstance.Beaver Valley Units 1 and 2 B3.53-2 Revision 0 ECCS - ShutdownB 3.5.3 BASES ACTIONS (continued) 4.1 With no ECCS train OPERABLE, the plant is not prepared to respond to Design Basis Events requiring Sl.

The t hour Completion Time to restoreat least one ECCS train to OPERABLE status ensures that prompt action is taken to provide the required cooling capacity or to initiate actions to place the plant in MODE 5, where an ECCS train is not required.8.1 When the Required Actions of Condition A cannot be completed withinthe required Completion Time, the plant must be placed in MODE 5.Twenty-four hours is a reasonable time, based on operating experience,to reach MODE 5 in an orderly manner and without challenging plant systems or operators. SURVEILLANCE SR 3.5.3.1 REQUIREMENTS The applicable Surveillance descriptions from Bases 3.5.2 apply.REFERENCES The applicable references from Bases 3.5.2 apply. Beaver Valley Units 1 and 2B 3.5.3 - 3Revrsion 0 B 3.s EMERGENCY CORE COOLING SYSTEMS (ECCS)B 3.5.4 Refueling Water Storage Tank (RWST)BASES BACKGROUNDThe RWST supplies borated water to the Chemical and Volume Control System (CVCS) during abnormal operating conditions, to the refuelingcavity during refueling, and to the ECCS and the Quench Spray Systemduring accident conditions.The RWST supplies water to the ECCS pumps through a common supply header. Water from the supply header enters the Low Head Safety Injection (LHSI) pumps through parallel, normally open, motor operatedvalves. Water to the charging pumps (i.e., the High Head Safety Injection (HHSI) pumps) is supplied via parallel motor operated valves to ensure that at least one valve opens on receipt of a safety injection actuation signal. The supply header then branches to the three HHSI pumps. The RWST supplies water to the quench spray pumps via separate redundantlines, A motor operated isolation valve is provided to isolate the RWSTfrom the ECCS once the system has been transferred to the recirculationmode. The recirculation mode is entered when pump suction istransferred to the containment sump following receipt of the RWST Low level signal (Unit 1) or the RWST Extreme level signal (Unit 2). Use of a single RWST to supply both trains of the ECCS and Quench Spray System is acceptable since the RWST is a passive component used for a short period of time following an accident, and passive failures are not required to be assumed to occur during the time the RWST is neededfollowing Design Basis Events.The switchover from normal operation to the injection phase of ECCS operation requires changing HHSI pump suction from the CVCS volumecontrol tank (VCT) to the RWST through the use of isolation valves. Eachset of isolation valves is interlocked so that the VCT isolation valves willbegin to close once the RWST isolation valves are fully open. Since theVCT is under pressure, the preferred pump suction will be from the VCTuntil the tank is isolated. This will result in a delay in obtaining the RWST borated water. The effects of this delay are discussed in the Applicable Safety Analyses section of these Bases.During normal operation, the LHSI pumps of the ECCS and the quench spray pumps are aligned to take suction from the RWST.The ECCS pumps are provided with recirculation lrnes that ensure each pump can maintain minimum flow requirements when operating at or nearshutoff head conditions. Beaver Valley Units 1 and 2 B354-1 Revision 0 RWSTB 3.5.4 BASES BACKG ROUN D (continued) When the suction for the ECCS pumps is transferred to the containmentsump, the recirculation flow paths are isolated from the RWST to preventa release of the containment sump contents to the RWST, which coufdresult in a release of contaminants to the atmosphere. This LCO ensures that:a. The RWST contains sufficient borated water to support the ECCSduring the injection phase and the Quench Spray System, b. Sufficient water volume exists in the containment sump to supportcontinued operation of the ECCS and Recirculation Spray System pumps at the time of transfer to the recirculation mode of cooling, and c. The reactor remains subcritical following a loss of coolant accident (LOCA).Insufficient water volume in the RWST could result in insufficient cooling capacity when the transfer to the recirculation mode occurs. lmproperboron concentrations could result in a reduction of SDM or excessiveboric acid precipitation in the core following the LOCA, as well asexcessive caustic stress corrosion of mechanical components andsystems inside the containment. APPLICABLE SAFETY ANALYSESDuring accident conditions, the RWST provides a source of boratedwater to the ECCS and Quench Spray System pumps. As such, it provides containment cooling and depressurization, core cooling, andreplacement inventory and is a source of negative reactivity for reactor shutdown (Ref. 1). The design basis transients and applicable safetyanalyses concerning each of these systems are discussed in the Applicable Safety Analyses section of B 3.5.2, "ECCS - Operating," B 3.5.3, "ECCS - Shutdown," and B 3.6.6, "Quench Spray System." These analyses are used to assess changes to the RWST in order to evaluate their effects in relation to the acceptance limrts in the analyses. The RWST must also meet volume, boron concentration, and temperature requirements for certain non-LOCA events. The volume is not an explicit assumption in non-LOCA events since the required volume rs a small fraction of the available volume. The usable volume limit is setby the LOCA and containment analyses. For the RWST, the usablevolume is different from the total volume contained since, due to thedesign of the tank, more water can be contained than can be delivered. Beaver Valley Units 1 and 2B 3.5.4 - 2Revision 0 RWSTB 3.5.4 BASES APPLICABLE SAFETY ANALYSES (continued)The minimum boron concentration is an explicit assumption in the mainsteam line break (MSLB) analysis to ensure the required shutdown capability. The minimum boron concentratlon limit is an important assumption in ensuring the required shutdown capability. The maximumboron concentration is an explicit assumption in "Spurious Operation ofthe Safety Injection System at Power" (Unit 1) and "lnadvertent Operation of the ECCS During Power Operation" (Unit 2), however, the results arevery insensitive to boron concentration. The maximum temperature ensures that the amount of cooling provided from the RWST during the heatup phase of a feedline break is consistent with safety analysisassumptions; the minimum temperature is an assumption in both the MSLB analysis and the "Spurious Operation of the Safety lnjectionSystem at Power" (Unit 1)and "lnadvertent Operation of the ECCSDuring Power Operation" (Unit 2).The RWST temperature impacts the large and small break LOCA peak cladding temperature (PCT) calculations, and the LOCA and MSLB containment peak pressure calculations.LOCA PCT Calculations:The large break LOCA analysis assumes that the quench spraytemperature is equal to the RWST lower limit of 45F. The lower RWST temperature results in a reduced containment backpressure, whichincreases steam binding, reducing the flooding rate and results in an increased PCT. The smalf break LOCA analysis assumes an RWSTtemperature of 65'F. Containment Integrity Calculations:Both the LOCA and MSLB containment integrity analyses credit the quench spray to reduce the containment pressure following the accident.The LOCA and MSLB containment analyses assume that the quench spray temperature is greater than or equal to the upper RWST temperature limit of 65"F. A higher RWST temperature results in areduced cooling and condensation spray capability, and therefore highercalculated containment pressures.The MSLB analysis has considered a delay associated with the lnterlockbetween the VCT and RWST isolation valves, and the results show thatthe departure from nucleate boiling design basis is met. The assumedresponse times are provided in the Licensing Requirements Manual.Beaver Valley Units 1 and 2 B35.4-3 Revision 0 BASES APPLICABLE SAFETY ANALYSES (continued)For a large break LOCA analysis, the minimum usable water volume of 317,000 gallons (Unit 1) and 368,000 gallons (Unit 2) and the lower boron concentration limit of 24OO ppm are used to compute the post LOCAsump boron concentration necessary to assure subcrittcality. The large break LOCA is the limiting case with respect to assuring subcriticality,since the safety analysis assumes that all control rods are out of the core.The containment iodine removal offsite dose radiological analysis andcontainment sump pH analysis and HHSI pump net positive suction headcalculation assume a minimum useable volume of 430,500 gallons (Unit 1) and 859,248 gallons (Unit 2), and therefore establish the required limit.The upper limit on boron concentration of 2600 ppm is used to determinethe maximum allowable time to switch to hot leg recirculation following alarge break LOCA. The purpose of switching from cold leg to hot leginjection is to avoid boron precipitation in the core following the accident.The RWST satisfies Criterion 3 of 10 CFR 50.36(cX2xii). LCOThe RWST ensures that an adequate supply of borated water is availableto cool and depressurize the containment ln the event of a Design Basis Accident (DBA), to cool and cover the core in the event of a LOCA, tomaintain the reactor subcritical following a DBA, and to ensure adequatelevel in the containment sump to support ECCS and Recirculation Spray System pump operation in the recirculation mode.To be considered OPERABLE, the RWST must meet the usable watervolume, boron concentration, and temperature limits established in the SRs.APPLICABILITY ln MODES 1,2, 3, and 4, RWST OPERABILITY requirements aredictated by ECCS and Quench Spray System OPERABILITYrequirements. Since both the ECCS and the Quench Spray System must be OPERABLE in MODES 1, 2, 3, and 4, the RWSf must also be OPERABLE to support their operation. Core cooling requirements inMODE 5 are addressed by LCO 3.4.7, "RCS Loops - MODE 5, LoopsFilled," and LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled."MODE 6 core cooling requirements are addressed by LCO 3.9.4,"Residual Heat Removal (RHR) and Coolant Circulation - High WaterLevel," and LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation - Low Water Level."Beaver Valley Units 1 and 2B 3.5.4 - 4 Revision 0 BASES ACTIONS A.1With RWST boron concentration or borated water temperature not within limits, they must be returned to within limits within 8 hours. Under theseconditions neither the ECCS nor the Quench Spray System can perform its design function. Therefore, prompt action must be taken to restore thetank to OPERABLE status. The 8 hour limit to restore the RWSTtemperature or boron concentration to within limits was developedconsidering the time required to change either the boron concentration ortemperature and the fact that the contents of the tank are still available for injection and spray. 8.1 With the RWST inoperable for reasons otherthan Condition A (e.g., watervolume), it must be restored to OPERABLE status within t hour. ln this Condition, neither the ECCS nor the Quench Spray System can perform its design function. Therefore, prompt action must be taken torestore the tank to OPERABLE status or to place the plant in a MODE inwhich the RWST is not required. The short time limit of t hour to restorethe RWST to OPERABLE status is based on this conditionsimultaneously affecting redundant trains.C.1 and C.2lf the RWST cannot be returned to OPERABLE status within theassociated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must bebrought to at least MODE 3 within 6 hours and to MODE 5 within36 hours. The allowed Completion Times are reasonable, based onoperating experience, to reach the required plant condrtions from full power conditions in an orderly manner and without challenging plant systems.Beaver Valley Units 1 and 2 B35.4-5 Revision 0 BASES SURVEILLANCE SR 3.5.4.1 REQUIREMENTSThe RWST borated water temperature should be verified every 24 hoursi",i;#ff :"",';#i:'"ffi l[?i,i jffi:*lllJ:iffi

i'.TtJil'approach either limit and has been shown to be acceptable through operating experience.

The SR is modified by a Note that eliminates the requirement to perform this Surveillance when ambient air temperatures are within the operatinglimits of the RWST. With ambient air temperatures within the band, theRWST temperature should not exceed the limits.sR 3.5.4.2The RWST water volume should be verified every 7 days to be above the required usable level in order to ensure that a sufficient initial supply isavailable for injection and the Quench Spray System and to support continued ECCS and Recirculation Spray System pump operation on recirculation. Since the RWST volume is normally stable and ismonitored by a level alarm, a 7 day Frequency is appropriate and hasbeen shown to be acceptable through operating experience.sR 3.5.4 3The boron concentration of the RWST should be verified every 7 days tobe within the required limits. This SR ensures that the reactor will remain subcritical following a LOCA. Further, it assures that boron precipitation in the core will not occur and that the resulting sump pH will bemaintained in an acceptable range so the effect of chloride and causticstress corrosion on mechanical systems and components will beminimized. Since the RWST volume is normally stable, aT day samplingFrequency to verify boron concentration is appropriate and has beenshown to be acceptable through operating experience. REFERENCES

1. UFSAR, Chapter 14 (Unit 1)and UFSAR, Chapter 6 and Chapter 15 (Unit 2)Beaver Valley Unlts 1 and 2 B 3.5.4 - 6Revision 0 Seal Injection FlowB 3.5.5B 3.5 EMERGENCY CORE COOLTNG SYSTEMS (ECCS)B 3.5.5 Seal lnjection Flow BASES BACKGROUNDThe function of the seal injection throttle vafves during an accident is similar to the function of the ECCS throttle valves in that each restrictsflow from the charging pump header to the Reactor Coolant System (RCS).The restriction on reactor coolant pump (RCP) seal injection flow limits theamount of ECCS flow that would be diverted from the injection path following an accident. This limit is based on safety analysis assumptionsthat are required because RCP seal injection flow is not isolated during Sl.The RCP seal injection flow is restricted by the seal injection line flow resistance which is adjusted through positioning of the manual sealinjection throttle valves. The RCP seal injection flow is determined bymeasuring the charging pump discharge pressure, and the RCP sealinjection flow rate.The seal injection flow control valve fails open to ensure that, in the eventof either loss of air or loss of control signal to the valve, when the charging pumps are supplying charging flow, seal injection to the RCP seals is maintained. Positioning of the seal injection flow control valve may vary during normal plant operating conditions, resulting in a proportional change to RCP seal injection flow. The flow provided by seal injection throttle valves will remain fixed when seal injection flow controlvalve is repositioned provided the throttle vafve position(s) are not adjusted.APPLICABLE SAFETY ANALYSES ECCS subsystems are taken credit for in the large break loss ofcoolant accident (LOCA) at full power (Ref. 1). The minimum flow provided by the ECCS pumps is modeled in the LOCA analysis.

The charging pumps are also credited in the small break LOCA analysls. The small break LOCA analysis establishes the flow and discharge head atthe design point for the charging pumps. The steam generator tuberupture, feedline break and main steam line break event analyses also credit the charging pumps, but are not limiting in their design. Reference to these analyses is made in assessing changes to the Seal lnjectlon System for evaluation of their effects in relation to the acceptance limits inthese analyses.This LCO ensures that seal injection flow will be sufficient for RCP sealintegrity but limited so that the ECCS trains will be capable of delivering suffrcient water to match boiloff rates soon enough to minimize uncovering of the core following a large LOCA. lt also ensures that the Beaver Valley Unlts 1 and 2 B35.5-1 Revision 0 Seal Injection FlowB 3.5.5 BASES APPLICABLE SAFETY ANALYSES (continued) charging pumps will deliver sufficient water for a small LOCA and sufficient boron to maintain the core subcritical. For smaller LOCAs, the charging pumps alone deliver sufficient fluid to overcome the loss and maintain RCS inventory.Seal injection flow satisfies Criterion2 of 10 CFR 50.36(cX2xii). LCOThe intent of the LCO limit on seal injection flow is to make sure that flow through the RCP seal water injection line is low enough to ensure that sufficient charging pump injection flow is directed to the RCS via the injection points.The LCO is not strictly a flow limit, but rather a flow limit based on a flowline resistance. In order to establish the proper flow line resistance, a pressure and flow must be known. The flow line resistance is determinedby assuming that the RCS pressure is at normal operating pressure andthat the charging pump discharge pressure is greater than or equal to the value specified in this LCO. The charging pump discharge pressure remains essentially constant through all the applicable MODES of this LCO. A reduction in RCS pressure would result in more flow being diverted to the RCP seal injection line than at normal operating pressure.The valve settings established at the prescribed charging pump discharge pressure result in a conservative valve position should RCS pressuredecrease. The additional modifier of this LCO, the seal injection flowcontrol valve being full open, is required since the valve is designed to fail open for the accident condition. With the discharge pressure and control valve position as specified by the LCO, a flow limit is established. lt isthis flow limit that is used in the accident analyses.The limit on seal injection flow must be met to ensure that the ECCS isOPERABLE. lf these conditions are not met, the ECCS flow will not beas assumed in the accident analyses. APPLICABIL ITYIn MODES 1, 2, and 3, the seal injection flow limit is dictated by ECCSflow requirements, which are specified for MODES 1,2,3, and 4. The seal injection flow limit is not applicable for MODE 4 and lower; however,because high seal injection flow is less critical as a result of the lowerinitial RCS pressure and decay heat removal requirements ln theseMODES. Therefore, RCP seal injection flow must be limited inMODES 1 , 2, and 3 to ensure adequate ECCS performance.Beaver Valley Units 1 and 2B 3.5.5 - 2 Revision 0 Seal Injection FlowB 3.5.5 BASES ACTlONS 4.1With the seal injection flow outside its limit, the amount of charging flowavailable to the RCS may be reduced. ln this Condition, action must be taken to restore the flow to within its limit with charging pump discharge pressure > 2457 psig and the seal injection control valve full open. Theoperator has 4 hours from the time the flow is known to be outside the limit to correctly position the manual valves and thus be in compliancewith the accident analysis. The Completion Time minimizes the potentialexposure of the plant to a LOCA with insufficient injection flow and provides a reasonable time to restore seal injection flow within limits.This time is conservative with respect to the Completion Times of otherECCS LCOs; it is based on operating experience and is sufficient for taking corrective actions by operations personnel. 8.1 and 8.2 When the Required Actions cannot be completed within the required Completion Time, a controlled shutdown must be initiated. The Completion Time of 6 hours for reaching MODE 3 from MODE 1 is a reasonable time for a controlled shutdown, based on operatingexperience and normal cooldown rates, and does not challenge plantsafety systems or operators. Continuing the shutdown begun in RequiredAction 8.1 , an additional 6 hours is a reasonable time, based onoperating experience and normal cooldown rates, to reach MODE 4,where this LCO is no longer applicable. SURVE]LLANCE SR 3.5.5.1 REQUIREMENTSVerification every 31 days that the manual seal injection throttle valvesare adjusted to give a flow within the limit ensures that the ECCS injection flows stay within the safety analysis assumptions. The flow shall beverrfied by confirming seal injection flow <28 gpm with the RCS at normal operating pressure, the seal injection flow control valve full open, and the charging pump discharge pressure >- 2457 psig. The seal injection flow control valve in the flow path between the charging pump discharge and the RCS must be fully open during this Surveillance to correlate with the acceptance criteria. The Frequency of 31 days is based on engineering judgment and is consistent with other ECCS valve Surveillance Frequencies. The Frequency has proven to be acceptable through operating experience. Beaver Valley Units 1 and 2 B 3.5.5 - 3Revision 0 Seal Injection Flow B 3.5.5 BASESSURVEI LLANCE REQUI REM ENTS (continued)As noted, the Surveillance is not required to be performed until 4 hours after the RCS pressure has stabilized within s + 20 psig range of normal operating pressure. The RCS pressure requirement is specified since this configuration will produce the required pressure conditions necessaryto assure that the manual valves are set correctly. The exception is limited to 4 hours to ensure that the Surveillance is timely.REFERENCES

1. UFSAR, Chapter 14 (Unit 1)and UFSAR, Chapter6 and Chapter 15 (Unit 2).Beaver Valley Units 1 and 2 B35.5-4Revision 0 ContainmentB 3.6.1 B 3.6 CONTAINMENT SYSTEMSB 3.6.1 Containment BASES BACKGROUND The containment consists of the concrete reactor building, its steel liner, and the penetrations through this structure. The structure is designed tocontain radioactive materiaf that may be released from the reactor core following a design basis loss of coolant accident (LOCA). Additionally, this structure provides shielding from the fission products that may be present in the containment atmosphere following accident conditions.

The containment is a reinforced concrete structure with a cylindrical wall, a flat foundation mat, and a dome roof. The inside surface of thecontainment is lined with a carbon steel liner to ensure a high degree of leak tightness during operating and accident conditions. The concrete reactor building is required for structural integrity of the containment under Design Basis Accident (DBA) conditions. The steel liner and its penetrations establish the leakage limiting boundary of thecontainment. Maintaining the containment OPERABLE limits the leakageof fission product radioactivity from the containment to the environment. SR 3.6.1.1 leakage rate requirements comply with 10 CFR 50, Appendix J, Option B (Ref. 1), as modified by approved exemptions. The isolation devices for the penetrations in the containment boundary are a part of the containment leak tight barrier. To maintain this leak tight barrier.a. All penetrations required to be closed during accident conditions are either:1. Capable of being closed by an OPERABLE automatic containment isolation system or2. Closed by manual valves, blind flanges, or de-activatedautomatic valves secured in their closed positions, except as provided in LCO 3.6.3, "Containment lsolation Valves,"b. Each air lock is OPERABLE, except as provided in LCO 3.6.2,"Containment Air Locks."The equipment hatch is closed, andThe sealing mechanism associated with each penetration (e.9.,welds, bellows, or O-rings) is OPERABLE.d.Beaver Valley Units 1 and 2B 3.6.1 - 1Revision 0 ContainmentB 3.6.1 BASES APPLICABLE SAFETY ANALYSES The safety design basis for the containment is that the containment must withstand the pressures and temperatures of the limiting Design Basis Accident (DBA) without exceeding the design leakage rate. The DBAs that result in a challenge to containment OPERABILITY from high pressures and temperatures are a LOCA, a steam line break, and a rod ejection accident (REA) (Ref. 2). ln addition, release of significant fission product radioactivity within containment can occur from a LOCA orREA. In the DBA analyses, it is assumed that the containment is OPERABLE such that, for the DBAs involving release of fission product radioactivity, release to the environment is controlled by the rate ofcontainment leakage. A main steam line break inside containment is not evaluated as the dose consequences are bounded by a main steam line break outside containment. The containment was designed with anallowable leakage rate of 01% of containment air weight per day (Ref. 3).This leakage rate, used to evaluate offsite doses resulting from accidents, is defined in 10 CFR 50, Appendix J, Option B (Ref. 1), as L": the maximum allowable containment leakage rate at the calculated peakcontainment internal pressure (P") resulting from the limiting design basisLOCA. The allowable leakage rate represented by L" forms the basis for the acceptance criteria imposed on all containment leakage rate testing.L" is assumed to be 0.1% per day in the safety analysis at P" = 43.1 psig (for Unit 1) and 44.8 psig (for Unit 2) (Ref. 3).Satisfactory leakage rate test results are a requirement for the establishment of containment OPERABILITY. The containment satisfies Criterion 3 of 10 CFR 50.36(c)(2xii). LCO Containment OPERABILITY is maintained by limiting leakage to < 1.0 L,, except during the first unit startup prior to entering MODE 4 after performing a required Containment Leakage Rate Testing Program leakage test. At this time the other applicable leakage limits specified in the Containment Leakage Rate Testing Program must be met.Compliance with this LCO will ensure a containment configuration, including equipment hatch, that is structurally sound and that will limit leakage to those leakage rates assumed in the safety analysis.Individual leakage rates for the containment air lock (LCO 3.6.2) arespeclfied in the Containment Leakage Rate Testing Program and are not specifically part of the acceptance criteria of 10 CFR 50, Appendix J.Therefore, leakage rates exceeding the air lock limits only result in thecontainment being inoperable when the leakage results in exceeding the overall acceptance criteria of 1.0 Lu.Beaver Valley Units 1 and 2B 3 6.1 -2Revision 6 Containment B 3.6.1 BASES APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material into containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure andtemperature limitations of these MODES. Therefore, containment is not required to be OPERABLE in MODE 5 to prevent leakage of radioactivematerial from containment. The requirements for containment during MODE 6 are addressed in LCO 3.9.3, "Containment Penetrations." ACTIONS A.1 ln the event containment is inoperable, containment must be restored to OPERABLE status within t hour. The t hour Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining containment during MODES 1, 2, 3, and 4. This time period also ensures that the probability of an accident (requiringcontainment OPERABILITY) occurring during periods when containment is inoperable is minimal. B.1 and 8.2 lf containment cannot be restored to OPERABLE status within the requiredCompletion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. Theallowed Completion Times are reasonable, based on operating experience,to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.SURVEILLANCE SR 3.6.1 .1 REQUIREMENTS Maintaining the containment OPERABLE requires compliance with the visual examinations and leakage rate test requirements of the Containment Leakage Rate Testing Program. Failure to meet air lock leakage limits specified in LCO 3.6.2 does not invalidate the acceptability of these overall leakage determinations unless the air lock leakage contribution to overall Type A, B, and C leakage causes that leakage to exceed the following limits. As-left leakage prior to entering MODE 4 during the first unit startup after performing a required ContainmentLeakage Rate Testing Program leakage test is required to be < 0.6 Lu for combined Type B and C leakage, and < 0.75 Lu for overall Type A leakage. At all other times between required leakage rate tests, the acceptance criteria is based on the overall integrated containment leakage limit of < 1.0 L". At < 1.0 L" the offsite dose consequences are bounded by the assumptions of the safety analysis. SR Frequencies Beaver Valfey Units 1 and 2B 3.6.1 - 3 Revision 0 ContainmentB 3.6.1 BASES SURVEI LLANCE REQUI REMENTS (continued) are as required by the Containment Leakage Rate Testing Program. These periodic testing requirements verify that the containment leakage rate does not exceed the leakage rate assumed in the safety analysis.REFERENCES

1. 10 CFR 50, Appendix J, Option B.

2. UFSAR, Chapter 14 (Unit 1), and UFSAR, Chapter 15 (Unit 2).3. UFSAR, Section 5.2 (Unit 1), and UFSAR, Section 6.2 (Unit 2).Beaver Valley Units 1 and 2 B 3.6.1 - 4 Revision 0 Containment Air Locks B 3.6.2 B 3.6 CONTAINMENT SYSTEMS B 3.6.2 Containment Air Locks BASES BACKGROUND Containment air locks form part of the containment pressure boundary and provide a means for personnel access during all MODES of operation.

Each air lock is nominally a right circular cylinder with a door at each end.The emergency air lock is significantly smaller than the personnel airlock and is not used for routine containment entry and exit. The doors are interlocked to prevent simultaneous opening. During periods when containment is not required to be OPERABLE, the door interlock mechanism may be disabled, allowing both doors of an air lock to remainopen for extended periods when frequent containment entry is necessary. The emergency air lock, which is located in the equipment hatch opening, is normally removed from the containment building during a refuelingoutage. Each air lock door has been designed and tested to certify its ability to withstand a pressure in excess of the maximum expected pressure following a Design Basis Accident (DBA) in containment. As such, closure of a single door supports containment OPERABILITY. Each of the doors contains double o-ring seals and local leakage rate testing capability to ensure pressure integrity. DBA conditions that increase containment pressure will result in increased sealing forces on the personnel air lock inner door and both doors on the emergency air lock. As the outer door on the personnel air lock is the only one of these doors that opens outward from containment, it is periodically tested in amanner where the containment DBA pressure is attempting to overcome the door sealing forces.The containment air locks form part of the containment pressureboundary. As such, air lock integrity and leak tightness is essential for maintaining the containment leakage rate within limit in the event of a , DBA. Not maintaining air lock integrity or leak tightness may result in a leakage rate in excess of that assumed in the unit safety analyses. APPLICABLE SAFETY ANALYSESThe DBAs that result in a release of radioactive material withincontainment and containment pressurization are a loss of coolant accident (LOCA) and a rod ejection accident (REA) (Ref. 1). A mainsteam line break inside containment is not evaluated as the dose consequences are bounded by a main steam ltne break outsidecontainment. In the analysis of a design basis LOCA or REA, it is assumed that containment is OPERABLE such that release of fission products to the environment is controlled by the rate of containmentleakage. The containment was designed with an allowable leakage rateBeaver Valley Units 1 and 2 B 3.6.2 - 1Revision 0 Containment Air LocksB 3.6.2 BASES APPLICABLE SAFETY ANALYSES (continued) of 0.1o/o af containment air weight per day (Ref. 2). This leakage rate isdefined in 10 CFR 50, Appendix J, Option B (Ref.3), as L" = 0.1%ofcontainment air weight per day, the maximum allowable containmentleakage rate at the calculated peak containment internal pressureP^= 43.1 psig (for Unit 1) and 44.8 psig (for Unit 2) following a design basis LOCA. This allowable leakage rate forms the basis for theacceptance criteria imposed on the SRs associated with the air locks.The containment air locks satisfy Criterion 3 of 10 CFR 50.36(c)(2xii). LCO Each containment air lock forms part of the containment pressure boundary. As part of the containment pressure boundary, the air locksafety function is related to control of the containment leakage rateresulting from a DBA. Thus, each air lock's structural integrity and leaktightness are essential to the successful mitigation of such an event..Each air lock is required to be OPERABLE. For the air lock to beconsidered OPERABLE, the air lock interlock mechanism must beOPERABLE, the air lock must be in compliance with the Type B air lockleakage test, and both air lock doors must be OPERABLE. The interlockallows only one air lock door of an air lock to be opened at one time. This provision ensures that a gross breach of containment does not exist when containment is required to be OPERABLE. Closure of a single door ineach air lock is sufficient to provide a leak tight barrier following postulated events. Nevertheless, both doors are kept closed when'the airlock is not being used for normal entry into or exit from containment. APPLICABILlTY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactivematerial to containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, the containment air locks are not required in MODE 5 to prevent leakage of radioactive materialfrom containment. The requirements for the containment atr locks duringMODE 6 are addressed in LCO 3.9.3, "Containment Penetrations." ACTIONSThe ACTIONS are modified by a Note that allows entry and exit to perform repairs on the affected air lock component. lf the outer door isinoperable, then it may be easily accessed for most repairs. However, ifthe inner door is inoperable it is permissible to enter the air lock through the OPERABLE door, which means there is a short time during which thecontainment boundary is not intact (during access through the OPERABLE door). The ability to open the OPERABLE door, even if itmeans the containment boundary is temporarily not intact, is acceptable Beaver Valley Units 1 and 2B 3.6.2 - 2 Revision 6 Containment Air LocksB 3.6.2 BASESACTIONS (continued)due to the low probability of an event that could pressurize thecontainment during the short time in which the OPERABLE door isexpected to be open. After each entry and exit, the OPERABLE doormust be immediately closed.A second Note has been added to provide clarification that, for this LCO,separate Condition entry is allowed for each air lock. This is acceptable,since the Required Actions for each Condition provide appropriatecompensatory actions for each inoperable air lock. Complying with theRequired Actions may allow for continued operation, and a subsequent inoperable air lock is governed by subsequent Condition entry and application of associated Required Actions.ln the event the air lock leakage results in exceeding the overall containment leakage rate acceptance criteria, Note 3 directs entry into theapplicable Conditions and Required Actions of LCO 3.6.1, "Containment."A.1, A.2, and A.3With one air lock door in one or more containment air locks inoperable,the OPERABLE door must be verified closed (Required Action A.1) ineach affected containment air lock. This ensures that a leak tightcontainment barrier is maintained by the use of an OPERABLE air lock door. This action must be completed within t hour. This specified time period is consistent with the ACTIONS of LCO 3.6.1, which requirescontainment be restored to OPERABLE status within t hour.ln addition, the affected air lock penetration must be isolated by lockingclosed the OPERABLE air lock door within the 24 hour Completion Time.The 24 hour Completion Time is reasonable for locking the OPERABLEair lock door, considering the OPERABLE door of the affected air lock is being maintained closed.Required Action A.3 verifies that an air lock with an inoperable door has been isolated by the use of a locked and closed OPERABLE air lock door. This ensures that an acceptable containment leakage boundary ismaintained. The Completion Time of once per 31 days is based on engineering judgment and is considered adequate in view of the low likelihood of a locked door being mispositioned and other administrativecontrols. Required Action A.3 is modified by a Note that applies to air lock doors located in high radiation areas and allows these doors to beverified locked closed by use of administrative means. Allowingverification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.Beaver Valley Units 1 and 2B 3.6.2 - 3Revision 0 Containment Air LocksB 3.6.2 BASES ACTIONS (continued) 8.1The Required Actions have been modified by two Notes. Note 1 ensuresthat only the Required Actions and associated Completion Times of Condition C are required if both doors in the same air lock are inoperable. With both doors in the same air lock inoperable, an OPERABLE door isnot available to be closed. Reouired Actions C.1 and C.2 are the appropriate remedial actions. The exception of Note 1 does not affecttracking the Completion Time from the initial entry into Condition A; only the requirement to comply with the Required Actions. Note 2 allows useof the air lock for entry and exit for 7 days under administrative controls to perform activities not related to the repair of affected air lock components. Containment entry may be required on a periodic basis to perform Technical Specifications (TS) Surveillances and Required Actions, as wellas other activities on equipment inside containment that are required by TS or activities on equipment that support TS-required equipment. ThisNote is not intended to preclude performing other activities (i.e., non-TSrequired activities) if the containment is entered, using the inoperable air lock, to perform an allowed activity listed above. This allowance isacceptable due to the low probability of an event that could pressurize thecontainment during the short time that the OPERABLE door is expectedto be open. 8.2 and 8.3With an air lock interlock mechanism inoperable in one or more air locks,the Required Actions and associated Completion Times are consistent with those specified in Condition A.The Required Actions have been modified by two Notes. Note 1 ensuresthat only the Required Actions and associated Completion Times ofCondition C are required if both doors in the same air lock are inoperable. With both doors in the same air lock inoperable, an OPERABLE door isnot available to be closed. Reouired Actions C,1 and C.2 are the appropriate remedial actions. Note 2 allows entry into and exit from containment under the control of a dedicated individual stationed at theair lock to ensure that only one door is opened at a time (i.e., the individual per{orms the function of the interlock).Required Action 8.3 is modified by a Note that applies to air lock doorslocated in high radiation areas and allows these doors to be verifiedlocked closed by use of administrative means. Allowing verification byadmrnistrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.Beaver Valley Units 1 and 2B 3.6.2 - 4Revlsion 0 Containment Air LocksB 3.6.2 BASES ACTIONS (continued) C.1. C.2. and C.3 With one or more air locks inoperable for reasons other than thosedescribed in Condition A or B, Required Action C.1 requires action to be initiated immediately to evaluate previous combined leakage rates using current air lock test results. An evaluation is acceptable, since it is overfyconservative to immediately declare the containment inoperable if bothdoors in an air lock have failed a seal test or if the overall air lock leakage is not within limits. In many instances (e.9., only one seal per door has failed), containment remains OPERABLE, yet only t hour (per LCO 3.6.1) would be provided to restore the air lock door to OPERABLE status priorto requiring a plant shutdown. In additlon, even with both doors failing the seal test, the overall containment leakage rate can still be within limits.Required Action C.2 requires that one door in the affected containment air lock must be verified to be closed within the t hour Completion Time.This specified time period is consistent with the ACTIONS of LCO 3.6.1, which requires that containment be restored to OPERABLE status within t hour.Additionally, the affected air lock(s) must be restored to OPERABLEstatus within the 24 hour Completion Time. The specified time period is considered reasonable for restoring an inoperable air lock to OPERABLE status, assuming that at least one door is maintained closed in eachaffected air lock. D.1 and D.2 lf the inoperable containment air lock cannot be restored to OPERABLEstatus within the required Completion Time, the plant must be brought toa MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.SURVEILLANCE REQUIREMENTSsR 3.6.2.1Maintaining containment air locks OPERABLE requires compliance withthe leakage rate test requirements of the Containment Leakage Rate Testing Program. This SR reflects the leakage rate testing requirementswith regard to air lock leakage (Type B leakage tests). The acceptance criteria were established by Technical Specification requirements. The periodic testing requirements verify that the air lock leakage does not Beaver Valley Units 1 and 2 B 3.6.2 - 5Revision 0 Containment Air Locks B 3.6.2 BASES SURVEILLANCE REQU I REM ENTS (continued)exceed the allowed fraction of the overall containment leakage rate. TheFrequency is required by the Containment Leakage Rate Testing Program.The SR has been modified by two Notes. Note 1 states that an inoperable air lock door does not invalidate the previous successful performance of the overall air lock leakage test. This is consideredreasonable since either air lock door is capable of providing a fission product barrier in the event of a DBA. Note 2 has been added to thisSR requiring the results to be evaluated against the acceptance criteriawhich is applicable to SR 3,6.1.1 . This ensures that air lock leakage is properly accounted for in determining the containment leakage rate iswithin the acceptance criteria specified in the Containment Leakage Rate Testing Program.sR 3.6.2.2 The air lock interlock is designed to prevent simultaneous opening of both doors in a single air lock. Since both the inner and outer doors of an airlock are designed to withstand the maximum expected post accident containment pressure, closure of either door will support containment OPERABILITY. Thus, the door interlock feature supports containmentOPERABILITY while the air lock is being used for personnel transit in andout of the containment. Periodic testing of this interlock demonstratesthat the interlock will function as designed and that simultaneous openingof the inner and outer doors will not inadvertently occur. Given that theinterlock mechanism is not normally challenged when the containment airlock door is used for entry and exit (procedures require strict adherenceto single door opening), this test is only required to be performed every24 months. The 24 month Frequency is based on the need to performthis Surveillance under the conditions that apply during a plant outage,and the potential for loss of containment OPERABILIIY if theSurveillance were performed with the reactor at power. The 24 monthFrequency for the interlock is justified based on generic operating experience. The 24 month Frequency is based on engineering judgment and is considered adequate given that the interlock is not challengedduring the use of the airlock. REFERENCES 1.2.3.UFSAR, Chapter 14 (Unit 1), and UFSAR, Chapter 15 (Unit 2).UFSAR, Section 5.2 (Unit 1), and UFSAR, Section 6.2 (Unit 2).10 CFR 50, Appendix J, Option B.Beaver Valley Units 1 and 2 B3.62-6 Revision 0 Containment lsolation ValvesB 3.6.3 B 3.6 CONTAINMENT SYSTEMS B 3.6.3 Containment lsolation Valves BASES BACKGROUNDThe containment isolation valves form part of the containment pressure boundary and provide a means for fluid penetrations not serving accidentconsequence limiting systems to be provided with two isolation barriersthat are closed on a containment isolation signal. These isolation devicesare either passive or active (automatic). Manual valves, de-activatedautomatic valves secured in their closed position (including check valveswith flow through the valve secured), blind flanges, and closed systems are considered passive devices. Check valves, or other automatic valves designed to close without operator action following an accident, areconsidered active devices. Two barriers in series are typically providedfor each penetration so that no single credible failure or malfunction of anactive component can result in a loss of isolation or leakage that exceeds limits assumed in the safety analyses. One of these barriers may be a closed system. These barriers (typically containment isolation valves)make up the Containment lsolation System.The list of containment penetrations and the associated isolation devicescredited for each penetration is specified in the Licensing Requirements Manual (LRM).Automatic isolation signals are produced during accident conditions.Containment Phase "A" isolation occurs upon receipt of a safety injectionsignal. The Phase "A" isolation signal isolates nonessential process linesin order to minimize leakage of fission product radioactivity. Containment Phase "B" isolation occurs upon receipt of a containment pressure-High High signal and isolates the remaining process lines, except systems required for accident mitigation. As a result, the containment isolation valves (and blind flanges) help ensure that the containment atmosphere will be isolated from the environment in the event of a release of fission product radioactivity to the containment atmosphere as a resuJt of a Design Basis Accident (DBA).The OPERABILITY requirements for containment isolation valves help ensure that containment is isolated within the time limits assumed in the safety analyses. Therefore, the OPERABILITY requirements provide assurance that the containment function assumed in the safety analyses will be maintained.Beaver Valley Units 1 and 2 B 3.6.3 - 1Revision 0 Containment lsolation ValvesB 3.6.3 BASES BACKG ROUND (continued) The Shutdown Purge System operates to supply outside air into thecontainment for ventilation and heating and may also be used to reduce the concentration of noble gases within containment prior to and during personnel access. The supply and exhaust lines each contain two42 inch isolation valves. Because of their large size, the 42 inch purge valves are not qualified for automatic closure from their open position under DBA conditions. Therefore, the 42 inch purge valves aremaintained closed in MODES 1, 2, 3, and 4 to ensure the containment boundary is maintained. APPLICABLE SAFETY ANALYSES The containment isolation valve LCO was derived from the assumptionsrelated to minimizing the loss of reactor coolant inventory andestablishing the containment boundary during major accidents. As part ofthe containment boundary, containment isolation valve OPERABILITY supports leak tightness of the containment. Therefore, the safetyanalyses of any event requiring isolation of containment is applicable tothis LCO.The DBAs that result in a release of radioactive material withincontainment and containment pressurization are a loss of coolant accident (LOCA) and a rod ejection accident (REA) (Ref. 1). A main steam line break inside containment is not evaluated as the doseconsequences are bounded by a steam line break outside containment.In the analyses for a design basis LOCA or REA, it is assumed that containment isolation valves are either closed or function to close withinthe required isolation time following event initiation. This ensures thatpotential paths to the environment through containment isolation valves (including containment purge valves) are minimized. The safety analysesassume that the 42 inch purge valves are closed at event initiation.The DBA radiological dose analysis, is based on the alternate sourceterm methodology (Ref. 2). Although the analysis assumes, the containment is isolated to achieve the design feakage rate, the analysisonly specifically models the release from, and isolation of, those valves that provide direct access to the outside atmosphere and which may be open during operation (i.e., vacuum pump suction isolation valves). Dueto the timing of fission product releases assumed in the radiological dose analyses (per Reference 2'1 and the relatively fast operation of the containment isolation valves, the operation of other containment isolation valves, after a DBA, is not specifically modeled. However, the requiredstroke times for containment isolation valves, required to be closed after aDBA, are specified in the LRM and are conservatively maintainedconsistent with the guidance of Reference

3. The radiological doseBeaver Valley Units 1 and 2 B363-2 Revision 0 Containment lsolation ValvesB 3.6.3 BASES APPLICABLE SAFETY ANALYSES (continued)analysis conservatively assumes a post DBA containment leakage at the design leakage rate (L") for the first 24 hours and one half the designleakage rate for the next 29 days after the DBA.The 42 inch containment purge and exhaust valves have not beenevaluated to ensure they can be closed automatically in MODES 1, 2, 3,and 4 to mitigate the effects of a DBA inside containment.

Therefore, the42 inch containment purge and exhaust valves are maintaineddeactivated in the closed position in MODES 1, 2, 3, and 4 to preventspurious or inadvertent operation of the valves.The containment isolation valves satisfy Criterion 3 of10 cFR 50.36(c)(2Xii). LCO Containment isolation valves form a part of the containment boundary.The containment isolation valves' safety function is related to minimizing the loss of reactor coolant inventory and establishing the containmentboundary during a DBA.The automatic power operated isolation valves are required to haveisolation times within limits and to actuate on an automatic isolation signal. The 4?-inch purge valves must be maintained deactivated in the closed position. The valves covered by this LCO are listed along with their associated stroke times in the LRM.The normally closed isolation valves and other passive isolation devicesare considered OPERABLE when manual valves are closed, automatic valves are de-activated and secured in their closed position, blind flanges or pipe caps are in place, and closed systems and hydraulic isolatorbellows are intact. However, ACTIONS Note 1 and SR 3.6.3.2 andSR 3.6.3.3 contain exceptions to this requirement that allow valves to beopen under administrative control. These passive isolationvalves/devices are those listed in the LRM.The containment isolation valve leakage rates are addressed byLCO 3.6.1, "Containment," as Type C testing.This LCO provides assurance that the containment isolation valves and purge valves will perform their designed safety functions to minimize theloss of reactor coolant inventory and establish the containment boundaryduring accidents.Beaver Valley Units 1 and 2 B36.3-3 Revision 0 Containment fsolation ValvesB 3.6.3 BASES APPLICABILITY ln MODES 1 , 2, 3, and 4, a DBA could cause a release of radioactive material to containment. ln MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure andtemperature limitations of these MODES. Therefore, the containment isolation valves are not required to be OPERABLE in MODE 5. The requirements for containment isolation valves during MODE 6 areaddressed in LCO 3.9.3, "Containment Penetrations." ACTIONS The ACTIONS are modified by a Note allowing penetration flow paths,except for 42-inch purge and exhaust valve penetration flow paths, to beunisolated intermittently under administrative controls. These administrative controls consist of stationing a dedicated operator at the valve controls, who is in continuous communication with the control room.In this way, the penetration can be rapidly isolated when a need forcontainment isolation is indicated. Due to the size of the containment purge and exhaust line penetration and the fact that those penetrations exhaust directly from the containment atmosphere to the environment, the penetration flow path containing these valves may not be opened under ad mi nistrative controls. A second Note has been added to provide clarification that, for this LCO, separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable containment isolation valve. Complying with the Required Actions may allow for continued operation, and subsequent inoperable containment isolation valves are governed by subsequent Condition entry and application ofassociated Required Actions.The term "penetration flow path" utilized in the ACTIONS, refers to flow paths through the containment wall that are isolated by at least onecontainment isolation valve or equrvalent (i.e., a closed system, blind flange, etc.). The term "flow paths" used in the ACTIONS is intended to more accurately address containment penetrations that may have more than one flow path. For example, the RCS letdown penetration has three parallel inside power-operated automatic containment isolation valves and a single series outside power-operated automatic containment isolation valve. This penetration has three normal flow paths associated with it. Each inside power-operated automatic containment isolation valve is in series with the single outside containment isolation valve and constitutes a separate flow path. The ACTIONS specifically require the"affected" flow path to be isolated. The ACTIONS may be appliedseparately to each flow path in this penetration. In the example of theRCS letdown penetration described above, if one of the three insidecontainment isolation valves is inoperable, it becomes the "affected" flow path and in accordance with the ACTIONS must be isolated. lsolating the Beaver Valley Units 1 and 2 B 3.6.3 - 4Revision 0 Containment lsolation ValvesB 3.6.3 BASESACTIONS (continued)"affected" flow path in this example may be accomplished by closing the inoperable inside containment isolation valve. As the inside and outsidecontainment isolation valves, in this case, are associated with opposite trains, for both the electric power source and the isolation signal, the remaining two flow paths associated with this penetration may remain inservice since the capability to isolate these remaining flow paths, assuming a single active failure, is unaffected. However, if the singleoutslde RCS letdown isolation valve becomes inoperable, the capability to isolate all the flow paths associated with this penetration, assuming a single failure, would no longer exist. Therefore, all flow paths associated with this penetration would be "affected" and the ACTION to isolate the"affected" flow paths would be applicable to all flow paths associated with this penetration.The ACTIONS are further modified by a third Note, which ensuresappropriate remedial actions are taken, if necessary, if the affectedsystems are rendered inoperable by an inoperable containment isolation valve.A.1 and A.2 ln the event one containment isolation valve in one or more penetration flow paths is inoperable, the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single activefailure. lsolation barriers that meet this criterion are a closed andde-activated automatic containment isolation valve, a closed manual valve, a blind flange, and a check valve with flow through the valve secured. For a penetration flow path isolated in accordance withRequired Action A.1 , the device used to isolate the penetration should bethe closest available one to containment. Required Action A.1 must becompleted within 4 hours. The 4 hour Completion Time is reasonable,considering the time required to isolate the penetration and the relative importance of supporting containment OPERABILITY during MODES 1,2,3, and 4.The use of check valves with flow through the valve secured as an isolation barrier per Required Action A.1 is limited to those check valvesused as the inside containment isolation valve for the affected penetration flow path. This limitation ensures that the use of check valves as anisolation barrier is consistent with the requirements of 10 CFR 50,Appendix A, Criterion 55 and 56. When using check valves as theisolation barrier, action must be taken to secure flow through the checkvalve. The action taken to secure flow may use methods such as (but notlimited to) the closure of another valve in the affected penetration flow Beaver Valley Units 1 and 2 B36.3-5Revrsion 0 Containment lsolation ValvesB 3.6.3 BASES ACTIONS (continued) path. The method used to secure flow to the check valve must not be adversely affected by a single active failure.For affected penetration flow paths that cannot be restored toOPERABLE status within the 4 hour Completion Time and that have been isolated in accordance with Required Action A.1, the affected penetration flow paths must be verified to be isolated on a periodic basis. This is necessary to ensure that containment penetrations required to be isolated following an accident and no longer capable of beingautomatically isolated will be in the isolation position should an eventoccur. This Required Action does not require any testing or device manipulation. Rather, it involves verification that those isolation devices outside containment and capable of being mispositioned are in the correct position. The Completion Time of "once per 31 days for isolation devices outside containment" is appropriate considering the fact that the devicesare operated under administrative controls and the probability of their misalignment is low. For the isolation devices inside containment, the time period specified as "prior to entering MODE 4 from MODE 5 if not performed within the previous 92 days" is based on engineering judgmentand is considered reasonable in view of the inaccessibility of the isolation devices and other administrative controls that will ensure that isolationdevice misalignment is an unlikely possibility.Condition A has been modified by a Note indicating that this Condition is not applicable to penetration flow paths addressed by Condition C. For penetration flow paths with only one containment isolation valve and aclosed system inside containment, Condition C provides the appropriateactions when the single containment isolation valve associated with this type of penetration flow path is inoperable.Required Action A.2 is modified by two Notes. Note 1 applies to isolationdevices located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is consrdered acceptable, since access to theseareas is typically restricted. Note 2 applies to isolation devices that are locked, sealed, or otherwise secured in position and allows these devicesto be verified closed by use of administrative means. Allowing verificationby administrative means is considered acceptable, since the function of locking, sealing, or securing componenis is to ensure that these devices are not inadvertently repositioned. Therefore, the probability of misalignment of these devices once they have been verified to be in theproper position, is small.Beaver Valley Units 1 and 2 B363-6 Revision 0 Containment lsolation ValvesB 3.6.3 BASESACTIONS (continued) 8.1With two containment isolation valves in one or more penetration flow paths inoperable, the affected penetration flow path must be isolatedwithin t hour. The method of isolation must include the use of at feastone isolation barrier that cannot be adversely affected by a single activefailure. lsolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange.The t hour Completion Time is consistent with the ACTIONS of LCO 3.6.1. In the event the affected penetration is isolated in accordancewith Required Action 8.1 , the affected penetration must be verified to be isolated on a periodic basis per Required Action A.2, which remains ineffect. This periodic verification is necessary to assure leak tightness of containment and that penetrations requiring isolation following anaccident are isolated. The Completion Time of once per 31 days for verifying each affected penetration flow path is isolated is appropriateconsidering the fact that the valves are operated under administrative control and the probability of their misalignment is low.C.1 and C.2With one or more penetration flow paths with one containment isolation valve inoperable, the inoperable valve flow path must be restored to OPERABLE status or the affected penetration flow path must be isolated.The method of isolation must include the use of at least one isolationbarrier that cannot be adversely affected by a single active failure.lsolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. A checkvalve may not be used to isolate the affected penetration flow path.Required Action C.1 must be completed within the72 hour CompletionTime. The specified time period is reasonable considering the relativestability of the closed system (hence, reliability) to act as a penetrationisolation boundary and the relative importance of maintaining containmentintegrity during MODES 1,2,3, and 4. ln the event the affected penetration flow path is isolated in accordance with Required Action C.1, the affected penetration flow path must be verified to be isolated on a periodic basis. This periodic verification is necessary to assure leaktightness of containment and that containment penetratrons requiringisolation following an accident are isolated. The Completion Time of once per 31 days for verifying that each affected penetration flow path is isolated is appropriate because the valves are operated under administrative controls and the probability of their misalignment is low.Beaver Valley Units 1 and 2 B36.3-7Revision 0 Containment lsolation ValvesB 3.6.3 BASES ACTIONS (continued)Condition C is modified by a Note indicating that this Condition is onlyappficable to those penetration flow paths with one inoperablecontainment isolation valve connected to a closed system insidecontainment. Containment penetrations that credit a closed system forthe isolation barrier inside containment are those penetrations that havethe inside containment isolation valve identified as a closed system in theLRM. This Note is necessary since this Condition is written to specificallyaddress an inoperable containment isolation valve in those penetration flow paths that use one containment isolation valve connected to a closedsystem inside containment for the required isolation barriers.Required Action C.2 is modified by two Notes. Note 1 applies to valvesand blind flanges located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verificationby administrative means is considered acceptable, since access to these areas is typically restricted. Note 2 applies to isolation devices that are locked, sealed, or otherwise secured in position and allows these devicesto be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since the function oflocking, sealing, or securing components is to ensure that these devices are not inadvertently repositioned. Therefore, the probability of misalignment of these valves, once they have been verified to be in theproper position, is small.D.1 and D.2lf the Required Actions and associated Completion Times are not met, the plant must be brought to a MODE in which the LCO does not apply.To achieve this status, the plant must be brought to at least MODE 3within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging, plant systems.SURVEILLANCE SR 3.6 3.1 REQUIREMENTSEach 42-inch containment purge and exhaust valve is required to be verified deactivated in the closed position every 31 days for valvesoutside containment and prior to entering MODE 4 from MODE 5 if not performed within the previous 92 days for valves inside containment. This Surveillance is designed to ensure that a gross breach of containment is not caused by an inadvertent or spurious opening of a containment purge or exhaust valve. The operation of the containment purge and exhaust valves has not been evaluated to confirm the ability toBeaver Valley Units 1 and 2 B3.63-8Revision 0 Containment lsolation ValvesB 3.6.3 BASESSURVEI LLANCE REQU I REMENTS (continued)close during a LOCA in time to limit offsite doses. Therefore, these valves are required to be deactivated in the closed position duringMODES 1,2,3, and 4. A containment purge or exhaust valve that isdeactivated in the closed position must have motive power to the valve operator removed. This can be accomplished by de-energizing thesource of electric power or by removing control power to the valve operator.sR 3.6.3.2 This SR requires verification that each containment isolation manual valve and blind flange located outside containment and not locked,sealed, or otherwise secured and required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside of the containment boundary iswithin design limits. This SR does not require any testing or valve manipulation. Rather, it involves verification that those containment isolation valves outside containment and capable of being mispositionedare in the correct position. Since verification of valve position for containment isolation valves outside containment is relatively easy, the31 day Frequency is based on engineering judgment and was chosen to provide added assurance of the correct positions. The SR specifies that containment isolation valves that are open under administrative controlsare not required to meet the SR during the time the valves are open. ThisSR does not apply to valves that are locked, sealed, or otherwise securedin the closed position, since these were verified to be in the correct position upon locking, seafing, or securing.The Note applies to valves and blind flanges located in high radiationareas and allows these devices to be verified closed by use ofadministrative means. Allowing verification by administrative means isconsidered acceptable, since access to these areas is typically restrictedduring MODES 1,2,3 and 4 for ALARA reasons. Therefore, the probability of misalignment of these containment isolation valves, oncethey have been verified to be in the proper position, is small.sR 3 6.3.3 This SR requires verification that each containment isolation manualvalve and blind flange located inside containment and not locked, sealed,or othennrise secured and required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage ofradioactive fluids or gases outside of the containment boundary is within design llmits. For containment isolation valves inside containment, the Frequency of "prior to entering MODE 4 from MODE 5 if not performed Beaver Valley Units 1 and 2B 3.6.3 - IRevisron 0 Containment lsolation ValvesB 3.6.3 BASES SURVEILLANCE REQU I REMENTS (continued)within the previous 92 days" is appropriate since these containment isolation valves are operated under administrative controls and the probability of their misalignment is low. The SR specifies that containment isolation valves that are open under administrative controlsare not required to meet the SR during the time they are open. ThisSR does not apply to valves that are locked, sealed, or otherwise securedin the closed position, since these were verified to be in the correct position upon locking, sealing, or securing.This Note allows valves and blind flanges located in high radiation areas to be verified closed by use of administrative means. Allowing verificationby administrative means is considered acceptable, since access to these areas is typically restricted during MODES 1,2,3, and 4, foTALARA reasons. Therefore, the probability of misalignment of these containmentisolation valves, once they have been verified to be in their proper position, is small.sR 3.6.3.4Verifying that the isolation time of each automatic power operated containment isolation valve required to be closed during accident conditions (i.e., Containment lsolation Phase A or B signal) is within limitsis required to demonstrate OPERABILITY. The isolation time testensures that each valve required to automatically rsolate on a Containment lsolation Phase A or B signal will isolate in a time periodconsistent with the assumptions of the safety analyses. The requiredisolation times are specified in the LRM. This Surveillance is not requiredfor valves that are locked, sealed, or otherwise secured in the required position under administrative controls. The Frequency of this SR is in accordance with the Inservice Testing Program.sR 3.6.3.5 Automatic power operated containment isolation valve, r"quir"d to beclosed during accident conditions close on a Phase A or Phase B containment isolation signal to prevent leakage of radioactive material from containment following a DBA. This SR ensures that each automatic power operated containment isolation valve required to be closed duringaccident conditions will actuate to its isolation position on a Phase A or Phase B containment isolation signal. This Surveillance is not requiredfor valves that are locked, sealed, or otherwise secured in the requlred position under administrative controls. The 18 month Freguency is basedon the need to perform this Surveillance under the conditions that applyduring a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. However, thisBeaver Valley Units 1 and 2 B363-10Revision 0 Containment lsolation ValvesB 3.6.3 BASESSURVE ILLANCE REQUI REM ENTS (continued) does not preclude performance of this Surveillance at power when it canbe accomplished in a safe manner. Operating experience has shown thatthese components usually pass this Surveillance when performed at the 18 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint. REFERENCES 1.2.3.UFSAR, Chapter 14 (Unit 1), and UFSAR, Chapter 15 (Unit 2).Regulatory Guide 1.183, July 2000.Standard Review Plan 6.2.4.Beaver Valley Units 1 and 2B 3.6 3 -11Revision 0 Containment PressureB 3.6.4B 3.6 CONTAINMENT SYSTEMS B 3.6.4 BASES Containment Pressure BACKGROUND The containment pressure is limited during normal operation to preservethe initial conditions assumed in the accident analyses for a loss ofcoolant accident (LOCA) or steam line break (SLB). These limits also prevent the containment pressure from exceeding the containment design negative pressure differential with respect to the outside atmosphere inthe event of inadvertent actuation of the Quench Spray System. ln addition, the lower containment pressure limit provides assurance that sufficient net positive suction head exists for the pumps taking suction from the containment sump during the recirculation phase of operationafter a LOCA.Containment pressure is a process variable that is monitored and controlled. The containment pressure limits are derived from the inputconditions used in the containment functional analyses and thecontainment structure external pressure analysis. Should operation occuroutside these limits coincident with a Design Basis Accident (DBA), postaccident containment pressures could exceed calculated values.APPLICABLE SAFETY ANALYSESContainment internal pressure is an initial condition used in the DBAanalyses to establish the maximum peak containment internal pressure.The limiting DBAs considered, relative to containment pressure, are the LOCA and SLB, which are analyzed using computer codes. The worstcase LOCA results in a higher containment pressure than the worst case SLB. Thus, the LOCA event bounds the SLB event from the containmentpeak pressure standpoint (Ref. 1).The initial pressure assumed in the containment analysis was 14.2 psia.This resulted in a maximum peak pressure from a LOCA of 43.1 psig (Unit 1) and 44.8 psig (Unit 2). The containment analysis (Ref. 1) showsthat the maximum peak calculated containment pressure, P", results fromthe limiting LOCA. The maximum containment pressure resulting fromthe worst case LOCA, 43.1 psig (Unit 1) and 44.8 psig (Unit 2), does notexceed the containment design pressure, 45 psig.The containment was also designed for an internal pressure of 8.0 psia.The inadvertent actuation of the Quench Spray System was evaluated todetermine the resulting reduction in containment pressure. The initial pressure condition used in this evaluation was 12.8 psia. This resulted in a minimum pressure inside containment of 11.38 psia, which is within the containment design capability.Beaver Valley Units 1 and 2B 3.6.4 - 1Revision 6 Containment PressureB 3.6.4 BASES APPLICABLE SAFETY ANALYSES (continued) For certain aspects of transient accident analyses, maximizing thecalculated containment pressure is not conservative. ln particular, thecooling effectiveness of the Emergency Core Cooling System during thecore reflood phase of a LOCA analysis increases with increasingcontainment backpressure. Therefore, for the reflood phase, thecontainment backpressure is calculated in a manner designed to conservatively minimize, rather than maximize, the containment pressureresponse in accordance with 10 CFR 50, Appendix K (Ref.2).Containment pressure satisfies Criterion 2 of 10 CFR 50.36(c)(2xii). LCOMaintaining containment pressure at less than or equal to the LCO upper pressure limit ensures that, in the event of a DBA, the resultant peakcontainment accident pressure will remain below the containment design pressure. Maintaining containment pressure at greater than or equal to the LCO lower pressure limit ensures that the containment will not exceedthe design negative differential pressure following the inadvertentactuation of the Quench Spray System. Maintaining containment pressure at greater than or equal to the LCO lower pressure limit alsoensures that sufficient net positive suction head will be available for the Unit 1 recirculation spray and low head safety injection pumps and theUnit 2 recirculation spray pumps.APPLICABILITYln MODES 1, 2, 3, and 4, a DBA could cause a release of radioactivematerial to containment. Since maintaining containment pressure withinlimits is essential to ensure initial conditions assumed in the accidentanalyses are maintained, the LCO is applicable in MODES 1,2,3 and 4.In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, maintaining containment pressure within the limits ofthe LCO is not required in MODE 5 or

6. 'ACTIONS A.1 When containment pressure is not within the limits of the LCO, it must be restored to within these limits within t hour. The Required Action isnecessary to return operation to within the bounds of the containment analysis.

The t hour Completion Time is consistent with the ACTIONS ofLCO 3.6.1 , "Containment," which requires that containment be restored toOPERABLE status within t hour. Beaver Valley Units 1 and 2B 3.6.4 - 2 Revision 0 Containment PressureB 3.6.4 BASES ACfIONS (continued) B.1 and 8.2lf containment pressure cannot be restored to within limits within therequired Completion Time, the plant must be brought to a MODE in whichthe LCO does not apply. To achieve this status, the plant must bebrought to at least MODE 3 within 6 hours and to MODE 5 within36 hours. The allowed Completion Times are reasonable, based onoperating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.SURVEILLANCE SR 3.6.4.1 REQUIREMENTSVerifying that containment pressure is within limits ensures that unit operation remains within the limits assumed in the containment analysis.The 12 hour Frequency of this SR was developed based on operating experience related to trending of containment pressure variations duringthe applicable MODES. Furthermore, the 12 hour Frequency isconsidered adequate in view of other indications available in the controlroom, including alarms, to alert the operator to an abnormal containment pressure condition. REFERENCES 1.2.UFSAR, Chapter 14 (Unit 1), and UFSAR, Section 6.2 (Unit 2).10 CFR 50, Appendix K.Beaver Valley Units 1 and 2B 3.6.4 - 3 Revision 0 Containment Air TemperatureB 3.6.5 B 3.6 CONTAINMENT SYSTEMS B 3.6.5 BASES Containment Ai r Temperature BACKGROUND The containment structure serves to contain radioactive material that maybe released from the reactor core following a Design Basis Accident (DBA). The containment average air temperature is limited during normal operation to preserve the initial conditions assumed in the accident analyses for a loss of coolant accident (LOCA) or steam line break (SLB).The containment average air temperature limits are derived from the inputconditions used in the containment functional analyses and thecontainment structure external pressure analyses. This LCO ensures that initial conditions assumed in the analysis of containment response to aDBA are not violated during unit operations. The total amount of energyto be removed from containment by the Quench and Recirculation Spraysystems during post accident conditions is dependent upon the energyreleased to the containment due to the event. Higher initial temperatureresults in higher peak containment pressure and temperature. Exceedingcontainment design pressure may result in leakage greater than that assumed in the accident analysis. Too low a containment temperature would adversely impact the small break LOCA safety analysis assumptions regarding the automatic actuation of Phase B containment isolation on containment high-high pressure. As such, operation withcontainment temperature outside the LCO limits violates an initialcondition assumed in the accident analysis.APPLICABLE SAFETY ANALYSESContainment average air temperature is an initial condition used in the DBA analyses and is important in establishing environmental qualification (EO) requirements to assure the required equipment inside containment performs as designed during and after a DBA. The upper limit forcontainment average air temperature ensures that operation ismaintained within the assumptions used in the DBA analyses for containment (Ref. 1). The lower containment temperature limit ensures that Containment lsolation Phase B will be actuated by the Containment Pressure - High High setpoint consistent with the assumptions of thesmall break LOCA analysis.The limiting DBAs considered relative to containment OPERABILITY are the LOCA and SLB. The DBA LOCA and SLB are analyzed usingcomputer codes designed to predict the resultant containment pressuretransients. No two DBAs are assumed to occur simultaneously or consecutively. The SLB resulted in the maximum calculated peakcontainment temperature and containment liner temperature. The Unit 1 SLB that resulted in the peak containment temperature occurred atBeaver Valley Units 1 and 2 B3.65-1 Revision 0 Containment Ai r Temperature B 3.6.5 BASES APPLICABLE SAFETY ANALYSES (continued) 100% RTP, with the worst case single failure of a main steam check valve. The Unit 1 SLB that resulted in the peak containment liner temperature occurred at 30% RTP, with the worst case single failure of a main steam check valve. The Unit 2 SLB that resulted in the peak containment temperature occurred at 100% RTP, with the worst case single failure of a main steam isolation valve. The Unit 2 SLB that resulted in the peak containment liner temperature occurred at 0% RTP,with the worst case single failure of a main steam isolation valve.The initial upper containment average air temperature assumed in the design basis analyses (Ref. 1) is 108'F. This resulted in a maximumcontainment air temperature of 355.9"F (for Unit 1) and 345.6'F (forUnit 2) and a maximum containment liner temperature of 257.9"F (forUnit 1) and 249.4"F (for Unit 2). The design temperature of thecontainment liner is 280"F.The containment air temperatures resulting from DBAs are used toestablish EQ requirements (Ref. 2) far equipment inside containment. The EQ requirements provide assurance the equipment inside containment required to function during and after a DBA performs asdesigned during the adverse environmental conditions resulting from aDBA. Air temperature profiles (containment air temperature vs time) are calculated for each DBA to establish EQ design requirements for the equipment inside containment. The equipment inside containment required to function during and after a DBA is confirmed to be capable of performing its design function under the applicable EQ requirement (i.e.,air temperature profile). Maintaining the initial containment air temperature within the required limits preserves the initial conditions assumed in the accident analyses which limits the containment airtemperature and pressure resulting from various DBAs. Limiting thecontainment air temperature and pressure that result from various DBAsensures the equipment inside containment will continue to perform asdesigned during and after a DBA. Therefore, it is concluded that thecalculated transient containment air temperature resulting from variousDBAs, including the most limiting temperature from a SLB, are acceptable. The upper temperature limit is also used in the depressurization evaluation to ensure that the minimum pressure limit is maintainedfollowing an inadvertent actuation of the Quench Spray System (Ref. 3).The containment pressure transient is sensitive to the initial air mass incontainment and, therefore, to the initial containment air temperature.The limiting DBA for establishing the maximum peak containment internal Beaver Valley Units 1 and 2 B 3.6.5 - 2Revision 16 Containment Ai r TemperatureB 3.6.5 BASES APPLICABLE SAFETY ANALYSES (continued) pressure is a LOCA. The temperature limit is used in this analysis toensure that in the event of an accident the design containment internal pressure will not be exceeded.Containment average air temperature satisfies Criterion 2 of1 0 CFR 50.36(c)(2)(ii). LCO During a DBA, with an initial containment average air temperature within the LCO temperature limits, the resultant accident temperature profile assures that the containment structural temperature is maintained below its design temperature and that required safety related equipment willcontinue to perform their function. APPLICABILITY ]n MODES 1, 2, 3, and 4, a DBA could cause a release of radioactivematerial to containment. In MODES 5 and 6, the probability andconsequences of these events are reduced due to the pressure andtemperature limitations of these MODES. Therefore, maintainingcontainment average air temperature within the limit is not required inMODE 5 or 6. ACTIONS A.1When containment average air temperature is not within the limits of theLCO, it must be restored to within llmits within 8 hours. This RequiredAction is necessary to return operation to within the bounds of thecontainment analysis. The I hour Completion Time is acceptableconsidering the sensitivity of the analysis to variations in this parameter and provides sufficient time to correct minor problems.8.1 and 8.2lf the containment average air temperature cannot be restored to within its limit within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, basedon operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.Beaver Valley Units 1 and 2 B 3.6.5 - 3Revision 6 Containment Air TemperatureB 3.6.5 BASES SURVEILLANCE SR 3.6.5.1 REQUIREMENTSVerifying that containment average air temperature is within the LCO limits ensures that containment operation remains within the limit assumed for the containment analyses. In order to determine thecontainment average air temperature, an arithmetic average is calculatedusing measurements taken at locations within the containment selected to provide a representative sample of the overall containment atmosphere.The 24 hour Frequency of this SR is considered acceptable based onobserved slow rates of temperature increase within containment as a result of environmental heat sources (due to the large volume of containment). Furthermore, the 24 hour Frequency is considered adequate in view of other indications available in the control room, including alarms, to alert the operator to an abnormal containment tern perature condition. REFERENCES 1.UFSAR, Chapter 14 (Unit 1), and UFSAR, Section 6.2 (Unit 2).10 cFR 50 49UFSAR, Section 5.2 (Unit 1) and UFSAR, Section 6.2 (Unit 2).2.3.Beaver Valley Units 1 and 2 B 3.6.5 - 4 Revision 0 B 3.6 CONTAINMENT SYSTEMS B 3.6.6 Quench Spray (OS) System BASES BACKGROUND The QS System is designed to provide containment atmosphere coolingto limit post accident pressure and temperature in containment to lessthan the design values. The QS System, operating in conjunction withthe Recirculation Spray (RS) System, is designed to cool and depressurize the containment structure to less than 50o/o of the peak calculated containment pressure within 24 hours following a Design Basis Accident (DBA). Reduction of containment pressure and the iodine removal capability of the spray limit the release of fission product radioactivity from containment to the environment in the event of a DBA.The QS System consists of two separate trains of adequate capacity,each capable of meeting the design bases. Each train includes a spray pump, spray headers, nozzles, valves, and piping. The two Unit 2 containment spray ring headers are shared by both QS System trains.Each train is powered from a separate Engineered Safety Features (ESF)bus. The refueling water storage tank (RWST) supplies borated water to the QS System.The QS System is actuated either automattcally by a Containment High-High pressure signal or manually. The QS System provides a sprayof cold borated water into the upper regions of containment to reduce the containment pressure and temperature during a DBA. Each train of the QS System provides adequate spray coverage to meet the system design requirements for containment heat and iodine fission product removal.The Unit 1 QS System also provides flow to the containment sump toimprove the net positive suction head available to the RS System pumps.The Containment Sump pH Control System provides sodium tetraborate (NaTB) to the containment sump. The NaTB added to the containmentsump water ensures an alkaline pH for the solution recirculated in the containment sump. Control of the containment sump water pH minimizesthe evolution of iodine and minimizes the occurrence of chloride andcaustic stress corrosion on mechanical systems and componentsexposed to the fluid. The QS System is a containment ESF system. lt is designed to ensurethat the heat removal capability required during the post accident period can be attained. Operation of the QS System and RS System providesthe required heat removal capability to limit post accident conditions toBeaver Valley Units 1 and 2 B 3.6.6 - 1 Revision 20 QS System B 3.6.6 BASES BACKG ROUND (continued)less than the containment design values and depressurize thecontainment structure to less than 50% of the peak calculated containment pressure within 24 hours following a DBA.The QS and RS Systems limit the temperature and pressure that could beexpected following a DBA and ensures that containment leakage ismaintained consistent with the accident analysis. APPLICABLE SAFETY ANALYSESThe limiting DBAs considered are the loss of coolant accident (LOCA)and the steam line break (SLB). The LOCA and SLB are analyzed using computer codes designed to predict the resultant containment pressure and temperature transients. No DBAs are assumed to occursimultaneously or consecutively. The postulated DBAs are analyzed, withrespect to the worst case single active failure. The appropriate single failure is assumed in the safety analysis. However, the maximum calculated peak containment pressure results from a LOCA postulated to occur in the RCS hot leg. The calculated peak containment pressurefrom this location occurs during the blowdown phase, prior to theactuation of any safety related equipment, consequently there is no singlefailure assumed in this analysis. The SLB resulted in the maximum calculated peak containment temperature and containment liner temperature. The Unit 1 SLB that resulted in the peak containmenttemperature occurred at 100% RTP, with the worst case single failure of amain steam check valve. The Unit 1 SLB that resulted in the peak containment liner temperature occurred at 30% RTP, with the worst casesingle failure of a main steam check valve. The Unit 2 SLB that resulted in the peak containment temperature occurred at 100% RTP and peak containment liner temperature occurred at 0% RTP, with the worst case single failure of a main steam isolation valve.During normal operation, the containment internal pressure is maintained within the limits of LCO 3.6.4, "Containment Pressure." Maintaining containment pressure within the required limits during operation ensuresthe capability to depressurize the containment to less than 50% of the peak calculated containment pressure within 24 hours after a DBA.The DBA analyses (Ref. 1) show that the maximum peak containment pressure of 43.1 psig (Unit 1) and 44.8 psig (Unit 2) results from the LOCA analysis and is calculated to be less than the containment design pressure. The maximum peak containment atmosphere temperature of 355.9"F (Unit 1) and 345.6'F (Unit 2) and the maxirnum containment ltnertemperature of 257.9"F (Unit 1) and 249.4"F (Unit 2) results from the SLB I analysis. The containment finer design temperature is 280"F. Thecontainment air temperatures resulting from DBAs are used to establishBeaver Valley Units 1 and 2 B3.66-2 Revision 16 QS SystemB 3.6.6 BASES APPLICABLE SAFETY ANALYSES (continued)EQ requirements (Ref. 2) for equipment inside containment. The EQ requirements provide assurance the equipment inside containment required to function during and after a DBA performs as designed during the adverse environmental conditions resulting from a DBA. Air temperature profiles (containment air temperature vs time) are calculated for each DBA to establish EQ design requirements for the equipment inside containment. The equipment inside containment required to function during and after a DBA is confirmed to be capable of performing its design function under the applicable EQ requirement (i.e., air temperature profile). Therefore, it is concluded that the calculatedtra nsient conta i nment atmosphere tem peratu res resu lting from various DBAs, including the most limiting temperature from a SLB, are acceptable.The modeled QS System actuation from the containment analysis isbased upon a response time associated with exceeding the Containment High-High pressure signal setpoint to achieving full flow through the quench spray nozzles. A delayed response time initiation provides conservative analyses of peak calculated containment temperature and pressure responses. The QS System total response time is specified in the Licensing Requrrements Manual (LRM)and includes the signal delay, diesel generator startup time, and system startup time.For certain aspects of accident analyses, maximizing the calculated containment pressure is not conservative. In particular, the cooling effectiveness of the Emergency Core Cooling System during the core reflood phase of a LOCA analysis increases with increasing containment backpressure. For these calculations, the containment backpressure iscalculated in a manner designed to conservatively minimize, rather thanmaximize, the calculated transient containment pressures in accordancewith 10 CFR 50, Appendix K (Ref. 3).lnadvertent actuation of the QS System is, also evaluated, and theresultant reduction in containment pressure is calculated. The maximum calculated reduction in containment pressure does not reduce containment pressure below the minimum containment design pressureof 8.0 psia.The QS System satisfies Criterion 3 of 10 CFR 50.36(c)(2xii).Beaver Valley Units 1 and 2B 3.6.6 - 3 Revision 0 QS SystemB 3.6.6 BASES LCO During a DBA, one train of the QS System is required to provide the heat removal capability assumed in the safety analyses for containment. Toensure that requirements for heat removal are met, two QS System trains must be OPERABLE with power from two safety related, independent power supplies. Therefore, in the event of an accident, at least one train in each system will operate, assuming that the worst case single active failure occurs.Each QS System includes a spray pump, spray headers, nozzles, valves, piping, instruments, and controls to ensure an OPERABLE flow path capable of taking suction from the RWST.APPLICABILITY ln MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment and an increase in containment pressure and temperature requiring the operation of the QS System.In MODES 5 and 6, the probability and consequences of these events arereduced due to the pressure and temperature limitations of theseMODES. Thus, the QS System is not required to be OPERABLE in MODE 5 or 6.ACTlONS A.1 lf one QS train is inoperable, it must be restored to OPERABLE statuswithin 72 hours. The components in this degraded condition are capable of providing 1OA% of the heat removal needs after an accident. The 72hour Completion Time was developed taking into account theredundant heat removal capabilities afforded by the OPERABLE train andthe low probability of a DBA occurring during this period.B.1 and 8.2lf the Required Action and associated Completion Time are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within6 hours and to MODE 5 within 36 hours. The allowed Completion Timesare reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner andwithout challenging plant systems.Beaver Valley Units 1 and 2 B3.66-4 Revision 20 QS SystemB 3.6.6 BASES SURVEILLANCE SR 3.6.6.1 REQUlREMENTSVerifying the correct alignment of manual, power operated, and automaticvalves, excluding check valves, in the QS System provides assurancethat the proper flow path exists for QS System operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since they were verified to be in the correct position prior tobeing secured. This SR does not require any testing or valvemanipulation. Rather, it involves verification that those valves outside containment and capable of potentially being mispositioned are in the correct position.sR 3.6.6.2Verifying that each QS System pump's developed head at the flow test point is greater than or equal to the required developed head ensures that QS System pump performance has not degraded during the cycle. The term "required developed head" refers to the value that is assumed in the Containment Integrity Safety Analysis for the QS pump's developed headat a specific flow point. This value for the required developed head at a flow point is defined as the Minimum Operating Point (MOP) in theInservice Testing (lST) Program. The verification that the pump's developed head at the flow test point is greater than or equal to therequired developed head is performed by using a MOP curye. The MOPcurye is contained in the lST Program and was developed using therequired developed head at a specific flow point as a reference point.From the reference point, a curve was drawn which is a constant percentage below the current pump performance curve. Based on theMOP curve, a verification is performed to ensure that the pump's developed head at the flow test point is greater than or equal to therequired developed head. Flow and differential head are normal test parameters of centrifugal pump performance required by the ASME Code (Ref. a). Since the QS System pumps cannot be tested with flow throughthe spray headers, they are tested on bypass flow. This test confirms one point on the pump design curve and is indicative of overall performance. Such inservice tests confirm component OPERABILITY, trend pedormance, and detect incipient failures by indicating abnormal performance. The Frequency of this SR is in accordance with the Inservice Testing Program.Beaver Valley Units 1 and 2 B366-5 Revision 0 QS SystemB 3.6.6 BASES SURVEILLANCE REQUI REM ENTS (continued)SR 3.6.6.3 and SR 3.6.6.4These SRs ensure that each QS automatic valve actuates to its correct position and each QS pump starts upon receipt of an actual or simulatedcontainment spray actuation signal. This Surveillance is not required forvalves that are locked, sealed, or othenryise secured in the required position under administrative controls. The 18 month Frequency is basedon the need to perform these Surveillances under the conditions thatapply during a plant outage and the potential for an unplanned transient ifthe Surveillances were performed with the reactor at power. However, this does not preclude performance of this Surveillance at power when it can be accomplished in a safe manner. Operating experience has shownthat these components usually pass the Surveillances when performed atan 18 month Frequency. Therefore, the Frequency was concluded to beacceptable from a reliability standpoint.sR 3.6.6.5 This SR is performed following maintenance when the potential for nozzle blockage has been determined to exist by an engineering evaluation.The required evaluation will also specify an appropriate test method for determining the spray header OPERABILITY. This SR ensures that eachspray nozzle is unobstructed and that spray coverage of the containmentduring an accident is not degraded. Due to the passive nature of thedesign of the nozzle, a test following maintenance that results in the potential for nozzle blockage is considered adequate to detect obstructionof the nozzles.REFERENCES 2.3 4.1.UFSAR, Chapter 14 (Unit 1), and UFSAR, Section 6.2 (Unit 2).10 cFR 50.49.10 CFR 50, Appendix K. ASME code for Operation and Maintenance of Nuclear Power Plants.Beaver Valley Units 1 and 2B 3.6.6 - 6Revision 0 RS SystemB 3.6.7 B 3.6 CONTAINMENT SYSTEMS B 3.6.7 Recirculation Spray (RS) System BASES BACKGROUNDThe RS System, operating in conjunction with the Quench Spray (OS)System, is designed to limit the post accident pressure and temperaturein the containment to less than the design values and to depressurize the containment structure to less than 50% of the peak calculated contalnment pressure within 24 hours following a Design Basis Accident (DBA). The reduction of containment pressure and the removal of iodinefrom the containment atmosphere by the spray limit the release of fission product radioactivity from containment to the environment in the event ofa DBA.The RS System consists of two separate trains of adequate capacity,each capable of meeting the design and accident analysis bases.Unit 1 The Unit 1 Recirculation Spray System consists of four 50 percent capacity subsystems (2 per train). Each subsystem is composed of a spray pump, associated heat exchanger and flow path. Two of the recirculation spray pumps are located outside containment (RS-P-2A and RS-P-28) and two pumps are located inside containment (RS-P-1A and RS-P-18). The flow path from each pump is piped to an individual 180'reclrculation spray header inside containment. Train "A" electrical powerand river water is supplied to the subsystems containing recirculation spray pumps RS-P-1A and RS-P-2A. Train "8" electrical power and riverwater is supplied to the subsystems containing recirculation spray pumps RS-P-18 and RS-P-28.Unit 2The Unit 2 Recirculation Spray System consists of four 50 percent capacity subsystems (2 per train). Each subsystem is composed of a spray pump, associated heat exchanger and flow path. All recirculation spray pumps are located outside containment and supply flow to two 360' recirculation spray ring headers located in containment. One spray ring is supplied by the "A" train subsystem containing recirculation spray pump 2RSS-P21A and the "8" train subsystem containing recirculation spray pump 2RSS-P21D with the other spray ring being supplied by the "A" train subsystem containing recirculation spray pump 2RSS-P21C and the"8" train subsystem containing recirculation spray pump 2RSS-P218. When the water in the refueling water storage tank has reached a predetermined Level Extreme Low setpoint, the C and D subsystems are automatically switched to the cold leg recirculation mode of Emergency Core Cooling System (ECCS) operation.Beaver Valley Units 1 and 2 B367-1Revision 3 BASES BACKG ROUND (continued )Each train of the RS System provides adequate spray coverage to meetthe system design requirements for containment heat and iodine fission product removal.The RS System provides a spray of subcooled water into the upperregions of containment to reduce the containment pressure and temperature during a DBA. At Unit 1, upon receipt of a coincident High High Containment Pressure signal (Containment lsolation Phase B (ClB))and a RWST Level Low signal, the Unit 1 RS-P-1Aand RS-P-18 pumps immediately start. The Unit 1 RS-P-2A and RS-P-28 pumps start after a15 t 3 second time delay for emergency generator loadingconsiderations. At Unit 2, upon receipt of a High-High ContainmentPressure signal (Containment lsolation Phase B (ClB)) coincident with anRWST Level Low, all the Unit 2 RS pumps start immediately following receipt of the actuations signal. The RS pumps take suction from the containment sump and discharge through their respective spray coolersto the spray headers and into the containment atmosphere. Heat is transferred from the containment sump water to rrveriservice water ln thespray coolers. The Containment Sump pH Control System provides sodium tetraborateto the containment sump. The sodium tetraborate added to the containment sump ensures an alkaline pH for the solution recirculated in the containment sump. The resulting alkaline pH of the RS spray (pumped from the sump) enhances the ability of the spray to scavengeiodine fission products from the containment atmosphere. Control of the containment sump water pH minimizes the evolution of iodine andminimizes the occurrence of chloride and caustic stress corrosion onmechanical systems and components exposed to the fluid.The RS System is a containment ESF system. lt is designed to ensurethat the heat removal capability required during the post accident period can be attained. Operation of the QS and RS systems provides therequired heat removal capability to limit post accident conditions to lessthan the containment design values and depressurize the containment structure to less than 50% of the peak calculated contalnment pressurewithin 24 hours following a DBA.The RS System limits the temperature and pressure that could be expected following a DBA and ensures that containment leakage is maintained consistent with the accident analysis. Beaver Valley Units 1 and 2 B367 -2Revision 20 BASES APPLICABLE SAFETY ANALYSES The limiting DBAs considered are the loss of coolant accident (LOCA)and the steam line break (SLB). The LOCA and SLB are analyzed using computer codes designed to predict the resultant containment pressureand temperature transients; DBAs are assumed not to occur simultaneously or consecutively. The postulated DBAs are analyzedassuming the worst case single active failure. The appropriate single failure is assumed in the safety analysis. However, the maximum calculated peak containment pressure results from a LOCA postulated tooccur in the RCS hot leg. The calculated peak containment pressure from this location occurs during the blowdown phase, prior to the actuation of any safety related equipment, consequently there is no single failure assumed in this analysis. The SLB resulted in the maximum calculated peak containment temperature and containment linertemperature. The Unit 1 SLB that resulted in the peak containment temperature occurred at 100% RTP, with the worst case single failure of amain steam check valve. The Unit 1 SLB that resulted in the peak containment liner temperature occurred at 30% RTP, with the worst casesingle failure of a main steam check valve. The Unit 2 SLB that resulted in the peak containment temperature occurred at 100% RTP, with theworst case singfe failure of a main steam isolation valve (Ref. 1). The Unit 2 SLB that resulted in the peak containment liner temperature occurred at0% RTP, with the worst case single failure of a main steam isolation valve (Ref. 1).The peak containment pressure following a high energy line break is affected by the initial total pressure and temperature of the containment atmosphere. Maximizing the initial containment total pressure and average atmospheric temperature maximizes the calculated peak pressure.During normal operation, the containment internal pressure is maintainedwithin the limits of LCO 3.6.4, "Containment Pressure." Maintaining containment pressure within the required limits during operation ensuresthe, capability to depressurize the containment to less than 50% of the peak calculated containment pressure within 24 hours after a DBA. This capability and the variation of containment pressure are functions of river/service water temperature, RWST water temperature, and the containment air temperature.The DBA analyses show that the maximum peak containment pressure of 43.1 psig (Unit 1) and 44.8 psig (Unit 2) results from the LOCA analysis and is calculated to be less than the containment design pressure. Themaximum containment atmosphere temperature of 355.9'F (Unit 1) and 346.6"F (Unit 2) and the maximum containment liner temperature of 257.9"F (Unit 1)and 249.4"F (Unit 2) result from the SLB analysis. The containment liner design temperature is 280'F. The containment air temperatures resulting from DBAs are used to establish equipmentqualification (EQ) requirements (Ref . 2) for equipment inside containment. Beaver Valley Units 1 and 2 B367-3Revision 16 RS SystemB 3.6.7 BASES APPLICABLE SAFETY ANALYSES (continued)The EQ requirements provide assurance the equipment inside containment required to function during and after a DBA performs asdesigned during the adverse environmental conditions resulting from aDBA. Air temperature profiles (containment air temperature vs time) are calculated for each DBA to establish EQ design requirements for the equipment inside containment. The equipment inside containmentrequired to function during and after a DBA is confirmed to be capable of performing its design function under the applicable EQ requirement (i.e.,air temperature profile). Therefore, it is concluded that the calculatedtransient contai nment atmosphere tem peratures resulting from variousDBAs, including the most limiting temperature from a SLB, are acceptable. The RS System is not credited in the SLB containment analysis.The RS System actuation model from the containment analysis is basedupon a response time between receipt of the RWST Level Low signal in coincidence with the Containment Pressure High High to achieving full flow through the RS System spray nozzles. A delay in response time initiation provides conservative analyses of peak calculated containmenttemperature and pressure. The RS System maximum time fromcoincidence of Containment Pressure High High and RWST Level Low tothe start of effective RS spray is 65 seconds for Unit 1 and 77 seconds for Unit 2.In the case of the Unit 2 RS System, the containment safety analysismodels the operation of the system consistent with the system design.The Unit 2 analysis models the RS subsystems starting in the spray modeof operation. When the unit is shifted to the ECCS recirculation mode of operation the containment analysis models a reduction in recirculation spray flow to account for the Unit 2 RS subsystems used for the ECCSlow head recirculation function.For certain aspects of accident analyses, maximizing the calculated containment pressure is not conservative. ln particular, the coolingeffectiveness of the Emergency Core Cooling System during the core reflood phase of a LOCA analysis increases with increasrng containmentbackpressure. For these cafculations, the containment backpressure is calculated in a manner designed to conservatively minimize, rather thanmaximize, the calculated transient containment pressures in accordancewith 10 CFR 50, Appendix K (Ref. 3).The RS System satisfies Criterion 3 of 10 CFR 50.36(c)(2xii).Beaver Valley Units 1 and 2B 3.6.7 - 4 Revision 6 BASES LCO During a DBA, one train (two subsystems) of the RS System is required to provide the minimum heat removal capability assumed in the safety analysis. To ensure that this requirement is met, four RS subsystemsmust be OPERABLE. This will ensure that at least one train will operateassuming the worst case single failure occurs. APPLICABILITY]n MODES 1, 2, 3, and 4, a DBA could cause an increase in containment pressure and temperature requiring the operation of the RS System.ln MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of theseMODES. Thus, the RS System is not required to be OPERABLEMODE 5 or 6. ACTIONSThe ACTIONS are modified by a Note that is only applicable to Unit 2.The Note states that in addition to the applicable Required Actions ofLCO 3.6.7, "RS Systeffi," the Conditions and Required Actions ofLCO 3.5.2, "ECCS Operating," or LCO 3.5.3, "ECCS Shutdown," mayalso be applicable when subsystem(s) containing RS pumps 2RSS'P21Cor 2RSS-P21D are inoperable. The Note is provided to identify therelationship of these RS subsystems to the Unit 2 ECCS design.Although the affected subsystems are identified as part of the RS System,they also provide an ECCS safety function (low head recirculation). Therefore, depending on the inoperable condition of these Unit 2 RS subsystems the Actions of one or both of the affected LCOs (RS System and ECCS) may be applicable. A1This Required Action is only applicable to Unit 1. With one of the RS subsystems inoperable, the inoperable subsystem must be restored toOPERABLE status within 7 days. The components in this degradedcondition are capable of providing more than 100% of the heat removal needs (i.e., three of the four RS subsystems remain OPERABLE) after an accident. The 7 day Completion Time was developed taking into account the redundant heat removal capabilities afforded by combinations of theRS and QS systems and the low probability of a DBA occurring during this period.The Action Condition is modified bv a Note that identifies the Action asonly applicable to Unit 1.Beaver Valley Units 1 and 2 B 3.6.7 - 5 Revision 0 RS SystemB 3.6.7 BASESACTIONS (continued) 8.1This Required Action is only applicable to Unit 1. With two of the required RS subsystems inoperable in the one train, at least one of the inoperable RS subsystems must be restored to OPERABLE status within 72 hours.The components in this degraded condition are capable of providing 1}0o/o of the heat removal needs after an accident. The 72 hour Completion Time was developed taking into account the redundant heatremoval capability afforded by the OPERABLE subsystems, a reasonableamount of time for repairs, and the low probability of a DBA occurringduring this period.The Action Condition is modified by a Note that identifies the Action as only applicable to Unit 1. c.1This Required Action is only applicable to Unit 2. With a single RSsubsystem inoperable or two subsystems inoperable in the same train,the inoperable subsystem(s) must be restored to OPERABLE statuswithin 72 hours. The remaining OPERABLE subsystems in this degradedcondition are capable of providing 10A% of the required heat removal andECCS low head recirculation functions after an accident. The 72 hour Completion Time was developed taking into account the redundantcapability afforded by the remaining OPERABLE subsystems, areasonable amount of time for repairs, and the low probability of a DBA occurring during this period.The Action Condition is modified by a Note that identifies the Action asonly applicable to Unit 2.D.1 and D.2lf the inoperable RS subsystem(s) cannot be restored to OPERABLEstatus within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and to MODE 5 within 84 hours. The allowed Completion Time of 6 hours is reasonable,based on operating experience, to reach MODE 3 from full powerconditions in an orderly manner and without challenging plant systems.The extended interval to reach MODE 5 allows additional time and is reasonable considering that the driving force for a release of radioactivematerial from the Reactor Coolant System is reduced in MODE 3.Beaver Valley Units 1 and 2 B 3.6.7 - 6Revision 0 RS SystemB 3.6.7 BASESACTIONS (continued) E.1 With three or more RS subsystems inoperable, the unit is in a condition outside the accident analysis. Therefore, LCO 3.0.3 must be entered immediately. SURVEILLANCE REQUIREMENTSsR 3.6.7.1 Verifying the correct alignment of manual, power operated, and automatic valves, excluding check valves, in the RS System provides assurancethat the proper flow path exists for operation of the RS System. ThisSR does not apply to valves that are locked, sealed, or otherwise secured in position, since they are verified as being in the correct position prior tobeing secured. This SR does not require any testing or valve manipulation. Rather, it involves verification that those valves outsidecontainment and capable of potentialfy being mispositioned are in the correct position.sR 3.6.7.2Verifying that each RS System pump's developed head at the flow test point is greater than or equal to the required developed head ensures thatRS System pump performance has not degraded during the cycle. The term "required developed head" refers to the value that is assumed in the Containment lntegrity Safety Analysis for the RS pump's developed headat a specific flow point. This value for the required developed head at a flow point is defined as the Minimum Operating Point (MOP) in the lnservice Testing (lST) Program. The verification that the purnp's developed head at the flow test point is greater than or equal to therequired developed head is performed by using a MOP curve. The MOP curye is contained rn the IST Program and was developed using the required developed head at a specific flow point as a reference point.From the reference point, a curve was drawn which is a constant percentage below the current pump performance curve. Based on the MOP curve, a verification is performed to ensure that the pump'sdeveloped head at the flow test point is greater than or equal to therequired developed head. Flow and differential head are normal test parameters of centrifugaf pump performance required by the ASME Code (Ref. a). Since the RS System pumps cannot be tested with flow throughthe spray headers, they are tested on bypass flow. This test confirms one point on the pump design curve and is indicative of overall performance.Such inservice tests confirm component OPERABILITY, trend performance, and detect incipient failures by indicating abnormal performance. Beaver Valley Units 1 and 2 B3.67 -7Revision 0 RS SystemB 3.6.7 BASES SURVEI LLANCE REQUI REMENTS (continued)sR 3.6.7.3 These SRs ensure that each automatic valve actuates and that the RS System pumps start upon receipt of an actual or simuJated coincident witha Containment Pressure High High/RWST Level Low signal. However, the Unit 1 RS-P-2A and RS-P-28 pumps start after an additional delay of15 t 3 seconds for emergency diesel generator loading considerations. The start delay time is also verified for the RS System pumps.For the RS function of the Containment Spray System, this Surveillanceincludes a verification of the associated required slave relay operation. Recirculation Spray - Automatic Actuation, Function 2.b.1 in LCO 3.3.2,"Engineered Safety Feature Actuation System (ESFAS) Instrumentation,"does not include a requirement to perform a SLAVE RELAY TEST due toequipment safety concerns if such a test was performed at power.Therefore, verification of the required slave relay OPERABILITY for the Recirculation Spray-Automatic Actuation, Function 2.b.1 in LCO 3.3.2 is included in this 18-month Surveillance.This Surveillance is not required for valves that are locked, sealed, orotherwise secured in the required position under administrative controls.The 1B month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. However, this does not preclude performanceof this Surveillance at power when it can be accomplished in a safemanner. Operating experience has shown that these components usually pass the Surveillance when performed at the 18 month Frequency.Therefore, the Frequency was considered to be acceptable from areliabi lity standpoint.sR 3.6.7.4 This SR is performeO foitowing maintenance when the potential for nazzle blockage has been determined to exist by an engineering evaluation. The required evaluation will also specify an appropriate test method for determining the spray ring OPERABILITY. Due to the passive design of the spray rings and their normally dry state, a test following maintenance that results in the potential for nozzle blockage is considered adequate fordetecting obstruction of the nozzles. Beaver Valley Units 1 and 2B 3.6.7 - 8Revision 6 RS SystemB 3.6.7 BASES REFERENCES 1.2.3.4.UFSAR, Chapter 14 (Unit 1), and UFSAR, Section 6.2 (Unit 2).10 cFR 50.49.10 CFR 50, Appendix K.ASME code for Operation and Maintenance of Nuclear Power Plants.Beaver Valley Units 1 and 2 B36.7-9Revislon 3 Containment Sump pH Control System B 3.6.8 B 3.6 CONTAINMENT SYSTEMS B 3.6.8 Containment Sump pH Control System BASES BACKGROUNDThe Containment Sump pH Control System is a passive systemconsisting of six baskets of sodium tetraborate (NaTB) that assist in reducing the iodine fission product inventory in the containment atmosphere resulting from a Design Basis Accident (DBA) (Refs. 1and 2).Radioiodine in its various forms is the fission product of primary concern in the evaluation of a DBA. lt is absorbed by the spray from thecontainment atmosphere. To enhance the iodine absorption capacity ofthe spray during recirculation from the sump, the spray solution isadjusted to an alkaline pH that promotes iodine hydrolysis, in which iodineis converted to nonvolatile forms.The NaTB is stored in baskets in the containment. The initial quench spray is acidic since it is a boric acid solution from the Refueling Water Storage Tank (RWST). As the initial spray solution, and subsequently therecirculation solution, comes in contact with the NaTB, the NaTB dissolves, raising the pH of the sump solution. The final pH of thecontainment sump water after a DBA is alkaline. Control of thecontainment sump water pH minirnizes the evolution of iodine as well as the occurrence of chloride and caustic stress corrosion on mechanical systems and components exposed to the fluid.Beaver Valley Units 1 and 2 B36.8-1 Revision 20 Containment Sump pH Control SystemB 3.6.8 BASES APPLICABLE SAFETY ANALYSESThe Containment Sump pH Control System is essential to the removal of airborne iodine within containment following a DBA (Refs. 3 and 4).Quench spray consists of a boric acid solution with a spray pH as low as4.6. As indicated in Standard Review Plan (SRP), Section 6.5.2, Rev 2,"Containment Spray as A Fission Product Cleanup System," fresh sprays (i.e., sprays with no dissolved iodine) are effective at scrubbing elementaliodine and thus a spray additive is unnecessary during the initial injection phase when the spray solution is being drawn from the RWST. As described in the SRP, research has shown that elemental iodine can be scrubbed from the atmosphere with borated water, even at low pH.Since long-term use of a plain boric acid spray could increase the potential for elemental iodine re-evolution during the recirculation phaseof the LOCA, the equilibrium sump solution pH is increased by addingNaTB. Regulatory Guide 1.183 guidance indicates that if the sump water pH is 7 or greater, then a licensee does not need to evaluate re-evolution of iodines for dose consequences. In accordance with the currentlicensing basis, the dose analysis need not address iodine re-evolution ifthe sump water pH of 7 or greater is achieved well within 16 hours afterthe LOCA and is maintained for the duration of the accident. TheContainment Sump pH Control System provides a passive safeguard withsix baskets of NaTB located in the containment. The basket contents dissolve as the sump fills, raising pH to the required value and maintaining it at or above that value throughout the accident.The Containment Sump pH Control System satisfies Criterion 3 of10 CFR 50.36(c)(2Xii). LCO The Containment Sump pH Control System is necessary to reduce therelease of radioactive material to the environment in the event of a DBA.To be considered OPERABLE, the srx sodium tetraborate storagebaskets must be in place and intact (i.e., having no relevant componentremcved, destroyed or damaged such that the basket cannot perform itsfunction), collectively contain > 188 cubic feet of sodium tetraborate (Unit 1 ) and > 292 cubic feet of sodium tetraborate (Unit 2) and becapable of providing the required pH adjustment.Beaver Valley Units 1 and 2 B368-2 Revision 20 Containment Sump pH Control SystemB 3.6.8 BASES APPLlCABlLITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactivematerial to containment requiring the operation of the Containment Sump pH Control System. The Containment Sump pH Control System assistsin reducing the iodine fission product inventory prior to release to the environment. ln MODES 5 and 6, the probability and consequences of these events arereduced due to the pressure and temperature limitations in theseMODES. Thus, the Containment Sump pH Control System is notrequired to be OPERABLE in MODE 5 or 6. ACTIONS A.1lf the Containment Sump pH Control System is inoperable, it must berestored to OPERABLE within 72 hours. The pH adjustment of therecirculation spray solution for corrosion protection and iodine removalreduced in this condition. The 72 hour Completion Time takes into account that the condition which caused the inoperable system wouldmost likely allow this passive system to continue to provide some capability for pH adjustment and iodine removal, the Containment Spray System would still be available and would remove some iodine from the containment atmosphere in the event of a DBA, and the low probability ofthe worst case DBA occurring during this period.8.1 and 8.2lf the Containment Sump pH Control System cannot be restored toOPERABLE status within the required Completion Time, the plant mustbe brought to a MODE in which the LCO does not apply. To achieve thisstatus, the plant must be brought to at least MODE 3 within 6 hours andto MODE 5 within 84 hours. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. The extended interval to reach MODE 5 allows 48 hours forrestoration of the Containment Sump pH Control System in MODE 3 and36 hours to reach MODE 5. This is reasonable when considering the reduced pressure and temperature conditions in MODE 3 for the release of radioactive material from the Reactor Coolant System.Beaver Valley Unlts 1 and 2B 3.6.8 - 3 Revision 20 Containment Sump pH Control SystemB 3.6.8 BASES SURVEILLANCE SR 3.6.8.1 REQUIREMENTS This SR provides visual verification that the six sodium tetraboratestorage baskets are in place and intact and collectively contain > 188cubic feet of sodium tetraborate (Unit 1) and >292 cubic feet of sodium tetraborate (Unit 2). This amount of NaTB is sufficient to ensure that the recirculation solution following a LOCA is at the correct pH level. Noupper limit for quantity of NaTB is specified because pH values calculatedassuming the baskets are filled to capacity demonstrated acceptable pHvalues. The 18 months frequency is sufficient to ensure that this passive system is intact and contains the required amount of sodium tetraborate.sR 3.6.8.2This SR verifies via sampling that the sodium tetraborate contained in the NaTB storage baskets provides the minimum required buffering ability for containment sump borated water. The maximum required buffering abilityof the NaTB contained in the storage baskets is not required to be verifiedbecause the pH values calculated assuming the baskets are filled to capacity with high density NaTB under minimum boric acid conditionsdemonstrated acceptable pH values. The 18 months frequency issufficient to ensure the required buffering ability of the sodium tetraborateafter exposure to the containment environment. REFERENCES 2.3.4.1.UFSAR, Section 6.4 (Unit 1).UFSAR, Sections 6.2.2 and 6.5 (Unit 2).UFSAR, Chapter 14 (Unit 1).UFSAR, Chapter 15 (Unit 2).Beaver Valley Units 1 and 2B 3.6.8 - 4 Revision 20 B 3.7 PLANT SYSTEMSB 3.7.1 Main Steam Safety Valves (MSSVs)BASES BACKGROUND The primary purpose of the MSSVs is to provide overpressure protectionfor the secondary system. The MSSVs also provide protection againstoverpressurizing the reactor coolant pressure boundary (RCPB) by providing a heat sink for the removal of energy from the Reactor Coolant System (RCS) if the preferred heat sink, provided by the Condenser Circulating Water System and Atmospheric Dump Valves, are not available.Five MSSVs are located on each main steam header, outsidecontainment, upstream of the main steam isolation valves, as describedin UFSAR, Section 10.3.1 (Unit 1) and Section 10.3.2 (Unit 2) (Ref. 1).The specified valve lift settings and design relieving capacities are in accordance with the requirements of Section lll of the ASME Boiler and Pressure Code, l971Edition (Unit 1 and Unit 2) and Winter 1972 Addenda (Unit 2). The total design relieving capacity for all valves on alf of the steam lines is 12.8 x 106 lbs/hr (Unit 1) and 127 x106 lbs/hr (Unit 2) which is approximately 98'b (Unit 1) and 97% (Unit 2)of the total secondary steam flow of 13.1 x 10b lbs/hr at 100% RATED THERMALPOWER. The MSSV design includes staggered setpoints, according to Table 3.7 .1-2a (Unit 1) and Table 3.7 .1-2b (Unit 2) in the accompanying LCO, so that only the needed valves will actuate. Staggered setpoints reduce the potential for valve chattering that is due to steam pressure insufficient to fully open all valves following a turbine initiated reactor trip. The above capacity (98% or 97o/o as applicable of rated flow) is sufficientcapacity such that main steam pressure does not exceed 1 10% of the steam generator shell-side design pressure (the maximum pressureallowed by the ASME B&PV Code) for the worst-case loss-of-heat-sink event. This requirement is verified by analysis. APPLICABLE SAFETY ANALYSESThe design basis for the MSSVs comes from Reference 2 and its purpose is to limit the secondary system pressure to < 1 rc% of design pressure for any anticipated operational occurrence (AOO) or accident considered in the Design Basis Accident (DBA) and transient analysis.The events that challenge the relieving capacity of the MSSVS, and thus RCS pressure, are those characterized as decreased heat removal events, which are presented in UFSAR, Section 14.1 (Unit 1) and Section 15.2 (Unit 2) (Ref. 3). Of these, the full power turbine trip withoutsteam dump is the limiting AOO. This event also terminates normalfeedwater flow to the steam generators.Beaver Valley Units 1 and 2B3.7 1-1 Revision 0 MSSVSB 3.7.1 BASES APPLICABLE SAFETY ANALYSES (continued) The safety analysis demonstrates that the transient response for turbinetrip occurring from full power without a direct reactor trip presents nohazard to the integrity of the RCS or the Main Steam System. Oneturbine trip analysis is performed assuming primary system pressure control via operation of the pressur)zer relief valves and spray. Thisanalysis demonstrates that the DNB design basis is met. Another analysis is performed assuming no primary system pressure control, but crediting reactor trip on high pressurizer pressure and operation of the pressurizer safety valves. This analysis demonstrates that RCS integrityis maintained by showing that the maximum RCS pressure does notexceed 110% of the design pressure. All cases analyzed demonstratethat the MSSVs maintain Main Steam System integrity by limiting the maximum steam pressure to less than 110% of the steam generator design pressure.ln addition to the decreased heat removal events, reactivity insertionevents may also challenge the relieving capacity of the MSSVS. The uncontrolled rod cluster control assembly (RCCA) bank withdrawal at power event is characterized by an increase in core power and steam generation rate until reactor trip occurs when either the OvertemperatureAT or Power Range Neutron Flux-High setpoint is reached. Steam flow tothe turbine will not increase from its initial value for this event. The increased heat transfer to the secondary side causes an increase in steam pressure and may result in opening of the MSSVs prior to reactortrip, assuming no credit for operation of the atrnospheric or condenser steam dump valves. The UFSAR Section 14.1 (Unit 1) and Section 15.1 (Unit 2) safety analysis of the RCCA bank withdrawal at power event for arange of initial core power levels demonstrates that the MSSVs arecapable of preventing secondary side overpressurization for this AOO.The UFSAR safety analyses discussed above assume that all of the MSSVs for each steam generator are OPERABLE. lf there are inoperable MSSV(s), it is necessary to limit the primary system power during steady-state operation and AOOs to a value that does not result inexceeding the combined steam flow capacity of the turbine (if available) and the remaining OPERABLE MSSVs. The required limitation on primary system power necessary to prevent secondary systemoverpressurizatron may be determined by system transient analyses or conservatively arrived at by a simple heat balance calculation. In some arcumstances it is necessary to limit the primary side heat generationthat can be achieved during an AOO by reducing the setpoint of thePower Range Neutron Flux-High reactor trip function. For example, ifmore than one MSSV on a single steam generator is inoperable, an uncontrolled RCCA bank withdrawal at power event occurring from apartial power level may result in an increase in reactor power thatBeaver Valley Units 1 and 2 B37.1-2 Revision 0 MSSVsB 3.7.1 BASES APPLICABLE SAFETY ANALYSES (continued) exceeds the combined steam flow capacity of the turbine and theremaining OPERABLE MSSVs. Thus, for multiple inoperable MSSVs onthe same steam generator it is necessary to prevent this power increaseby lowering the Power Range Neutron Flux-High setpoint to an appropriate value. When the Moderator Temperature Coefficient (MTC)is positive, the reactor power may increase above the initial value during an RCS heatup event (e.g., turbine trip). Thus, for any number ofinoperable MSSVs, it is necessary to reduce the trip setpoint if a positiveMTC may exist at partial power conditions.The MSSVs are assumed to have two active and one passive failuremodes. The active failure modes are spurious opening, and failure to reclose once opened. The passive failure mode is failure to open upon demand.The MSSVs satisfy Criterion 3 of 10 CFR 50.36(c)(2xii). LCO The accident analysis requires that five MSSVs per steam generator beOPERABLE to provide overpressure protection for design basistransients occurring at 100.6% RTP. The LCO requires that five MSSVs per steam generator be OPERABLE in compliance with Reference 2, andthe DBA analysis.

The OPERABILITY of the MSSVs is defined as the ability to open upon demand within the setpoint tolerances, to relieve steam generatoroverpressure, and reseat when pressure has been reduced. TheOPERABILITY of the MSSVs is determined by periodlc surveillancetesting in accordance with the Inservice Testing Program.This LCO provides assurance that the MSSVs will perform their designed safety functions to mitigate the consequences of accidents that couldresult in a challenge to the RCPB, or Maln Steam System integrity. APPLICABILITY ln MODES 1, 2, and 3, five MSSVs per steam generator are required to be OPERABLE to prevent main steam overpressurization.ln MODES 4 and 5, there are no credible transients requiring the MSSVS.The steam generators are not normally used for heat removal inMODES 5 and 6, and thus cannot be overpressurized; there is norequirement for the MSSVs to be OPERABLE in these MODES.Beaver Valley Units 1 and 2 B 3.7.1 - 3 Revision 0 BASES ACTIONSThe ACTIONS are modified by a Note indicating that separate Condition entry is allowed for each MSSV.With one or more MSSVs inoperable, action must be taken so that the available MSSV relieving capacity meets Reference 2 requirements. Operation with less than all five MSSVs OPERABLE for each steam generator is permissible, if THERMAL POWER is limited to the reliefcapacity of the remaining MSSVS. This is accomplished by restricting THERMAL POWER so that the energy transfer to the most limiting steam generator is not greater than the available relief capacity in that steam generator. A.1 In the case of only a single inoperable MSSV on one or more steam generators when the Moderator Temperature Coefficient is not positive, a reactor power reduction alone is sufficient to limit primary side heat generation such that overpressurization of the secondary side is precluded for any RCS heatup event. Furthermore, for this case there is sufficient total steam ffow capacity provided by the turbine and remaining OPERABLE MSSVs to preclude overpressurization in the event of anincreased reactor power due to reactivity insertion, such as in the event ofan uncontrolled RCCA bank withdrawal at power. Therefore, RequiredAction A.1 requires an appropriate reduction in reactor power within4 hours.The maximum THERMAL POWER corresponding to the heat removalcapacity of the remaining OPERABLE MSSVs is determlned via a conservative heat balance calculation as discussed below, with an appropriate allowance for calorimetric power uncertainty.The maximum THERMAL POWER corresponding to the heat removalcapacity of the remaining OPERABLE MSSVs is determined by the governing heat transfer relationship from the equation q = mAh, where qis the heat input from the primary side, m is the steam mass flow rate, and Ah is the heat of vaporization at the steam relief pressure assuming no subcooled feedwater. For each steam generator, at a specified pressure, the maximum allowable power level is determined as follows:Maximum Allowable Power Level < (100/Q) (w"h;nN) / K where: 0=K=Nominal NSSS power rating of the plant (including reactor coolant pump heat), MWt Conversion factor , 947 .82 (Btu/sec)/Mwt Beaver Valley Units 1 and 2 B37.1-4Revision 0 BASES ACTIONS (continued) Ws=hrs =N=Minimum total steam flow rate capability of the OPERABLEMSSVs on any one steam generator at the highest OPERABLE MSSV opening pressure, including tolerance and accumulation,as appropriate, lbm/sec. For example, if the maximum number of inoperable MSSVs on any one steam generator is one, then wsshould be a summation of the capacity of the OPERABLEMSSVs at the highest OPERABLE MSSV operating pressure,excluding the highest capacity MSSV. lf the maximum number of inoperable MSSVs per steam generator is three, then w' shouldbe a summation of the capacity of the OPERABLE MSSVs at the highest OPERABLE MSSV operating pressure, excluding the three highest capacity MSSVS.Heat of vaporization at the highest MSSV opening pressure, including tolerance and accumulation as appropriate, Btu/lbm.Number of loops in the plant.For use in determining the% RTP in Required Action A.1, the MaximumNSSS Power calculated above is reduced by 2% RTP to account for calorimetric power unceftainty. This is a conservative value that boundsthe uncertainties associated with both the feedwater flow venturis and the Leading Edge Flow Meter.8.1 and 8.2 In the case of multiple inoperable MSSVs on one or more steam generators, with a reactor power reduction alone there may be insufficienttotal steam flow capacity provided by the turbine and remaining OPERABLE MSSVs to preclude overpressurization in the event of anincreased reactor power due to reactivity insertion, such as in the event ofan uncontrolled RCCA bank withdrawal at power. Furthermore, for a single inoperable MSSV on one or more steam generators when theModerator Temperature Coefficient is positive the reactor power may increase as a result of an RCS heatup event such that flow capacity of the remaining OPERABLE MSSVs is insufficient. The 4 hour CompletionTime for Required Action 8.1 is consistent with A.1. An additional32 hours is allowed in Required ActionB.2 to reduce the Power RangeNeutron Flux-High reactor trip setpoints. The Completion Time of 36 hours is based on a reasonable time to correct the MSSV inoperability,the time required to perform the power reduction, operating experience to reset all channels of a protective function, and on the low probability ofthe occurrence of a transient that could result in steam generator overpressure during this period.Beaver Valley Units 1 and 2 8371-5Revisron 0 BASES ACTIONS (continued)The maximum THERMAL POWER corresponding to the heat removalcapacity of the remaining OPERABLE MSSVs is determined via a conservative heat balance calculation as discussed above, with anappropriate allowance for Nuclear lnstrumentation System trip channel uncertainties.To determine the Table 3.7.1-1 Maximum Allowable Power for RequiredActions B.1 and 8.2 (o/o RTP), the calculated Maximum NSSS Power isreduced by 9% RTP to account for Nuclear lnstrumentation System tripchannel uncertainties. An additional conservatism is employed by settingthe values equal to the most conservative between the two units, thisbeing the Unit 1 values.Required Action B.2 is modified by a Note, indicating that the Power Range Neutron Flux-High reactor trip setpoint reduction is only required inMODE 1. In MODES 2 and 3 the reactor protection system trips specifiedin LCO 3.3.1, "Reactor Trip System Instrumentation," provide sufficient protection. The allowed Completion Times are reasonable based on operating experience to accomplish the Required Actions in an orderly manner without challenging unit systems.C.1 and C.2 lf the Required Actions are not completed within the associated Completion Time, or if one or more steam generators have > 4 inoperableMSSVs, the unit must be placed in a MODE in which the LCO does notapply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 4 within 12 hours. The allowed Completion Times are reasonable, based on operating experlence, to reach the required unit conditions from full power conditions in an orderly mannerand without challenging unit systems. SURVEILLANCE SR 3.7.1 .1 REQUIREMENTSThis SR verifies the OPERABILITY of the MSSVs by the verification ofeach MSSV lift setpoint in accordance with the Inservice Testing Programand the ASME Code (Ref. 4) requirements.Beaver Valley Units 1 and 2B 3 7.1 - 6 Revision 0 MSSVsB 3.7.1 BASES SURVEILLANCE REQUI REMENTS (continued)The ASME Code specifies the activities and frequencies necessary to satisfy the requirements. Table 3.7.1-2a (Unit 1) and Table 3.7 .1-2b (Unit 2) specify the required setpoint tolerance for OPERABILITY;however, the valves are reset to + 1% during the Surveillance to allow for drift. The lift settings correspond to ambient conditions of the valve at nominal operating temperature and pressure.This SR is modified by a Note that allows entry into and operation in MODE 3 prior to performing the SR. The MSSVs may be either benchtested or tested in situ at hot conditions using an assist device to simulate lift pressure. lf the MSSVs are not tested at hot conditions, the lift setting pressure shall be corrected to ambient conditions of the valve atoperating temperature and pressure.REFERENCES

1. UFSAR, Section 10.3.1 (Unit 1) and Section 10.3.2 (Unit 2).ASME, Boiler and Pressure Vessel Code, Section Article NC-7000, Class 2 Components.

U FSAR, Section 14.1 (Unit 1) and Section 15.2 (Unit 2).ASME code for Operation and Maintenance of Nuclear Power Plants.2.3.4.Beaver Valley Units 1 and 2 B 3.7.1 - 7 Revision 0 B 3.7 PLANT SYSTEMSB 3.7.2 Main Steam lsolation Valves (MSlVs)BASES BACKGROUND Unit 1 is designed with main steam trip valves, main steam non-returncheck valves, and main steam trip bypass valves. The main steam trip valves perform similarfunctions as the Unit 2 MSIVs and will be herein referred to as MSlVs. The MSIVs isolate steam flow from the secondary side of the steam generators following a high energy line break (HELB).MSIV closure terminates flow from the unaffected (intact) steam generators. One MSIV is located in each main steam line outside, but close to,containment. The MSIVs are downstream from the main steam safety valves (MSSVS) and auxiliary feedwater (AFW) pump turbine steam supply, to prevent MSSV and AFW steam supply isolation from the steam generators by MSIV closure. Closing the MSIVs isolates each steam generator from the others, and isolates the turbine, Steam Bypass System, and other auxiliary steam supplies from the steam generators. The MSIVs close on a main steam isolation signal generated by either aContainment Pressure - lntermediate High High, Steam Line Pressure -Negative Rate - High, or Steam Line Pressure - Low function. For Unit 1,the MSIVs fail closed on loss of control air pressure. For Unit 2, the MSIVs fail closed on loss of control or actuation power.lsolation of the main steam lines provides protection in the event of a steam line break (SLB) inside or outside containment. Rapid isolation of the steam lines will limit the steam break accident to the blowdown from one steam generator (SG), at most. For an SLB upstream of the MSlVs, inside or outside of containment, closure of the MSIVs limits the accident to the blowdown from only the affected SG. For an SLB downstream ofthe MSlVs, closure of the MSIVs terminates the accident as soon as thesteam lines depressurize. For Unit 1, the main steam non-return check valves are designed to automatically prevent reverse flow of steam in the case of accidental pressure reduction in any steam generator or its piping. lf a steam line breaks between a non-return valve and a steam generator, the affected steam generator continues to blowdown while the non-return valve in the line prevents significant blowdown from the other steam generators. For Unit 2, whlch does not have main steam non-return check valves, steam line isolation will also mitigate the effects of a feed line break and ensures a source of steam for the turbine driven AFW pump during a feed line break.Beaver Valley Units 1 and 2B 3.7.2 - 1Revision 0 BASES BACKG ROUN D (continued)Each MSIV has an MSIV bypass valve. Although these bypass valvesare normally closed, they receive the same emergency closure signal asdo their associated MSlVs. The MSIVs may also be actuated manually.A description of the MSIVs is found in the UFSAR, Section 10.3 (Ref. 1).APPLICABLE SAFETY ANALYSES The design basis of the MSIVs is established by the containment analysisfor the large SLB inside containment, discussed in the UFSAR, Chapter 14 (Unit 1) and Section 6.2 (Unit 2) (Ref. 2). lt is also affected by the accident analysis of the SLB events presented in the UFSAR, Section 14.2.5.1 (Unit 1)and Section 15.1.5 (Unit 2) (Ref. 3). The design precludes the blowdown of more than one steam generator, assuming asingle active component failure (e.9., the failure of one MSIV to close on demand).The limiting case for the containment analysis is the SLB insidecontainment, with offsite power available, and failure of the main steamnon-return check valve (Unit 1) or the MSIV (Unit 2) on the affected steam generator to close. At lower powers, the steam generator inventory and pressure are at their maximum, maximizing the analyzed mass and energy release to the containment. Due to reverse flow and failure of themain steam non-return check valve (Unit 1) or the MSIV (Unit 2) to close,the additional mass and energy in the steam headers downstream fromthe other MSIVs contribute to the total release. With the most reactive rod cluster control assembly assumed stuck in the fully withdrawn position, there is an increased possibility that the core will become critical and return to power. The core is ultimately shut down by the boric acidinjection delivered by the Emergency Core Cooling System.The accident analysis compares several different SLB events againstdifferent acceptance criteria. The large SLB outside containmentupstream of the MSIV is limiting for offsite dose, although a break in thisshort section of main steam header has a very low probability. The largeSLB at hot zero power is the limiting case for a return to power event.The analysis includes scenarios with offsite power available, and with a loss of offsite power following turbine trip. With offsite power available, the reactor coolant pumps continue to circulate coolant through the steam generators, maximizing the Reactor Coolant System cooldown. With aloss of offsite power, the response of mitigating systems is delayed.Significant single failures considered include failure of an MSIV to close.Beaver Valley Units 1 and 2 83.7.2-2 Revision 0 MSIVsB 3.7.2 BASES APPLICABLE SAFETY ANALYSES (continued) The MSIVs serve only a safety function and remain open during poweroperation. These valves operate under the following situations:An HELB inside containment. In order to maximize the mass and energy release into containment, the analysis assumes that the MSIV in the affected steam generator remains open. For thisaccident scenario, steam is discharged into containment from all steam generators until the remaining MSIVs close. After MSIV closure, steam is discharged into containment only from the affected steam generator and from the residual steam in the main steam header downstream of the closed MSIVs in the unaffected loops.Closure of the MSIVs isolates the break from the unaffected steam generators.A break outside of containment and upstream from the MSIVs is nota containment pressurization concern. The uncontrolled blowdownof more than one steam generator must be prevented to lirnit the potential for uncontrolled RCS cooldown and positive reactivityaddition. Closure of the MSIVs isolates the break and limits theblowdown to a single steam generator.A break downstream of the MSIVs will be isolated by the closure ofthe MSlVs.d. Following a steam generator tube rupture, closure of the MSIVsisolates the ruptured steam generator from the intact steam generators to minimize radiological releases.

e. For Unit 2, the MSIVs are also utilized during other events such as afeedwater line break. This event is less limiting so far as MSIVOPERABILITY is concerned.

The MSIVs satisfy Criterion 3 of 10 CFR 50.36(c)(2xii). a.b.LCO This LCO requires that three MSIVs in the steam lines be OPERABLE.The MSIVs are considered OPERABLE when the isolation times are within lrmits, and they close on a manual and automatic isolation actuation signal.This LCO provides assurance that the MSIVs will perform their designsafety function to mitigate the consequences of accidents that could result in offsite exposures comparable to the limits specified in Regulatory Guide 1.183 (Ref ).Beaver Valley Units 1 and 2B 37.2-3Revision 0 BASES APPLICABILITY The MSfVs must be OPERABLE in MODE 1, and in MODES 2 and 3 except when closed and de-activated, when there is significant mass andenergy in the RCS and steam generators. When the MSIVs are closed, they are already performing the safety function.ln MODE 4 the steam generator energy is low and the MSIVs are not required to support the safety analysis due to the low probability of a design basis accident. ln MODE 5 or 6, the steam generators do not contain much energy because their temperature is below the boiling point of water; therefore, the MSIVs are not required for isolation of potential high energy secondary system pipe breaks in these MODES. ACTIONS With one MSIV inoperable in MODE 1, action must be taken to restore OPERABLE status within 8 hours. Some repairs to the MSIV can bemade with the unit hot. The 8 hour Completion Time is reasonable,considering the fow probability of an accident occurring during this time period that would require a closure of the MSlVs.The 8 hour Completion Time is greater than that allowed for mostcontainment isolation valves because the MSIVs are valves that isolate a closed system penetrating containment. These valves differ from other containment isolation valves in that the closed system provides anadditional means for containment isolation. lf the MSIV cannot be restored to OPERABLE status within 8 hours, theunit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in MODE 2 within 6 hoursand Condition C would be,entered. The Completion Times are reasonable, based on operating experience, to reach MODE 2 and toclose the MSIVs in an orderly manner and without challenging unit systems.C.1 and C.2Condition C is modified by a Note indicating that separate Condition entry is allowed for each MSIV.Since the MSIVs are required to be OPERABLE in MODES 2 and 3, the inoperable MSIVs may either be restored to OPERABLE status or closed. When closed, the MSIVs are already in the position required by the assumptions in the safety analysis. Beaver Valley Units 1 and 2 B 3.7.2 - 4Revision 0 MSIVsB 3.7.2 BASES ACTIONS (continued) The 8 hour Completion Time is consistent with that allowed inCondition A.For inoperable MSIVs that cannot be restored to OPERABLE statuswithin the specified Completion Time, but are closed, the inoperableMSIVs must be verified on a periodic basis to be closed. This is necessary to ensure that the assumptions in the safety analysis remainvalid. The 7 day Completion Time is reasonable, based on engineering judgment, in view of MSIV status indications available in the control room,and other administrative controls. to ensure that these valves are in the closed position.D.1 and D.2lf the MSIVs cannot be restored to OPERABLE status or are not closed within the associated Compfetion Time, the unit must be placed in aMODE in which the LCO does not apply. To achieve this status, the unit must be placed at least in MODE 3 within 6 hours, and in MODE 4 within12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from MODE 2conditions in an orderly manner and without challenging unit systems.SURVEILLANCE SR 3.7.2.1 REQUIREMENTS This SR verifies that MSIV closure time is within the limit specified in the Licensing Requirements Manual (Ref. 5). The MSIV total response time (signal generation plus MSIV closure time) is assumed in the accident anafyses. The MSIVs should not be tested at power due to the risk of a valve closure when the unit is generating power. As MSIVs are nottypically tested at power, they are exempt from the ASME Code (Ref. 6)requirements during operation in MODE 1 ar 2.The Frequency is in accordance with the Inservice Testing Program.This test is allowed to be conducted in MODE 3 with the unit at operating temperature and pressure. This SR is modified by a Note that allowsentry into and operation in MODE 3 prior to performing the SR.Beaver Valley Units 1 and 2B 3.7.2 - 5Revision 0 BASES SURVEILLANCE REQUI REM ENTS (continued)sR 3.7.2.2 This SR verifies that each MSIV can close on an actual or simulatedautomatic and manual actuation signal. The Frequency of MSIV testing is every 18 months. The 18 month Frequency for testing is based on the refueling cycle. Operating experience has shown that these components usually pass the Surveillance when performed at the 18 monthFrequency. Therefore, this Frequency is acceptable from a reliability standpoint. REFERENCES 1.2.3.4.5.6.UFSAR, Section 10.3.UFSAR, Chapter 14 (Unit 1) and Sectron 6.2 (Unit 2).UFSAR, Section 14.2.5.1 (Unit 1) and Section 15.1.5 (Unit 2).Regulatory Guide 1 .183, July 2000.Licensing Requirements Manual (LRM) for BVPS Unit 1 and Unit 2.ASME code for Operation and Maintenance of Nuclear Power Plants.Beaver Valley Units 1 and 2 B3.72-6Revision 0 MFIVs and MFRVs and MFRV Bypass ValvesB 3.7.3 B 3.7 PLANT SYSTEMS Main Feedwater lsolation Valves (MFlVs) and Main Feedwater Regulation Valves (MFRVS) and MFRV Bypass Valves BASES B 3.

7.3 BACKGROUND

The MFIVs isolate main feedwater (MFW) flow to the secondary side ofthe steam generators following a high energy line break (HELB). Thesafety related function of the MFRVs is to provide the second isolation ofMFW flow to the secondary side of the steam generators following anHELB. Closure of the MFIVs or MFRVs and MFRV bypass valvesterminates flow to the steam generators, terminating the event forfeedwater line breaks (FWLBs) occurring upstream of the MFIVs orMFRVs. The consequences of events occurring in the main steam linesor in the MFW lines downstream from the MFIVs will be mitigated by theirclosure. Closure of the MFIVs or MFRVs and MFRV bypass valves,effectively terminates the addition of feedwater to an affected steam generator, limiting the mass and energy release for steam line breaks (SLBs) or FWLBs inside containment, and reducing the cooldown effects for SLBs.The MFIVs isolate the nonsafety related portions from the safety related portions of the system. In the event of a secondary side pipe ruptureinside containment, the valves limit the quantity of high energy fluid thatenters containment through the break, and provide a pressure boundary for the controlled addition of auxiliary feedwater (AFW) to the intact loops.One MFIV and one MFRV and MFRV bypass valve, are located on each MFW line, outside of containment. The MFIVs and MFRVs are located upstream of the AFW injection point so that AFW may be supplied to the steam generators following MFIV or MFRV closure. The piping volumefrom these valves to the steam generators must be accounted for incalculating mass and energy releases, and refilled prior to AFW reachingthe steam generator following either an SLB or FWLB.The MFIVs and MFRVs and MFRV bypass valves close on receipt of a safety injection or steam generator water level - high high signal. TheMFRVs will also close on receipt of a Tavg - Low coincident with reactor trip (P-4). They may also be actuated manually. In addition to the MFIVsand the MFRVs and MFRV bypass valves, a check valve outside containment is available. The check valve provides the first pressure boundary for the addition of AFW to the intact loop and prevents backflow in the feedwater line should a break occur upstream of the valve.A description of the MFIVs and MFRVs is found in the UFSAR, Section 10.3 5 (Unit 1) and Section 10.4.7 (Unit 2) (Ref. 1).Beaver Valley Units 1 and 2 B 3.7.3 - 1Revision 0 MFIVs and MFRVs and MFRV Bypass Valves B 3.7.3 BASES APPLICABLE SAFETY ANALYSESThe design basis of the MFIVs and MFRVs is established by the analyses for the large SLB. lt is also influenced by the accident analysis for thelarge FWLB. Closure of the MFIVs or MFRVs and MFRV bypass valves,are relied on to terminate a SLB for core response analysis and excessfeedwater event upon the receipt of a steam generator water level - high high signal.Failure of an MFIV, MFRV, or the MFRV bypass valves to close followingan SLB or FWLB can result in additional mass being delivered to the steam generators, contributing to cooldown. This failure also results inadditional mass and energy releases following a SLB or FWLB event.The MFIVs and MFRVs satisfy Criterion 3 of 10 CFR 50.36(c)(2xii). LCOThis LCO ensures that the MFlVs, MFRVs, and the MFRV bypass valveswill isolate MFW flow to the steam generators, following an FWLB or main steam line break.This LCO requires that three MFIVs and three MFRVs and MFRV bypass valves be OPERABLE. The MFIVs and MFRVs and the MFRV bypass valves are considered OPERABLE when isolation times are within limits and they close on an isolation actuation signal.Failure to meet the LCO requirements can result in additional mass andenergy being released to containment following an SLB or FWLB insidecontainment. A feedwater isolation signal on steam generator water level- high high is relied on to terminate an excess feedwater flow event,failure to meet the LCO may result in the introduction of water into themain steam lines.APPLICABlLITYThe MFIVs and MFRVs and the MFRV bypass valves must be OPERABLE whenever there is significant mass and energy in theReactor Coolant System and steam generators. In MODES 1 , 2, and 3,the MFIVs and MFRVs and the MFRV bypass valves are required to beOPERABLE to limit the amount of available fluid that could be added tocontainment in the case of a secondary system pipe break inside containment. When the valves are closed and de-activated or isolated bya closed manual valve, they are already performing their safety function.ln MODES 4, 5, and 6, steam generator energy is low. Therefore, the MFlVs, MFRVs, and the MFRV bypass valves are not required to be OPERABLE.Beaver Valley Units 1 and 2 B37.3-2 Revision 0 MFIVs and MFRVs and MFRV Bypass Valves B 3.7.3 BASES ACTIONSThe ACTIONS Table is modified by a Note indicating that separateCondition entry is allowed for each valve.A.1 and A.2 With one MFIV in one or more flow paths inoperable, action must betaken to restore the affected valves to OPERABLE status, or to close orisolate inoperable affected valves within 72 hours. When these valvesare closed or isolated, they are performing their required safety function.The 72 hour Completion Time takes into account the redundancy affordedby the remaining OPERABLE valves and the low probability of an eventoccurring during this time period that would require isolation of the MFW flow paths. The72 hour Completion Time is reasonable, based on operating experience.lnoperable MFIVs that are closed or isolated must be verified on a periodic basis that they are closed or isolated. This is necessary to ensure that the assumptions in the safety analysis remain valid. The7 day Completion Time is reasonable, based on engineering judgment, in view of valve status indications available in the control room, and other administrative controls, to ensure that these valves are closed or isolated.8.1 and 8.2 With one MFRV in one or more flow paths inoperable, action must betaken to restore the affected valves to OPERABLE status, or to close orisolate inoperable affected valves within 72 hours. When these valvesare closed or isolated, they are performing their required safety function.The 72 hour Completion Time takes into account the redundancy affordedby the remaining OPERABLE valves and the low probability of an event occurring during this time period that would require isolation of the MFW flow paths. The 72 hour Completion Time is reasonable, based onoperating experlence. r lnoperable MFRVs, that are closed or isolated, must be verified on a periodic basis that they are closed or isolated. This is necessary toensure that the assumptions in the safety analysis remain valid. The 7 day Completion Time is reasonable, based on engineering judgment, in view of valve status indications available in the control room, and other administrative controls to ensure that the valves are closed or isolated.Beaver Valley Units 1 and 2B 3.7.3 - 3Revision 0 MFIVs and MFRVs and MFRV Bypass ValvesB 3.7.3 BASESACTIONS (continued)C.1 and C.2With one MFRV bypass valve in one or more flow paths inoperable, action must be taken to restore the affected valves to OPERABLE status,or to close or isolate inoperable affected valves within 72 hours. Whenthese valves are closed or isolated, they are performing their required safety function.The 72 hour Completion Time takes into account the redundancy affordedby the remaining OPERABLE valves and the low probability of an eventoccurring during this time period that would require isolation of the MFW flow paths. The 72 hour Completion Time is reasonabf e, based on operating experience.lnoperable MFRV bypass valves that are closed or isolated must beverified on a periodic basis that they are closed or isolated. This isnecessary to ensure that the assumptions in the safety analysis remainvalid. The 7 day Completion Time is reasonable, based on engineering judgment, in view of valve status indications available in the control room,and other administrative controls, to ensure that these valves are closed or isolated.D.1 With two inoperable in series valves in the same flow path, there may beno redundant system to operate automatically and perform the required safety function. The containment can be isolated with the failure of twovalves in parallel in the same flow path. Under these conditions, affectedvalves in each flow path must be restored to OPERABLE status, or theaffected flow path isolated within B hours. This action returns the systemto the condition where at least one valve in each flow path is performingthe required safety function. The 8 hour Completion Time is reasonable,based on operating experience, to complete the actions required to closethe MFIV or MFRV, or othenvise isolate the affected flow path.E.1 and E.2lf the MFIV(s) and MFRV(s) and the MFRV bypass valve(s) cannot berestored to OPERABLE status, or closed, or isolated within the associated Completion Time, the unit must be placed in a MODE in whichthe LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 4 within 12 hours. Theallowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. Beaver Valley Units 1 and 2 B 3.7.3 - 4 Revision 0 MFIVs and MFRVs and MFRV Bypass ValvesB 3.7.3 BASES SURVEILLANCE SR 3.7.3.1 REQUIREMENTS This SR verifies that the closure time of each MFIV, MFRV, and MFRV bypass valve is within the limit(s) specified in the Licensing Requirements Manual (LRM) (Ref. 2). The total response times (signal generation plusvalve closure time) are assumed in the SLB or FWLB accident analyses.The Frequency for this SR is in accordance with the Inservice Testing Program.sR 3.7.3.2 This SR verifies that each MFIV, MFRV, and MFRV bypass valve canclose on an actual or simulated actuation signal. The Frequency for this SR is every 18 months. The 18 month Frequency for testing is based onthe refueling cycle. Operating experience has shown that these components usually pass the Surveillance when performed at the18 month Frequency. Therefore, this Frequency is acceptable from arel iabi lity standpoint. REFERENCES 2.1.UFSAR, Section 10 3 5 (Unit 1) and Section 10.4.7 (Unit 2).Licensing Requirements Manual (LRM) for BVPS Unit 1 and Unit 2.Beaver Valley Units 1 and 2 B373-5 Revision 0 ADVsB 3.7.4B 3.7 PLANT SYSTEMS Atmospheric Dump Valves (ADVs)B 3.7 .4 BASES BACKGROUNDThe ADV lines required OPERABLE include the three atrnospheric relief valves (one per steam generator (SG)) and the associated block (isolation) valves and for Unit 2 only, one residual heat release valve and its block valve and individual SG isolation valves. The Unit 2 residual heat release valve and all its associated isolation valves are counted asone of the required ADV lines for Unit

2. As discussed in the UFSAR,Section 10.3 (Ref. 1), the atmospheric relief valves and the residual heat release valve provide a method of removing core decay heat and cooling the unit to Residual Heat Removal (RHR) System entry conditions should the preferred heat sink via the condenser steam dump valves not be available.Each ADV line has a block valve. The block valves are normally openmanual valves.

The block valves can be used for isolatrng an ADV line ifnecessary. However, due to time constraints in the safety analysis, the ADV block valves must remain open for an ADV line to be considered OPERABLE. In addition to the block valve described above, the Unit 2residual heat release valve has three normally open isolation valves (onefor each SG) The individual SG isolation valves are used to isolate a faulted SG so the Unit 2 residual heat release valve can be used for accident mitigation. In order for the Unit 2 residual heat release valveADV line to be OPERABLE, the individual SG isolation valves must bemaintained open with the capability of being manually closed. The Unit 1 ADVs are DC powered air operated valves utilizing a non-safety related air system. The Unit 1 ADVs can normally be operatedfrom the control room. However, in order to meet the assumptions of theoperational assessment used to evaluate single failure concerns, theUnit 1 ADVs must be capable of being operated locally as well as from the control room in order to'be considered OPERABLE, The Unit 2 ADVs have an electro-hydraulic operator that can be operatedfrom the control room. Each Unit 2 atmospheric relief valve is poweredby the same emergency AC train power. The Unit 2 residual heat releasevalve is powered by the other emergency AC train. In order to meet theassumptions of the applicable safety analysis, the Unit 2 ADVs (includingthe residual heat release valve) must be capable of being operated locatlyas well as from the control room in order to be considered OPERABLE.Beaver Valley Units 1 and 2 B 3.7.4 - 1 Revision 0 ADVsB 3.7.4 BASES BACKG ROUN D (continued )The ADVs have a non-safety related automatic pressure controlcapability. However, the only function of the ADVs required by the safety analyses (and this Technical Specification) is the ability to cool down the plant following a Design Basis Accident (DBA).APPLICABLE SAFETY ANALYSES ln the accident analysis presented in the UFSAR (Ref. 2), the ADVs may be used by the operator to cool down the unit to RHR entry conditions foraccidents accompanied by a loss of offsite power.The design bases of the ADVs are established by the capability to coolthe unit to RHR System entry conditions. For the recovery from a designbasis steam generator tube rupture (SGTR) accident, the operator isrequired to perform a limited cooldown to establish adequate subcoolingas a necessary step to terminate the primary to secondary break flow intothe faulted steam generator. The time required to terminate the primaryto secondary break flow for the design basis SGTR accident is morecritical than the time required to cool down to RHR System entry conditions for this event and for other Design Basis Accidents (DBAs).Thus, the SGTR is the limiting event for the ADVs.For Unit 1, three ADVs with associated flow paths and isolation valves arerequired OPERABLE. Due to the design of the Unit 1 residual heatrelease valve, it can not be isolated from a SG with a ruptured tube. Therefore, the Unit 1 residual heat release valve is not used to mitigate aSGTR due to the dose requirements of the accident analysis. Therequirement for three OPERABLE ADV lines provides assurance that asingle active failure of one ADV line or a single active failure of the instrument air supply will not prevent the mitigation of a SGTR accident.The Unit 1 operational assessment used to evaluate the single failuresdescribed above also assumes that one ADV is lost to the faulted SG. lnthe case where the instrument air supply is available and an active failureof one of the remaining ADVs is assumed, the operational assessment assumes the remaining ADV is operated from the control room tosuccessfully mitigate the SGTR accident. ln the case where the activefailure is a loss of instrument air, and ADV operation is delayed, theoperational assessment assumes the two remaining ADVs are operated by local manual control to successfully mitigate the SGTR accident.Therefore, the Unit 1 ADVs must be capable of both remote and localmanual operation to be considered OPERABLE. The Unit 1 operationalassessment does not include a specific time to manually unblock an ADV.Therefore, the Unit 1 ADV block valves must remain open for the ADV lines to be considered OPERABLE.Beaver Valley Units 1 and 2F 374-2 Revision 0 BASES APPLICABLE SAFETY ANALYSES (continued) For Unit 2, four ADVs with associated flow paths and isolation valves arerequired OPERABLE to satisfy the SGTR accident analysis assumptionsof a single active failure and loss of offsite power. Requiring four Unit 2ADVs OPERABLE assures that two ADVs will remain OPERABLE for theSGTR analysis overfill mse (i.e., one ADV lost to the faulted SG and oneADV lost to a single active failure). Additionally, requiring four Unit 2ADVs OPERABLE assures that three ADVs will remain OPERABLE for the SGTR radiological dose case. The radiological dose case includesthe loss of one ADV as a single active failure (i.e., the ADV on the faulted SG fails open).The Unit 2 SGTR analysis requires that two ADVs (overfill case) or three ADVs (bounding dose case) remain OPERABLE to mitigate the accidentwithin the assumed time frame. All other radiological dose cases onlyrequire two ADVs, since a longer cooldown does not have as great animpact on SGTR doses as a failed open ADV on the faulted SG.Furthermore, in order to assure the SGTR accident can be mitigatedwithin the Unit 2 analysis requirements, the ADVs must be capable ofboth remote and local manual operation. ln addition, the Unit 2 safetyanalysis does not include additional time to manually unisolate a blockedADV. Therefore, an ADV line with a closed block valve is consideredinoperable. The Unit 2 safety analysis does account for the time it takesto manually isolate the faulted SG from the Unit 2 residual heat release valve so that the ADV line can be used to meet the accident analysis requirements. Therefore, the individual normally open SG isolation valves associated with the Unit 2 residual heat release valve must also be maintained open with the capability of being manually closed for the Unit2 residual heat release valve ADV line to be OPERABLE.The ADVs are equipped with block valves in the event an ADV spuriously fails to open or fails to close during use. The ADVs, as well as the RHRV, at each unit may pass some amount of steam leakage, since the SGTR radiological analyses for BVPS-1 and BVPS-2 include a steam flowmargin factor. Such leakage may pass through the Main Steam Safety Valves, as well. TS 3.7.1 OPERABILITY of the MSSVs is not affected,since these valves are not discussed or credited in SGTR accidentmitigation. Any observed steam leakage would have to be measurableon the installed Main Steam Flow System instruments (above instrument accuracy) to be considered significant. The ADVs satisfy Criterion 3 of 10 CFR 50.36(c)(2xii).Beaver Valley Units 1 and 2B 3.74-3Revision 9 BASES LCOThe LCO requires three Unit 1 ADV lines and four Unit 2 ADV lines to beOPERABLE. The ADV lines required OPERABLE include the three atmospheric relief valves (one per SG) and the associated block (isolation) valves and for Unit 2 only, one residual heat release valve and its block valve and individual SG isolation vafves. The Unit 2 residual heat release valve and all its associated isolation valves are counted as one ADV line for Unit 2. The number of ADV lines required OPERABLE is consistent with each Unit's design and the safety analyses requirements described above.An OPERABLE ADV line is capable of providing controlled relief of the main steam flow and capable of fully opening and closing. In order to beOPERABLE, the ADVs (including the Unit 2 residual heat release valve) must be capable of remote manual and local manual operation. Also, the block valve associated with each ADV line must be open for the line to beconsidered OPERABLE. ln addition to the above requirements, the threeindividual SG isolation valves associated with Unit 2 residual heat releasevalve must be open and capable of being manually closed for the residualheat release valve ADV line to be considered OPERABLE.The block valves associated with each ADV line must be OPERABLE to isolate a failed open ADV line. In addition, the three individual SG isolation valves associated with the Unit 2 residual heat release valveADV line must be OPERABLE to enable a faulted SG to be isolated fromthe residual heat release valve ADV line.Failure to meet the LCO could result in the inability to cool the unit underthe limiting accident conditions within the time limit assumed in the applicable safety analyses described above.APPLICAB ILITY In MODES 1,2, and 3, and in MODE 4, when steam generator is being relied upon for heat removal, the ADVs are required to be OPERABLE.ln MODF 5 or 6. an SGTR is not a credible event. ACTIONS A.1 With one required ADV line inoperable, action must be taken to restoreOPERABLE status within 7 days. The 7 day Completion Trme allows forthe redundant capability afforded by the remaining OPERABLE ADVlines, a nonsafety grade backup in the condenser steam dump valves,and MSSVS.Beaver Valley Units 1 and 2 B 3.7.4-4 Revision 9 ADVs B 3.7.4 BASES ACTIONS (continued) 8.1With two or more ADV lines inoperable, action must be taken to restoreall but one ADV line to OPERABLE status. Since the block valve can be closed to isolate an ADV, some repairs may be possible with the unit at power. The 24 hour Completion Time is reasonable to repair inoperableADV lines, based on the availability of the condenser steam dump valves and MSSVs, and the low probability of an event occurring during this period that would require the ADV lines.C.1 and C.2lf the ADV lines cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in whichthe LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 4, without reliance upon steam generator for heat removal, within 24 hours. In this condition, the unit utilizes RHR for cooling. Therefore, operation may continue with one or more ADV lines inoperable because the RCS cooling function requiredto mitigate a SGTR event would be accomplished by the RHR System.The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.SURVEILLANCE SR 3.7.4.1 REQUIREMENTS To perform a controlled cooldown of the RCS, the ADVs must be able tobe opened and throttled through their full range. This SR ensures that the ADVs are tested through a full control cycle at least once per fuel cycle.The requirement to stroke the valve through the full range of operation may be accomplished by remote manual control. In addition, thisSurveillance must also verify the capability to locally operate each ADV.The verification of local operation does not require that the ADV bestroked through the full range of travel (i.e., if the valve is stroked fullopen and closed by remote manual operation, the capability to operatethe ADV locally may be verified by observing valve stem movement). TheADVs must be capable of both remote and local manual operation inorder to be considered OPERABLE. Performance of inservice testing oruse of an ADV during a unit cooldown may satisfy this requirement.Operating experience has shown that these components usually pass the Surveillance when performed at the 1B month Frequency. TheFrequency is acceptable from a reliability standpoint.Beaver Valley Units 1 and 2B 3.7.4 - 5 Revision 9 BASES SURVEILLANCE REQUIREMENTS (continued)sR 3.7.4.2 The function of the block valve is to isolate a failed open ADV. Cyclingthe block valve cfosed and open demonstrates its capability to performthis function. Performance of maintenance or other testing that results incycling these valves including the use of the block valve during unit cooldown may satisfy this requirement. Operating experience has shownthat these components usually pass the Surveillance when performed atthe 18 month Frequency. The Frequency is acceptable from a reliability standpoint.sR 3.7.4.3 The function of the individual SG isolation valves associated with theUnit 2 residual heat release valve is to isolate the residual heat releasevalve from a SG with a ruptured tube. lsolating the SG with a rupturedtube minimrzes the resulting dose when the residual heat release valve is used for SGTR accident mitigation. Cycling these isolation valves closedand open demonstrates the capability to perform this function.Performance of maintenance or other testing that results in cycling thesevalves, including the use of the isolation valve during unit cooldown may satisfy this requirement. Operating experience has shown that thesecomponents usually pass the Surveillance when performed at the1B month Frequency. The Frequency is acceptable from a reliability standpoint. The Surveillance is modified by a Note that states the Surveillance is onlyapplicable to Unit 2. The Note is necessary because the correspondlng Unit '1 residual heat release valve is not required OPERABLE byLCO 3.7.4. Only the Unit 2 residual heat release valve is requiredOPERABLE by LCO 3.7.4. This is because Unit 2 requires the additional relief capacity provided by this valve for accident mitigation and the Unit 2 residual heat release valve has individual SG isolation valves that allow itto be isolated from a faulted SG so it can be used for accident mitigation. REFERENCES 2.1.UFSAR, Section 10.3.UFSAR, Section 14 (Unit 1) and UFSAR Section 15 (Unit 2).Beaver Valley Units 1 and 2 B3.74-6Revision 9 AFW SystemB 3.7.5B 3.7 PLANT SYSTEMS B 3.7.5 Auxiliary Feedwater (AFW) System BASES BACKGROUNDThe AFW System automatically supplies feedwater to the steam generators (SGs) to remove decay heat from the Reactor Coolant Systemupon the loss of normal feedwater supply. The AFW System consists of two motor driven pumps and one steam turbine driven pump configured into three trains. The AFW System design is such that it can perform its function following a total loss ofnormal feedwater and the single failure of an AFW pump. Any two of the three AFW pumps are capable of supplying the required feedwater flow assumed in the accident analyses. The pumps are equipped with independent recirculation lines to prevent pump operation against aclosed system. Each motor driven AFW pump is powered from an independent Class 1E power supply and each pump feeds all three SGs. The steam turbine driven AFW pump receives steam from a minimum oftwo main steam lines upstream of the main steam isolation valves. Eachof the steam feed lines will supply 100% of the steam requirements forthe turbine driven AFW pump. For Unit 1, the turbine driven AFW pumpsteam feed lines from each of the three main steam lines combine to formone supply header. The single header then splits into two parallel pathswith one Train "A" operated and one Train "B" operated isolation valve on each pathway. The two parallel paths then combine into one headerwhich supplies steam to the turbine driven AFW pump. For Unit 2, theturbine driven AFW pump steam feed lines from each of the three main steam lines contain two in-line series solenoid operated isolatlon valves.Downstream of the series isolation valves, the three lines combine to formone main header. The main header then supplies the turbine driven AFW pump. Although the turbine driven pump in each Unit is capable ofreceiving the required steam supply from any one of the three main steam lines, only two steam feed lines are required OPERABLE.The flow path from the primary plant demineralized water storage tank (PPDWST) (WT-TK-10 (Unit 1)and 2FWE-TK210 (Unit 2)) to the SGsconsists of individual supply lines to each of the three AFW pumps. Each motor driven AFW pump is connected to its train related supply header.In addition, for Unit 1, each motor driven AFW pump has the ability to bealigned to the opposite train header. The turbine driven pump can alsobe afigned to either the Train "A" or "B" supply header.Beaver Valley Units 1 and 2 B3.75-1Revision 0 AFW SystemB 3.7.5 BASESBACKG ROUN D (conti nued)The Train "A" and "8" supply headers branch out to each SG feedwaterline via three normally open remotely operated valves arranged in parallel flow paths. The individual Train "A" and "8" supply header flow paths arethen combined into one common feedwater line injection header for each SG. The common feedwater injection headers each contain a checkvalve. Each common feedwater injection header supplies a separate SGvia the normal feedwater header downstream of the feedwater isolation valves.The SGs function as a heat sink for core decay heat. The heat load isdissipated by releasing steam to the atmosphere from the SGs via the main steam safety valves (MSSVs) or atmospheric dump valves (ADVs).lf the main condenser is available, steam may be released via the steam dump valves.The AFW System is capable of supplying feedwater to the SGs duringnormal unit startup, shutdown, and hot standby conditions. During a normal plant cooldown, one pump at full flow is sufficient to remove decay heat and cool the unit to residual heat removal (RHR) entryconditions. Thus, the requirement for diversity in motive power sources for the AFW System is met.The AFW System is designed to supply sufficient water to the SG(s) toremove decay heat with SG pressure at the setpoint of the MSSVS.Subsequently, the AFW System supplies sufficient water to cool the unit to RHR entry conditions, with steam released through the ADVs.The AFW System actuates automatically on SG water level

• low low bythe ESFAS (LCO 3.3.2). The system also actuates on Undervoltage

-RCP bus (turbine driven AFW pump only), safety injection, and trip of allrunning MFW pumps (motor driven AFW pumps only).The AFW System is discussed in the UFSAR, Section 10.3.5.2.2 (Unit 1)and Section 10.4.9 (Unit 2) (Ref 1).APPLICABLE SAFETY ANALYSESThe AFW System mitigates the consequences of any event with loss of 'normal feedwater.The design basis of the AFW System is to supply water to the SG toremove decay heat and other residual heat by delivering at least theminimum required flow rate to the SGs at pressures corresponding to thelowest MSSV set pressure plus 1%.Beaver Valley Units 1 and 28 3.7.5 - 2 Revision 0 AFW SystemB 3.7.5 BASES APPLICABLE SAFETY ANALYSES (continued) ln addition, the AFW System must supply enough makeup water toreplace the SG secondary inventory lost as the unit cools to MODE 4conditions. Sufficient AFW flow must also be available to account for flow losses such as pump recirculation and line breaks.The limiting Design Basis Accident (DBA) for the AFW System are loss of normal feedwater and feedwater line break.For the loss of normal feedwater and feedwater line break, the analyses are performed assuming loss of offsite power coincident with reactor trip.The limiting single active failure is the failure of the turbine driven AFW pump, which requires both remaining motor driven AFW pumps to be OPERABLE.The AFW System design is such that it can perform its function following a feedwater line break (FWLB) between the MFW isolation valves and containment, combined with a loss of offsite power following turbine trip,and a single active failure of an AFW pump. Sufficient flow would bedelivered to the two intact SGs by the two remaining AFW pumps. No pump runout occurs due to the cavitating venturis. Two motor driven pumps or one motor driven pump combined with the turbine driven pumpcan deliver the design bases flows to the intact SGs during a FWLB. There are two distinct flows that must be delivered during a FWLB. They are prior to fault isolation (i.e., during the first 15 minutes) and subsequentto fault isolation via operator action. Any two of the three AFW pumps arecapable of supplying the flows required prior and subsequent to fault isolation.The AFW System design is such that it can perform its function followinga total loss of normal feedwater. Any two of the three AFW pumps arecapable of supplying the required flows to the three intact SGs during this event.With one feedwater injection header inoperable, an insufficient number ofSGs are available to meet the feedline break analysis. This analysis assumes AFW flow will be provided to the two remaining intact feedwaterlines. Should a feedline break occur on one of the OPERABLE feedwater headers with one feedwater injection header already inoperable, the plant could no longer meet its safety analysis.The ESFAS automatically actuates the AFW turbine driven pump and associated power operated valves and controls when required to ensurean adequate feedwater supply to the SGs during loss of power. Power operated valves are provided for each AFW line to control the AFW flowto each SG. Beaver Valley Units 1 and 2 B 3.7.5 - 3Revision 0 AFW SystemB 3.7.5 BASES APPLICABLE SAFETY ANALYSES (continued)The AFW System satisfies the requirements of Criterion 3 of 10 CFR 50.36(c)(2xii). LCO This LCO provides assurance that the AFW System will perform itsdesign safety function to mitigate the consequences of accidents that could result in overpressurization of the reactor coolant pressure boundary. Three AFW pumps in three trains are required to beOPERABLE to ensure the availability of decay heat removal capability forall events accompanied by a loss of offsite power and a single failure.This is accomplished by powering two of the pumps from independentemergency buses. The third AFW pump is powered by a different means,a steam driven turbine supplied with steam from a source that is not isolated by closure of the MSlVs.ln addition, the LCO requires three feedwater injection headers to be OPERABLE. The common feedwater line injection headers must be OPERABLE to ensure the required AFW trains have the capability of providing flow to all three SGs.The AFW System is configured into three trains. The AFW System isconsidered OPERABLE when the components and flow paths required to provide redundant AFW flow to the steam generators are OPERABLE.OPERABILITY of the three feedwater trains shall consist of:One motor driven AFW pump with a flow path from the PPDWST toeach feedwater line injection header via the Train "A" supply header.One motor driven AFW pump with a flow path from the PPDWST to each feedwater line injection header via the Train "8" supply header.One turbine driven AFW pump capable of being powered from twosteam supplies with a flow path from the PPDWST to each feedwater line injection header via the designated train supply header. Only two out of three steam supply lines to the turbine driven pump must be OPERABLE to provide the required redundancy. The piping, valves, instrumentation, and controls in the required flow paths also are required to be OPERABLE. a.b.C.Beaver Valley Units 1 and 2 B3.75-4Revision 0 AFW SystemB 3.7.5 BASES LCO (continued)The LCO is modified by a Note indicating that one AFW train, whichincludes a motor driven pump and the required feedwater injectionheader(s), are required to be OPERABLE in MODE 4. One motor driven AFW train and the feedwater injection header(s) required to support flowto the SG(s) being relied on for decay heat removal are sufficient inMODE 4. The other AFW trains and injection headers are not required OPERABLE in this MODE. This is because of the reduced heat removal requirements and short period of time in MODE 4 during which the AFWis required and the insufficient steam available in MODE 4 to power theturbine driven AFW pump.APPLlCABILITYIn MODES 1, 2, and 3, the AFW System is required to be OPERABLE inthe event that it is called upon to function when the MFW is lost. lnaddition, the AFW System is required to supply enough makeup water to replace the steam generator secondary inventory, lost as the unit cools toMODE 4 conditions.ln MODE 4 the AFW System may be used for heat removal via the steam generators.ln MODE 5 or 6, the steam generators are not normally used for heatremoval, and the AFW System is not required. ACTIONSA Note prohibits the application of LCO 3.0.4.b to an inoperable AFWtrain when entering MODE 1. There is an increased risk associated with entering MODE 1 with an AFW train inoperable and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified conditionin the Applicability with the LCO not met after performance of a riskassessment addressing inoperable systems and components, should not be applied in this circumstance. A.1 lf the turbine driven AFW train is inoperable due to one inoperable steam supply in MODE 1,2, or 3, or if a turbine driven pump is inoperable for any reason while in MODE 3 immediately following refueling, action mustbe taken to restore the inoperable equipment to an OPERABLE statuswithin 7 days. The 7 day Completion Time is reasonable, based on thefollowing reasons:a. For the inoperabillty of the turbine driven AFW pump due to one inoperable steam supply in MODE 1,2, or 3, the 7 day CompletionTime is reasonable since there is a redundant steam supply line forthe turbine driven pump and the turbine driven train is still capable of performrng its specified function.Beaver Valley Units 1 and 2 B3.75-5Revision 0 AFW System B 3.7.5 BASES ACTIONS (continued) b.For the inoperability of a turbine driven AFW pump while in MODE 3 immediately subsequent to a refueling, the 7 day Completion Time is reasonable due to the minimal decay heat levels in this situation. For both the inoperability of the turbine driven pump due to one inoperable steam supply and an inoperable turbine driven AFW pump while in MODE 3 immediately folfowing a refueling outage, the 7 day Completion Time is reasonable due to the availability of redundant OPERABLE motor driven AFW pumps, and due to the low probability of an event requiring the use of the turbine driven AFW pump.The second Completion Time for Reguired Action A.1 establishes a limiton the maximum time allowed for any combination of Conditions to beinoperable during any continuous failure to meet this LCO.The 10 day Completion Time provides a limitation time allowed in thisspecified Condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B areentered concurrently. The AND connector between 7 days and 10 daysdictates that both Completion Times apply simultaneously, and the morerestrictive must be met.Condition A is modified by a Note which limits the applicability of theCondition for an inoperable turbine driven AFW pump in MODE 3 to whenthe unit has not entered MODE 2 following a refueling. Condition Aallows one AFW train to be inoperable for 7 days vice the 72 hour Completion Time in Condition B. This longer Completion Time is basedon the reduced decay heat following refueling and prior to the reactorbeing critical. B.1 and 8.2 With one of the required AFW trains (pump or flow path) inoperable inMODE 1, 2, ar 3 for reasons other than Condition A, action must be takento realign OPERABLE AFW pumps to separate train supply headerswithin 2 hours (if both train supply headers are OPERABLE) and to restore the AFW train to OPERABLE status within 72 hours. This Condition includes the loss of two required steam supply lines to theturbine drrven AFW pump. Required Action 8.1 to realign the OPERABLE pumps to separate supply headers preserves trainseparation and enhances system reliability. The two hours allowed forthis Action is reasonable based on operating experience to perform thespecified task. The 72 hour Completion Time is reasonable, based onredundant capabilities afforded by the AFW System, time needed forrepairs, and the low probability of a DBA occurring during this time period.Beaver Valley Units 1 and 2B 3.7.5 - 6Revision 0 AFW SystemB 3.7.5 BASES ACTIONS (continued)Required Action 8.1 is modified by a Note indicating that the RequiredAction is only applicable if both supply headers are OPERABLE.With one inoperable AFW pump, the remaining two AFW pumps will bealigned to separate redundant headers capable of supplying flow to each steam generator.A realistic analysis of a loss of normal feedwater event demonstrates thatone motor driven AFW pump will maintain sufficient steam generator inventory to provide a secondary heat sink and prevent the RCS fromexceeding applicable pressure and temperature limits.For Unit 1, the licensing basis has changed to a requirement for two ofthree AFW pumps to meet the flow requirements for the limiting DBAs.This change was necessitated by the installation of cavitating venturis in the AFW injection paths. The venturis protect the AFW pumps fromrunout conditions and allow for flow to be directed to the intact steam generators during a FWLB. Cavitating venturis in each individual injection path to the steam generators ensure that sufficient flow will be deliveredto the two intact steam generators during a FWLB. Since no single failures are assumed to occur while in an Action Condition, adequate flowcan be supplied by the two OPERABLE AFW pumps. Based on this, the Completion Time of 72 hours for one inoperable AFW purnp continues toremain applicable. This change to the Unit 1 licensing basis is consistent with the original licensing basis for Unit 2.The second Completion Time for Required Action B.2 establishes a limit on the maximum time allowed for any combination of Conditions to be inoperable during any continuous failure to meet this LCO.The 10 day Completion Time provides a limitation time allowed in this specified Condition after discovery of failure to meet the LCO. This limitis considered reasonable for situations in which Conditions A and B are entered concurrently. The AND connector between 72 hours and 10 daysdictates that both Completion Times apply simultaneously, and the more restrictive must be met.C.1 and C.2With one of the required motor driven AFW trains (pump or flow path)inoperable in MODE 1 , 2, or 3, and the turbine driven AFW train inoperable due to one inoperable steam supply in MODE 1,2, or 3, acttonmust be taken to restore the affected equipment to OPERABLE statuswithin 24 hours. ln this condition, the AFW System may no longer beable to meet the required flow to the SGs assumed in the safety analysis (i.e., from two AFW pumps). Even assuming no further single activeBeaver Valley Units 1 and 2B 3.7.5 - 7 Revisron 0 AFW SystemB 3.7.5 BASES ACTIONS (continued)failures when in this Condition, the accident (a FLB or MSLB) could result in the loss of the remaining steam supply to the turbine driven AFW pump. Therefore, only a single OPERABLE AFW pump may be left tomitigate the accident. The 24 hour Completion Time is reasonable, based on the redundantOPERABLE steam supply to the turbine driven AFW pump, theavailability of the remaining OPERABLE ryotor driven AFW pump, andthe low probability of an event occurring that would require the inoperablesteam supply to be available for the turbine driven AFW pump.D.1 and D.2When Required Action A.1 , B. 1 , 8.2, C. 1 , or C.2 cannot be completedwithin the required Completion Time, or. lf two AFW trains are inoperable in MODE 1, 2,or 3 for reasons otherthan Condition C. or. lf one or two feedwater injection headers are inoperable in MODE 1,2, ar 3,the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 4 within 18 hours.The allowed Completion Times are reasonable, based on operatingexperience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.In MODE 4 with two AFW trains inoperable, operation is allowed tocontinue because only one motor driven pump AFW train is required in accordance with the Note that modifies the LCO. lf a motor driven AFW pump is not available in MODE 4 and the SG(s) are relied on for decayheat removal then Condition F is applicable. However, in MODE 4, twoRHR loops may be used for decay heat removal in lieu of the SG(s)consistent with the requirements of LCO 3.4.6, "RCS Loops - MODE 4."tn MODE 4, with one or two feedwater injection headers inoperable, operation is allowed to continue because the remaining OPERABLEinjection header(s) provide a flow path to the SG(s) relied on for decay heat removal. Additionally, in MODE 4, the RHR loops may be used inlieu of or to supplement the SG(s) for decay heat removal consistent withthe requirements of LCO 3.4.6, "RCS Loops - MODE 4."Beaver Valley Units 1 and 2 B375-8Revision 0 AFW SystemB 3.7.5 BASES ACTIONS (continued) E.1 lf all three AFW trains or if all three feedwater injection headers areinoperable in MODE 1,2, or 3, the unit is in a seriously degraded condition with no safety related means for conducting a cooldown, and only limited means for conducting a cooldown with nonsafety related equipment. In such a condition, the unit should not be subjected to areduction in MODE that could increase the likelihood of the AFW System being required to support heat removal. The seriousness of this conditionrequires that action be started immediately to restore one AFW train toOPERABLE status with the capability of providing flow to the steam generator(s).Required Action E.1 is modified by a Note indicating that all requiredMODE changes are suspended until one AFW train is restored toOPERABLE status with the capability of providing flow to the steam generator(s). In this case, LCO 3.0.3 is not applicable because it couldforce the unit into a less safe condition. F.1In MODE 4, either the reactor coolant pumps or the RHR loops can be used to provide forced circulation. This is addressed in LCO 3.4.6, "RCS Loops - MODE 4." With one required AFW train or with the requiredfeedwater injection header(s) inoperable, action must be taken toimmediately restore the inoperable train to OPERABLE status with thecapability of providing flow to the steam generator(s). The immediate Completion Time is consistent with LCO 3.4.6.SURVEILLANCE REQUIREMENTS For the following AFW Surveillance Requirements (SRs), constant communications shall be established and maintained between the control room and the auxiliary feed pump room while any normat AFW pump discharge valve is closed during surveillance testing.sR 3.7.5.1 Verifying the correct alignment for manual, power operated, and automatic valves in the AFW System water and steam supply flow paths provides assurance that the proper flow paths will exist for AFWoperation. Completing verification includes re-verifying these requirements by a second and independent operator. This SR does notapply to valves that are locked, sealed, or otherwise secured in position, since they are verified to be in the correct position prior to locking,sealing, or securing. This SR also does not apply to valves that cannotBeaver Valley Units 1 and 2B 3.7.5 - 9 Revision 0 AFW SystemB 3.7.5 BASES SURVEILLANCE REQUIREMENTS (continued) be inadvertently misaligned, such as check valves. This Surveillancedoes not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position.The SR is modified by a Note that states one or more AFW trains may beconsidered OPERABLE during alignment and operation for steam generator level control, if it is capable of being manually (i.e., remotely or locally, as appropriate) realigned to the AFW mode of operation, providedit is not otherwise inoperable. This exception allows the system to be out of its normal standby alignment and temporarily incapable of automaticinitiation without declaring the train(s) inoperable. Since AFW may beused during startup, shutdown, hot standby operations, and hot shutdown operations for steam generator level control, and these manualoperations are an accepted function of the AFW System, OPERABILITY (i.e., the intended safety function) continues to be maintained. The 31 day Frequency is based on engineering judgment, is consistentwith the procedural controls governing valve operation, and ensures correct valve positions.sR 3.7.5.2 Verifying that each AFW pump's developed head at the flow test point is greater than or equal to the required developed head ensures that AFWpump performance has not degraded during the cycle. The term"required developed head" refers to the value that is assumed in the AFWsafety analysis for developed head at a flow point. This value for requireddeveloped head at a flow point is defined as the Minimum Operating Point (MOP) in the Inservice Testing Program. Flow and differential head are normal test parameters of centrifugal pump performance required by the ASME Code (Ref 2). Because it is undesirable to introduce cold AFW into the steam generators while they are operating, this testing is normally performed on recirculation flow. For Unit 1, the recirculation flow rate isassumed to be a fixed value since the recirculation lrne flow resistance remains constant. For Unit 2, the recirculation flow rate is adjusted to aspecific value. This test confirms one point on the pump design curve and is indicative of overall performance. Such inservice tests confirm component OPERABILITY, trend performance, and detect incipient failures by indicating abnormal performance. Performance of inservicetesting as required in the ASME Code (Ref. 2) satisfies this requirement. This SR is modified by a Note indicating that the SR should be deferred until suitable test conditions are established for testing the turbine driven AFW pump. This deferral is required because there is insufficient steam pressure to perform the test.Beaver Valley Units 1 and 2B 3.7.5 - 10Revision 0 AFW SystemB 3.7.5 BASES SURVEILLANCE REQU I REMENTS (continued)sR 3.7.5.3 This SR verifies that AFW can be delivered to the appropriate steam generator in the event of any accident or transient that generates anESFAS, by demonstrating that each automatic valve in the flow pathactuates to its correct position on an actual or simulated actuation signal.This Surveillance is not required for valves that are locked, sealed, orotherwise secured in the required position under administrative controls.The 18 month Frequency is based on the need to perform thisSurveillance under the conditions that apply during a unit outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. However, this does not preclude performance of this Surveillance at power when it can be accomplished in a safemanner. The 18 month Frequency is acceptable based on operatingexperience and the design reliability of the equlpment. The SR is modified by two Notes. Note 1 states one or more AFW trains may be considered OPERABLE during alignment and operation for steam generator level control, if it is capable of being manually (i.e., remotely orlocally, as appropriate) realigned to the AFW mode of operation, providedit is not otheruuise inoperable. This exception allows the system to be outof its normal standby alignment and temporarily incapable of automaticinitiation without declaring the train(s) inoperable. Since AFW may beused during startup, shutdown, hot standby operations, and hot shutdownoperations for steam generator level control, and these manualoperations are an accepted function of the AFW System, OPERABILITY (i.e., the intended safety function) continues to be maintained. Note 2indicates the SR is not required to be met in MODE 4 when the steam generator(s) are relied upon for heat removal. ln MODE 4, the heatremoval requirements are less such that more time is available foroperator action to manually initiate AFW if necessary.sR 37.54 This SR verifies the AFW pumps will start in the event of any accident ortransient that generates an ESFAS by demonstrating each AFW pumpstarts automatically on an actual or simulated actuation signal in MODES 1, 2, and 3. In MODE 4, the required pump's autostart feature lsnot required. The 18 month Frequency is based on the need to performthis Surveillance under the conditions that apply during a unit outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. However, this does not preclude performance of this Surveillance at power when it can be accomplished ina safe manner. Beaver Valley Units 1 and 2 B3.75-11 Revision 0 AFW SystemB 3.7.5 BASES SURVEILLANCE REQU I REMENTS (continued) This SR is modified by three Notes. Note 1 indicates the SR be deferreduntil suitable test conditions are established for testing the turbine driven AFW pump. This deferral is required because there is insufficient steam pressure to perform the test. Note 2 states that one or more AFW trains may be considered OPERABLE during alignment and operation for steam generator level control, if it is capable of being manually (i.e., remotely orlocally, as appropriate) realigned to the AFW mode of operation, providedit is not othenruise inoperable. This exception allows the system to be out of its normal standby alignment and temporarily incapable of automaticinitiation without declaring the train(s) inoperable. Since AFW may beused during startup, shutdown, hot standby operations, and hot shutdown operations for steam generator level control, and these manual operations are an accepted function of the AFW System. OPERABILITY (i.e., the intended safety function) continues to be maintained. Note 3 indicates the SR is not required to be met in MODE 4 when steam generator(s) are relied upon for heat removal. ln MODE 4, the heatremoval requirements are less such that more time is available for operator action to manually initiate AFW if necessary.sR 3.7.5.5This SR verifies the AFW is properly aligned by verifying the flow pathsfrom the PPDWST (WT-TK-10 (Unit 1)and 2FWE-TKZ1O (Unit 2)) toeach steam generator prior to entering MODE 2 after more than 30 cumulative days in any combination of MODE 5 or 6 or defueled.OPERABILITY of AFW flow paths must be verified before sufficient coreheat is generated that would require the operation of the AFW Systemduring a subsequent shutdown. The Frequency is reasonable, based on engineering judgement and other administrative controls that ensure flow paths remain OPERABLE. To further ensure AFW System alignment, flow path OPERABILITY is verified following extended outages to determine no misalignment of valves has occurred. This SR ensures the flow path from the PPDWST to the steam generators is properly aligned.REFERENCES 2.1.UFSAR, Section 10.3.5.2 2 (Unit 1)and Section 10.4.9 (Unit 2).ASME code for Operation and Maintenance of Nuclear Power Plants.Beaver Valley Units 1 and 2B 3.7.5 - 12Revision 0 B 3.7 PLANT SYSTEMS B 3.7.6 erimary Plant Demineralized Water Storage Tank (PPDWST)BASES BACKGROUNDThe PPDWST provides a safety grade source of water to the steam generators for removing decay and sensible heat from the ReactorCoolant System (RCS). The PPDWST provides a passive flow of water, by gravity, to the Auxiliary Feedwater (AFW) System (LCO 3.7.5). The steam produced is released to the atmosphere by the main steam safety valves or the atmospheric dump valves. The AFW pumps operate with recirculation to the PPDWST to ensure a minimum pump flow is maintained. Because the PPDWST is a principal component in removing residual heat from the RCS, it is designed to withstand earlhquakes and other natural phenomena, including missiles that might be generated by natural phenomena. The PPDWST is designed to Seismic Category l to ensureavailability of the feedwater supply. Feedwater is also avallable fromalternate sources. A description of the PPDWST is found in the UFSAR, Section 10.3.5.2.2 (Unit 1) and Section 10.4.9 (Unit 2) (Ref. 1 ).APPLICABLE SAFETY ANALYSES The auxiliary feedwater pumps are normally aligned to take suction from the PPDWST. The PPDWST provides cooling water to remove decayheat and to cool down the unit. Since the Engineered Safety Feature (ESF) design function requires that sufficient feedwater be availabte during transient and accident conditions to place the unit in a safe shutdown condition, the limiting event for the condensate volume is a lossof offsite power (LOOP) transient. ln the event of a LOOP, the PPDWSTinventory must be available to maintain the unit in MODE 3 for t hours with steam discharge to the atmosphere and with no reactor coolant pumps in operation. The minimum usable volume conservatively boundsthe analysis value. The minimum usable volume may be appropriatelyincreased to account for measurement uncertainties.The PPDWST satisfies Criterion 3 of 10 CFR 50.36(cX2xii).Beaver Valley Units 1 and 2 B3.76-1Revision 0 PPDWSTB 3.7.6 BASES LCO The PPDWST level required is equivalent to a usable volume of> 130,000 gallons, which is based on maintaining the unit in MODE 3 for t hours with steam discharge to the atmosphere and with no reactor coolant pumps in operation following a LOOP and subsequent reactor tripfrom full power.The OPERABILITY of the PPDWST is determined by maintaining thetank level at or above the minimum required level. APPLICABILITYln MODES 1, 2, and 3, and in MODE 4, when steam generator is being relied upon for heat removal, the PPDWST is required to be OPERABLE.In MODE 5 or 6, the PPDWST is not required because the AFW Systemis not required. ACTIONSA.1 and A.2 lf the PPDWST is not OPERABLE, the OPERABILITY of the backup supply (i.e., river/service water systems) should be verified by administrative means within 4 hours and once every 12 hours thereafter.OPERABILITY of the backup water supply must include verification that the flow paths from the backup water supply to the AFW pumps are OPERABLE. The PPDWST must be restored to OPERABLE status within 7 days, because the backup supply may be performing this function in addition to its normal functions. The 4 hour Completion Time is reasonable, based on operating experience, to verify the OPERABILITY ofthe backup water supply. Additionally, verifying the backup water supplyevery 12 hours is adequate to ensure the backup water supply continues to be available. The 7 day Completion Time is reasonable, based on an OPERABLE backup water supply being available, and the low probability ofan event occurring during this time period requiring the PPDWST.8.1 and 8.2 lf the PPDWST cannot be restored to OPERABLE status within theassociated Completion Time, the unit must be placed in a MODE in whichthe LCO does not apply. To achieve this status, the unit must be placedin at least MODE 3 within 6 hours, and in MODE 4, without reltance onthe steam generator for heat removal, within 24 hours. The allowed Completion Times are reasonable, based on operating experience, toreach the required unit conditions from full power conditions in an orderlymanner and without challenging unit systems. Beaver Valley Units 1 and 2 B376-2 Revision 0 BASES SURVEILLANCE SR 3.7.6.1 REQUIREMENTS This SR verifies the PPDWST contains the required usable volume of cooling water. The 12 hour Frequency is based on operating experienceand the need for operator awareness of unit evolutions that may atfect thePPDWST inventory between checks. Also, the 12 hour Frequency isconsidered adequate in view of other indications in the control room, including alarms, to alert the operator to abnormal deviations in thePPDWST level. REFERENCES

1. UFSAR, Section 10.3.5.2.2 (Unit 1) and Section 10.4.9 (Unit 2).Beaver Valley Units 1 and 2 B3.76-3Revision 0 CCW SystemB 3.7.7 B 3.7 PLANT SYSTEMSB 3.7.7 Component Cooling Water (CCW) System BASES BACKGROUND The CCW System, which is commonly referred to as the PrimaryComponent Cooling Water System for Unit 2, provides a heat sink for the removal of process and operating heat from components during normaloperation. The CCW System serves as a barrier to the release ofradioactive byproducts between potentially radioactive systems and the Service Water System, and thus to the environment.The CCW System consists of two 1A0% capacity, cooling water trains.Each train shares common piping headers and may be crosstied duringnormal operation. The CCW System consists of three rc}% capacity pumps, heat exchangers, and associated surge tank (Unit 1 utilizes one surge tank common for both trains). UFSAR, Section 9.4 (Unit 1)andSection 9.2.2.1 (Unit 2) (Ref. 1) lists the required flows for the various equipment cooled by the CCW System. The largest primary CCW heat load occurs during unit cooldown when the Residual Heat Removal (RHR) System is initially placed in operation. With the service water temperature at its maximum limit, two CCW pumps and two CCW heatexchangers can transfer the design heat loads from all components served. During most operating conditions, however, only one CCW pumpis necessary to transfer the heat loads. One CCW pump motor is powered from one of the two emergency 4,160 V switchgear buses and asecond CCW pump motor is powered from the other bus. The third CCW pump motor, which is not normally connected to either of the buses canbe manually connected to either. Additional information on the designand operation of the CCW System, afong with a list of the components served, is presented in Reference 1.APPLICABLE SAFETY ANALYSES The CCW System serves no Design Basis Accident (DBA) loss of coolant accident (LOCA) mitigation function and is not a system which functionsto mitigate the failure of or presents a challenge to the integrity of a fission product barrier. The CCW System has redundant components to ensure performance of the cooling function in the event of a single failure. The principal function of the CCW System is the removal of decay heat from the reactor via the RHR System. The RHR System does not perform aDBA mitigation function. The CCW System is not required in short termaccident scenarios to provide cooling water to mitigate the consequencesof DBAs. The CCW System, however, is used to supply the RHR heatexchangers, in long term DBA scenarios, with cooling water to cool the unit from RHR entry conditions to Cold Shutdown. The time required for cooldown is a function of the number of CCW and RHR trains operating, Beaver Valley Units 1 and 28 3.7.7 - 1 Revision 0 CCW SystemB 3.7.7 BASES APPLICABLE SAFETY ANALYSES (continued)the auxiliary CCW System heat loads (other than RHR), and the service water temperature. The CCW System has been identified in the probabilistic safety assessment as significant to public health and safety.The CCW System satisfies Criterion 4 of 10 CFR 50.36 (c) (2) (ii).LCO The CCW trains are independent of each other to the degree that eachhas separate controls and power supplies.

Should the need arise tocooldown the unit, two trains of CCW must be OPERABLE. At least oneCCW train will operate assuming the worst case single active failureoccurs coincident with a loss of offsite power.A CCW train is considered OPERABLE when: The pump and associated surge tank are OPERABLE andThe associated piping, valves, heat exchanger, and instrumentation and controls required to perform the required function are OPERABLE.Each CCW train is considered OPERABLE if it is operating or if it can be placed in service manually.a.b.APPLICABILITYIn MODES 1, 2, 3, and 4, the CCW System is a normally operating system. In MODE 4, the CCW System must be prepared to perform itsReactor Coolant System heat removal function, which is achieved bycooling the RHR heat exchanger.In MODE 5 or 6, the OPERABILITY requirements of the CCW System are determined by the systems it supports. ACTIONS 4.1Required Action A.1 is modified by a Note indicating that the applicableConditions and Required Actions of LCO 3.4.6, "RCS Loops - MODE 4,"be entered if an inoperable CCW train results in an inoperable RHR loop.This is an exception to LCO 3.0.6 and ensures the proper actions are taken for these components.lf one CCW train is inoperable, action must be taken to restore it toOPERABLE status within 72 hours. ln this Condition, the remainingOPERABLE CCW train is adequate to perform the heat removal function.The 72 hour Completion Time is reasonable, based on the redundantcapabilities afforded by the OPERABLE train.Beaver Valley Units 1 and 2 B3.77-2 Revision 0 CCW SystemB 3.7.7 BASES ACTIONS (continued) 8.1 and 8.2lf the CCW train cannot be restored to OPERABLE status within theassociated Completion Time, the unit must be placed in a MODE in whichthe LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours and in MODE 5 within 36 hours. Theallowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full powerconditions in an orderly manner and without challenging unit systems. c.1Condition C applies to two inoperable CCW trains. Condition C is modified by a Note that states the Condition is only applicable in MODE 4 with inadequate CCW flow to the RHR heat exchangers to support the required decay heat removal needed to maintain the unit in MODE 5. Inaddition, the Actions are modified by a Note that states LCO 3.0.3 and allother LCO Actions requiring a MODE change from MODE 4 to MODE 5are suspended until adequate CCW flow to the RHR heat exchangers is established to maintain the unit in MODE 5.With two inoperable CCW trains, LCO 3.0.3 would be applicable in MODES 1,2, and 3 and result in the plant being placed in MODE 4.However, without adequate RHR decay heat removal capability,transitioning to MODE 5 from MODE 4 in accordance with LCO 3.0.3 may not be possible. ln this case, Condition C would be applicable in MODE 4and would replace LCO 3.0.3 for two inoperable CCW trains. Condition C provides more appropriate Actions than LCO 3.0.3 for reaching MODE 5 when the required RHR cooling capacity is not available. lf adequateRHR decay heat removal capability is available to transition frorn MODE 4 to MODE 5, Condition C would not be applicable and the requirements ofLCO 3.0.3 would be applied until the plant reached MODE 5.With two CCW trains inoperable and inadequate CCW flow to the RHRheat exchangers to support the required decay heat removal function, action must be initiated immediately to restore one CCW train toOPERABLE status. The action and Completion Time are reasonable, considering the required decay heat removal capacity to maintain the unitin MODE 5 is not available and the other systems available in MODE 4 to safely remove decay heat until adequate cooling capacity rs restored to place and rnaintain the unit in MODE 5.Beaver Valley Units 1 and 2 B37.7 -3 Revision 7 CCW SystemB 3.7.7 BASES SURVEILLANCE SR 3.7.7.1 REQUIREMENTS This SR is modified by a Note indicating the isolation of the CCW flow toindividual components may render those components inoperable butdoes not affect the OPERABILITY of the CCW System.Verifying the correct alignment for manual, power operated, and automatic valves in the CCW flow path to the RHR heat exchangers provides assurance the proper flow paths exist for CCW operation. ThisSR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves are verified to be in the correct position prior to locking, sealing, or securing. This SR also does not apply tovalves that cannot be inadvertently misaligned, such as check valves.This Surveillance does not require any testing or valve manipulation;rather, it involves verification that those valves capable of being mispositioned are in the correct position.The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions. REFERENCES 1.UFSAR, Section 9.4 (Unit 1) and Section 9.2.2.1 (Unit 2).Beaver Valley Units 1 and 2 B3.77-4Revision 0 B 3.7 PLANT SYSTEMS B 3.7.8 Service Water System (SWS)BASES BACKGROUNDThe SWS, which is commonly referred to as the Reactor Plant RiverWater System for Unit 1 , provides a heat sink for the removal of processand operating heat from safety related components during a Design Basis Accident (DBA) or transient. During normal operation, and a normalshutdown, the SWS also provides this function for various safety related and nonsafety related components. The safety related function iscovered by this LCO.The SWS consists of two 100% capacity, safety related, cooling water trains. There are three 100% capacity main SWS pumps capable of taking suction from the Ohio River at the intake structure supplying thetwo trains. For Unit 1, one SWS pump is normally operated to supply the quantity of water needed for the essential cooling requirements for alloperating conditions. For Unit 2, two SWS pumps are normally operatedconcurrently to supply the quantity of water needed for the essential cooling requirements for all operating conditions. One SWS pump motor is powered from one of the two emergency 4,160 V switchgear buses anda second SWS pump motor is powered from the other bus. The third SWS pump motor, which is not normally connected to either of the busescan be manually connected to either. The SWS provides cooling water to such loads as the Diesel Generator Cooling System heat exchangers, the Recirculation Spray System heat exchangers, control room emergencycooling coils, charging pump lube oil coolers, and component cooling water heat exchangers. In addition, the SWS provides a source of emergency makeup water to the Auxiliary Feedwater System. Only one of three SWS pumps is needed to provide the cooling for the minimumnumber of components required for safe shutdown following a DBA. In the event of a DBA or transient, initiating a containment isolation phase Bsignal, the SWS is designed to supply sufficient cooling water to safelyshutdown the unit, assuming any single active component failurecoincident with a loss of offsite power (LOOP).Additional information about the design and operation of the SWS, alongwith a list of the components served, is presented in the UFSAR, Section 9.9 (Unit 1)and Section 9.2.1 (Unit 2) (Ref. 1).APPLICABLE SAFETY ANALYSESThe design basis of the SWS is for one SWS train to provide cooling to safety related components, required for safe shutdown, following a DBA.These components are listed in Reference 1. The SWS is designed to perform its function with a single failure of any active component,assuming a LOOP. The SWS, in conjunction with the ComponentBeaver Valley Units 1 and 2 B37.8-1Revision 0 BASES APPLICABLE SAFETY ANALYSES (continued) Cooling Water (CCW) System, also cools the unit from residual heat removal (RHR) entry conditions to Cold Shutdown during normal and post accident operations (Reference 2). The time required for this evolution is a functlon of the number of CCW and RHR System trains that are operating. The SWS satisfies Criterion 3 of 10 CFR 50.36(c)(2xii). LCO Two SWS trains are required to be OPERABLE to provide the required redundancy to ensure the system functions to remove post accident heat loads, assuming the worst case single active failure occurs coincident with the loss of offsite power.An SWS train is considered OPERABLE during MODES 1 , 2, 3, and 4 when: The pump is OPERABLE and The associated piping, valves, and instrumentation and controlsrequired to perform the safety related function are OPERABLE.a.b.APPLICABILITY ln MODES 1, 2, 3, and 4, the SWS is a normally operating system that is required to support the OPERABILITY of the equipment serviced by theSWS and required to be OPERABLE in these MODES.In MODES 5 and 6, the OPERABILITY requirements of the SWS are determined by the systems it supports. ACTIONS 4.1 lf one SWS train is inoperable, action must be taken to restore it to OPERABLE status within 72 hours. ln this Condition, the remainingOPERABLE SWS train is adequate to perform the heat removal function.However, the overall reliability is reduced because a single failure in the OPERABLE SWS train could result in loss of SWS function. Required Action A.1 is modified by two Notes. The first Note indicates theapplicable Conditions and Required Actions of LCO 3.8.1, "AC Sources -Operating," should be entered if an inoperable SWS train results in an inoperable emergency diesel generator. The second Note indicates theapplicable Conditions and Required Actions of LCO 3.4.6, "RCS Loops -MODE 4," should be entered if an inoperable SWS train results in an inoperable decay heat removal train. This is an exception to LCO 3.0.6and ensures the proper actions are taken for these components. The Beaver Valley Units 1 and 2B 378-2Revision 0 BASES ACTIONS (continued) 72hour Completion Time is based on the redundant capabilities affordedby the OPERABLE train, and the low probability of a DBA occurringduring this time period.8.1 and 8.2lf the SWS train cannot be restored to OPERABLE status within theassociated Completion Time, the unit must be placed in a MODE in whichthe LCO does not apply. To achieve this status, the unit must be placedin at least MODE 3 within 6 hours and in MODE 5 within 36 hours.The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. c.1Condition C applies to two inoperable SWS trains. Condition C ismodified by a Note that states the Condition is only applicable in MODE 4with inadequate SWS flow to the CCW heat exchangers to support the required decay heat removal needed to marntain the unit in MODE 5. lnaddition, the Actions are modified by a Note that states LCO 3.0.3 and allother LCO Actions requiring a MODE change from MODE 4 to MODE 5 are suspended until adequate SWS flow to the CCW heat exchangers is established to maintain the unit in MODE 5.With two inoperable SWS trains, LCO 3.0.3 would be applicabfe inMODES 1 , 2, and 3 and result in the plant being placed in MODE 4.However, without adequate RHR decay heat removal capability,transitioning to MODE 5 from MODE 4 in accordance with LCO 3.0.3 may not be possible. In this case, Condition C would be applicable in MODE 4 and would replace LCO 3.0.3 for two inoperable SWS trains. Condition C provides a more appropriate Action than LCO 3.0.3 for reaching MODE 5when the required RHR cooling capacity is not available. lf adequateRHR decay heat removal capability is available to transition from MODE 4to MODE 5, Condition C would not be applicable and the requirements ofLCO 3.0.3 would be applied until the plant reached MODE 5.With two SWS trains inoperable and inadequate SWS flow to the CCWheat exchangers to support the required decay heat removal function bythe RHR System, action must be initiated immediately to restore oneSWS train to OPERABLE status. The action and Completion Time are reasonable, considering the required decay heat removal capacity tomaintain the unit in MODE 5 is not available and the other systems available in MODE 4 to safely remove decay heat until adequate cooling capacity ls restored to place and maintain the unit in MODE 5.Beaver Valley Units 1 and 2B 3.7.8 - 3 Revision 7 SWSB 3.7.8 BASES SURVEILLANCE SR 3.7.8.1 REQUIREMENTS This SR is modified by a Note indicating that the isolation of the SWScomponents or systems may render those components inoperable, but does not affect the OPERABILITY of the SWS.Verifying the correct alignment for manual, power operated, and automatic valves in the SWS flow path provides assurance that the proper flow paths exist for SWS operation. This SR does not apply to valves that are locked, sealed, or othenruise secured in position, sincethey are verified to be in the correct position prior to being locked, sealed, or secured. This SR does not require any testing or valve manipulation;rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply tovalves that cannot be inadvertently misaligned, such as check valves.The 31 day Frequency is based on engineering judgment, is consistentwith the procedural controls governing valve operation, and ensures correct valve positions.sR 3.7.8.2This SR verifies proper automatic operation of the SWS valves on an actual or simulated actuation signal. The SWS is a normally operating system that cannot be fully actuated as part of normal testing. This Surveillance is not required for valves that are locked, sealed, orotherwise secured in the required position under administrative controls.Operating experience has shown these components usually pass the Surveillance when performed at the 18 month Frequency. Therefore, theFrequency is acceptable from a reliability standpoint.sR 3.7.8.3 This SR verifies proper automatic operation of the SWS pumps on anactual or simulated actuation signal. The SWS is a normally operating system that cannot be fully actuated as part of normal testing duringnormal operation. Operating experience has shown these components usually pass the Surveillance when performed at the 18 monthFrequency. Therefore, the Frequency is acceptable from a reliability standpoint. REFERENCES 2.1.UFSAR, Section 9.9 (Unit 1) andUFSAR, Sectron 9.3 (Unit 1) and Section 9-2.1 (Unit 2).Section 5.4.7 (Unit 2).Beaver Valley Units 1 and 2B 3.7.8 - 4 Revision 0 B 3.7 PLANT SYSTEMS B 3.7.9 Ultimate Heat Sink (UHS)BASES BACKGROUNDThe UHS provides a heat sink for processing and operating heat from safety related components during a transient or accident, as well as during normal operation. This is done by utilizing the Service Water System (SWS), which is commonly referred to as the Reactor Plant River Water System for Unit 1. SWS, as used throughout this Bases, applies toboth the Unit 2 SWS and the Unit 1 Reactor Plant River Water System. The UHS for BVPS is the Ohio River as discussed in UFSAR, Section 9.9 (Unit 1) and Section 9.2.5 (Unit 2) (Ref. 1). The two principal functions ofthe UHS are the dissipation of residual heat after reactor shutdown, anddissipation of residual heat after an accident. The UHS and the SWS have interfaces at the SWS intake structure andthe outfall structure. The SWS rnlet water temperature is unaffected by the SWS heat loads, because the outfall structure is located sufficientlydownstream of the intake structures to prevent recirculation. Therefore,SWS temperatures (at the intake structure or inlet header piping) can be used to verify the required UHS temperature. The basic performancerequirements are that a 30 day supply of water be available, and that thedesign basis temperatures of safety related equipment not be exceeded.Additional information on the design and operation of the system, along with a list of components served, can be found in Reference 1.APPLICABLE SAFETY ANALYSES The UHS is the sink for heat removed from the reactor core following allaccidents and anticipated operational occurrences in which the unit is cooled down and placed on residual heat removal (RHR) operation. The operating limits are based on conservative heat transfer analyses forthe worst case LOCA. Reference 1 provides the details of theassumptions used in the analysis, which include worst expected meteorological conditions, conservative uncertainties when calculating decay heat, and worst case single active failure (e.9., single faifure of a manmade structure). The UHS is designed in accordance with Regulatory Guide 1.27 (Ref .2), as addressed in the UFSAR, which requires a 30 day supply of cooling water in the UHS. The UHS satisfies Criterion 3 of 10 CFR 50.36(c)(2xii).Beaver Valley Units 1 and 2 B379-1Revision 0 BASES LCO The UHS is required to be OPERABLE and is considered OPERABLE if it is capable of providing a sufficient volume of water at or below the maximum temperature that would allow the SWS to operate for at least30 days following the design basis LOCA without the loss of net positivesuction head (NPSH), and without exceeding the maximum design temperature of the equipment served by the SWS. To meet thiscondition, the average UHS temperature should not exceed 90'F (Unit 1)and 89"F (Unit 2) and the level should not fall below 654 ft mean sea levelat the intake structure during normal unit operation. APPLICABILITY In MODES 1, 2, 3, and 4, the UHS is required to support the OPERABILITY of the equipment serviced by the UHS and required to be OPERABLE in these MODES. In MODE 5 or 6, the OPERABILITY requirements of the UHS aredetermined by the systems it supports.ACTIONS A.1 and A.2 lf either the UHS temperature or level requirements are not met, the UHSis inoperable and the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at leastMODE 3 within 6 hours and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full powerconditions in an orderly manner and without challenging unit systems.SURVEILLANCE SR 3.7.9.1 REQUIREMENTS This SR verifies adequate long term (30 day) cooling can be maintained., The specified level also ensures sufficient NPSH is available to operatethe SWS pumps. The 24 hour Frequency is based on operatingexperience related to trending of the parameter variations during the applicable MODES. This SR verifies the UHS water level is > 654 ft mean sea level at the intake structure.sR 3.7.9.2 This SR verifies the SWS is available to cool the required loads during maximum accident or normal design heat loads for 30 days following aDesign Basis Accident. The 24 hour Frequency is based on operating Beaver Valley Units 1 and 2 B3.79-2 Revision 0 BASES SURVElLLANCE REQU I REM ENTS (continued)experience related to trending of the parameter variations during theapplicable MODES. This SR verifies the average water temperature of the UHS is < 90'F (Unit 1) and < Bg"F (Unit 2). The UHS temperature can be determined from SWS temperature indicators at the intake structure or on inlet piping headers.REFERENCES 2.1.UFSAR, Section 9.9 (Unit 1) and Section 9.2.5 (Unit 2).Regulatory Guide 1.27 (Unit 2) and Safety Guide 27 (Unit 1).Beaver Valley Units 1 and 2 B3.79-3 Revislon 0 CREVS B 3.7.10 B 3.7 PLANT SYSTEMSB 3.7.10 Control Room Emergency Ventilation System (CREVS)BASES BACKGROUND The Control Room Emergency Ventilation System (CREVS) provides a protected environment from which occupants can control the unit following an uncontrolled release of radioactivity. BVPS has a common control room envelope (CRE) for Unit 1 and Unit 2.The CREVS consists of pressurization fan subsystems, the CRE isolation subsystems, and a CRE boundary that limits the inleakage of unfiltered air.The CRE is the area within the confines of the CRE boundary that contains the spaces that control room occupants inhabit to control the unitduring normal and accident conditions. This area encompasses the control room, and may encompass other non-critical areas to which frequent personnel access or continuous occupancy is not necessary in the event of an accident. The CRE is protected during normal operation, natural events, and accident conditions. The CRE boundary is the combination of walls, floor, roof, ducting, doors, penetrations andequipment that physically form the CRE. The OPERABILIry of the CREboundary must be maintained to ensure that the inleakage of unfiltered air into the CRE will not exceed the inleakage assumed in the licensing basis analysis of design basis accident (DBA) consequences to CRE occupants. The CRE and its boundary are defined in the Control Room Envelope Habitability Program.There are three CREVS pressurization fan subsystems, one (Unit 1) and two (Unit 2). The pressurization fan subsystems draw filtered outside air into the CRE.The CRE isolation subsystems isolate the Unit 1 and Unit 2 normal air intake and exhaust penetration 1;ev,, paths by closing at least one of the two series isolation dampers in each of the four penetration flow paths.Closure of both units' intake and exhaust isolation dampers may be initiated by an isolation signal from either unit. However, the operation ofthe intake and exhaust dampers at each unit is dependent upon the availability of that unit's power sources. The isolation subsystem of a CREVS train consists of all 4 isolation dampers in that train (2 per unit).Both the Unit 1 and Unit 2 isolatron dampers associated with a train are required OPERABLE for an OPERABLE CREVS train. The isolationsubsystem is OPERABLE for a unit when the associated Unit 1 andUnit 2 dampers are capable of closing on that unit's required isolation signals or the damper(s) are secured closed. Beaver Valley Units 1 and 2B 3 7 10 - 1Revision 7 CREVSB 3.7.1 0 BASES BACKG ROUN D (conti nued )The CREVS pressurization fan subsystem located on the Unit 1 side ofthe combined control room consists of one manually started pressurization fan and filter subsystem that provides filtered air to pressurize the CRE. The Unit 1 pressurization fan subsystem filterconsists of a prefilter, an activated charcoal adsorber section for removal of gaseous activity (principally iodines), a high efficiency particulate air (HEPA) filter, and one of the two 1 0O% capacity Unit 1 fans. Only one ofthe two Unit 1 fans is required for an OPERABLE CREVS train. The CREVS pressurization fan subsystems located on the Unit 2 side ofthe CRE consists of two automatically started redundant train related subsystems that draw in outside air through filters to provide filtered air to pressurize the CRE. Each pressurization fan subsystem filter consists ofa moisture separator, a HEPA filter, an activated charcoal adsorber, a second HEPA filter, and a fan. A second bank of HEPA filters follows theadsorber section to collect carbon fines and provide backup in case offailure of the main HEPA filter. For both units, ductwork, heaters, valves or dampers, and instrumentation also form part of the system.Unit 1 can credit any two of the three available CREVS pressurization fansubsystems to meet the LCO requirement for two OPERABLE CREVStrains. However, Unit 2 can only credit the Unlt 2 specific pressurizationfan subsystems to meet the LCO requirement for two OPERABLE CREVS trains.The CREVS is an emergency system, parts of which may also operateduring normal unit operations in the standby mode of operation. Upon receipt of a CREVS actuating signal(s), normal unfiltered outside airsupply and exhaust dampers to the CRE are closed and (for Unit 2 only)a pressurization fan subsystem is initiated and the emergency air supply damper in the operating CREVS train is opened to bring in outside air through filters to pressurize the CRE. The Unit 1 pressurization fan subsystem is manually placed in service if required. The air continues to be recirculated within the CRE by the Control Room Emergency Air Cooling System (CREACS) (LCO 3.7.11) both during normal operationand during CREVS operation.Pressurization of the CRE minimizes infiltration of unfiltered air throughthe CRE boundary from all the surrounding areas adjacent to the CRE boundary. A single CREVS train operating at a flow rate of 800 to 1000 cfm will pressurize the CRE to maintain a positive pressure relative to the outside atmosphere. The CREVS operation in maintaining the CRE habitable is discussed in UFSAR, Section 9.13 (Unit 1) andSection 9 4 (Unit 2) (Ref. 1)Beaver Valley Units 1 and 2 B 3.7.10 - 2 Revision 7 CREVSB 3.7.10 BASES BACKGROUN D (continued)Redundant CREVS trains are required OPERABLE to ensure the pressurization and filtration function can be accomplished should onetrain fail. Normally open isolation dampers are arranged in series pairs sothat the failure of one damper to shut will not result in a breach ofisolation. The CREVS is designed in accordance with Seismic Category lrequirements. The CREVS is designed to maintain a habitable environment in the CRE for 30 days of continuous occupancy after a Design Basis Accident (DBA)without exceeding 5 rem total effective dose equivalent (TEDE). Thislimitation is consistent with the requirements of General DesignCriteria 19 of Appendix "A", 10 CFR 50 and 10 CFR 50.67.The CREVS is automatically actuated by a containment isolation phase B (ClB) signal or a control room area high radiation signal. In addition, theCREVS can be actuated manually. The OPERABILITY requirements forthe CREVS instrumentation are specified in LCO 3.3.7, "CREVSActuation I nstrumentation. "CREVS does not have automatic detection and isolation for hazardouschemicals or smoke. Refer to Applicable Safety Analyses for adiscussion of the design basis of CREVS with regard to these events. APPLICABLE SAFETY ANALYSES The CREVS components are arranged in redundant, safety relatedventilation trains. The location of most components and ducting withinthe CRE helps to minimize air in leakage and ensures an adequatesupply of filtered air to all areas requiring access. The CREVS provides airborne radiological protection for the CRE occupants, as demonstratedby the CRE habitabllity analyses for the most limiting DBAs: loss ofcoolant accident (LOCA), control rod ejectron accident (CREA), and mainsteam line break (MSLB) accident, presented in the UFSAR, Chapter 14 (Unit 1) and Chapter 15 (Unit 2) (Ref. 2). CRE isolation and operation of CREVS was not credited in other DBAs.The worst case single active failure of a component of the CREVS,assuming a loss of offsite power, does not impair the ability of the system to perform its design function.The LOCA accident analysis assumes an automatic isolation of the CREnormal ventilation system following a CIB signal and subsequent manual initiation of a CREVS pressurization fan subsystem for filtered makeup and pressurization of the CRE. Although the CIB signal will automaticallystart one of the two Unit 2 CREVS pressurization fan subsystems, a Beaver Valley Units 1 and 2 B3710-3 Revision 7 CREVSB 3.7.10 BASES APPLICABLE SAFETY ANALYSES (continued)30 minute delay to allow for manual initiation of a CREVS pressurization fan subsystem is specifically assumed in the analysis to permit the use ofthe Unit 1 CREVS pressurization fan subsystem which requires manualoperator action to place in service (Ref. 3). The CREA and the MSLBaccident analyses assume manual initiation of the emergency pressurization mode of operation of CRE ventilation (i.e., CRE ventilationisolation, filtered makeup and pressurization), within 30 minutes after the accident.Although the CRE occupant dose calculations for the limiting DBAs (i.e.,LOCA, CREA, and MSLB) assume that the CRE is pressurized in30 minutes of the accident by manually actuating a pressurization fan subsystem, the specifi cation conservatively requires automatic actuationof a Unit 2 CREVS pressurization fan subsystem. The current safety analyses do not assume the control room arearadiation monitors provide a CREVS actuation signal for any DBA.However, requirements for the automatic initiation of CREVS (bothisolation and pressurization fan subsystems) on high radiation areretained in the Technical Specifications in case this automatic function isrequired to support the assumptions of a fuel handling accident analysis for the movement of recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours) or the movement of fuel over recently irradiated fuel consistent with the guidance of NUREG-1431 (Ref. 4).An automatic start time delay is included in the initiation circuitry of theUnit 2 CREVS pressurization fan subsystems. The basis for this time delay includes the following considerations:The delay times prevent loading of the pressurization fans onto the emergency busses until after the emergency diesel generator loadsequencing is completed. The pressurization fan delay times are staggered to ensure only onefan will be operating. A pressurization fan is started early to minlmize dose to the operators.The delay times are selected such that sufficient time will be available for the manual initiation of a pressurization fan subsystemwithin 30 minutes after an accident should a pressurization fan failto start.1.2.3 4.Beaver Valley Units 1 and 2B 3.7.10 - 4 Revision 7 CREVS B 3.7.10 BASES APPLICABLE SAFETY ANALYSES (continued)An evaluation of all chemical hazards from onsite, offsite, andtransportation sources has determined that the probability of a hazardouschemical spill resulting in unacceptable exposures was less than NRCdesign basis criteria. As a result, the plant design basis as described in BVPS Unit 2 UFSAR, Section 2.2.3.1.2 and 6.4.4.2 (Ref. 5) does not postulate any hazardous chemical release events. Therefore, physical provisions for protection against hazardous chemicals are not requiredand CRE inleakage of hazardous chemicals would be fimited by theinleakage rate established for radiological events. lf a hazardous chemical release were identified to be onsite, the CRE would be manuallyisolated to minimize CRE inleakage as a defense in depth measure, byclosing all supply and exhaust dampers and verifying that CREVS is not in operation. Technical Specification Amendment No. 233 (Unit 1) andNo. 115 (Unit 2) (Ref. 6) removed the control room chlorine detectionsystem. In addition, Amendment No.257 (Unit 1) and No. 139 (Unit 2)(Ref. 7) which removed the bottled air pressurization system, confirmed that the ability to manually isolate the CRE is sufficient to justify removal of these systems with respect to hazardous chemical events.In the event of a fire outside the control room. the CRE would be manually isolated to minimize CRE inleakage. lf the abllity of CREoccupants to remain in the control room is compromised, then remote shutdown locations are available. Therefore, no quantitative limits for CRE inleakage of smoke have been established. Technical Specification Amendment No. 257 (Unit 1 ) and No. 139 (Unit 2) (Ref. 7) which removedthe bottled air pressurization system, confirmed that the ability tomanually isolate the CRE in combination with availability of self-containedbreathing apparatus is sufficient to justify removal of the system withrespect to a smoke event. Therefore, a smoke challenge will not result in the inability of the CRE occupants to control the reactor either from the control room or from the remote shutdown panels.The CREVS satisfies Criterion 3 of 10 CFR 50.36(c)(2xii) o f th I LCO Two CREVS trains including the associated train related inlet and exhaustisolation dampers are required to be OPERABLE to ensure that at leastone train is available if a single active failure disables the other train. Acombination of two out of three CREVS pressurization fan subsystemsfrom either Unit 1 or Unit 2 satisfies the LCO requirement for Unit 1 . Onlythe Unit 2 CREVS pressurization fan subsystems may be used to satisfythe LCO requirement for Unit 2.Beaver Valley Units 1 and 2B 3 7 10 - 5 Revision 7 CREVSB 3.7.1 0 BASES LCO (continued) The OPERABILITY of CREVS ensures that the CRE will remain habitablewith respect to potential radiation hazards for operations personnel during and following all credible accident conditions. The OPERABILITY of this system is based on limiting the radiation exposure to personnel occupyingthe CRE to 5 rem TEDE. This limitation is consistent with the requirements of General Design Criteria 19 of Appendix "A", 10 CFR 50and 10 CFR 50.67. Total system failure, such as from a loss of all ventilation trains or from an inoperable CRE boundary, could result inexceeding these dose limits in the event of a large radioactive release.Each CREVS train is considered OPERABLE when the individual components necessary to limit CRE occupant exposure are OPERABLE.A CREVS train is OPERABLE when the associated:

a. Fan is OPERABLE (including required automatic startcapability for Unit 2 fans), b. HEPA filters and charcoal adsorbers are not excessively restricting flow, and are capable of performing their filtration functions, and c. Heater, prefilter (Unit 1), moisture separator (Unit 2), ductwork, valves, and dampers are OPERABLE (i.e., capable of supporting pressurization of the CRE when a CREVS train isactuated). This includes:In MODES 1,2,3, and 4, the series normal air intakeand exhaust isolation dampers for both units must be OPERABLE and capable of automatic closure on a CIBactuation signal.

The series normal air intake and exhaust isolation dampers for both units may also be considered OPERABLE when secured in a closed position with power removed. ,During fuel assembly movement involving recentlyrrradiated fuel assemblies, the series normal air intakeand exhaust isolation dampers for both units must beOPERABLE and capable of automatic initiation by a control room high radiation signal. The series air intakeand exhaust isolation dampers for both units may also be considered OPERABLE when secured in a closed position with power removed.LCO 3.3.7, "CREVS Actuation Instrumentation," contains theOPERABILITY, ACTION, and Surveillance Requirements for the CREVS actuating i nstrumentation. 1)2\Beaver Valley Units 1 and 2 83.7.10-6 Revision 7 CREVSB 3.7.1 0 BASES LCO (continued) ln order for the CREVS trains to be considered OPERABLE, the CREboundary must be maintained such that the CRE occupant dose from a large radioactive release does not exceed the calculated dose in the licensing basis consequence analyses for DBAs, and that CRE occupants are protected from hazardous chemicals and smoke.The LCO is modified by a Note allowing the CRE boundary to be opened intermittentfy under administrative controls. This Note only applies toopenings in the CRE boundary that can be rapidly restored to the design condition, such as doors, hatches, floor plugs, and access panels. Forentry and exit through doors, the administrative control of the opening is performed by the person(s) entering or exiting the area. For other openings (hatches, access panels, floor plugs, etc.), these controls should be proceduralized and consist of stationing a dedicated individual at the opening who is in continuous communication with the operators in the CRE. This individual will have a method to rapidly close the openingand to restore the CRE boundary to a condition equivalent to the design condition when a need for CRE isolation is indicated. lf the above conditions for utilizing the LCO Note cannot be met, then Action B shouldbe entered. APPLlCABILITYIn MODES 1, 2, 3, 4, and during the movement of recently irradiated fuel assemblies (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours) and the movement of fuel assemblies over recently irradiated fuel assemblies, the CREVS is required to beOPERABLE to ensure that the CRE will remain habitable during and following a DBA.ln MODES 5 and 6, when no fuel movement involving recently irradiatedfuel is taking place, there are no requirements for CREVS OPERABILITYconsistent with the safety analyses assumptions applicable in theseMODES. A fuel handling accident (FHA) rnvolving non-recently irradiated fuel will result in radiation exposure, to personnel occupying the CRE, thatis within the guideline values specified in 10 CFR 50.67 without any reliance on the requirements of this Specification to limit personnel exposure.This LCO is applicable during movement of recently irradiated fuel assemblies (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours) and during movement of fuel assembliesover recently irradiated fuel assemblies. During fuel movement involving recently irradiated fuel there is a potential for a limiting FHA for which the requirements of this Specification may be necessary to limit radiationexposure to personnel occupying the CRE to within the requirements ofBeaver Valley Units 1 and 2 B 3.7.10 - 7 Revision 7 CREVS B 3.7.10 BASESAPPL I CAB I LITY (continued )10 CFR 50.67. Although the movement of recently irradiated fuel is not currently permitted, these requirements are retained in the Technical Specifications in case the CREVS is necessary to support theassumptions of a safety analysis for fuel movement involving recently irradiated fuel, consistent with the guidance of Reference 4.ACTIONS A.1 When one required CREVS train is inoperable for reasons other than an inoperable CRE boundary (this action includes one or more of theassociated train related series isolation dampers inoperable), action must be taken to restore it to OPERABLE status within 7 days. ln this Condition, the remaining OPERABLE CREVS train (including theassociated train of isolation dampers) is adequate to perform the CREoccupant radiation protection function. However, the overall reliability is reduced because a failure in the OPERABLE CREVS train could result in loss of CREVS function. The 7 day Completion Time is based on the low probability of a DBA occurring during this time, and the ability of the remaining train to provide the required safety function.and B.lf the unfiltered inleakage of potentially contaminated air past the CRE boundary and into the CRE can result in CRE occupant radiological dose greater than the calculated dose of the licensing basis analyses of DBA consequences (allowed to be up to 5 rem TEDE), or inadequate protection of CRE occupants from hazardous chemicals or smoke, the CRE boundary is inoperable. As discussed in the Applicable Safety Analyses section, the current licensing basis identifies that CRE inleakage limits for hazardous chemicals and smoke are not necessary to protect CRE occupants; therefore, the limit established for radiologicalevents is the limiting value for determining entry into Condition B for an inoperable CRE boundary. Actions must be taken to restore an OPERABLE CRE boundary within 90 days.During the period that the CRE boundary is considered inoperable, action must be initiated to implement mitigating actions to lessen the effect onCRE occupants from the potential hazards of a radiologlcal or chemical event or a challenge from smoke. Actions must be taken within 24 hours to verify that in the event of a DBA, the mitigating actions will ensure thatCRE occupant radiological exposures will not exceed the calculated dose of the licensrng basis analyses of DBA consequences, and that the CRE occupants are protected from hazardous chemicals and smoke. These Beaver Valley Units 1 and 2 B37.10-8Revision 7 CREVSB 3.7.10 BASES ACTIONS (continued) mitigating actions (i.e., actions that are taken to offset the consequencesof the inoperable CRE boundary) should be preplanned for implementation upon entry into the condition, regardless of whether entry is rntentional or unintentional. The 24 hour Completion Time is reasonable based on the low probability of a DBA occurring during this time period, and the use of mitigating actions. The 90 day Completion Time is reasonable based on the determination that the mitigating actions will ensure protection of CRE occupants within analyzed limits while limiting the probability that CRE occupants will have to implement protective measures that may adversely affect their ability to control the reactor and maintain it in a safe shutdown condition in the event of a DBA. ln addition, the 90 day Completion Time is a reasonable time to diagnose, plan and possibly repair, and test most problems with the CRE boundary.C.1 and C.2 1n MODE 1,2,3, or 4, if the inoperable CREVS train or the CREboundary cannot be restored to OPERABLE status within the requiredCompletion Time the unit must be placed in a MODE that minimizes accident risk. To achieve this status, the unit must be placed in at leastMODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderlymanner and without challenging unit systems. D.1 and D.2During fuel movement involving recently irradiated fuel assemblies, if an inoperable CREVS train cannot be restored to OPERABLE status wlthin the required Completion Time, the OPERABLE CREVS train must immediately be placed in the emergency pressurization mode of operation. This action requires the GRE ventilation isolation dampers tobe closed and the CRE to be pressurized by the operating CREVS train.This action ensures that the remaining train is OPERABLE, that no failures preventing automatic actuation will occur, and that any active failure would be readily detected.An alternative action is to immediately suspend activities that could result in a release of radioactivity that might require isolation of the CRE. This involves suspending movement of recently irradiated fuel assemblies and suspending movement of fuel assemblies over recently irradiated fuel assemblies. This places the unit in a condition that minimizes the accident risk. This does not preclude the movement of fuel to a safe position.Beaver Valley Units 1 and 2B3.7 10-9Revision 7 CREVSB 3.7.10 BASESACTIONS (continued) E.1 During fuel movement involving recently irradiated fuel assemblies, if two required CREVS trains are inoperable or with one or more requiredCREVS trains inoperable due to an inoperable CRE boundary, action must be taken immediately to suspend activities that could result in a release of radioactivity that might require isolation of the CRE. Two inoperable trains also include the conditions of one or more inoperable series isolation dampers in both trains or one or more inoperable series isolation dampers in one train and the opposite CREVS train inoperable. This Action involves suspending movement of recently irradiated fuel assemblies and suspending movement of fuel assemblies over recentlyirradiated fuel assemblies. This places the unit in a condition that minimizes the accident risk. This Action does not preclude the movement of fuel to a safe position.F.1 lf both required CREVS trains are inoperable in MODES 1, 2, 3, or 4 forreasons other than an inoperable CRE boundary (i.e., Condition B) theCREVS may not be capable of performing the intended function and theunit is in a condition outside the accident analyses. Two inoperable trainsalso include the conditions of one or more inoperable series isolation dampers in both trains or one or more inoperable series isolation dampers in one train and the opposite CREVS train inoperable. In thiscondition, Specification 3.0.3 must be entered immediately. SURVEILLANCE REQUIREMENTSsR 3.7 .10 1Standby systems should be checked periodically to ensure that they function properly. As the environment and normal operating conditionson this system are not severe, testing each train once every month provides an adequate check of this system. The CREVS fan and filter flow path is operated for > 15 minutes by initiating flow through the HEPAfilter and charcoal adsorber train with heaters operating to ensure thatthey function properly. This Surveillance does not require that the CRE be isolated in order to verify fan and filter flow path functionality. The31 day Frequency is based on the reliabillty of the equipment and train redundancy.Beaver Valley Units 1 and 2B3.7 10-10Revrsion 7 CREVS B 3.7.1 0 BASES SURVEILLANCE REQUI REMENTS (continued)sR 3.7.1 0.2 This SR verifies that the required CREVS testing is performed inaccordance with the Ventilation Filter Testing Program (VFTP). TheVFTP includes testing the performance of the HEPA filter, charcoaladsorber efficiency, minimum flow rate, and the physical properties of theactivated charcoal. Specific test Frequencies and additional informationare discussed in detail in the VFTP.sR 3.7.10.3 This SR verifies that each CREVS train operates as required on an actualor simulated containment isolation phase B actuation signal (only requiredin MODES 1 , 2, 3, and 4) and control room high radiation actuation signal (only required for fuel movement involving recently irradiated fuel). The actuation testing includes verification that each train of series air intakeand exhaust isolation dampers for both units close to isolate the CRE from the outside atmosphere. ln addition, for Unit 2, the automatic start (following a time delay) of each CREVS pressurization fan subsystemsupplying air to pressurize the CRE through the HEPA filters and charcoaladsorber banks is verified. For Unit 1, an automatic start of the CREVS pressurization fan subsystem is not required since the Unit 1 subsystem is placed in service by manual operator action. LCO 3.3.7, "CREVS Actuation lnstrumentation," contains theOPERABILITY requirements including the Applicability, ACTION, andSurveillance Requirements for the CREVS actuating instrumentation.The Frequency of 1B months is based on industry operating experienceand is consistent with the typlcal refueling cycle.sR 3.7.1 0.4 This SR verifies the OPERABILITY of the CRE boundary by testing for unfiltered air inleakage past the CRE boundary and into the CRE. Thedetails of the testing are specified ln the Control Room Envelope Habitability Program.fhe CRE is considered habitable when the radiological dose to CRE occupants calculated in the licensing basis analyses of DBAconsequences is no more than 5 rem TEDE. This SR verifies that the unfiltered air inleakage into the CRE is no greater than the flow rateassumed in the licensing basis analyses of DBA consequences. When unfiltered air inleakage is greater than the assumed flow rate, Condttion BBeaver Valley Units 1 and 2B 3.7 10 -11 Revision 7 CREVSB 3.7.10 BASES SURVEILLANCE REQUIREMENTS (continued) must be entered. Required Action 8.3 allows time to restore the CRE boundary to OPERABLE status provided mitigating actions can ensure that the CRE remains within the licensing basis habitability limits for theoccupants following an accident. Compensatory measures are discussed in Regulatory Guide 1.196, Section C.2.7.3, (Ref. 8) which endorses, with exceptions, NEI 99-03, Section 8.4 and Appendix F (Ref. 9). These compensatory measures may also be used as mitigating actions as required by Required Action 8.2. Temporary analytical methods may also be used as compensatory measures to restore OPERABILITY (Ref. 10).Options for restoring the CRE boundary to OPERABLE status include changing the licensing basis DBA consequence analysis, repairing theCRE boundary, or a combination of these actions. Depending upon the nature of the problem and the corrective action, a full scope inleakage test may not be necessary to establish that the CRE boundary has been restored to OPERABLE status. REFERENCES 2.3.4.5.6.7.B 9.1.UFSAR, Section 9.13 (Unit 1)and Sections 6.4 and 9.4 (Unit 2).UFSAR, Section 14 (Unit 1) and Chapter 15 (Unit 2).UFSAR Table 14.1-1A (Unit 1) and UFSAR Table 15.0-13 (Unit 2).NUREG-1431, Rev. 2, Standard Technical Specifications for Westinghouse Plants.UFSAR, Sections 2.2.3.1.2 and 6.4.4.2 (Unit 2).Amendment No.233 (Unit 1) and Amendment No. 115 (Unit 2),September 7 ,2000.Amendment No. 257 (Unit 1) and Amendment No. 139 (Unit 2), September 10, 2003.Regulatory Guide 1 .196. NEI 99-03, "Control Room Habitability Assessment," June 2001.10. Letter from Eric J. Leeds (NRC) to James W. Davis (NEl) datedJanuary 30, 2004, "NEl Draft White Paper, Use of Generic Letter 91-18 Process and Alternative Source Terms in the Context of Control Room Habitability." (ADAMS Accession No. M1040300694). Beaver Valley Units 1 and 2 B 3.7.10 -12 Revision 26 B 3.7 PLANT SYSTEMSB 3.7.11 Control Room Emergency Air Cooling System (CREACS)BASES BACKGROUND The Control Room Emergency Air Cooling System (CREACS) provides 1 ) a control room heat removal function following isolation of the control room, and 2) control room atmosphere purge capability for the combinedunits' main control room. The heat removal function ensures that thecontrol equipment qualification is maintained following isolation of thecontrol room. The purge function is necessary to limit the dose receivedby control room personnel following certain design basis accidents (DBAs). Each unit has its own CREACS. Each unit's CREACS consists of a single ventilation air intake and two independent and redundant trains consisting of river/service water emergency cooling coils, ventilationducts, fans and fan controls. However, the CREACS trains share common ventilation ductwork and normal air inlet and exhaust flow paths.The CREACS heat removal function is discussed in the UFSAR,Section 9.13 (Unit 1)and Section 9.4 (Unit 2) (Ref. 1). The CREACS control room atmosphere purge function is discussed in the UFSAR,Table 14.1-1A (Unit 1)and Table 15.0-13 (Unit 2) (Ref.2).The CREACS is an emergency system, parts of which operate duringnormal unit operations. A single train of CREACS on each unit is capableof maintaining its side of the combined control room at < the equipmentdesign limit of 120"F. A single train of CREACS from either unit iscapabfe of providing adequate control room atmosphere purge capabilityto meet either unit's DBA requirements. APPLICABLE SAFETY ANALYSES The design basis of the CREACS heat removal function is to provideemergency air cooling for the control room to maintain the temperaturewithin the equipment design limit for a mild environment (120'F) following certain DBAs when the control room is isolated. The CREACS also provides an atmosphere purge function for the control room followingcertain DBAs. Only manual actuation is credited for both CREACS functions at each unit.The CREACS components are arranged in redundant, safety related trains. A single active failure of a component of the CREACS, wtth a lossof offsite power, does not impair the ability of the system to perform its design function. The CREACS is designed in accordance with Seismic Category I requirements. During normal and emergency control room operation, the control roomair cooling is usually maintained by the non safety related air conditioning equipment which is integral to the control room ventllation systems. Beaver Valley Units 1 and 2B 3.7.11 - 1 Revision 26 BASES APPLICABLE SAFETY ANALYSES (continued) During emergency operation when the control room is isolated, the safety related CREACS is manually initiated to provide air cooling to maintain the temperature < 120"F when the normal non safety related air conditioning becomes unavailable. The CREACS is capable of removing sensible and latent heat loads from the control room, which include consideration of equipment heat loads to ensure equipmentOPERABILITY. The CREACS heat removal function is only required following post-DBA isolation of the control room (when control room isolation is required to meet radiological dose analysis requirements) andthe normal non safety related air conditioning equipment is unavailable. The heat removal function of CREACS is credited in DBAs for MODES 1, 2,3, and 4 (e g , the loss of coolant accident (LOCA), the main steam line break (MSLB) and control rod ejection DBAs for both units require control room isolation). Since neither unit requires control room isolation (and hence the control room heat function of CREACS) to meet its fuel handling accident (FHA) DBA nor requires control room isolation following any other DBA in MODES 5 and 6 (e.g , waste gas tank rupture DBA), the heat removal function of CREACS is not required in MODES 5 and 6 or during fuel movement involving non-recently irradiated fuel. The design basis of the CREACS control room ventilation purge functionensures the capability to manually purge the air from the control room forselected DBAs to ensure acceptable dose consequences to the control room personnel following a DBA.For both Unit 1 and Unit 2, the MSLB and steam generator tube rupture (SGTR) accident analyses credit a manually initiated 30 minute control room ventilation purge at a flow rate of > 16,200 cfm after the accidentsequence is complete and the environmental release has beentermrnated. Also for Unit 1 only, the FHA analysis for fuel movementinvolving non-recently irradiated fuel credits a manually initiated 30 minute control room ventilation purge at a flow rate of > 1S,200 cfm after the accident sequence is complete and the environrnental release has been terminated. The dose consequence analyses assume that for the MSLB, the SGTR, and the Unit 1 FHA, control room purge is initiated at T=24 hours, T=8 hours and T=2 hours after accident initiation, respectively. Only Unit 1 requires the purge function of CREACS during fuel movementinvolving non-recently irradiated fuel. Therefore, the purge function ofCREACS is required for Unit 1 during fuel movement involving non-recently irradiated fuel. Thus, the control room ventilation purge functions of CREACS are credited in DBAs for MODES 1 ,2,3, and 4 at both units, and for fuel movement involving non-recently irradiated fuel assemblies atUnit 1.Beaver Valley Units 1 and 2 B3711 -2 Revision 0 CREACSB 3.7.11 BASES APPLICABLE SAFETY ANALYSES (continued)This LCO is also applicable for both units during movement of recently irradiated fuel assemblies (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours) and during movement of fuelassemblies over recently irradiated fuel assemblies. The requirement forrecently irradiated fuel assemblies is included because there is a potential for a limiting FHA for which the requirements of this Specification may benecessary to limit radiation exposure to personnel occupying the control room to within the requirements of 10 CFR 50.67. Although the movement of recently irradiated fuel is not currently permitted for either unit, the requirements for both the temperature control and purge functions are retained in the Technical Specifications in case the CREACS functions are necessary to support the assumptions of a safety analysis for fuel movement involving recently irradiated fuel, consistentwith the guidance of NUREG-1431 (Ref. 3).The CREACS satisfies Criterion 3 of 10 CFR 50.36(c)(2xii). LCOThe Unit 1 FHA analysis does not require control room isolation tothe dose to control room personnel to within the required limits.Therefore, a Note modifying the LCO requirement is included to clarifythat the Unit 1 CREACS heat removal function is not required OPERABLE to support fuel movement involving non-recently irradiatedfuel. Only the purge function of the Unit 1 CREACS rs required to supportfuel movement involving non-recently irradiated fuel as only the purgefunction is required in the Unit 1 accident analysis to limit dose. The Note is only applicable to Unit 1 because operation of the Unit 2 CREACS isnot required by the Unit 2 FHA analysis for fuel movement involving non-recently irradiated fuel. Therefore, operation of the Unit 2 CREACS is notrequired to limit the dose to control room personnel from a FHA involvingnon-recently irradiated fuel.Two trains of the CREACS are required to be OPERABLE to ensure that at least one is available, assuming a single failure disabling the othertrain. Total system failure of the heat removal function could result in theequipment operating temperature exceeding limits in the event of an accident. Total system failure of the control room atmosphere purgefunction could result in exceeding a dose of 5 rem TEDE to the controlroom operator in the event of a large radioactive release following aMSLB, SGTR, or a Unit 1 FHA.Beaver Valley Units 1 and 2 B3711-3Revision 0 CREACSB 3.7.11 BASES LCO (continued)With regard to the control room atmospheric purge function only, the LCOrequirement for two OPERABLE CREACS trains may be met by crediting OPERABLE Unit 1 train(s) for Unit 2 and crediting OPERABLE Unit 2train(s) for Unit 1. The control room atmospheric purge flow requirementsfor each unit are the same and the control room envelope is common.Therefore, the purge flow assumed in the DBA analysis may be accomplished by the manual initiation of a CREACS train from either unit.The CREACS is considered to be OPERABLE when the individual components necessary to maintain the control room temperature < 120"F (when the control room is isolated) and to provide the control room ventilation purge function at the required flow rate are OPERABLE in two tralns. These components include the river/service water emergency cooling coils, necessary ductwork and associated dampers, fans, and associated fan controls. The capability to manually operate thecomponents of the CREACS is all that is required for OPERABILITY. ln addition, the CREACS must be OPERABLE to the extent that air circulation necessary for the required temperature control can be maintained. APPLICABILlTY CREACS must be OPERABLE in MODES 1, 2, 3, and 4 at either unit and during fuel movement involving recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours) ateither unit. The CREACS ensures that control room temperatures will not exceed equipment operational requirements and that the control roomventilation is capable of purging the control room atmosphere after a DBA to maintain dose within the limit.For Unit 1 only, during movement of non-recently irradiated fuelassemblies and during movement of fuel assemblies over non-recentlyirradiated fuel assemblies, the ventilation purge function of CREACS mustbe OPERABLE. The Unit 1 temperature control function of CREACS isnot required OPERABLE during fuel movement involving non-recentlyirradiated fuel because the Unit 1 FHA analysis does not require controlroom isolation to limit dose. CREACS is not required in MODES 5 or 6 at either unit during no fuelmovement nor is it required during fuel movement involving non-recentlyirradiated fuel movement at Unit 2.Beaver Valley Unrts 1 and 2 837 11 -4 Revision 0 CREACS B 3.7.11 BASES ACTIONS A.1With one CREACS train inoperable, action must be taken to restoreOPERABLE status within 30 days. In this Condition, the remainingOPERABLE CREACS train is adequate to maintain the control room temperature < 120"F when the control room is isolated and provide the required control room atmosphere purge function. However, the overall reliability is reduced because a single failure in the OPERABLE CREACS train could result in loss of CREACS function. The 30 day CompletionTime is based on the low probability of an event requiring control room isolation or purge, the consideration that the remaining train can providethe required protection, and that alternate safety or nonsafety related means of cooling the control room air and of purging the control roomatmosphere are available.8.1 and 8.2ln MODE 1,2,3, or 4, if the inoperable CREACS train cannot be restored to OPERABLE status within the required Completion Time, the unit must be placed in a MODE that minimizes the risk. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.C.1 and C.2Condition C is modified by two Notes indicating the applicability of thisCondition to each unit. Note 1 states that the Condition is only applicable to Unit 1 during movement of irradiated fuel assemblies and fuelassemblies over irradiated fuel assemblies. Note 2 states that thisCondition is only applicable to Unit 2 during movement of recentlyirradiated fuel assemblies and fuel assemblies over recently irradiated fuel assemblies. lf the inoperable CREACS train cannot be restored toOPERABLE status within the required Completion Time, the OPERABLE CREACS train must be placed rn operation immediately. This actionrequires that the OPERABLE CREACS ventilation fan be in service andcirculating control room air, and if tl'ie heat removal function is required bythe LCO, with river/service water being supplied to the emergency cooling coils. This action ensures the remaining train is OPERABLE and activefailures will be readily detected. An alternative to Required Action C.1 is to immediately suspend activities that present a potential for releasing radioactivity that might require isolation of the control room or a purge of the control room atmosphere.Beaver Vatley Units 1 and 2 H^3.7.11-5Revision 0 BASES ACTIONS (continued) This involves suspending movement of irradiated fuel assemblies andsuspending movement of fuel assemblies over irradiated fuel assemblies. This places the unit in a condition that minimizes accident risk. This does not preclude the movement of fuel to a safe position.D.1Condition D is modified by two Notes indicating the applicability of thisCondition to each unit. Note 1 states that the Condition is only applicable to Unit 1 during movement of irradiated fuel assemblies and fuel assemblies over irradiated fuel assemblies. Note 2 states that this Condition is only applicable to Unit 2 during movement of recently irradiated fuel assemblies and fuel assemblies over recently irradiated fuel assemblies. With two CREACS trains inoperable, action must be taken irnmediately to suspend activities that could result in a release of radioactivity that might require isolation of the control room or a purge of the control room atmosphere. This involves suspending movement of irradiated fuel assemblies and suspending movement of fuel assemblies over irradiated fuel assemblies. This places the unit in a condition thatminimizes risk. This does not preclude the movement of fuel to a safe position.E.1 lf both CREACS trains are inoperable in MODE 1,2,3, or 4, the control room CREACS may not be capable of performing its intended function.Therefore, LCO 3.0.3 must be entered immediately. SURVEILLANCE SR 3.7.1 1 .1 REQUIREMENTS This SR verifies the heat removal capability of the system is sufficient toremove the required heat foad to maintain the control room temperature within the equipment design limit (< 120'F). The verification of the CREACS heat removal capability consists of a combination of riveriservice water flow measurement, fan performance, and mechanicalcleaning and inspections of the riveriservice water cooling coils. This SR also verifies the control room atmosphere purge capability of the system is sufficient to remove air from the control room for the DBAs thatrequire a control room purge to limit dose. The control room purge capability is verified by assuring each train of CREACS can be aligned to purge the control ioom atmosphere and can achieve the required purgeflow rate of > 16,200 cfm. This part of the SR may be accomplished by Beaver Valley Units 1 and 2 83.7.11-6 Revision 0 BASES SURVEILLANCE REQUIREMENTS (continued)measuring fan performance during normal system alignment to verify thefan's capability to purge the control room at the required flow rate. Theability of the required dampers to be aligned for a control room purge can be verified by observing partial movement of the dampers. Realignmentof the CREACS to the purge mode of operation and measuring the actual purge flow rate is not required to satisfy this SR. The 18 month Frequency is appropriate since significant degradation of the CREACS isslow and is not expected over this time period.REFERENCES 1.2.3.UFSAR, Section 9.13 (Unit 1) and Section 9.a (Unit 2).UFSAR, Table 14.1-1A (Unit 1) and Table 15.0-13 (Unit 2).NUREG-1431, Rev. 2, Standard Technical Specifications for Westinghouse Plants.Beaver Valley Units 1 and 2 B 3.7 11 -7 Revisron 26 SLCRSB 3.7.12 B 3.7 PLANT SYSTEMS B 3.7.12 Supplemental Leak Collection and Release System (SLCRS)BASES BACKGROUND SLCRS filters airborne radioactivity from the containment building (Unit 1only) and the fuel building (both Units) following a fuel handling accidentinvolving recently irradiated fuel. This ensures that, prior to release to theenvironment, the exhaust from these areas in the event of a fuel handlingaccident is limited to radioactive releases within 10 CFR 50.67 (Ref. 1)limits. For Unit 1, the SLCRS train consists of a prefilter, an activatedcharcoal adsorber section for removal of gaseous activity (principally iodines), a high efficiency particulate air (HEPA) filter, and a filter exhaustfan. Ductwork, valves or dampers, and instrumentation also form part ofthe system. For Unit 2, the SLCRS train consists of a heater, a demister, a HEPA filter. an activated charcoal adsorber section for removal of gaseous activity (principally iodines), and a filter exhaust fan. Ductwork,valves or dampers, and instrumentation also form part of the system, as well as demisters functioning to reduce the relative humidity of the air stream. For Unit 2 only, a second bank of HEPA filters follows the adsorber section to collect carbon fines and provides a backup in casethe main HEPA filter bank fails. The downstream HEPA filter is notcredited in the accident analysis, but serves to collect charcoal fines, and to back up the upstream HEPA filter should it develop a leak.The SLCRS is discussed in References 2 and

3. The SLCRS may be used for normal, as well as post accident, atmospheric cleanup functions.During normal operation, the SLCRS provides ventilation to the areas it SCTVES.APPLICABLE SAFETY ANALYSES During fuel handling operations, the postulated event that results in the most severe radiological consequences is a fuel handling accident (Ref. a). The limiting fuel handling accident analyzed in Reference 4, includes dropping a single irradiated fuel assembly and handling tool (conservatively estimated at 2500 pounds) directly onto another irradiatedfuel assembly resulting in both assemblies being damaged. The analysisassumes a 100 hour decay time prior to moving irradiated fuel.The applicable limits for offsite and control room dose from a fuelhandling accident are specified in 10 CFR 50.67.

Standard Review Plan, Section 15.0.1 , Rev 0 (Ref. 5) provides an additional offsite dose criteriaof 6.3 rem total effective dose equivalent (TEDE) for fuel handling accidents.Beaver Valley Units 1 and 2 B3.7 12-1 Revision 0 SLCRSB 3.7.12 BASES APPLICABLE SAFETY ANALYSES (continued)The water level requirements of LCO 3.7.15, "Fuel Storage Pool WaterLevel," in conjunction with a minimum decay time of 100 hours prior toirradiated fuel movement, ensure the resulting offsite and control room dose from the limiting fuel handling accident is within the limits requiredby 10 CFR 50.67 and within the acceptance criteria of Reference 5without the need for containment and fuel building closure or filtration. Therefore, the SLCRS requirements contained in LCO 3.7.12 are onlyapplicable during refueling operations involving recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours). Current requirements based on the decay time ofthe fuel prevent the movement of recently irradiated fuel. However, therequirements for SLCRS are retained in the Technical Specificatlons incase these requirements are necessary to support fuel movement involving recently irradiated fuel consistent with the guidance of NUREG-1431 (Ref. 7).The SLCRS satisfies Criterion 3 of 10 CFR 50.36(c)(2xii). LCOThis LCO limits the consequences of a fuel handling accident involvingrecently irradiated fuel in the containment (Unit 1 only) and the fuel storage pool (both units) by limiting the potential escape paths for fission product radioactivity. One train of the SLCRS exhausting from the fuelbuilding and/or for Unit 1, the containment is required to be OPERABLE and in operation during fuel movement involving recently irradiated fuel with the required arca exhaust flow discharging through the SLCRSHEPA filters and charcoal adsorbers. This ensures that air, prior torelease to the environment, is being filtered during fuel movement withinthe fuel storage pool and/or, for Unit 1 only, during fuel movement withinthe containment when required in accordance with LCO 3.9.3.c.3.System failure could result in the atmospheric release from SLCRSexceeding 10 CFR 50.67 limits in the event of a fuel handling accident involving recently irradiated fuel. The SLCRS is considered OPERABLEwhen individual components ensure the radioactivity released in theareas of the containment (Unit 1 only) and the fuel building is filteredthrough the SLCRS and that fuel building doors are closed.A SLCRS train is considered OPERABLE when its associated:Fan is OPERABLE,HEPA filter and charcoal adsorbers are not excessively restrictingflow, and are capable of performing their filtration functions, and Heater (Unit 2 only), demister (Unit 2 only), ductwork, valves, anddampers are OPERABLE and air flow can be maintained. a.b.c.Beaver Valley Units 1 and 2 B37.12-2 Revision 0 SLCRS B 3.7.12 BASES LCO (continued) The SLCRS is considered in operation whenever the required area(s)exhaust flow is discharging through at least one train of the SLCRS HEPA filters and charcoal adsorbers. The LCO is modified by a Note allowingthe fuel building boundary to be opened intermittently underadministrative controls. For entry and exit through doors, theadministrative control of the opening is performed by the person(s)entering or exiting the area. For other openings, these controls consist ofstationing a dedicated individual at the opening who is in continuouscommunication with the control room. This individual will have a methodto rapidly close the opening when fuel building isolation is required tosupport SLCRS operation. As clarified in the LCO 3.7.14 NOTE, applicable to Unit 2 only,Specification 3.7.12 applies to the fuel cask area when a fuel assembly isin the cask area during the installation phase of the Unit 2 rerack project.APPLICABILIryWhen required in accordance with LCO 3.9.3.c.3 (for Unit 1), one train of SLCRS is required to be OPERABLE and in operation to alleviate theconsequences of a fuel handling accident inside containment. ThisApplicability applies only to Unit 1 in accordance with the provisions of LCO 3.9.3, "Containment Penetrations" when the Containment Purge andExhaust System penetrations are open coincident with fuel movementinvolving recently irradiated fuel assemblies (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours) within containment.During movement of recently irradiated fuel assemblies (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours)within the fuel storage pool or during movement of fuel assemblies overrecently irradiated fuel assemblies within the fuel storage pool, one trainof SLCRS is required to be OPERABLE and in operation to alleviate theconsequences of a potential fuel handling accident.Since SLCRS is not credited in any existing DBA analysis applicable in MODES 1,2,3,4,5, and 6 the SLCRS is not required to be OPERABLEin these MODES (except as required to support fuel movement involvingrecently irradiated fuel assemblies described above). ACTIONS A.1 A Note modifies Condition A since this Condition is onfy applicable toUnit 1. Only Unit 1 relies on SLCRS to filter the exhaust from the containment building to mitigate a fuel handling accident involving the movement of recently irradiated fuel.Beaver Valley Units 1 and 2 B37.12-3 Revision 16 SLCRS B 3.7.12 BASES ACTIONS (continued) This Condition is only applicable when a Unit 1 SLCRS train is required OPERABLE and in operation in accordance with the provision of the containment penetrations LCO requirement 3.9.3.c.3. lf the requiredSLCRS train is inoperable or not in operation, the requirements of LCO 3.9.3 are not met. lmmediate action must be taken to place the unitin a condition in which LCO 3.9.3 does not apply. The applicableConditions and Required Actions of LCO 3.9.3, "Containment Penetrations" must be entered immediately. The Required Actions of LCO 3.9.3 provide the appropriate precautions, for this condition, to preclude a fuel handling accident involving recently irradiated fuel insidecontainment for which the SLCRS train is required.8.1 and B.2A Note indicating that LCO 3.0.3 does not apply modifies Required Action 8.1 and B.2.With SLCRS inoperable or not in operation the requirements of the LCOcannot be met during fuel movement involving recently irradiated fuelwithin the fuel storage pool. lmmediate action must be taken to place theunit in a condition in which the LCO does not apply. lmmediate actionmust be taken to suspend movement of recently irradiated fuelassemblies and the movement of fuel assemblies over recently irradiated fuel assemblies in the fuel storage pool. This will preclude a fuel handlingaccident involving recently irradiated fuel. The requirements of this action do not preclude the movement of fuel assemblies to a safe position.lf fuel movement involving recently irradiated fuel takes place inMODES 1,2,3, or 4, LCO 3.0.3 is applicable. However, fuel movementis independent of reactor operation. Therefore, a plant shutdown in accordance with LCO 3.0.3 is not required if this Required Action is not met.SURVEILLANCE SR 3.7.12.1 REQUIREMENTS This SR reguires verificatron every 12 hours that the required portion (fuelbuilding exhaust or containment exhaust (Unit 1)) of the SLCRS train is inoperation with the required area exhaust flow discharging through theSLCRS HEPA filters and charcoal adsorbers. Verification includesoperation of fans, alignment of dampers, and discharge flow paths fromthe fuel building or containment (Unit 1 only). The Frequency af 12 hours is sufficient considering other indications and alarms available to the operator in the control room to monitor SLCRS performance. Beaver Valley Units 1 and 2 B3712-4Revision 0 BASES SURVEILLANCE REQU I REM ENTS (continued)sR 3.7.12.2 fhis SR verifies that the required SLCRS testing is performed inaccordance with the Ventilation Filter Testing Program (VFTP). TheVFTP includes testing HEPA filter performance, charcoal adsorbers efficiency, minimum system flow rate, and the physical properties of theactivated charcoal (general use and following specific operations).Specific test Frequencies and additional information are discussed indetail in the VFTP.sR 3.7.12.3 This SR verifies the integrity of the fuel building enclosure. The ability ofthe fuel building to maintain negative pressure with respect to potentially uncontaminated adjacent areas is periodically tested to verify proper function of the SLCRS. During fuel movement involving recentlyirradiated fuel assemblies in the fuel storage pool, the SLCRS must beOPERABLE and in operation. To ensure performance during a fuel handling accident the fuel pool storage area must be maintained at a negative pressure relative to atmospheric pressure during system operation. The Frequency of 18 months is consistent with the Frequencies specified in Regulatory Guide 1.52 (Ref. 6)A Note that states this Surveillance is only required to be met during fuelmovement involving recently irradiated fuel assemblies within the fuel storage pool modifies this SR. This Note is necessary as the Unit 1SLCRS is also required in accordance with LCO 3.9.3.c,3 during fuelmovement involving recently irradiated fuel inside containment. As SR 3.7.12.3 has nothing to do with fuel movement inside containment, itis not required in order to confirm the OPERABILITY of a Unit 1 SLCRStrain for compliance with LCO 3.9.3.c.3. REFERENCES 2.4.5 6.1.3.10 cFR 50.67.UFSAR, Section 6.6 (Unit 1) and Section 6.5.3.2 (Unit 2).UFSAR, Section 9.13.2 (Unit 1) and Section 9.4 (Unit 2).UFSAR Section 14.2.1 (Unit 1) and Section 15.7.4 (Unit 2).NUREG-0800, Section 15.0.1, Rev 0. Regulatory Guide 1.52 (Rev 2).Beaver Valley Units 1 and 2B 3.7.12 - 5Revision 0 SLCRSB 3.7.12 BASES REFERENCES (continued)

7. NUREG-1431, Rev. 2, Standard Technical Specifications for Westinghouse Plants.Revision 0 Beaver Valley Units 1 and 2 B37.12-6 Secondary Specifi c ActivityB 3.7.13B 3.7 PLANT SYSTEMS B 3.7.13 Secondary Specific Activity BASES BACKGROUNDActivity in the secondary coolant results from steam generator tubeoutleakage from the Reactor Coolant System (RCS). Under steady state conditions, the activity is primarily iodines with relatively short half livesand, thus, indicates current conditions.

During transients, l-131 spikes have been observed as well as increased releases of some noble gases.Other fission product isotopes, as well as activated corrosion products in lesser amounts, may also be found in the secondary coolant.A limit on secondary coolant specific activity during power operationminimizes releases to the environment because of normal operation,anticipated operational occurrences, and accidents.This limit is lower than the activity value that might be expected from a 150 gallons per day steam generator tube leak (LCO 3.4.13, "RCS Operational LEAKAGE") of primary coolant at the limit of 0.35 pCi/gmDOSE EQUIVALENT 1-131 (LCO 3.4.16, "RCS Specific Activity"). The steam line failure is assumed to result in the release of the iodine activitycontained in the steam generator inventory, the feedwater, and thereactor coolant LEAKAGE.Operating a unit at the allowable primary and secondary coolant specific activity limits will result in exposures within the 10 CFR 50.67 (Ref. 1)total effective dose equivafent (TEDE) limits, as supplemented byRegulatory Guide 1.183 (Ref 3).APPLICABLE SAFETY ANALYSESThe accident analysis of the main steam line break (MSLB), as discussedin the UFSAR, Chapter 14 (Unit 1)and Chapter 15 (Unit 2) (Ref.2)assumes the initial secondary coolant specific activity to have aradioactive isotope concentration of 0.10 prCi/gm DOSE EQUIVALENTl-131 . This assumption is used in the analysis for determining theradiological consequences of the postulated accident. The accidentanalysis, based on this and other assumptions, shows that theradiological consequences of an MSLB do not exceed the 10 CFR 50.67 (Ref. 1) TEDE limits, as supplemented by Regulatory Guide 1.183 (Ref. 3).The MSLB accident analysis assumes a total release of iodine activity inthe steam generator connected to the failed steam line. ln addition, a portion of the iodine activity in the remaining steam generators is alsoreleased via the steaming process due to assumption of loss of offsite Beaver Valley Units 1 and 2 B37.13-1 Revision 0 Secondary Specific ActivityB 3.7.1 3 BASES APPLICABLE SAFETY ANALYSES (continued) power. With the loss of offsite power, the remaining steam generatorsare utilized for core decay heat removal by venting steam to theatmosphere through the MSSVs and steam generator atmospheric dump valves (ADVs). The Auxiliary Feedwater System supplies the necessarymakeup to the steam generators. Venting continues until the reactorcoolant temperature and pressure have decreased sufficiently for the Residual Heat Removal System to complete the cooldown.In the evaluation of the radiological consequences of this accident, the activity released from the steam generator connected to the failed steamline is assumed to be released directly to the environment. Theunaffected steam generator is assumed to discharge steam and anyentrained activity through the MSSVs and ADVs during the event. Since no credit is taken in the analysis for actlvity plateout or retention, the resultant radiological consequences represent a conservative estimate of the potential integrated dose due to the postulated steam line failure.Secondary specific activity limits satisfy Criterion 2 of 10 CFR 50.36(c)(2Xii). LCOAs indicated in the Applicable Safety Analyses, the specific activity of thesecondary coolant is required to be < 0.10 pCiigm DOSE EQUIVALENTl-131 to limit the radiological consequences of a Design Basis Accident (DBA) to within the required limits (Ref. 1 and Ref. 3).Monitoring the specific activity of the secondary coolant ensures that when secondary specific activity limits are exceeded, appropriate actionsare taken in a timely manner to place the unit in an operational MODEthat would minimize the radiological consequences of a DBA.APPLICABILITYIn MODES 1, 2, 3, and 4, the limits on secondary specific activity apptydue to the potential for secondary steam releases to the atmosphere.ln MODES 5 and 6, the primary to secondary LEAKAGE is minimal.Therefore, monitoring of secondary specific activity is not required.Beaver Valley Units 1 and 2 837 13-2 Revision 0 Secondary Specific ActivityB 3.7.13 BASES ACTIONS A.1 and A.2DOSE EQUIVALENT l-131 exceeding the allowable value in the secondary coolant, is an indication of a problem in the RCS and contributes to increased post accident doses. lf the secondary specific activity is not within limits, the unit must be placed in a MODE in whichthe LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours, and in MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full powerconditions in an orderly manner and without challenging unit systems. SURVE]LLANCE SR 3.7.1 3.1 REQUIREMENTSThis SR verifies that the secondary specific activity is within the limits ofthe accident analysis. A gamma isotopic analysis of the secondary coolant, which determines DOSE EQUIVALENT l-131, confirms thevalidity of the safety analysis assumptions as to the source terms in post accident releases. lt also serves to identify and trend any unusual isotopic concentrations that might indicate changes in reactor coolant activity or LEAKAGE. The 31 day Frequency is based on the detection of increasing trends of the level of DOSE EQUIVALENT l-131, and allows for appropriate action to be taken to maintain levels below the LCO limit. REFERENCES 2.3.1.10 cFR 50.67.UFSAR, Chapter 14 (Unit 1) and Chapter 15 (Unit 2).Regulatory Guide 1 .183, July 2000.Beaver Valley Units 1 and 2 B37.13-3 Revision 0 Spent Fuel Pool StorageB 3.7.14 B 3.7 PLANT SYSTEMSB 3.7.14 Spent Fuel Pool Storage BASES BACKGROUND The spent fuel storage racks contain storage locations for 1627 fuel assemblies (Unit 1) and 1088 fuel assemblies when the spent fuel storage pool contains only Boraflex racks or 1690 fuel assemblies when the spent fuel storage pool contains only Metamic racks (Unit 2). The racks are designed to store Westinghouse 17X17 fuel assemblies with nominal enrichment up to 5.0 weight percent.For Unit 1, the spent fuel storage racks are divided into three regions withdifferent fuel burnup-enrichment limits associated with each region. Fuelassemblies may be stored in any location, as specified in Table 3.7.14-1A, provided the fuel burnup-enrichment combinations are withinthe limits specified for the associated storage rack region in theaccompanying LCO. For Unit 1, the spent fuel storage racks are constructed, in part, from aboron carbide and aluminum-composite material with the trade name"Boral." The Boral material provides a neutron absorbing function to maintain the stored fuel in a subcritical condition. Therefore, solubleboron is not required in the Unit 1 spent fuel pool to maintain the spentfuel rack multiplication factor, kerr , < 0.95 when the fuel assemblies are stored in the correct fuel pool location in accordance with theaccompanying LCO and no fuel movement is in progress (i.e., the pool is in a static condition). The fact that soluble boron concentration is not required to maintain the Unit 1 spent fuel rack multiplication factor, kerr ,s 0.95 is confirmed in Holtec Report Hl-92791 (Ref. 1). However, a boronconcentration is maintained in the Unit 1 spent fuel pool to providenegative reactivity for postulated accident conditions (i.e., a misplacedfuel assembly resulting from fuel movement) consistent with the guidelines of ANSI 16.1-1975 (Ref. 2) and the April 1978 NRC letter (Ref. 3). The required Unit 1 spent fuel pool boron concentration for a reactivity excursion due to accident conditions is 1050 ppm.Safe operation of the Unit 1 spent fuel pool with no rRovement ofassemblies may therefore be achieved (without reliance on soluble boron)by controlling the location of each stored fuel assembly in accordance with the accompanying LCO.Beaver Valley Units 1 and 2B3.7 14-1 Revision 16 Spent Fuel Pool StorageB 3.7.14 BASESBACKG ROU N D (continued)Boraflex Racks For Unit 2, spent fuel storage is dictated by four different storageconfigurations associated with fuel burnup, enrichment, decay, interface and Integral Fuel Burnable Absorber (IFBA) requirements. Fuel assemblies must be stored in the configurations specified in Table3.7.14-18 or Specification 4.3.1 .1 .e. For Unit 2, new or partially spent fuel assemblies within the limits of Table 3.7,14-18 may be allowed unrestrictive storage in the fuel storage racks. New or partially spent fuel assemblies not within the limits of Table 3.7.14-1F will be stored in compliance with Specification 4.3.1.1.e,Reference 4. In the first Unit 2 configuration, designated as "All-Cell", Westinghouse 17x17 standard fuel assemblies can be stored in a repeating 2x2 matrixof storage cells where all the assemblies have nominal enrichments less than or equal to 1 .856 w/o U-235. Fuel assemblies with initial nominal enrichments greater than 1.856 w/o U-235 must satisfy a minimumburnup requirement as shown in Table 3.7.14-18, to be eligible forstorage in this configuration.ln the second Unit 2 configuration, deslgnated as "3x3", Westinghouse17x17 standard fuel assemblies can be stored in a repeating 3x3 matrixof storage cells with eight storage cell locations forming a ring of depleted fuel assemblies that surround a fuel assembly with initial nominalenrichment up to 5.0 w/o. The depleted fuel assemblies for thisconfiguration must have an initial nominal enrichment of less than orequal to 1 .194 wlo U-235, or satisfy a minimum burnup requirement for higher initial enrichments as shown in Reference 4 for this configuration. The burnup requirements for the depleted assemblies in this configurationcan be reduced by crediting decay time.ln the third Unit 2 configuration, designated as "1-out-of-4 5.0 wio at15,000 MWD/MTU", Westinghouse 17x17 standard fuel assemblies can be stored in a repeating 2x2 matrix of storage cells with a fuel assemblyhaving an initial nominal enrichment of up to 5.0 w/o U-235 and a burnupof at least 15,000 MWD/MTU occupying one storage cell location and depleted fuel assemblies occupying the three remaining locations. Thedepleted fuel assemblies for this configuration must have an tnitial nominal enrichment of less than or equal to 1.569 w/o U-235, or satisfy aminimum burnup requirement for higher initial enrichments as shown inReference 4 for this configuration.Beaver Valley Units 1 and 2 B3.7 14-2 Revision 16 Spent Fuel Pool StorageB 3.7.14 BASES BACKG ROUN D (conti nued)In the fourth Unit 2 configuration, designated as "1-out-of-4 3.85 w/o with lFBA", Westinghouse 17x17 standard fuel assemblies can be stored in arepeating 2x2 matrix of storage cells with a fuel assembly having nominal initial enrichment up to 3.85 w/o U-235 occupying one of the four storage cell locations and depleted fuel assemblies occupying the three remaininglocations. The depleted fuel assemblies for this configuration must have an initial nominal enrichment of less than or equal to 1.279 Mo U-235, orsatisfy a minimum burnup requirement for higher initial enrichments as shown in Reference 4 for this configuration. The fresh fuel assemblymust have an initial nominal enrichment of less than or equal to 3.85 w/o U-235, or must contain a minimum number of IFBA pins for higher initial enrichments as shown in Reference 4 for this configuration. The IFBA stack in the fresh assemblies must be at least 120 inches long and have anominal loading of at least 1.5X to meet the requirements. For Unit 2, the interfaces between these four configurations must bemaintained such that only the depleted assemblies from each of theconfigurations are located along the interface. Using the depleted assemblies at the interface precludes locating the more highly reactive assemblies (fresh or 15,000 MWD/MTU) next to each other where the configurations meet. Each configuration has its own requirements for itsdepleted assemblies, which are identified in Reference 4. In the case of the "All-Cell" configuration, all of the assemblies are depleted and,therefore, can be located at the interface with any of the other configurations. For Unit 2, spent fuel racks have been analyzed in accordance with the methodology contained and documented in Reference 4. Thismethodology ensures the spent fuel rack multiplication factor, k"6, is< 0.95 as recommended by the April 1978 NRC letter (Ref. 3) and ANSI/ANS-57.2-1983 (Ref.6). The codes, methods, and techniques contained in the methodology are used to satisfy this ker criterion.The four storage configurations for the Unit 2 spent fuel storage racks are analyzed for a range of initial assembly enrichment up to 5.0 wio utilrzing credit for burnup, burnable absorbers, decay time and soluble boron, to ensure ken is maintained < 0.95, including uncertainties, tolerances, andaccident conditions. The Unit 2 spent fuel storage pool k"rr is maintained < 1.0, including uncertainties and tolerances on a 95/95 probabifity/confidence fevel, without crediting soluble boron.Therefore, the safe operation of the Unit 2 spent fuel storage pool with nomovement of assemblies necessitates both the storage requirements ofthis Specification as well as the fuel pool boron concentrationrequirements of LCO 3.7.16 be met.Beaver Valley Units 1 and 2B 3.7.14 - 3 Revision 21 Spent Fuel Pool StorageB 3.7.14 BASES BACKG ROUN D (continued) Metarnic Racks For Unit 2, the spent fuel storage racks are constructed, in part, from aboron carbide and aluminum-composite material with the trade name"Metamic." The Metamic material provides a neutron absorbing functionto maintain the stored fuel in a subcritical condition. The criticality analysis, documented in Holtec Report Hl-2084175 (Ref.5), demonstrates that the effective neutron multiplication factor (k"n) is lessthan 1.0 with the storage racks fully loaded with fuel of the highestanticipated reactivity and the pool flooded with unborated water at a temperature corresponding to the highest reactivity. The criticalityanalysis also demonstrates that ker is less than or equal to 0.95 with thestorage racks fully loaded with fuel of the highest anticipated reactivity and the pool flooded with borated water at a temperature correspondingto the highest reactivity. In addition, soluble boron is required in the Unit 2 spent fuel storage pool to provide negative reactivity for postulated accident conditions (i.e., a misplaced fuel assembly resulting from fuel movement) consistent with the guidelines of the April 1978 NRC letter (Ref. 3) and ANSI/ANS-57.2-1983 (Ref. 6).Therefore, as was the case for the Boraflex racks, the safe operation of the Unit 2 spent fuel storage pool with no movement of assemblies necessitates that both the storage requirements of this Specification as well as the fuel pool boron concentration requirements of LCO 3.7.16 be met.For the Unit 2 high-density Metamic racks, fuel storage locatrons aredictated by three different regions in each rack, associated with fuel type group (enriched blankets, natural blankets, or no blankets), enrichment, and burnup. Fuel assemblies must be characterized based on these three parameters, and stored in the regions specified in Table 3.7.14-1C (enriched blankets), Table 3.7.14-1D (natural blankets), Table 3.7.14-1E (no blankets), and Specification 4.3.1.1.e. In addition to the information provided in these specifications, details about the different fuel type groups and figures illustrating the storage location regions are provided in Reference 5.Beaver Valley Units 1 and 2B 3.7.14 - 4Revision 16 Spent Fuel Pool Storage8 3.7.14 BASES APPLICABLE SAFETY ANALYSESThe hypothetical accidents can only take place during or as a result of the movement of an assembly (Ref. 7). For these accident occurrences, the presence of soluble boron in the spent fuel storage pool (controlled by LCO 3.7.16, "Fuel Storage Pool Boron Concentration") prevents criticality in the spent fuel storage pool. By closely controlling the movement ofeach assembly and by checking the location of each assembly after movement, the time period for potential accidents may be limited to a small fraction of the total operating time. Conformance with the applicable spent fuel storage pool criticality analyses is assured through compliance with the accompanying LCO and refueling procedures. For Unit 1, during the remaining time period with no potential for accidents,the operation may be under the auspices of the accompanying LCO without reliance on soluble boron. For Unit 2, however, when no potential for an accident exists, safeoperation of the spent fuel storage pool must include the boronconcentration within the limit specified in LCO 3.7.16 as well as the fuelbeing stored in accordance with LCO 3.7.14. The boron concentration specified ln LCO 3.7.16, as well as the storage requirements ofLCO 3.7.14, are necessary to meet the requirement to maintain k"tr < 0.95 in the Unit 2 spent fuel storage pool under normal (i.e., static) conditions.Operation within the storage requirements of LCO 3.7.14 with no soluble boron in the Unit 2 spent fuel storage pool maintains ken < 1.0, including uncertainties and tolerances on a 95/95 probability/confidence level. In accordance with Reference 4, the interface boundaries between the various storage requirement configurations of the Boraflex racks are maintained such that only the depleted assemblies are at the boundary. In accordance with Reference 5, this restriction is not applicable to the assemblies stored in the Metamic racks.The configuration of fuel assemblies in the fuel storage pool satisfies Criterion 2 of 10 CFR 50.36(cX2xii) LCO For Unit 1, the restrictions on the placement of fuel assemblies within the spent fuel pool, in accordance with Table 3.7.14-1A, in the accompanyingLCO, ensures the k"r of the spent fuel storage pool will always remain< 0.95, assuming the pool to be flooded with unborated water.Boraflex Racks For Unit 2, operation within the storage requirements specified in Table 31.14-18 of the accompanying LCO or Specification 4.3.1.1.e, with no soluble boron in the spent fuel storage pool would only maintain k"r < 1.0, including uncertainties and tolerances on a 95/95 probabilityiconfidenceBeaver Valley Units 1 and 2 B3.7 14-5 Revision 16 Spent Fuel Pool StorageB 3.7.14 BASES LCO (continued)level. Therefore, Unit 2 must also maintain the spent fuel storage poolboron concentration within the limit specified in LCO 3.7.16, in order to meet the requirement to maintain ker < 0.95.Metamic Racks For Unit 2 storage of fuel in the Metamic racks, required locations are dictated by three different regions in each rack, associated with fuel type group (enriched blankets, natural blankets, or no blankets), enrichment,and burnup. Fuel assemblies must be characterized based on these three parameters, and stored in the regions specified in Table 3.7.14-1C (enriched blankets), Table 3.7.14-1D (natural blankets), Table 3.7.14-1E (no blankets), and Specification 4.3.1 .1 .e. For Unit 2, storage of fuel in the Metamic racks within the storage requirements specified in LCO 3.7 .14 and Specification 4.3.1.1.e, with nosoluble boron in the spent fuel storage pool, would only maintain k"n < 1.0, including uncertainties and tolerances on a 95i95 probability/confidence level. Therefore, Unit 2 must also maintain the spent fuel storage pool boron concentration within the limit specified in LCO 3.7.16, in order to meet the requirement to maintain ksx < 0.95.For Unit 2, Specification 4.3.1.1.e contains a requirement that two empty rows of storage cells shall exist between the fuel assemblies stored in aBoraflex rack and the fuel assemblies stored in an adjacent Metamic rack in the fuel storage pool. The need for the two empty rows is to ensurethat the fuel in the two types of racks is neutronically decoupled duringthe installation phase of the reracking project. ln order to also resolve a potential seismic interaction issue between the two different types ofracks, the two empty rows of storage cells must either both be in theBoraflex rack or may consist of a single empty row in each type of rack.This spacing requirement does not need to be imposed on fuel in racksadjacent to the same type of rack.The LCO is modified by a Note, applicable to Unit 2 only, stating that theTechnical Specification requirements applicable to the fuel storage pool are also applicable to the fuel cask area when a fuel assembly is in the fuel cask area during the installation phase of the Unit 2 reracking project.Beaver Valley Units 1 and 2B3.7 14-6 Revision 16 Spent Fuel Pool Storage B 3.7.14 BASES APPLlCABILIryThis LCO applies whenever any fuel assembly is stored in the fuel storage pool (also referred to in several locations within the specificationsas the spent fuel storage pool or the spent fuel pool).ACTlONS A.1Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply.When the configuration of fuel assemblies stored in the spent fuel storage pool is not in accordance with Table 3.7.14-1A for Unit 1 and the LCO forUnit 2, the immediate action is to initiate action to make the necessaryfuel assembly movement(s) to bring the configuration into compliancewith Table 3.7.14-1A for Unit 1 and LCO 3.7.14 far Unit 2.The Required Actions are modified by a Note that takes exception toLCO 3.0.3. lf unable to move irradiated fuel assemblies while in MODE 5or 6, LCO 3.0.3 would not be applicable. lf unable to move irradiated fuelassemblies while in MODE 1,2,3, or 4, the action is independent of reactor operation. Therefore, inability to move fuel assemblles is notsufficient reason to require a reactor shutdown. SURVEILLANCE REQUlREMENTSsR 3.7.14.1 This SR verifies by administrative means that the initial ennchment andburnup of the fuel assembly is in accordance with Table 3.7.14-1A forUnit 1, and in accordance with the requirements of LCO 3.7.14 for Unit 2.Verification by administrative means may be accomplished through fuelreceipt records for new fuel or burnup analysis as necessary in accordance with refueling procedures. The Frequency of prior to storinga fuel assembly ensures that fuel assemblies are stored within the configurations analyzed in the spent fuel criticality analyses.Beaver Valley Units 1 and 2 B 3.7 14 -7Revision 16 Spent Fuel Pool StorageB 3.7.14 BASES REFERENCES1. Holtec Report H1-92791, Rev. 6, "Spent Fuel Pool Modification For lncreased Storage Capacity, Beaver Valley Power Station Unit 1," April 1992 as supplemented by Letter to the NRC (License ChangeRequest No. 202, Supplement 1, Spent Fuel Pool Rerack) dated June 28, 1993, and as further supplemented by calculation 8700-DMC-3664, Rev. 0.ANSI 16. 1-1 975 (ANS-8.1 ), Nuclear Criticality Safety In OperationsWith Fissionable Materials Outside Reactors.NRC Letter to All Power Reactor Licensees from B. K. Grimes, "OTPosition for Review and Acceptance of Spent Fuel Storage andHandling Applications," April 14, 1978.WCAP-16518-P, "Beaver Valley Unit 2 Spent Fuel Rack Criticality Analysis," Revision 2, July 2007.Holtec Report Hl-2084175, Revision 8, "Licensing Report for BeaverValley Unit 2 Rerack," as submitted to the NRC in support ofLicense Amendment No. 173, Unit 2 Fuel Storage Pool Rerack. ANSI/ANS-57.2-1 983, "Design Requirements for Light WaterReactor Spent Fuel Storage Facilities at Nuclear Power Stations."UFSAR Section 14 (Unit 1)and UFSAR Section 15 (Unit 2).2.3.4.5.6.7.Beaver Valley Units 1 and 2B 3.7.14 - 8 Revision 17 Fuef Storage Pool Water LevelB 3.7.1 5 B 3.7 PLANT SYSTEMSB 3.7.15 Fuel Storage Pool Water Level BASES BACKGROUND The minimum water level in the fuel storage pool meets the assumptionsof iodine decontamination factors following a fuel handling accident (FHA). The specified water levef shields and minimizes the general areadose when the storage racks are filled to their maximum capacity. The water also provides shielding during the movement of spent fuel.A general description of the fuel storage pool design is given in the UFSAR, Section 9.12 (Unit 1) and Section 9.1.2 (Unit 2) (Ref. 1). A description of the Spent Fuel Pool Cooling and Cleanup System is given in the UFSAR, Section 9.5 (Unit 1) and Section 9.1.3 (Unit 2) (Ref. 2).The assumptions of the FHA are given in the UFSAR, Section 14.2.1 (Unit 1) and Section 15.7.4 (Unit 2) (Ref. 3).APPLlCABLE SAFETY ANALYSES The minimum water level in the fuel storage pool meets the assumptions of the FHA described in Regulatory Guide 1 . 183 (Ref. a). The resultant offsite and control room doses are within the 10 CFR 50.67 (Ref. 5) andReference 4 limits. According to Reference 3, there is 23 ft of water between the top of thedamaged fuel bundle and the fuel pool surface during a FHA. With 23 ftof water, the decontamination factors of Reference 4 can be used directly.ln practice, this LCO preserves this assumption for the bulk of the fuel in the storage racks. In the case of a single bundle dropped and lying horizontally on top of the spent fuel racks, however, there may be < 23 ft of water above the top of the fuel bundle and the surface, indicated by the width of the bundle. To offset this small nonconservatism, the analysisassumes that the maximum number of postulated fuel rods fail. This number of failed fuel rods is based on the worse case postulated fueldrop height occurring in the containment building. The postulated fuel drop height in the fuel building is significantly less than the postulated fueldrop height in the containment building.The FHA in the storage pool is described in Reference 3. With aminimum water level of 23 feet and a minimum decay time of 100 hours prior to fuel handling, the analyses demonstrate that the offsite andcontrol room doses are maintained within the llmits established inReferences 4 and 5.The fuel storage pool water level satisfies Criteria 2 and 3 of 10 CFR 50 36(c)(2xii). Beaver Valley Units 1 and 2 B37.15-1Revision 0 Fuel Storage Pool Water LevelB 3.7.15 BASES LCOThe fuel storage pool water level is required to be >23 ft over the top of irradiated fuel assemblies seated in the storage racks. The specifiedwater level preserves the assumptions of the fuel handling accident analysis (Ref. 3). As such, it is the minimum required for fuel movementwithin the fuef storage pool.As clarified in the LCO 3.7.14 NOTE, applicable to Unit 2 only,Specification 3.7.15 applies to the fuel cask area when a fuel assembly isin the cask area during the installation phase of the Unit 2 rerack project.APPLICABILIryThis LCO applies during movement of irradiated fuel assemblies in thefuel storage pool and during movement of fuel assemblies over irradiated fuel assemblies in the fuel storage pool, since the potential for a release of fission products exists.ACTIONS Condition A is modified by a Note indicating that LCO 3.0.3 does not apply. lf moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 woufd not specify any action. lf moving irradiated fuel assemblies while in MODES 1,2, 3, and 4, the fuel movement isindependent of reactor operations. Therefore, inability to suspendmovement of irradiated fuel assemblies is not sufficient reason to require a reactor shutdown.When the initial conditions for prevention of an accident cannot be met,steps should be taken to preclude the accident from occurring. When the fuel storage pool water level is lower than the required level, themovement of rrradiated fuel assemblies in the fuel storage pool is immediately suspended to a safe position. This action effectively precludes the occurrence of a fuel handling accident. This does not preclude movement of a fuel assembly to a safe position.A.2When the fuel storage pool water level is lower than the required level, the movement of non-irradiated fuel assemblies over irradiated fuel assemblies in the fuel storage pool is immediately suspended to a safe position. This action effectively precludes the occurrence of a fuelhandling accident. This does not preclude movement of a fuel assembly to a safe position.Beaver Valley Units 1 and 2 B 3.7.15 - 2 Revision 16 Fuel Storage Pool Water LevelB 3.7.1 5 BASES SURVEILLANCE SR 3.7.15.1 REQUIREMENTS This SR verifies sufficient fuel storage pool water is available in the eventof a fuel handling accident. The water level in the fuel storage pool mustbe checked periodically. The 7 day Frequency is appropriate becausethe volume in the pool is normally stable. A stable volume in the pool is maintained by controlling water level changes by plant procedures, which is acceptable based on operating experience. ln addition to verifying the storage pool level every 7 days, during refueling operations, with the transfer tube open, the level in the fuel storage pool is in equilibrium with the refueling cavity, and the level in the refueling cavity is checked daily in accordance with SR 3.9.6.1 .REFERENCES 4.2.3.5.1.UFSAR, Section 9.12 (Unit 1)and Section 9.1.2 (Unit 2).UFSAR, Section 9.5 (Unit 1) and Section 9.1.3 (Unit 2).UFSAR, Section 14.2.1 (Unit 1) and Section 15.7.4 (Unit 2).Regulatory Guide 1.183, July 2000.10 cFR 50.67.Beaver Valley Units 1 and 2 B3715-3 Revision 0 Fuel Storage Pool Boron ConcentrationB 3.7.16 B 3.7 PLANT SYSTEMSB 3.7.16 Fuel Storage Pool Boron Concentration BASES BACKGROUND The spent fuel storage racks contain storage locations for 1627 fuel assemblies (Unit 1) and 1088 fuel assemblies when the spent fuel storage pool contains only Boraflex racks or 1690 fuel assemblies whenthe spent fuel storage pool contains only Metamic racks (Unit 2). Theracks are designed to store Westinghouse 17X17 fuel assemblies with nominal enrichment up to 5.0 weight percent.For Unit 1, the spent fuel storage racks are divided into three regions with different fuel burnup-enrichment limits associated with each region. Fuelassemblies may be stored in any location, as specified in Table3.7 .14-1A, provided the fuel burnup-enrichment combinations are within the limits specified for the associated storage rack region in LCO 3.7.14,"Spent Fuel Assembly Storage." For Unit 1, the spent fuel storage racks are constructed, in part, from aboron carbide and aluminum-composite material with the trade name"Boral." The Boral material provides a neutron absorbing function thathelps to maintain the stored fuel in a subcritical condition. Therefore,soluble boron is not required in the Unit 1 spent fuel pool to maintain the spent fuel rack multiplication factor, keff , < 0.95 when the fuel assembliesare stored in the correct fuel pool location in accordance with LCO 3.7.14and no fuel movement is in progress (i.e., the pool is in a static condition).The fact that soluble boron concentration is not required to maintain the Unit 1 spent fuel rack multiplication factor, kerr , < 0.95 is confirmed inHoltec Report Hl-92791 (Ref. 1). However, a boron concentration is maintained in the Unit 1 spent fuel pool to provide negative reactivity for postulated accident conditions (i.e., a misplaced fuel assembly resultingfrom fuel movement) consistent with the guidelines of ANSI 16.1-1975 (Ref. 2) and the April 1978 NRC letter (Ref. 3). The required Unit 1 spent fuel pool boron concentration for a reactivity excursion due to accident conditions is 1050 ppm.Safe operation of the Unit 1 spent fuel pool with no movement ofassemblies may therefore be achieved (without reliance on soluble boron)by controlling the location of each stored fuel assembly in accordancewith LCO 3.7.14. However, prior to fuel movement and during rnovementof fuel assemblies it is necessary to perform SR 3.7 .16.1 to assure the required boron concentration is available until fuel movement is finishedand a verification is complete that assures fuel assemblies are stored inaccordance with LCO 3.7.14.Beaver Valley Units 1 and 2 B 3.7.16 - 1 Revision 16 Fuef Storage Pool Boron ConcentrationB 3.7.16 BASES BACKG ROUN D (continued) Boraflex Racks For Unit 2, the Boraflex spent fuel racks have been analyzed inaccordance with the methodology contained and documented inReference 4. This methodology ensures the spent fuel rack multiplicationfactor, k"6, is < 0.95 as recommended by the April 1978 NRC letter (Ref. 3) and ANSI/ANS-57.2-1983 (Ref. 6). The codes, methods, and techniques contained in the methodology are used to satisfy this k"6 criterion.The four storage configurations for the Unit 2 Boraflex spent fuel storage racks are analyzed for a range of initial assembly enrichment up to 5.0 w/o utilizing credit for burnup, burnable absorbers, decay time and solubleboron, to ensure ks6 is maintained < 0.95, including uncertainties, tolerances, and accident conditions.Metamic Racks For Unit 2, the Metamic spent fuel racks have been analyzed in accordance with the methodology contained and documented inReference 5. This methodology ensures the spent fuel rack multiplicationfactor, ksff, is < 0.95 as recommended by the April 1978 NRC letter (Ref. 3) and ANSI/ANS-57.2-1983 (Ref. 6). The codes, methods, and techniques contained in the methodology are used to satisfy this keir criterion. The three storage regions for the Unit 2 Metamic spent fuel storage racksare analyzed for a range of initial assembly enrichment up to 5.0 w/outilizing credit for burnup, to ensure ker is maintained < 0.95, includinguncertainties, tolerances, and accident conditions. The three fuel storagelocation regions are described in Specification 4.3.1.1.e, and in Reference

5. i The soluble boron concentration required to maintain k"r < 0.95 in theUnit 2 spent fuel storage pool under normal conditions has been determined for when the spent fuel storage pool contains only Boraflex racks (Ref. 4) and when the spent fuel storage pool contains onlyMetamic racks (Ref. 5). When the spent fuel storage pool contains only Boraflex racks the required concentration is 450 ppm. When the spent fuel storage pool contains only Metamic racks the required concentrationis 495 ppm. For conservatism, 495 ppm is specified in Specification 4.3. 1 . 1 .c.Beaver Valley Units 1 and 2 B 3.7.16 - 2 Revision 21 Fuel Storage Pool Boron ConcentrationB 3.7.16 BASESBACKGROUND (continued)A spent fuel storage pool boron concentration of 2000 ppm ensures no credible boron dilution event will result in kuir exceeding 0.95. Safe operation of the Unit 2 spent fuel storage pool with either type of rack requires the specified fuel pool boron concentration be maintained at alltimes when fuel assemblies are stored in the spent fuel storage pool.Therefore, for Unit 2, SR 3.7.1 6.1 is applicable whenever fuel assembliesare stored in the spent fuel storage pool with either type of rack.During refueling, the water volume in the spent fuel storage pool, thetransfer canal, the refueling canal, the refueling cavity, and the reactorvessel form a single mass. As a result, the soluble boron concentration isrelatively the same in each of these volumes.APPLICABLE SAFETY ANALYSESThe most limiting reactivity excursion event evaluated in the spent fuel pool criticality analyses (for both Unit 1 and 2) is a misplaced new fuel assembly with the highest permissible U-235 enrichment (5.0 weight percent).For Unit 1, the amount of soluble boron required to maintain the spentfuel rack multiplication factor, kerr, < 0.95 with the worst case misplacednew fuel assembly is approximately 400 ppm. The > 1050 ppm boronconcentration specified in the Unit 1 LCO conservatively assures k"6 ismaintained within the limit for the worst case misplaced assembly accident.

The Unit 1 boron concentration requirement of 1050 ppmincludes a conservative margin of 600 ppm with a 50 ppm allowance for uncertainties.Boraflex RacksFor Unit 2, with only Boraflex racks, the amount of soluble boron requiredto maintain the spent fuel storage rack multiplication factor, keff, < 0.95with the worst case misplaced new fuel assembly is > 837 ppm.Metamic RacksFor Unit 2, with only Metamic racks the amount of soluble boron requiredto maintain the spent fuel storage rack multiplication factor, kerf, < 0.95 forthe worst case accident, i.e., a misplaced new fuel assembly in the outer row of the rack in a Region 2location, is > 1212 ppm.When the spent fuel storage pool contains a combination of racks, theamount of soluble boron required to maintain the spent fuel storage rack multiplication factor, keff, < 0.95 with the worst case misplaced new fuel assembly is conservatively specified as > 1212 ppm.Beaver Valley Units 1 and 2 B3716-3 Revision 16 Fuel Storage Pool Boron ConcentrationB 3.7.16 BASES APPLICABLE SAFETY ANALYSES (continued) For either type of rack, the > 2000 ppm limit specified in the Unit 2 LCO conservatively assures k"6 is maintained within the limit for the worst casemisplaced fuel assembly accident. In addition, the > 2000 ppm limit specified in the Unit 2 LCO ensures no credible boron dilution event will reduce the boron concentration below the 495 ppm required duringnormal non-accident conditions to maintain k"6 < 0.95 for either type of rack.The concentration of dissolved boron in the fuel storage pool satisfiesCriterion 2 of 10 CFR 50.36(c)(2xii). LCOThe fuel storage pool boron concentration is required to be > 1050 ppm (Unit 1) and > 2000 ppm (Unit 2). The specified concentration ofdissolved boron in the fuel storage pool preserves the assumptions usedin the analyses of the potential criticality accidents as discussed in the UFSAR (Ref. 7). ln addition, for Unit 2, soluble boron is credited tomaintain ker s 0.95 during normal operating conditions whenever fuel is stored in the spent fuel storage pool.As clarified in the LCO 3.7.14 Note, applicable to Unrt 2 only, Specification 3.7.16 applies to the fuel cask area when a fuel assembly is in the cask area during the installation phase of the Unit 2 rerack project.APPLICABILITY For Unit 1 this LCO applies whenever fuel assemblies are stored in the spent fuel storage pool, until a complete spent fuel storage pool verification has been performed following the last movement of fuelassemblies in the spent fuel storage pool. This LCO does not apply toUnit 1 following the verification, since the verification would confirm thatthere are no misloaded fuel assemblies. With no further fuel assemblymovements in progress, there is no potential for a misloaded fuelassembly or a dropped fuel assembly.For Unit 2 this LCO applies whenever fuel assemblies are stored in the spent fuel storage pool to ensure k"6 is maintained < 0.95 during normaloperation as well as for potential criticality accident scenarios. ACTIONS4.1. 4.2.1 . and A.2.2The Required Actions are modified by a Note indicating that LCO 3.0.3 does not apply.Beaver Valley Units 1 and 2 B37.16-4Revision 16 Fuel Storage Pool Boron ConcentrationB 3.7.16 BASES ACTIONS (continued)In addition, Required Action A.2.2 is modified by a Note that statesRequired Action A.2.2 is only applicable to Unit 1. The Action is restrictedto Unit 1 because Unit 1 does not credit soluble boron during normal (non-accident) conditions to ensure k"n is maintained < 0.95.When the concentration of boron in the fuel storage pool is less thanrequired, immediate action must be taken to preclude the occurrence ofan accident or to mitigate the consequences of an accident in progress.This is most efficiently achieved by immediately suspending themovement of fuel assemblies. Action is also initiated to restore the boronconcentration simultaneously with suspending movement of fuelassemblies. Alternatively, for Unit 1 only, beginning a verification of thefuel storage pool fuel locations, to ensure proper locations of the fuel, can be performed. However, prior to resuming movement of fuel assemblies, the concentration of boron must be restored. This does not precludemovement of a fuel assembly to a safe position.The Required Actions are modified by a Note that takes exception toLCO 3.0.3. lf the LCO is not met while moving irradiated fuel assemblies in MODE 5 or 6, LCO 3.0.3 would not be applicable. lf moving irradiatedfuel assemblies while in MODE 1,2,3, or 4, the fuel movement is independent of reactor operation. Therefore, inability to suspend movement of fuel assemblies is not sufficient reason to require a reactor shutdown.SURVEILLANCE REQUIREMENTSsR 3.7.16.1 This SR verifies that the concentration of boron in the fuel storage pool iswithin the required limit. As long as this SR is met, the analyzedaccidents are fully addressed. The 7 day Frequency is appropriate because no major replenishment of pool water is expected to take placeover such a short period of time.For Unit 1 the Surveillance must be performed within the specified Frequency prior to initiating fuel movement and must continue to be performed at the specified Frequency until fuel movement is finished anda verification is complete that assures fuel assemblies are stored in accordance with LCO 3.7 .14.For Unit 2 the Surveillance must be performed within the specifiedFrequency whenever fuel assemblies are stored in the spent fuel storage pool.Beaver Valley Units 1 and 2B 3.7.16 - 5 Revision 16 Fuel Storage Pool Boron ConcentrationB 3.7.16 BASES REFERENCES1. Holtec Report Hl-92791, Rev. 6, "Spent Fuel Pool Modification For Increased Storage Capacity, Beaver Valley Power Station Unit 1,"April 1992 as supplemented by Letter to the NRC (License Change Request No. 202, Supplement 1, Spent Fuel Pool Rerack) dated June 28, 1993, and as further supplemented by calculation 8700-DMC-3664, Rev. 0.ANSI 16.1-1975 (ANS-8.1), Nuclear Criticality Safety In OperationsWith Fissionable Materials Outside Reactors.NRC Letter to All Power Reactor Licensees from B. K. Grimes, "OT Position for Review and Acceptance of Spent Fuel Storage and Handling Applications," April 14, 1978. WCAP-16518-P, "Beaver Valley Unit 2 Spent Fuel Rack Criticality Analysis," Revision 2, July 2047.Holtec Report Hl-2084175, Revision 8, "Licensing Report for Beaver Valley Unit 2 Rerack," as submitted to the NRC in support of License Amendment 173, Unit 2 Fuel Storage Pool Rerack.ANSI/ANS-57.2-1 983, "Design Requirements for Light Water Reactor Spent Fuel Storage Facilities at Nuclear Power Stations." UFSAR Sections 3.3.2.7 and 9.12.2.2 (Unit 1) and UFSAR Sections4.3 2.6 and 9 1.2 (Unit 2).2.3.4.5.6.7 Beaver Valley Units 1 and 2 B37.16-6Revision 17 AC Sources - OperatingB 3.8.1B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.1 AC Sources - Operating BASES BACKGROUND The unit Class 1E AC Electrical Power Distribution System AC sourcesconsist of the offsite power sources (preferred power sources, normal and alternate(s)), and the onsite standby power sources (Train A and Train B diesel generators (DGs)). As discussed in Reference 1, the design of the AC electrical power system provides independence and redundancy toensure an available source of power to the Engineered Safety Feature (ESF) systems.The onsite Class 1E AC Distribution System is divided into redundant load groups (trains) so that the loss of any one group does not preventthe minimum safety functions from being performed. Each train has connections to one required offsite power source and a single DG.Offsite power is supplied to the switchyard from several 345kV and 138kV transmission lines. From the switchyard(s), two electrically and physically separated circuits provide AC power, through step down station service transformers, to the 4.16 kV ESF buses. A detailed description of the offsite power network and the circuits to the Class 1E ESF buses is found in the UFSAR, Chapter 8 (Ref. 2).An offsite circuit consists of all breakers, transformers, switches, interrupting devices, cabling, and controls required to transmit power fromthe offsite transmission network to the onsite Class 1E ESF bus(es). The onsite standby power source for each 4.16 kV ESF bus is adedicated DG. DGs 1-1 for Unit 1 and 2-1 for Unit 2 and 1-2far Unit 1and2-2 for Unit 2 are dedicated to ESF buses AE and DF, respectively.A DG starts automatically on a safety injection (Sl) signal (i.e., lowpressurizer pressure, steamline pressure - Jow, manual, or high containment pressure signals) or on an undervoltage signal (refer to LCO 3.3.5, "Loss of Power (LOP) Diesel Generator (DG) Start and Bus Separation Instrumentation"). After the DG has started, it will automatically tie to its respective bus after offsite power is tripped as a consequence of ESF bus undervoltage or degraded voltage, independentof or coincident with an Sl signal. The DGs will also start and operate inthe standby mode without tying to the ESF bus on an Sl signal alone. Following the trip of offsite power, an undervoltage signal strips nonpermanent loads from the ESF bus. When the DG is tied to the ESFbus, loads are then sequentially connected to its respective ESF bus by the automatic load sequencer timer(s). The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloadingthe DG by automatic load application.Beaver Valley Units 1 and 2 B 3.8.1 - 1Revision 0 AC Sources - OperatingB 3.8.1 BASES BACKG ROUN D (continued )The sequence timer(s) provide a time delay for the individual componentto close its breaker to the associated emergency electrical bus. Each component is sequenced onto the emergency bus by an initiating signal.lmproper loading sequence may cause the emergency bus to become inoperable. The Unit 1 sequence timers are provided for each train of ESF components and may affect individual components and the associated DG. The Unit 2 sequence timers affect individual componentsand the associated DG.In the event of a loss of unit and system power, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide forsafe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a loss of coolant accident (LOCA).Certain required unit loads are returned to service in a predetermined sequence in order to prevent overloading the DG in the process. Within1 minute (Reference2\ after the initiating signal is received, all loads needed to recover the unit or maintain it in a safe condition are returned to service.Ratings for Bus AE Train A and Bus DF Train B DGs satisfy the requirements of Reference

3. The continuous service rating of each DGis for Unit 1 2600 kW and for Unit 2 4238 kW with a 2850 kW (Unit 1) and4535 kW (Unit 2) allowable for up to 2000 hours per year.

The ESF loadsthat are powered from the 4.16 kV ESF buses are listed in Reference 2.APPLICABLE SAFETY ANALYSESThe initial conditions of DBA and transient analyses in the UFSAR,Chapter 6 (Ref. 4) and Reference 5 assume ESF systems areOPERABLE. The AC electrical power sources are designed to providesufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, ReactorCoolant System (RCS), and containment design limits are not exceeded.These limits are discussed in more detail in the Bases for Section 3.2,Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS);and Section 3.6, Containment Systems.The OPERABILITY of the AC electrical power sources is consistent withthe initial assumptions of the Accident analyses and is based uponmeeting the design basis of the unit. This results in maintaining at least one train of the onsite or offsite AC sources OPERABLE during Accidentconditions in the event of:

a. An assumed loss of all offsite power or all onsite AC power andBeaver Valley Units 1 and 2B 3.8 1-2Revision 0 AC Sources - Operating B 3.8.1 BASES APPLICABLE SAFETY ANALYSES (continued)b. A worst case single failure.The AC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2xii).

LCO Two qualified circuits between the offsite transmission network and theonsite Class 1E Electrical Power System and separate and independentDGs for each train ensure availability of the required power to shut downthe reactor and maintain it in a safe shutdown condition after ananticipated operational occurrence (AOO) or a postulated DBA.Qualified offsite circuits are those that are described are part of the licensing basis for the unit.the UFSAR and ln addition, required automatic load sequence timer(s) must be OPERABLE.Each offsite circuit must be capable of maintaining rated frequency andvoltage, and accepting required loads during an accident, while connected to the ESF buses.During normal plant operation, electrical power for the onsite circuits comes from either the main generator through 22 kV to 4.36 kV unit station service transformers or from the two independent offsite 138 kV buses through 138 kV to 4.36 kV system station service transformers.The secondary windings of the transformers are connected to four separate 4.16 kV normal buses, A, B, C and D. Buses A and D provide power for the two redundant Class 1E 4.16 kV emergency buses AE andDF, respectively. During plant shutdown, the emergency buses receive power from the system station service transformers, or may receive power from the unit station service transformers by backfeeding the main transformer. Automatic and manual transfer capabilities to the system station service transformers are avaifable when the offsite source(s) arerequired to be OPERABLE. Each DG must be capable of starting, accelerating to nominal speed andvoltage, and connecting to its respective ESF bus on detection of bus undervoltage. This will be accomplished within 10 seconds from the timethe signal is received by the DG starting circuit. Each DG must also becapabfe of accepting required loads within the assumed loading sequence intervals, and continue to operate until offsite power can berestored to the ESF buses. These capabilities are required to be metfrom a variety of initial conditions such as DG in standby with the engine hot and DG in standby with the engine at ambient conditions. Additional Beaver Valley Unlts 1 and 2 B38.1 -3Revision 0 AC Sources - OperatingB 3.8.1 BASES LCO (continued)DG capabilities must be demonstrated to meet required Surveillance,e.9., capability of the DG to revert to standby status on an EmergencyCore Cooling Systems (ECCS) signal while operating in parallel testmode for Unit 2 oily.Proper sequencing of loads, including tripping of nonessential loads, is arequired function for DG OPERABILITY. The AC sources in one train must be separate and independent (to the extent possible) of the AC sources in the other train. For the DGs, electrical separation and independence are complete. For the offsite AC sources, separation and independence are to the extent practical. A circuit that is not connected to an ESF bus is required to have OPERABLE fast transfer capability to align that circuit to itsassociated ESF bus.APPLICABILlTYThe AC sources and sequencer timer(s) are required to be OPERABLE inMODES 1,2,3, and 4 to ensure that: a. Acceptable fuel design limits and reactor coolant pressure boundarylimits are not exceeded as a result of AOOs or abnormal transients andb. Adequate core cooling is provided and containment OPERABILITYand other vital functions are maintained in the event of a postulated DBA.The AC power requirements for MODES 5 and 6 are covered inLCO 3.8.2, "AC Sources - Shutdown." ACTIONSA Note prohibits the application of LCO 3.0.4.b to an inoperable DG.There is an increased risk associated with entering a MODE or otherspecified condition in the Applicability with an inoperable DG and the provisions of LCO 3.0.4.b, which allow entry into a MODE or otherspecified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.Beaver Valley Units 1 and 2 B 3.8.1 - 4Revision 0 AC Sources - Operating B 3.8.1 BASES ACTIONS (continued) Requirements for applvinq the 14 dav DG Completion TimeThe ACTION Conditions for inoperable AC sources provide a 1 4 dayCompletion Time when one DG is inoperable. The 14 day CompletionTime includes the normalT2 hour Completion Time which is not riskinformed, followed by an 11 day extension period that is based on a plant specific risk analysis performed to establish the overall Completion Time (Ref 13).As a defense in depth measure, when the option of an extended Completion Time (i.e., a time beyond the normal 72 hours) for a DG isexercised, alternate AC (AAC) power will be provided with capability ofsupplying safe shutdown loads during a station blackout without the needfor rescheduling of safety system operation in the unaffected unit. Forunplanned DG outages, capability to supply AAC power will be availableupon entering the Completion Time extension (i.e. , by 72 hours into theCompletion Time). For outages planned to exceed an initial 72 hour Completion Time, AAC power will be provided within one hour of enteringthe Action Condition for an inoperable DG. ln any event, if AAC power ofthe required capacity is not available after entering the extendedCompletion Time (after 72 hours into the Completion Time), the actions of Required Action G become applicable (i.e., Be in MODE 3 in 6 hours and be in MODE 5 in 36 hours).The following criteria would apply to any AAC source used as a defensein depth measure: An AAC power source may be of a temporary or permanent nature and would not be required to satisfy Class 1E requirements. Dynamic effects of an AAC power source failure (GDC-4 events)would not adversely affect safety related plant equipment.An AAC power source would not be required to be protected against natural phenomena (GDC-2 events) or abnormal environmental ordynamic effects (GDC-4 events).An AAC power source would be capable of starting and carryingdesignated loads required for safe shutdown, including maintainingadequate voltage and frequency such that performance of poweredequipment is acceptable. 1.2.3.4.Beaver Valley Units B3.8 1-5 Revision 0 AC Sources - OperatingB 3.8.1 BASES ACTIONS (continued)Prior to relying on its availability, a temporary AAC power source wouldbe determined to be available by: (1) starting the AAC source and verifying proper operation; (2) verifying that sufficient fuel is available onsite to support24 hours of operation; and (3) ensuring that the AAC source is in the correct electrical alignment to supply power to designatedsafe shutdown loads. Subsequently, when not in operation, a status check for availability will also be performed once every 72 hours. This check consists of: (1) verifying the AAC source is mechanically and electrically ready for operation; (2) verifying that sufficient fuel is availableonsite to support 24 hours of operation; and (3) ensuring that the AAC source is in the correct electrical alignment to supply power to designatedsafe shutdown loads.Prior to relying on its availability, a permanent AAC power source wouldbe determined to be available by starting the AAC source and verifying proper operation. In addition, initial and periodic testing, surveillance, andmaintenance conform to NUMARC 87-00, Revision 1, Appendix B,"Alternate AC Power Criteria" guidelines. The guidelines include provisions for quarterly functional testing, timed starts and load capacitytesting on a fuel cycle basis, surveillance and maintenance consistentwith manufacturer's recommendations, and initial testing of capability to power required shutdown equipment within the necessary time.4.1To ensure a highly reliable power source remains with one offsite circuitinoperable, it is necessary to verify the OPERABILfTY of the remaining required offsite circuit on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met. However, if a second required circuit fails SR 3.8.1 .1 , the second offsite circuit is inoperable,and Condition C, for two offsite circuits inoperable, is entered.A.2 Required Action A.2, which only applies if the train cannot be powered from an offsite source, is intended to provide assurance that an event coincident with a single failure of the associated DG will not result in a complete loss of safety function of critical redundant required features.These redundant required features are those that are assumed tofunction to mitigate an accident, coincident with a loss of offsite power, inthe safety analyses, such as the Emergency Core Cooling System and Auxillary Feedwater System. These redundant required features do notinclude monitoring requirements, such as Post Accident Monitoring andRemote Shutdown. These features are powered from the redundant AC electrical power train.Beaver Valley Units 1 and 2B 3.8.1 - 6 Revision 25 AC Sources - OperatingB 3.8.1 BASESACTIONS (continued) A single motor driven auxiliary feedwater (AFW) pump does not provide sufficient flow to meet the most limiting accident analysis assumptions.Two out of the three AFW pumps are necessary to assure sufficient flowto meet the accident analyses. Therefore, in order to ensure the AFWsafety function is maintained, the turbine driven AFW pump must be considered a redundant required feature for the purposes of this Required Action.For Unit 2 only, the Train "8 (RHR) ADV cannot provide sufficient steam relief capacity in a prompt enough manner to meet the most limiting accident analysis assumptions upon the onset of a Steam Generator (SG)Tube Rupture until the ruptured SG is isolated from the Train B ADV flow path. Therefore, in order to ensure the ADV steam relief safety function is maintained for the purpose of preventing SG overfill with the "A" trainoffsite circuit inoperable, the three Train "A" ADVs must be considered aredundant required feature for the purposes of this Required Action.When determining if the required redundant feature(s) are available, as specified in this Required Action, the Train "A" ADVs are only required to be capable of local manual operation.The Completion Time for Required Action A.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action,the Completion Time only begins on discovery that both: The train has no offsite power supplying its loads andA required feature on the other trainlf at any time during the existence of Condition A (one offsite circuitinoperable) a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked.Discovering no offsite powgr to one train of the onsite Class 1E ElectricalPower Distribution System coincident with one or more inoperable required support or supported features, or both, that are associated with the other train that has offsite power, results in starting the CornpletionTimes for the Required Action. Twenty-four hours is acceptable becauseit minimizes risk while allowing time for restoration before subjecting theunit to transients associated with shutdown.The remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to Train A and Train B of the onsite Class 1E Distribution System. The 24 hour Completion Time takes into account the componentOPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 24 hour Completion Time takes into account thecapacity and capability of the remaining AC sources, a reasonable timefor repairs, and the low probability of a DBA occurring during this period.a.b.Beaver Valley Units 1 and 2 B38.1 -7 Revision 25 AC Sources - OperatingB 3.8.1 BASESACTIONS (continued)

4.3 According

to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition A for a period that should not exceed 72 hours. With oneoffsite circuit inoperable, the reliability of the offsite system is degraded,and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the unit safety systems. In this Condition, however, the remaining OPERABLE offsite circuit and DGs are adequateto supply electrical power to the onsite Class 1E Distribution System.The 72 hour Completion Time takes into account the capacity andcapability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.The second Completion Time for Required Action A.3 establishes a limiton the maximum time alfowed for any combination of required AC powersources to be inoperable during any single contiguous occurrence offailing to meet the LCO. The following discussion and the 17 dayCompletion Time stated in the Action Condition assume the extended14 day DG Completion Time is applied (see the requirements for applying the extended DG Completion Time discussed at the beginning of theActions section of the Bases). lf the Normal 72 hour DG Completion Time is applied, the limiting Completion Time for not meeting the LCOdiscussed below would be 144 hours (72 hours plus 72 hours) instead of 17 days (72 hours plus 14 days).lf Condition A is entered while, for instance, a DG is inoperable and thatDG is subsequently returned OPERABLE, the LCO may already havebeen not met for up to 14 days. This could lead to a total of 17 days, since initial failure to meet the LCO, to restore the offsite circuit. At thistime, a DG could again become inoperable, the circuit restored OPERABLE, and an additional 14 days (for a total of 31 days) allowed prior to complete restoration of the LCO. The 17 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The"AND" connector between the 72 hour and 17 day Completion Timesmeans that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.As in Required Action A.2, the Completion fime allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."This will result in establishing the "time zera" at the time that the LCO was initially not met, instead of at the time Condition A was entered. Beaver Valley Units 1 and 2 B38.1 -8Revision 13 AC Sources - OperatingB 3.8.1 BASES ACTIONS (continued) 8.1To ensure a highly reliable power source remains with an inoperable DG,it is necessary to verif,7 the availability of the offslte circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and Required Actions must then be entered. 8.2Required Action 8.2 is intended to provide assurance that a loss of offsite power, during the period that a DG is inoperable, does not result in acomplete loss of safety function of critical redundant required features.Redundant required feature failures consist of inoperable features associated with a train, redundant to the train that has an inoperable DG. A single motor-driven AFW pump does not provide sufficient ffow to meetthe most limiting accident analysis assumptions. Two out of the three AFW pumps are necessary to assure sufficient flow to meet the accident analyses. Therefore, in order to ensure the AFW safety function ismaintained, the turbine-driven AFW pump must be considered aredundant required feature for the purposes of this Required Action.For Unit 2 only, the Train "8" (RHR) ADV cannot provide sufficient steam relief capacity in a prompt enough manner to meet the most limitingaccident analysis assumptions upon the onset of a Steam Generator (SG)Tube Rupture until the ruptured SG is isolated from the Train B ADV flow path. Therefore, in order to ensure the ADV steam relief safety function ismaintained for the purpose of preventing SG overfill with the "A" train DG inoperable, the three Train "A" ADVs must be considered a redundantrequired feature for the purposes of this Required Action. When determining if the required redundant feature(s) are available, as specified in this Required Action, the Train "A" ADVs are only required tobe capable of local manual operation. The Completion Time for Required ActionB.2 is intended to allow theoperator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exceptron to the normal "time zera" for beginning the allowed outage time "clock." ln this Required Action,the Completion Time only begins on discovery that both:Beaver Valley Units 1 and 2 B 3.8.1 - I Revision 25 AC Sources - OperatingB 3.8.1 BASES ACTIONS (continued) a.b.An inoperable DG exists andA required feature on the other train (Train A or Train B) is inoperable. lf at any time during the existence of this Condition (one DG inoperable) arequired feature subsequently becomes inoperable, this Completion Timewould begin to be tracked. Discovering one required DG inoperable coincident with one or more inoperable required support or supported features, or both, that are associated with the OPERABLE DG, results in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is Acceptable because it minimizes risk whileallowing time for restoration before subjecting the unit to transientsassociated with shutdown. In this Condition, the remaining OPERABLE DG and offsite circuits areadequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for therequired feature's function may have been lost; however, function has notbeen lost. The 4 hour Completion Time takes into account the OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour Completion Time takes into account thecapacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.8.3.1 and B.3.2 Required Action 8.3.1 provides an allowance to avoid unnecessarytesting of OPERABLE DG. lf it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DG, SR 3.8.1.2 doesnot have to be performed. Examples of these activities, which do not require performance of SR 3.8.1.2 for the OPERABLE DG, include testing, preplanned preventative maintenance, and individual testable components. lf the cause of inoperability exists on another DG, the otherDG would be declared inoperable upon discovery and Condition E ofLCO 3.8.1 would be entered. Once the failure is repaired, the common cause failure no longer exists, and Required Action 8.3.1 is satisfied. lfthe cause of the initial inoperable DG cannot be confirmed not to exist onthe remaining DG, performance of SR 3.8.1.2 suffices to provideassurance of continued OPERABILITY of that DG.Beaver Valley Units 1 and 2 B 3.8.1 - 10Revision 13 AC Sources - OperatingB 3.8.1 BASES ACTIONS (continued) ln the event the inoperable DG is restored to OPERABLE status prior tocompleting either 8.3.1 or B.3.2, the plant corrective action program willcontinue to evaluate the common cause possibility. This continued evaluation, however, is no longer under the 24 hour constraint imposed while in Condition B.According to Generic Letter 84-15 (Ref. 7\,24 hours is reasonable to confirm that the OPERABLE DG(s) is not affected by the same problem as the inoperable DG.8.4 In Condition B, the remaining OPERABLE DG and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. The 1 4 day Completion Time is risk informed and based on a plant specific risk analysis and includes the normal T2 hour Completion Time which is not risk informed. The Completion Time also takes intoaccount the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurringduring this period. The Completion Time specified for Required Action8.4 is the extended 1 4 day DG Completion Time (see the requirements for applying the extended DG Completion Time discussed at thebeginning of the Actions section of the Bases). lf the requirements for the 14 day Completion Time are not met, the normal 72 hour Completion Time applies. lf the 14 day Completion Time is applied, and if at any timeduring this extended Completion Time the requirements for using the 14 day Completion Time are not met, the 72 hour Completion Time becomes applicable unless the 72 hour Completion Time has expired, in which case the shutdown requirements of Required Action G would apply. The second Completion Time for Required Action 8.4 establishes a limiton the maximurn time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. The following discussion and the CompletionTimes specified for Required Action 8.4 assume the extended 14 day DG Completion Time is applied (see the requirements for applying the extended DG Completion Time discussed at the beginning of the Actions section of the Bases). lf the normal 72 hour DG Completion Time isapplied, the limiting Completion fime for not meeting the LCO discussed below would be 144 hours (72 hours plus 72 hours) instead af 17 days (72 hours plus 14 days).Beaver Valley Units 1 and 2 B3.8 1-11 Revision 13 AC Sources - OperatingB 3.8.1 BASES ACTIONS (continued)lf Condition B is entered while, for instance, an offsite circuit is inoperableand that circuit is subsequently restored OPERABLE, the LCO mayalready have been not met for up to 72 hours. This could lead to a total of 17 days, since initial failure to meet the LCO, to restore the DG. At this time, an offsite circuit could again become inoperable, the DG restoredOPERABLE, and an additionalT2 hours (for a total of 20 days) allowed prior to complete restoration of the LCO. The 17 day Completion Time provides a limit on time allowed in a specified condition after discovery offailure to meet the LCO. This limit is considered reasonable for situationsin which Conditions A and B are entered concurrently. The "AND"connector between the 14 day and 17 day Completion Times means thatboth Completion Times apply simultaneously, and the more restrictiveCompletion Time must be met.As in Required Action 8.2, the Completion Time allows for an exceptionto the normal "time zeto" for beginning the allowed time "clock." This willresult in establishing the "time zero" at the time that the LCO was initiallynot met, instead of at the time Condition B was entered.C.1 and C.2Required Action C.1, which applies when two offsite circuits areinoperable, is intended to provide assurance that an event with acoincident single failure will not result in a complete loss of redundantrequired features. These redundant required features are those that areassumed to function to mitigate an accident, coincident with a loss of offsite power, in the safety analyses, such as the Emergency Core Cooling System and Auxiliary Feedwater System. These redundantrequired features do not include monitoring requirements, such as PostAccident Monitoring and Remote Shutdown. These features are poweredfrom redundant AC safety trains. The Completion Time for this failure ofredundant required features is reduced to 12 hours from that allowed forone train without offsite power (Required Action A.2). The rationale forthe reduction to 12 hours is that Regulatory Gulde 1 .93 (Ref. 6) allows a Completion Time of 24 hours for two required offsite circuits inoperable,based upon the assumption that two complete safety trains areOPERABLE. When a concurrent redundant required feature failureexists, this assumption is not the case, and a shorter Completion Time of12 hours is appropriate. The Completion Time for Required Action C.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero"for beginning the allowed outage time "clock." ln this Required Action the Completion Time only begins on discovery that both:a. All required offsite circuits are inoperable andb. A required feature is inoperable.Beaver Valley Units 1 and 2B 3.8.1 - 12Revision 25 AC Sources - OperatingB 3.8.1 BASES ACTIONS (continued)lf at any time during the existence of Condition C (two offsite circuits inoperable) a required feature becomes inoperable, this Completion Time begins to be tracked.According to Regulatory Guide 1.93 (Ref. 6), operation may continue inCondition C for a period that should not exceed 24 hours. This level ofdegradation means that the offsite electrical power system does not havethe capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded. Thislevel of degradation generally corresponds to a total loss of theimmediately accessible offsite power sources.Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations oftwo AC sources inoperable that involve one or more DGs inoperable. However, two factors tend to decrease the severity of this level of degradation: The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure andThe time required to detect and restore an unavailable offsite power source is generally much less than that required to detect andrestore an unavailable onsite AC source.With both of the required offsite circuits inoperable, sufficient onsite ACsources are available to maintain the unit in a safe shutdown condition inthe event of a DBA or transient. In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case single failure were postulated as a part of the design basis in the safety analysis. Thus, the 24 hour Completion Time provides a period of time to effect restoration of one of the offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design criteria.According to Reference 6, with the available offsite AC sources, two less than required by the LCO, operation may continue for 24 hours. lf twooffsite sources are restored within 24 hours, unrestricted operation may continue. lf only one offsite source is restored within 24 hours, poweroperation continues in accordance with Condition A.a.b.Beaver Valley Units 1 and 2B 3 8.1 - 13 Revision 13 AC Sources - OperatingB 3.8.1 BASESACTIONS (continued)D.1 and D.2 Pursuant to LCO 3.0.6, the Distribution System ACTIONS would not beentered even if all AC sources to it were inoperable, resulting inde-energization. Therefore, the Required Actions of Condition D aremodified by a Note to indicate that when Condition D is entered with no AC source to any train, the Conditions and Required Actions for LCO 3.8.9, "Distribution Systems - Operating," must be immediately entered. This allows Condition D to provide requirements for the loss ofone offsite circuit and one DG, without regard to whether a train isde-energized. LCO

3.8.9 provides

the appropriate restrictions for ade-energized train.According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition D for a period that should not exceed 12 hours.In Condition D, individual redundancy is lost in both the offsite electrical power system and the onsite AC electrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the power systems in this Condition may appearhigher than that in Condition C (loss of both required offsite circuits). This difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure. The 12 hour Completion Time takes into account the capacity and capability of the remaining ACsources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.E.1With Train A and Train B DGs inoperable, there are no remaining standby AC sources. Thus, with an assumed loss of offsite electrical power,insufficient standby AC sources are available to power the minimumrequired ESF functions. Since the offsite electrical power system is theonly source of AC power for this level of degradation, the risk associatedwith continued operation for a very short time could be less than that associated with an immediate controlled shutdown (the immediateshutdown could cause grid instability, which could result in a total loss of AC power). Since any inadvertent generator trip could also result in atotal loss of offsite AC power, however, the time allowed for continued operation is severely restricted. The intent here rs to avoid the riskassociated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation.According to Reference 6, with both DGs inoperable, operation may continue for a period that should not exceed 2 hours.Beaver Valley Units 1 and 2 B3.8 1-14 13 AC Sources - OperatingB 3.8.1 BASES ACTIONS (continued)F.1 .1 . F.1 .2, and F.2Condition F is entered any time a required sequence timer(s) becomes inoperable. Required Action F.1.1 requires that action be taken immediately to place the affected component (ESF equipment) in a condition where it can not be automatically loaded to its emergency bus.Required Action F.1.1 provides assurance that the DG loading sequence will not be adversely affected by the inoperable sequence timer(s) (i.e., the component will not be loaded onto an emergency bus at an incorrecttime). Therefore, rendering a component with an inoperable sequence timer(s) incapable of loading to the emergency bus prevents a possibleoverload condition. Required Action F .1 .2 requires that the appropriateCondition and Required Actions associated with the affected individualcomponent(s) made inoperable by the inoperable sequence timer(s) beapplied immediately. Thus, Required Actions F .1 .1 and F.1 .2 serve toisolate the affected component(s) from the emergency bus and assurethe appropriate remedial measures for the affected component(s) are taken in a timely manner. Required Action F.2 provides an alternativeoption to Required Actions F.1.1 and F.1.2. Required Action F.2 simplyrequires that the associated DG be immediately declared inoperable.A Note modifies Condition F. The Note states that separate Condition entry is allowed for each inoperable sequence timer(s) for a DG.G.1 and G.2 lf the inoperable AC electric power sources cannot be restored toOPERABLE status within the required Completion Time, the unit must bebrought to a MODE in which the LCO does not apply. To achieve thisstatus, the unit must be brought to at least MODE 3 within 6 hours and toMODE 5 within 36 hours. The allowed Completion Times are reasonable,based on operating experierrce, to reach the required unit conditions from full power conditions in an orderly manner and without challenging plant systems.H.1Condition H corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system willcause a loss of function. Therefore, no additional time is justified forcontinued operation. The unit is required by LCO 3.0.3 to commence acontrolled shutdown. Beaver Valley Units 1 and 2B 3.8.1 - 15 Revision 13 AC Sources - OperatingB 3.8.1 BASES SURVEILLANCE REQUIREMENTS The AC sources are designed to permit inspection and testing of all important areas and features, especially those that have a standby function, as discussed in Reference 8. Periodic component tests are supplemented by extensive functional tests during refueling outages (under simulated accident conditions). The SRs for demonstrating theOPERABILITY of the DGs are in accordance with the recommendationsof Reference 3, Regulatory Guide 1.108 (Ref.9), and Regulatory Guide 1.137 (Ref. 10), as addressed in the UFSAR.Where the SRs discussed herein specify voltage and frequency tolerances, the following is applicable. The minimum steady state outputvoltage for Unit 1 is 4106 V and for Unit 2 is 3994 V. The SR value bands specified for voltage and frequency for each Unit are analysis values, except for the frequency values of 58.8 Hz to 61.2 Hz specified for Unit 1 in SRs 3.8.1 .2 and 3.8.1.8. These Unit 1 Frequency tolerances areRegulatory Guide 1 .9 recommendations. NOTE: The voltage and frequency values specified in each SR need to be reduced or increased, as appropriate, to account for measurement uncertainties. The specified maximum steady state output voltage of 4368 V is equal to the maximum operating voltage specified for 4000 V motors. lt ensuresthat for a lightly loaded distribution system, the voltage at the terminals of4000 V motors is no more than the maximum rated operating voltages.NOTE: The kW and power factor requirements specified in the SRs areindicated values.sR 3.8.1 . 1 This SR ensures proper circuit continuity for the offsite AC electrical power supply to the onsite distribution network and availability of offsite AC electrical power. The breaker alignment verifies that each breaker isin its correct position to ensure that distribution buses and loads are connected to their preferred power source, and that appropriateindependence of offsite circuits is maintained. The 7 day Frequency isadequate since breaker position is not likely to change without theoperator being aware of it and because its status is displayed in the control room.sR 3.8.1 .2 The SR helps to ensure the availability of the standby electrical power supply to mitigate DBAs and transients and to maintain the unit in a safe shutdown condition. Beaver ValleyB 3.8.1 - 16 Revision 13 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUI REMENTS (continued)To minimize the wear on moving parts that do not get lubricated when the engine is not running, the SR is modified by Note 1 to indicate that all DG starts for this Surveillance may be preceded by an engine prelube period and followed by a warmup period prior to loading.For the purpose of SR 3.8.1.2 testing, the DGs are started from standbyconditions. Standby conditions for a DG mean that the diesel enginecoolant and oil are being continuously circulated and temperature is beingmaintained consistent with manufacturer recommendations. Barring of the engine may be performed prior to DG start without invalidating SR for starting from standby conditions. In order to reduce stress and wear on diesel engines, some manufacturers recommend a modified start in which the starting speed ofDGs is limited, warmup is limited to this lower speed, and the DGs are gradually accelerated to synchronous speed prior to loading. These start procedures are the intent of Note 2, which is only applicable when suchmodified start procedures are recommended by the manufacturer. The 31 day Frequency for SR 3.8.1 .2 is consistent with Reference 3. The Frequency provides adequate assurance of DG OPERABILITY, whileminimizing degradation resulting from testing.sR 3.8.1 .3 This Surveillance verifies that the DGs are capable of synchronizing with the offsite electrical system and accepting loads equivalent to thecontinuous duty rating of the DG. A minimum run time of 60 minutes isrequired to stabilize engine temperatures, while minimizing the time that the DG is connected to the offsite source.Although no power factor requirements are established by this SR, the DG is normally operated at a power factor between 0.8 lagging and 1 .0.The 0.8 value is the design rating of the machine, while the 1.0 is an operational limitation to ensure circulating currents are minimized. The load band is provided to avoid routine overloading of the DG. Routineoverloading may result in more frequent teardown inspections inaccordance with vendor recommendations in order to maintain DG OPERABlLITY The 31 day Frequency for this Surveillance is consistent with the recommendations of Reference 3. Beaver Valley Units 1 and 2B 3.8.1 - 17 Revision 13 AC Sources - OperatingB 3.8.1 BASES SURVEILLANCE REQU I REMENTS (continued) This SR is modified by four Notes. Note 1 indicates that diesel engineruns for this Surveillance may include gradual loading, as recommended by the manufacturer so that mechanical stress and wear on the dieselengine are minimized. Note 2 states that momentary transients, because of changing bus loads, do not invalidate this test. Similarly, momentary power factor transients outside the normal operating range do notinvalidate the test. Note 3 indicates that this Surveillance should be conducted on only one DG at a time in order to avoid common causefailures that might result from offsite circuit or grid perturbations. Note 4stipulates a prerequisite requirement for performance of this SR. Asuccessful DG start must precede this test to credit satisfactory performance.SR 3.8.1.4.1 and SR 3.8.1.4.2 For Unit 1, this SR provides verification that the inventory of fuel oil in theday tank in combination with the engine mounted tank is greater than orequal to the required fuel oil inventory. The required Unit 1 inventory is expressed as an equivalent usable volume in gallons and is selected toensure the DG can operate for more than t hour at full load plus 10%.For Unit 2, this SR provides verification that the inventory of fuel oil in theday tank is greater than or equal to the required fuel oil inventory. The required Unit 2 inventory is expressed as an equivalent usable volume in gallons and is selected to ensure adequate fuel oil for a minimum oft hour of DG operation at full load plus 10%.The 31 day Frequency is adequate to assure that a sufficient supply of fuel oil is available, since low level alarms are provided and facilityoperators would be aware of any large uses of fuel oil during this period.The SRs are modified by Notes that specify the applicable unit.SR 3.8.1 .,5.1 and SR 3.8. 1 .5.2 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from these fuel oil tanks once every 31 days eliminates the necessaryenvironment for bacterial survival. This is the most effective means ofcontrolling microbiological fouling. In addition, it eliminates the potentialfor water entrainment in the fuel oil during DG operation. Water maycome from any of several sources, including condensation, ground water,rain water, contaminated fuel oil, and breakdown of the fuel oil bybacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity ofBeaver Valley Units 1 and 2 B 3.8.1 - 1B Revision 13 AC Sources - OperatingB 3.8.1 BASES SURVEILLANCE REQU I REMENTS (continued)the fuel oil system. The Surveillance Frequencies are consistent with Regulatory Guide 1 .137 (Ref. 10). This SR is for preventativemaintenance. The presence of water does not necessarily represent failure of this SR, provided the accumulated water is removed during the performance of this Suweillance.sR 3.8.1.6 This Surveillance demonstrates that each required fuel oil transfer pump (only one pump required per DG) operates and transfers fuel oil from itsassociated storage tank to its associated day tank. This is required to support continuous operation of standby power sources. This Surveillance provides assurance that the fuel oil transfer pump is OPERABLE, the fuel oil piping system is intact, the fuel delivery piping not obstructed, and the controls and control systems for fuel transfer systems are OPERABLE.The Frequency for this SR is 92 days. The 92 day Frequency corresponds to the testing requirements for pumps as contained in theASME Code (Ref. 1 1).sR 3.8.1 .7 Transfer of each 4.16 kV ESF bus power supply from the unit circuit to the system offsite circuit demonstrates the OPERABILITY of the alternatecircuit distribution network to power the shutdown loads. The 18 monthFrequency of the Surveillance is based on engineering judgment, takinginto consideration the unit conditions required to perform the Surveillance,and is intended to be consistent with expected fuel cycle lengths.Operating experience has shown that these components usually pass the SR when performed at the 18 month Frequency. Therefore, theFrequency was concluded to be acceptable from a reliability standpoint.sR 3.8.1.8Each DG is provided with an engine overspeed trip to prevent damage to the engrne. Recovery from the transient caused by the loss of a largeload could cause diesel engine overspeed, which, if excessive, mightresult in a trip of the engine. This Surveillance demonstrates the DG loadresponse characteristics and capability to reject the largest single loadwithout exceeding predetermined frequency and while maintaining a specified margin to the overspeed trip. The single load for each DG is asfollows: For Unit 1 615 kW with a frequency limit of 66.2 Hz (993 RPM).For Unit 2 825 kW with a frequency limit ot 64.4 Hz (552 RPM). This Surveillance may be accomplished by either:Beaver Valley Units 1 and 2 B 3.8.1 - 19 Revision 13 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQU I REMENTS (continued) Tripping the DG output breaker or tripping the emergency feeder breaker with the DG carrying greater than or equal to its associated single largest post-accident load while paralleled to offsite power, or Tripping its associated single largest post-accident load with the DG solely supplying the bus. Consistent with the recommendations of Reference 12, the load rejectiontest is acceptable if the increase in diesel speed does not exceed 75o/o ofthe difference between synchronous speed and the overspeed trip setpoint, or 15o/o above synchronous speed, whichever is lower.The time, voltage, and frequency tolerances specified in this SR are derived from Reference 3 recommendations for response during loadsequence intervals. The 3 and 4 seconds specified are equal to 60% and80%, respectively, of a typical 5 second load sequence interval associated with sequencing of the largest load. The voltage and frequency specified are consistent with the design range of the equipment powered by the DG. SR 3.8.1.8.a corresponds to the maximum frequency excursion, while SR 3.8.1 .8.b and SR 3.8.1.8.c are steadystate voltage and frequency values to which the system must recover following load rejection. The 18 month Frequency is consistent with the recommendation of Regulatory Guide 1.108 (Ref. 9).This SR is modified by two Notes. The reason for Note 1 is that during operation with the reactor critical, performance of this SR could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, unit safety systems. This restriction from normally performing the Surveillance in MODE 1 or 2 is further amplified to allow the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.9. post work testing following corrective maintenance, corrective modifi cation, deficient or incompletesurveillance testing, and other unanticipated OPERABILITY concerns)provided an assessment determines plant safety is maintained orenhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintalned orenhanced when the Surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment. Credit may be taken for unplanned events that satisfy this SR. a.b.Beaver Valley Units 1 and 2 B 3.8 1-20 Revision 13 AC Sources - OperatingB 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)Note 2 ensures that the DG is tested under load conditions that are asclose to design basis conditions as possible. When synchronized with offsite power, testing should be performed at a power factor of < 0.89.This power factor is representative of the actual inductive loading a DG would see under design basis accident conditions. Under certain conditions, however, Note 2 allows the surveillance to be conducted at a power factor other than < 0.89. These conditions may occur, for example,when the grid voltage is such that the DG excitation levels needed toobtain a power factor of 0.89 are in excess of those recommended for theDG. In cases such as this, the power factor shall be maintained as close as practicable to 0.89 without exceeding any applicable limits.sR 3.8.1 .9This Surveillance demonstrates that DG noncritical protective functions (e g., high jacket water temperature if they exist) are bypassed on a loss of voltage emergency start signal. The noncritical trips are bypassed during DBAs and provide an alarm on an abnormal engine condition. This alarm provides the operator with sufficient time to react appropriately. The DG availability to mitigate the DBA is more critical than protecting the engine against minor problems that are not immediately detrimental to emergency operation of the DG.The 1B month Frequency is based on engineering judgment, taking intoconsideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths. Operating experience has shown that these components usually pass the SR when performed at the 18 month Frequency. Therefore, the Frequency wasconcluded to be acceptable from a reliability standpoint. The SR is modified by a Note. The reason for the Note is that performingthe Surveillance would remove a required DG from service. Thisrestriction from normally performing the Surveillance in MODE 1 or 2 isfurther amplified to allow the Surveillance to be performed for the purposeof reestablishing OPERABILITY (e g post work testing followingcorrective maintenance, corrective modification, deficient or incomplete su rvei llance testing, and other unantici pated OPERAB I L ITY concerns)provided an assessment determines plant safety is maintained orenhanced. This assessment shall, as a minimum, consider the potentialoutcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for theSurveillance; as well as the operator procedures available to cope withthese outcomes. These shall be measured against the avoided risk of aBeaver Valley Units 1 and ?B 3.8 1-21 Revision 13 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQU lREMENTS (continued) plant shutdown and startup to determine that plant safety is maintained orenhanced when the Surveillance is performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment.Credit may be taken for unplanned events that satisfy this SR. sR 3.8.1.10 This Surveillance demonstrates that the DGs can start and run continuously at or near full load conditions for not less than 8 hours. The Surveillance requires that each DG be run for > 2 hours loaded from a minimum of the calculated accrdent load for Unit 1, and the continuousduty rating of the DG for Unit 2, up to a maximum loading of the 2000 hour rating for each DG. Additionally, the Surveillance requires that each DG be run for the remainder of the 8-hour requirement loaded to theequivalent of the continuous duty rating of the DG. The required runduration of 8 hours is consistent with the recommendations of IEEEStandard 387-1995 (Ref .14). The DG starts for this Surveillance can be performed either from standby or hot conditions. The provisions for prelubricating and warmup, discussed in SR 3.8.1 .2, and for gradual loading, discussed in SR 3.8.1 ,3, are applicable to this SR. The load band is provided to avoid routine overloading of the DG.Routine overloading may result in more frequent teardown inspections inaccordance with vendor recommendations in order to maintain DG OPERABlLITY. The 18 month Frequency is consistent with the recommendations of Regulatory Guide 1 .108 (Ref. 9), paragraph 2.a.(3'5, takes into consideration unit condltions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.This Surveillance is modified by three Notes. Note 1 provides anallowance such that momentary transients due to changing bus loads do not invalidate this test. The allowance provided by Note 1 includes the transition between the required load ranges specified in SR 3.8.1 .10 part a and part b. Similarly, momentary power factor transients outside of the power factor required range will not invalidate the test.The reason for Note 2 is that during operatron with the reactor critical, performance of this Surveillance could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, unit safety systems. This restrrction from normally performing the Surveillance in MODE 1 or 2 is further amplified to allow the Surveillance to be performed for the purpose of reestablishingBeaver Valley Units 1 and 2B 3.8 1-22 Revision 13 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUI REMENTS (continued) OPERABILITY (e.g., post work testing following corrective maintenance,corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transientsassociated with afailed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope with these outcomes. fhese shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when the Surveilfance is performed in MODE 1 or 2. Risk insights or deterministic methods may be used for this assessment. Credit may be taken for unplanned events that satisfy this SR.Note 3 ensures that the DG is tested under load conditions that are as close to design basis conditions as possible. When synchronized with offsite power, testing should be performed at a power factor of < 0.89.This power factor is representative of the actual inductive loading a DG would see under design basis accident conditions. Under certain conditions, however, Note 3 allows the Surveillance to be conducted at a power factor other than < 0.89. These conditions rnay occur, for example, when the grid voltage is such that the DG excitation levels needed to obtain a power factor of 0.89 are in excess of those recommended for the DG. In cases such as this, the power factor shall be maintained close as practicable to 0.89 without exceeding any applicable limits.sR 3.8.1 .1 1Consistent with the recommendations of Regulatory Guide 1.108 (Ref. 9), paragraph 2.a.(6), this Surveillance ensures that the manual synchronization and load trans','er from the DG to the offsite source can be made. For Unit 1, the Surveillance also verifies that the DG proceedsthrough its normal shutdown sequence after transferring its load. For Unit 2, the Surveillance verifies that the DG can be returned to ready to load status when offsite power is restored. lt also ensures that theautostart logic is reset to allow the Unit 2 DG to reload if a subsequent loss of offsite power occurs. The Unit 2 DG is considered to be in readyto load status when the DG is at nominal speed and voltage, the outputbreaker is open and can receive an autoclose signal on bus undervoltage, and the load sequence timer(s) are reset. The Frequency of Regulatory Guide consideration unit18 months is consistent with the recommendations of1 .108 (Ref. 9), paragraph 2.a.(6), and takes into conditions required to perform the Surveillance.Beaver Valley Units 1 and 2B 3.8.1 - 23Revision 13 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQU I REMENTS (continued) This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safetysystems. This restriction from normally performing the Surveillance in MODE 1,2,3, or 4 is further amplified to allow the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing fol lowing corrective maintenance, corrective modification, deficient or incomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsiteor onsite system when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope with these outcomes. These shall be measured against the avoided riskof a plant shutdown and startup to determine that plant safety is maintained or enhanced when the Surveillance is performed in MODE 1, 2,3, or 4. Risk insights or deterministic methods may be used for thisassessment. Credit may be taken for unplanned events that satisfy this SR.sR 3.8.1 .12 For the Unit 2 DGs, demonstration of the test mode override ensures that the DG availability under accident conditrons will not be compromised as the result of testing and the DG will automatically reset to ready to loadoperatlon if a LOCA actuation signal is received during operation in the test mode. Ready to load operation ls defined as the DG running at nominal speed and voltage with the DG output breaker open. These provisions for automatic switchover are consistent with the recommendations of IEEE-308 (Ref . 12r, paragraph 6.2.6(2).The 18 month Frequency is consistent with the recommendations of Regulatory Guide 1 .108 (Ref. 9), paragraph 2.a.(8), takes intoconsideration unit conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths.This SR is modified by two Notes. Note 1 states that the SR is applicable to Unit 2 only. The reason for Note 2 is that performing the Surveillance may perturb the electrical distribution system, and challenge safetysystems. This restriction from normally performing the Surveillance in MODE 1 , 2, 3, or 4 is further amplified to allow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.9., post work testing following corrective maintenance, Beaver Valley Units 1 and 2B 3.8 1-24Revision 13 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE REQUI REM ENTS (continued) corrective modification, deficient or incomplete surveillance testing, andother unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessmentshall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partialSurveillance, and a perturbation of the offsite or onsite system when they are tied together or operated independently for the partial Surveillance; aswell as the operator procedures available to cope with these outcomes.These shall be measured against the avoided risk of a plant shutdownand startup to determine that plant safety is maintained or enhanced when portions of the Surveillance are performed in MODE1,2,3, or4.Risk insights or deterministic methods may be used for the assessment.Credit may be taken for unplanned events that satisfy this SR.sR 3.8.1.13Under accident with loss of offsite power conditions loads are sequentially connected to the bus by the automatic load sequence timer(s). The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading of the DGs due to high motor starting currents. The verification that each automatic load sequence time iswithin x 1Oo/o of the required value ensures that sufficient time exists for the DG to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding ESF equipment timedelays are not violated. Reference 2 provides a summary of the automatic loading of ESF buses.The Frequency of 18 months is consistent with the recommendations ofRegulatory Guide 1 .108 (Ref. 9), paragraph 2.a.(2), takes intoconsideration unit conditions required to perform the Surveillance, andintended to be consistent with expected fuel cycle lengths.This SR is modified by a Note. The reason for the Note is that performingthe Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems.This restriction from normally performing the Surveillance in MODE 1 , 2,3, or 4 is further amplified to allow the Surveillance to be performed for the purpose of reestablishing OPERABILTTY (e.g., post work testingfollowing corrective maintenance, corrective modification, deficient orincomplete surveillance testing, and other unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintainedor enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed Surveillance, a successful Surveillance, and a perturbation of the offsite or onsite systemBeaver Valley UnitsB 3.8 1-25 Revision 13 AC Sources - OperatingB 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued) when they are tied together or operated independently for the Surveillance; as well as the operator procedures available to cope withthese outcomes. These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained orenhanced when the Surveillance is performed in MODE 1,2,3, or 4.Risk insights or deterministic methods may be used for this assessment.Credit may be taken for unplanned events that satisfy this SR.sR 3.8.1.14ln the event of a DBA coincident with a loss of offsite power, the DGs are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded.This Surveillance demonstrates the DG operation during a loss of offsite power actuation test signal in conjunction with an ESF actuation signal.The requirement to verify the connection and power supply of permanentand autoconnected loads is intended to satisfactorily show the relationship of these loads to the DG loading logic. ln certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, Emergency Core Cooling Systems (ECCS) injection valves are not desired to be stroked open, or high pressure injection systems are not capable of being operated at full flow.ln lieu of actual demonstration of connection and loading of loads, testingthat adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.The 10 seccnd start requirement supports the assumptions of the designbasis accident analyses described in the UFSAR (Ref. 5). The 10 second timing requirement begins when the DG start srgnal is received by the DGstart circuit and does not include the time it takes the instrumentation to detect a loss of voltage on the emergency busses.The Frequency of 18 months takes into consideration unit conditions required to perform the Surveillance and is intended to be consistent with an expected fuel cycle length of 1B months. Beaver Valley Units 1 and 2 B 3.8.1 - 26 Revision 13 AC Sources - OperatingB 3.8.1 BASES SURVEILLANCE REQUI REMENTS (continued) This SR is modified by two Notes. The reason for Note 1 is to minimizewear on the DGs during testing. For the purpose of this testing, the DGsmust be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations for DGs. Barring of the engine may be performed prior to DG start without invalidating the requirement for starting from standby conditions. The reason for Note 2 is that the performance of the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This restriction from normally performing the Surveillance in MODE 1,2,3, or 4 is further amplified to alfow portions of the Surveillance to be performed for the purpose of reestablishing OPERABILITY (e.g., post work testing following corrective maintenance, corrective modification, deficient or incomplete surveillance testing, andother unanticipated OPERABILITY concerns) provided an assessment determines plant safety is maintained or enhanced. This assessment shall, as a minimum, consider the potential outcomes and transients associated with a failed partial Surveillance, a successful partiafSurveillance, and a perturbation of the offsite or onsite system when theyare tied together or operated independently for the partial Surveillance; as well as the operator procedures available to cope with these outcomes.These shall be measured against the avoided risk of a plant shutdown and startup to determine that plant safety is maintained or enhanced when portions of the Surveillance are performed in MODE 1,2,3, or 4.Risk insights or deterministic methods may be used for the assessment. Credit may be taken for unplanned events that satisfy this SR.sR 3.8.1 15 This Surveillance demonstrates that the DG starting independence hasnot been compromised. Also, this Surveillance demonstrates that each engine can achieve proper speed within the specified time when the DGsare started simultaneously.The 10 year Frequency is consistent with the recommendations ofRegulatory Guide 1.108 (Ref. 9).This SR is modified by two Notes. Note 1 states that the SR is applicable to Unit 2 only. The reason for the second Note is to minimize wear on the DG during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oilcontinuously circulated and temperature maintained consistent with manufacturer recommendations. Barring of the engine may be performed prior to DG start without invalidating the requirement for starting fromstandby conditions. Beaver Valley Units 1 and 2 B 3.8.1 - 27Revision 13 AC Sources - OperatingB 3.8.1 BASES REFERENCES 1.4.5.6.7.8.2.3.Unit 1 UFSAR Appendix 1A, "1971AEC General Design Criteria Conformance" and Unit 2 UFSAR Section 3.1, "Conformance with U. S. Nuclear Regulatory Commission General Design Criteria." UFSAR, Chapter 8.Regulatory Guide 1.9, UFSAR Section 8.5 for Unit 1 and UFSAR Chapter 1.8 - 1 for Unit 2.UFSAR, Chapter 6. UFSAR, Chapter 14for Unit 1 and Chapter 15 for Unit 2.Regulatory Guide 1.93, Rev. 0, December 1974.Generic Letter 84-15, "Proposed Staff Actions to lmprove andMaintain Diesel Generator Reliability," July 2, 1984.Unit 1 UFSAR Appendix 1A, "1971 AEC General Design Criteria Conformance" and Unit 2 UFSAR Section 3.1, "Conformance withU. S. Nuclear Regulatory Commission General Design Criteria."Regulatory Guide 1 .108, Rev. 1 , August 1977 (Unit 2).Regulatory Guide 1.137, Rev. 1, October 1979 (Unit 2).ASME code for Operation and Maintenance of Nuclear Power Plants.IEEE Standard 308 Unit 1-1971and Unit 2-1974.License Amendment Nos. 268 (Unit 1 ) and 150 (Unit 2) andassociated NRC Safety Evaluation Report issued September 29, 9.10 11.12.13.2005.14. IEEE Standard 387-1995 Beaver Valley Units 1 and 2 B 3.8.1 - 28 Revision 13 AC Sources - ShutdownB 3.8.2B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.2 AC Sources - Shutdown BASES BACKGROUND A description of the AC sources is provided in the Bases for LCO 3.8.1,"AC Sources - Operating." APPLICABLE SAFETY ANALYSESThe OPERABILITY of the minimum AC sources during MODES 5 and 6and during movement of irradiated fuel assemblies or movement of fuel assemblies over irradiated fuel assemblies for Unit 1 (which includesrecently irradiated fuel) and during movement of recently irradiated fuel assemblies or movement of fuel assemblies over recently irradiated fuel assemblies for Unit 2 ensure that: The unit can be maintained in the shutdown or refueling condition for extended periods, Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status, and Adequate AC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident. The current fuel handling accident safety analysis does not rely on the automatic actuation of any systems or components to mitigate the accident. Furthermore, the current fuel handling accident analysis doesnot assume isolation or filtration to mitigate the event. However, in orderto limit the control room dose following a fuel handling accident, Unit 1 must purge the control room atmosphere for 30 minutes following termination of the release (2 hours after the accident). The requiredUnit 1 purge is a manual action for which the Technical Specifications require power (LCO 3.8.2) and ventilation system (LCO 3.7.11)OPERABILITY when moving any irradiated fuel assemblies or fuel assemblies over any irradiated fuel assemblies. The Unit 1 requirement to purge the control room after a fuel handling accident involving any type of irradiated fuel is the reason for the difference in the fuel movementapplicability for each unit in LCO 3.8.2 and LCO 3.7.11.Although not a specific assumption of the safety analyses, thisSpecification requires that the DG automatrcally start, connect to the emergency bus, and automatically sequence the required loads. Thiscapability in conjunction with the loss of voltage relays requiredOPERABLE by LCO 3.3.5, "Loss of Power (LOP) DG Start and BusSeparation Instrumentation," assures that a reliable source of AC power a.b.c.Beaver Valley Units 1 and 2 B3.82-1 Revision 0 AC Sources - ShutdownB 3.8.2 BASES APPLICABLE SAFETY ANALYSES (continued) is promptly available in the event offsite power is lost. In addition, capability provides automatic protection against degraded voltage conditions (via the degraded voltage sensing relays required OPERABLE in LCO 3.3.5) that could damage equipment required to maintain the unitin a safe shutdown condition. Therefore, the prompt availability of reliablebackup emergency power provides additional assurance that the unit canbe maintained in a safe shutdown condition in the event the grid becomes unstable.Current requirements based on the decay time of the fuel prevent the movement of recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours). However, the Technical Specifications continue to address fuel movement involvingrecently irradiated fuel to support requirements for isolation or filtrationthat may be necessary to mitigate a fuel handling accident involvingrecently irradiated fuel. The retention of requirements within the Technical Specifications, in case the requirements are necessary tosupport fuel movement involving recently irradiated fuel, is consistent with the guidance of Reference 1.In general, when the unit is shut down, the Technical Specifications requirements ensure that the unit has the capability to mitigate theconsequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required.The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed ln MODES 1, 2, 3, and 4 have nospecific analyses in MODES 5 and 6. Worst case bounding events are deemed not credible in MODES 5 and 6 because the energy containedwithin the reactor pressure boundary, reactor coolant temperature and pressure, and the corresponding stresses result in the probabilities of occurrence being significantly reduced or eliminated, and in minimalconsequences. These deviations from DBA analysis assumptions anddesign requirements during shutdown condrtions are allowed by theLCO for required systems. During MODES 1,2,3, and 4, various deviations from the analysis assumptions and design requirements are allowed within the Required Actions. This allowance is in recognition that certain testing and maintenance activities must be conducted provided an acceptable level ofrisk is not exceeded. During MODES 5 and 6, performance of a significant number of required testing and maintenance activities is also required. ln MODES 5 and 6, the activrties are generally planned and administratively controlled. Relaxations frorn MODE 1 , 2,3, and 4LCO requirements are acceptable during shutdown modes based on:Beaver Valley Units 1 and 2 B 3.8.2 - 2 Revision 0 AC Sources - Shutdown B 3.8.2 BASES APPLICABLE SAFETY ANALYSES (continued)The fact that time in an outage is limited. This is a risk prudent goal as well as a utility economic consideration.Requiring appropriate compensatory measures for certain conditions. These may include administrative controls, reliance onsystems that do not necessarily meet typical design requirementsapplied to systems credited in operating MODE analyses, or both.Prudent utility consideration of the risk associated with multipleactivities that could affect multiple systems.Maintaining, to the extent practical, the ability to perform required functions (even if not meeting MODE 1,2,3, and 4 OPERABILITY requirements) with systems assumed to function during an event.In the event of an accident during shutdown, this LCO ensures the capability to support systems necessary to avoid immediate difficulty, assuming either a loss of all offsite power or a loss of all onsite diesel generator (DG) power.The AC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2xii). a.b.d.LCO One offsite circuit capable of supplying the onsite Class 1E power distribution subsystem(s) of LCO 3.8.10, "Distribution Systems -Shutdown," ensures that all required loads are powered from offsite power. An OPERABLE DG, associated with the distribution system train required to be OPERABLE by LCO 3.8.10, ensures a diverse powersource is available to provide electrical power support, assuming a loss ofthe offsite circuit. Together, OPERABILITY of the required offsite circuitand DG ensures the availability of sufficient AC sources to operate theunit in a safe manner and to mitigate the consequences of postulatedevents during shutdown (e.g , fuel handling accidents involving irradiated fuel (Unit 1) and recently irradiated fuel (Unit 2)).The qualified offsite circuit must be capable of maintaining nominal frequency and voltage, and accepting required loads during an accident, while connected to the Engineered Safety Feature (ESF) bus(es).Qualified offsite circuits are those that are described in the UFSAR and are part of the licensing basis for the unit.During normal plant operation, electrical power for the onsite circuitscomes from either the main generator through 22 kV to 4.36 kV unit station service transformers or from the two independent offsite 138 kV buses through 138 kV to 4.36 kV system station servrce transformers. Beaver Valley Units 1 and 2 B 3.8.2 - 3 Revision 0 AC Sources - Shutdown B 3.8.2 BASES LCO (continued) The secondary windings of the transformers are connected to fourseparate 4.16 kV normal buses, A, B, C, and D. Buses A and D provide power for the two redundant Class 1E 4.16 kV emergency buses AE and DF, respectively. During plant shutdown, the emergency buses receive power from the system station service transformers, or may receive power from the unit station service transformers by backfeeding the main transformer. The DG must be capable of starting, accelerating to nominal speed and voltage, and connecting to its respective ESF bus on detection of busundervoltage. This sequence must be accomplished within 10 seconds. The 10 second timing requirement begins when the DG start signal is received by the DG start circuit and does not include the time it takes the instrumentation to detect a loss of voltage on the emergency busses. The DG must be capable of accepting required loads within the assumed loading sequence intervals, and continue to operate until offsite power can be restored to the ESF buses. These capabilities are required to bemet from a variety of initial conditions such as DG in standby with the engine hot and DG in standby at ambient conditions. Proper sequencing of required loads, including tripping of nonessential loads, is a required function for DG OPERABILITY.It is acceptable for trains to be cross tied during shutdown conditions, allowing a single offsite power circuit to supply all required trains. APPLlCABILITY The AC sources required to be OPERABLE in MODES 5 and 6 andduring movement of irradiated fuel or movement of fuel assemblies over irradiated fuel assemblies for Unit 1 (which includes recently irradiated fuel) and during movement of recently irradiated fuel assemblies or movement of fuel assemblies over recently irradiated fuel assemblies forUnit 2 provide assurance that: a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel assemblies in the core.Systems needed to mitigate a fuel handling accident involvingirradiated fuel (Unit 1 ) and recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours (Unit 2'1 are available, Systems necessary to mitigate the effects of events that can lead tocore damage during shutdown are available, and b.C.Beaver Valley Units 1 and 2B 3.8.2 - 4Revision 4 AC Sources - ShutdownB 3.8.2 BASES APPLICABI Llry (continued)

d. lnstrumentation and control capability is available for monitoring andmaintaining the unit in a cold shutdown condition or refueling condition.The AC power requirements for MODES 1,2,3, and 4 are covered LCO 3.8.1 .ACTIONS LCO 3.0.3 is not applicable while in MODE 5 or 6. However, since fuel assembly movement can occur in MODE 1,2,3, or 4, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable.

lf moving fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. lf moving fuel assemblies while in MODE 1,2,3, or 4,the fuel movement is independent of reactor operations. EnteringLCO 3.0.3, while in MODE 1,2,3, or4 would require the unit to beshutdown unnecessarily. A.1 An offsite circuit would be considered inoperabfe if it were not available tothe necessary portions of the electrical power distribution subsystem(s). One train with offsite power available may be capable of supportingsufficient required features to allow continuation of CORE ALTERATIONSand fuel movement. By the allowance of the option to declare required features inoperable, with no offsite power available, appropriaterestrictions will be lmplemented in accordance with the affected required features LCO's ACTIONS.4.2.1, A.2.2, A.2.3. A.2.4, A.2.5,8.1,8.2,8.3,8.4, and B-5 With the offsite circuit not available to afl required trains, the option woufdstill exist to declare all required features inoperable. Since this optionmay involve undesired administrative efforts, the allowance for sufficiently conservative actions is made. With the required DG inoperable, the minimum required diversity of AC power sources is not available. lt is,therefore, required to suspend CORE ALTERATIONS, movement of fuelassemblies, and operations involving positive reactivity additions thatcould result in loss of required SDM (MODE 5) or boron concentration (MODE 6). Suspending positive reactivity additions that could result in failure to meet the minimum SDM or boron concentration llmit is requiredto assure continued safe operation.Beaver Valley Units 1 and 2B 3.8.2 - 5 Revision 0 AC Sources - Shutdown B 3.8.2 BASESACTIONS (continued) Introduction of coolant inventory must be from sources that have a boron concentration greater than what would be required in the RCS for minimum SDM or refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Introduction of temperaturechanges including temperature increases when operating with a positive MTC must also be evaluated to ensure they do not result in a loss of required SDM.Suspension of these activities does not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability or the occurrence of postulated events. lt is further required toimmediately initiate action to restore the required AC sources and to continue this action until restoration is accomplished in order to provide the necessary AC power to the unit safety systems. The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required AC electrical power sources should be completed as quickly as possible in order to minimize the time durlng which the unit safety systems may be without sufficient power.Pursuant to LCO 3.0.6, the Distribution System's ACTIONS would not be entered even if all AC sources to it are inoperable, resulting inde-energization. Therefore, the Required Actions of Condition A are modified by a Note to indicate that when Condition A is entered with no AC power to any required ESF bus, the ACTIONS for LCO 3.8.10 mustbe immediately entered. This Note allows Condition A to provide requirements for the loss of the offsite circuit, whether or not a train is de-energized. LCO 3.8.10 would provide the appropriate restrlctions for the situation involving a de-energized train.SURVEILLANCE SR 3.8.2.1 REQUIREMENTS SR 3.8.2.1 requires the SRs from LCO 3.8.1 that are necessary forensuring the OPERABILITY of the AC sources in other than MODES 1, 2, 3, and 4. SR 3.8.1 .7 is not required to be met since power is normallysupplied by the offsite circuit. SR 3.8.1 . 12 is not required to be metbecause the required OPERABLE DG(s) is not required to undergo periods of being synchronized to the offsite circuit. SR 3.8.1 .15 is excepted because starting independence is not required with the DG(s)that is not required to be operable. Beaver Valley Units 1 and 2 B 3.8.2 - 6Revision 0 AC Sources - Shutdown B 3.8.2 BASES SURVEILLANCE REQUIREMENTS (continued) This SR is modified by three Notes. The reason for Note 1 is to preclude requiring the OPERABLE DG(s) from being paralleled with the offsite power network or othenryise rendered inoperable during performance of SRs, and to preclude deenergizing a required 4160 V ESF bus or disconnecting a required offsite circuit during performance of SRs. With limited AC sources available, a single event could compromise both the required circuit and the DG. lt is the intent that these SRs must still be capable of being met, but actual performance is not required during periods when the DG and offsite circuit is required to beOPERABLE. Refer to the corresponding Bases for LCO 3.8.1 for a discussion of each SR. Note 2 limits the scope of the requirement to verify the automatic loadsequencing functions. The Note recognizes that the majority ofequipment automatically sequenced on the emergency bus is not required to assure safe operation of the plant in shutdown MODES. The Note limits the verifications required by SR 3.8.1.13 and SR 3.8.1.14 to those loads required in the Applicable MODES of LCO 3.8.2. The required loads are the loads required OPERABLE by Technical Speciflcations and loads necessary to support the OPERABILITY of the loads required OPERABLE by Technical Specifications. Prior to entry into MODE 4, the verifications required by SR 3.8.1.13 and SR 3.8.1.14 must be complete for all loads required in MODES 1, 2, 3, and 4 inaccordance with SR 3.0.4.Note 3 clarifies the requirements of SR 3.8.1 .14 such that only the DG response to the loss of offsite power must be verified to confirmOPERABILITY in the shutdown conditions addressed by LCO 3.8.2. No ESF (i.e., safety injection) actuation of the DG is required to be verified during the shutdown conditions addressed by LCO 3.8.2. Note 3 does not preclude the verification of ESF actuations and is only intended toclarify that an ESF actuation is not required to confirm DG or emergency bus OPERABILITY during the shutdown conditions addressed by LCO 3.8.2.REFERENCES 1.NUREG-1431, "Standard Technical Specifications for Westinghouse Plants," Rev. 2, April 2441.Beaver Valley Units 1 and 2 B 3.8.2 - 7 Revision 0 Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.3 Diesel Fuel Oi1, Lube Oil, and Starting Air BASES BACKGROUNDA required Unit 2 diesel generator (DG) is provided with a storage tank having a fuel oil capacity sufficient to operate that diesel for a period of 7 days while the DG is supplying maximum post loss of coolant accident load demand discussed in Reference 1. Unit 1's fuel oil requirement provides three and one-half days of inventory for the associated storagetank. The maximum load demand is calculated using the assumption one DG is operated at full load for 7 days. This onsite fuel oil capacity is sufficient to operate the DGs for longer than the time to replenish the onsrte supply from outside sources. Fuel oil is transferred from storage tank to day tank by either of two transfer pumps associated with each storage tank. Redundancy of pumps and piping precludes the failure of one pump, or the rupture of any pipe, valve or tank to result in the loss of more than one DG. All outside tanks and piping are located underground. For proper operation of the standby DGs, it is necessary to ensure the proper quality of the fuel oil. Regulatory Guide 1.137 (Ref. 2) addressesthe recommended fuel oil practices as supplemented by Reference 3.The fuel oil properties governed by these SRs are the water and sediment content, the kinematic viscosity, specific gravity (or API gravity), and impurity level.The DG lubrication system is designed to provide sufficient lubrication to permit proper operation of its associated DG under all loading conditions. The system rs required to circulate the lube oil to the diesel engine working surfaces and to remove excess heat generated by friction duringoperation. The required lube oil inventory for each DG is sufficient toensure 7 days of continuous operation. This supply is sufficient to allow the operator to replenish lube oil from outside sources,Each DG has an air start system with adequate capacity for five successive start attempts on the DG without recharging the air start receiver(s). For Unit 1, the required air start capacity for each DG is met with two out of three air tanks in one of the two air banks at the specified air pressure. For Unit 2, one out of the two air banks (consisting of a single air tank) supplies sufficient volume at the specified pressure to meet the required capacity for each DG. Beaver Valley Units 1 and 2 B38.3-1Revision 0 Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES APPLlCABLE SAFETY ANALYSESThe initial conditions of Design Basis Accident (DBA) and transientanalyses in the UFSAR, Chapter 6 (Ref. 4), and in Reference 5,assume Engineered Safety Feature (ESF) systems are OPERABLE. The DGs are designed to provide sufficient capacity, capability, redundancy,and reliability to ensure the availability of necessary power to ESFsystems so that fuel, Reactor Coolant System and containment design limits are not exceeded. These limits are discussed in more detail in theBases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.Since diesel fuel oil, lube oil, and the air start subsystem support the operation of the standby AC power sources, they satisfy Criterion 3 of 10 cFR s0.36(c)(2Xii). LCO Stored diesel fuel oil is required to have sufficient supply for 7 days of full load operation for Unit 2 DGs. Unit 1 DGs have a three and one-half daysupply at a full load operation. lt is also required to meet specific standards for quality. Additionally, sufficient lubricating oil supply must be available to ensure the capability to operate at full load for the requireddays. This requirement, in conjunction with an ability to obtain replacement supplies within the required days, supports the availability ofDGs required to shut down the reactor and to maintain it in a safecondition for an anticipated operational occurrence (AOO) or a postulated DBA with loss of offsite power. DG day tank and (engine mounted tank for Unit 1 only) fuel requirements, as well as transfer capability from thestorage tank to the day tank, are addressed in LCO 3.8.1 , "AC Sources -Operating," and LCO 3.8.2, "AC Sources - Shutdown." The starting air system is required to have a minimum capacity for fivesuccessive DG start attempts without recharging the air start receivers. APPLICABILITYThe AC sources (LCO 3.8.1 and LCO 3.8.2) are required to ensure theavailability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an AOO or a postulated DBA. Sincestored diesel fuel oil, lube oil, and the starting air subsystem supportLCO 3.8.1 and LCO 3.8.2, stored diesel fuel oil, lube oil, and starting airare required to be within limits when the associated DG is required to be OPERABLE.Beaver Valley Units 1 and 2B 3.8.3 - 2 Revision 0 Diesel Fuel Oil, Lube Oil, and Starting AirB 3.8.3 BASES ACTIONS The ACTIONS Table is modified by a Note indicating that separate Condition entry is allowed for each DG. This is acceptable, since the Required Actions for each Condition provide appropriate compensatoryactions for each inoperable DG subsystem. Complying with the RequiredActions for one inoperable DG subsystem may allow for continued operation, and subsequent inoperable DG subsystem(q) are governed by separate Condition entry and application of associated Required Actions.A.1 ln this Condition, the 7 day fuel oil supply for a DG is not available forUnit 2. In this condition, the three and one-half day fuel oil supply for aDG is not available for Unit 1. However, the Condition is restricted to fueloil level reductions that maintain at least a 6 day supply for Unit 2 and athree day supply for Unit 1. These circumstances may be caused by events, such as full load operation required after an inadvertent start while at minimum required level, or feed and bleed operations, which maybe necessitated by increasing particulate levels or any number of other oil quality degradations. This restriction allows sufficient time for obtainingthe requisite replacement volume and performing the analyses required prior to addition of fuel oil to the tank. A period of 48 hours is considered sufficient to complete restoration of the required level prior to declaringthe DG inoperable. This period is acceptable based on the remaining capacity (> 6 days for Unit 2 and a three day supply for Unit 1 ), the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.8.1With lube oil inventory < 330 gal, sufficient lubricating oil to support7 days of continuous DG operation at full load conditions may not be available. However, the Condition is restricted to lube oil volume reductions that maintain at least a 6 day supply. This restriction allows sufficient time to obtain the requisite replacement volume. A period of48 hours is considered sufficient to complete restoration of the required volume prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity (> 6 days), the low rate of usage, the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.c.1 This Condition is entered as a result of a failure to meet the acceptance criterion of SR 3.8.3.3. Normally, trending of particulate levels allows sufficient time to correct high particulate levels prror to reaching the limitof acceptability. Poor sample procedures (bottom sampling), Beaver Valley Units 1 and 2 B3.83-3 Revision 0 Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES ACTIONS (continued)contaminated sampling equipment, and errors in laboratory analysis can produce failures that do not follow a trend. Since the presence of particulates does not mean faifure of the fuel oil to burn properly in thediesel engine, and particulate concentration is unlikely to changesignificantly between Surveillance Frequency intervals, and proper engine performance has been recently demonstrated (within 92 days), it is prudent to allow a brief period prior to declaring the associated DGinoperable. The 7 day Completion Time allows for further evaluation,resampling and re-analysis of the DG fuel oil. D.1 With the new fuel oil properties defined in the Bases for SR 3.8.3.3 not within the required limits, a period of 30 days is allowed for restoring thestored fuel oil properties. This period provides sufficient time to test the stored fuel oil to determine that the new fuel oil, when mixed with previously stored fuel oil, remains acceptable, or to restore the stored fuel oil properties. This restoration may involve feed and bleed procedures, filtering, or cornbinations of these procedures. Even if a DG start andload was required during this time interval and the fuel oil properties were outside limits, there is a high likelihood that the DG would still be capable of performing its intended function. E.1With starting air receiver pressure < 165 psig for Unit 1 and < 380 psig for Unit 2, sufficient capacity for five successive DG start attempts does notexist. However, as long as the receiver pressure is > 125 psig for Unit 1 and 2 285 psig for Unit 2, there is adequate capacity for at least one startattempt, and the DG can be considered OPERABLE while the air receiver pressure is restored to the required 1imit. A period of 48 hours is considered sufficient to complete restoration to the required pressure prior to declaring the DG inoperable. This period is acceptable based onthe remaining air start capacity, the fact that most DG starts areaccomplished on the first attempt, and the low probability of an event during this brief period.F.1 With a Required Action and associated Completion Time not met,or more DG's fuel oil, lube oil, or starting air subsystem not withinfor reasons other than addressed by Conditions A through E, theassociated DG may be incapable of performing its intended function and must be immediately declared inoperable.Beaver Valley Units 1 and 2 B38.3-4 Revision 0 Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES SURVEILLANCE SR 3.8.3.1 REQUlREMENTS This SR provides verification that there is an adequate usable inventory of fuel oil in the storage tanks to support a DG's operation for three and one-half days for Unit 1 and 7 days for Unit 2. This is sufficient time to place the unit in a safe shutdown condition and to bring in replenishment fuel from an offsite location. The 31 day Frequency is adequate to ensure that a sufficient supply of fuel oil is available, since low level alarms are provided and unit operators would be aware of any large uses of fuel oil during this period.sR 3.8.3.2 This Surveillance ensures that sufficient lube oil inventory is available to support at least 7 days of full load operation for each DG. The required inventory for each DG is confirmed by verifying that a lube oil volume of 330 gallons (six 55 gallon oil drums) is available, in storage, for each DG.This required inventory is in addition to the lube oil in the DG sump required to maintain the manufacturer's recommended minimum sump level. lf necessary to meet the required inventory, credit may be taken for lube oil in the DG sump above the manufacturer's recommendedminimum sump level to supplement the required storage volume. The 330 gal requirement is based on the DG manufacturer consumption values for the run time of the DG. lmplicit in this SR is the requirement to verify the capability to transfer the lube oil from its storage location to theDG, when the DG lube oil sump does not hold adequate inventory for 7 days of full load operation without the level reaching the manufacturer recommended minimum level.A 31 day Frequency is adequate to ensure that a sufficient lube oil supply is onsite, since DG starts and run time are closely monitored by the unit staff.sR 3.8.3.3The tests of fuel oil prior to addition to the storage tanks (listed below) are a means of determining whether new fuel oil is of the appropriate grade and has not been contaminated with substances that would have animmediate, detrimental impact on diesel engine combustion. lf results from these tests are within acceptable limits, the fuel oil may be added to the storage tanks without concern for contaminating the entire volume offuel oil in the storage tanks. These tests are to be conducted prior to adding the new fuel to the storage tank(s), but in no case is the time between receipt of new fuel and conducting the tests to exceed 31 days.The tests, limits, and applicable ASTM Standards for the tests identified in TS 5.5.9, "Diesel Fuel Oil Testing Program," are as follows: Beaver Valley Units 1 and 2 B38.3-5Revision 1 Diesel Fuel Oil, Lube Oil, and Starting AirB 3.8.3 BASES SURVEILLANCE REQU IREMENTS (continued)Sample the new fuel oil in accordance with ASTM D4057-81 (Ref. 6),Verify in accordance with the tests specified in ASTM D1298-80 (Ref. 6) that the sample has an absolute specific gravity at 60160'F of > 0.83 and < 0.89 or an API gravity at 60"F of > 27 degrees and< 39 degrees or an API gravity of within 0.3 degrees at 60oF, or a specific gravity of within 0.0016 at 60/60"F when compared to the suppl ier's certifi cate,Verify in accordance with the tests specified in ASTM D975-81 (Ref. 6), a flash point of > 125"F; and, if gravity was not determinedby a comparison with the supplier's certification, a kinematic viscosity at 40'C of > 1.9 centistokes and < 4.1 centistokes; Verify that the new fuel oil has water and sediment content of lessthan or equal to 0.05% when tested in accordance with ASTM D1796-83 (Ref. 6).Failure to meet any of the above limits is cause for rejecting the new fueloil, but does not represent a failure to meet the LCO concern since the fuel oil is not added to the storage tanks.Within 31 days following the initial new fuel oil sample, the fuel oil isanalyzed to establish that the other properties specified in Table 1 ofASTM D975-81 (Ref. 7) are met for new fuel oil when tested in accordance with ASTM D975-81 (Ref. 6), except that the analysis forsulfur may be performed in accordance with ASTM D1552-79 (Ref. 6) orASTM D2622-82 (Ref.6). The 31 day period is acceptable because thefuel oil properties of interest, even if they were not within stated limits, would not have an immediate effect on DG operation. This Surveillanceensures the availability of high quality fuel oil for the DGs. , Fuel oil degradation during long term storage shows up as an increase in particulate, due mostly to oxidation. The presence of particulate does notmean the fuel oil will not burp properly in a diesel engine. The particulatecan cause fouling of filters and fuel oil injection equipment, however,which can cause engine failure.Particulate concentrations should be determined in accordance withASTM D2276-78, Method A (Ref. 6). This method involves a gravimetric determination of total particulate concentration in the fuel oil and has a limit of 10 mg/1. lt is acceptable to obtain a field sample for subsequentlaboratory testing in lieu of field testing. Stored fuel oil volume is contained in more than one tank (i.e., day tanks and storage tanks); eachtank is considered and tested separately. a.b.c.d.Beaver Valley Units 1 and 2 B3.83-6 Revision 1 Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASESSURVEI LLANCE REQU I REM ENTS (continued)The Frequency of this test takes into consideration fuel oil degradationtrends that indicate that particulate concentration is unlikely to change significantly between Frequency intervals. sR 3.8.3.4 This Surveillance ensures that, without the aid of the refill compressor, sufficient air start capacity for each DG is available. The system design requirements provide for a minimum of five engine start cycles without recharging. A start cycle is defined by the DG vendor, but usually is measured in terms of time (seconds of cranking) or engine crankingspeed. The pressure specified in this SR is intended to reflect the lowest value at which the five starts can be accomplished. The air receiver volume that ensures the required air start capacity is met, at the specified pressures, consists of the following:For Unit 1, two out of three air tanks in one of the two air banks for each DG, and For Unit 2, one out of the two air banks (consisting of a single air tank) for each DG.The 31 day Frequency takes into account the capacity, capability, redundancy, and diversity of the AC sources and other indicationsavailable in the control room, including alarms, to alert the operator tobelow normaf air start pressure.sR 3.8.3.5Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but atl must have a water environment in order to survive. Removal of water from the fuel storage tanks once every 92 days eliminates the necessaryenvironment for bacterial survival. This is the most effective means ofcontrolling microbiological fouling. In addition, it eliminates the potentiat for water entrainment in the fuel oil during DG operation. Water maycome from any of several sources, including condensation, ground water, rain water, and contaminated fuel oil, and from breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated waterminimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequencies are consistent with the recommendations of Regulatory Guide 1.137 (Ref. 2). This SR is for preventative maintenance. The presence of water does not necessarily represent failure of this SR, provided the accumulated water is removed during performance of the Surveillance. Beaver Valley Units 1 and 2B 3.8.3 - 7 Revision 1 Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES REFERENCES 1.2.3.4.5.6.UFSAR, Section 9.14.4 for Unit 1 and Section 9.5.4 for Unit 2.Regulatory Guide 1.137 .UFSAR Section 9.14.6 for Unit 1 and UFSAR Section 9.5.4 for Unit 2.UFSAR, Chapter 6.UFSAR, Chapter 14 for Unit 1 and Chapter 15 for Unit 2. ASTM Standards: D4057-81, D1298-80, D975-81, D1796-83, D1552-79, D2622-82, and D2276-78, Method A.ASTM Standards. D975-81, Table 1.7.Beaver Valley Units 1 and 2 B 3.8.3 - I Revision 1 DC Sources - OperatingB 3.8.4 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.4 DC Sources - Operating BASES BACKGROUND The station DC electrical power system provides the AC emergency power system with control power. lt also provides both motive and control power to selected safety related equipment and preferred AC vital bus power (via inverters). As described by Reference 1, the DC electrical power system is designed to have sufficient independence, redundancy, and testability to perform its safety functions, assuming a single failure.The DC electrical power system also conforms to the recommendationsof Regulatory Guide 1.6 (Ref.2) and IEEE-308 (Ref. 3) as addressed inthe UFSAR.The 125 VDC electrical power system consists of two independent and redundant safety related Class 1E DC electrical power subsystems (Train A and Train B). Each subsystem consists of two 125 VDC batteries (each battery 100% capacity for that portion of the subsystem), the associated battery charger(s) for each battery, and all the associated control equipment and interconnecting cabling. For Unit 1, the required battery banks are Banks 1-1 and 1-3 on the orange bus and Banks 1-2 and 1-4 on the purple bus. The Unit 1 battery chargers are designated 1-1 and 1-3 on the orange bus and 1-2 and 1-4on the purple bus. The Unit 1 battery chargers designated 1-1 ,1-2, 1-3, and 1 -4 are each comprised of two redundant chargers, designated as 1-1A and 1-18, 1-2A and 1-28,1-3A and 1-38 and 1-4A and 1-48. Eachof these redundant chargers can supply the full range of required loadsfor the 125 VDC bus. Only one of the two redundant battery chargersassociated with each battery bank is required to be operable.The required Unit 2 battery banks are Banks 2-1 and 2-3 on the orange bus and Banks 2-2 and 2-4 on the purple bus. The Unit 2 battery chargers are designated 2-1 and 2-3 on the orange bus and 2-2 and 2-4on the purple bus. In addition, for Unit 2, spare chargers (2-T and 2-9)are also provided. Spare battery chargers 2-7 and 2-9 are each fully qualified as a substitute for a primary battery charger. For Unit 2, one safety switch is provided for each DC bus to provide a backup method for battery charging and bus supply if the primary charger is out of service. This is discussed in the UFSAR, Section 8.3.2.1 (Ref a).For Unit 1 and Unit 2, a spare charger that is fully qualified as describedin the UFSAR and that meets applicable surveillance requirements, maybe substituted as an operable charger.During normal operation, the 125 VDC load is powered from the batterychargers with the batteries floating on the system. In case of loss of normal power to the battery charger, the DC load is automatically powered from the station batteries.Beaver Valley Units 1 and 2 B 3.8.4 - 1Revrsion 27 DC Sources - Operating B 3.8.4 BASESBACKG ROUN D (continued )The Train A and Train B DC electrical power subsystems provide the control powerfor its associated Class 1E AC power load group,4.16 kV switchgear, and 480 V load centers. The DC electrical power subsystems also provide DC electrical power to the inverters, which in turn power the AC vital buses.The DC power distribution system is described in more detail in Bases for LCO 3.8.9, "Distribution System - Operating," and LCO 3.8.10,"Distribution Systems - Shutdown." Each 125 VDC battery is separately housed in a ventilated room apart from its charger and distribution centers. Each subsystem is located in an area separated physically and electrically from the other subsystem to ensure that a single failure in one subsystem does not cause a failure in a redundant subsystem. There is no sharing between redundant Class 1E subsystems, such as batteries, battery chargers, or distribution panels.Each battery has adequate storage capacity to meet the duty cycle(s) discussed in Reference 4. The battery is designed with additional capacity above that required by the design duty cycle to allow fortemperature variations and other factors.The batteries for Train A and Train B DC electrical power subsystems aresized to produce required capacity at 80% of nameplate rating, corresponding to warranted capacity at end of life cycles and the 100%design demand. The minimum design voltage limit for each battery cell is 1.84 volts for batteries 1-1, 1-2,2-1,2-2,2-3, and 2-4 and 1.864 volts forbatteries 1-3 and 1-4.Based on battery sizing calculations, a 5% design margin is maintained for the Enersys 2GN-13 model batteries (2-3 and 2-4) and a 2o/o design margin is maintained for the Enersys 2GN-21 model batteries (1-1, 1-2, 2-1, and 2-2). This margin is reserved for the batteries listed above in ' accordance with the battery vendor recommendations and NRC commltment in order to use the value of < 2 amps float current to determlne a fully charged battery (Ref. 11).The battery cells are of flooded lead acid construction with a nominal specific gravity of 1.215. This specific gravity corresponds to an open circuit battery voltage of approximately 124 V for a 60 cell battery (i.e.,cell voltage of 2.A7 volts per cell (Vpc)) The open circuit voltage is the voltage maintained when there is no charging or discharging. Optimal long term performance, however, is obtained by maintaining a float voltage 2.25 Vpc. This provides adequate over-potential, which limits the formation of lead sulfate and self discharge. The nominal float voltage of2.25 Vpc corresponds to a total float voltage output of 135 V for a 60 cell battery as discussed in Reference 4. Beaver Valley Units 1 and 2 B 3.8.4 - 2Revision 27 DC Sources - Operating B 3.8.4 BASES BACKG ROUN D (continued) Each Train A and Train B DC electrical power subsystem battery charger has ample power output capacity for the steady state operation of connected loads required during normal operation, while at the same time maintaining its battery bank fully charged. Each battery charger also has sufficient excess capacity to restore the battery from the design minimum charge to its fully charged state within 24 hours while suppfying normal steady state loads discussed in Reference 4. The battery charger is normally in the float-charge mode. Float-charge is the condition in which the charger is supplying the connected loads and the battery cells are receiving adequate current to optimally charge the battery. This assures the internal losses of a battery are overcome and the battery is maintained in a fully charged state. When desired, the charger can be placed in the equalize mode. Theequalize mode is at a higher voltage than the float mode and chargingcurrent is correspondingly higher. The battery charger is operated in the equalize mode after a battery discharge or for routine maintenance. Following a battery discharge, the battery recharge characteristic accepts current at the current limit of the battery charger (if the discharge was significant, e.9., following a battery service test) until the battery terminal voltage approaches the charger voltage setpoint. Charging current then reduces exponentially during the remainder of the recharge cycle. Lead-calcium batteries have recharge efficiencies of greater than 95o/o, so once at least 105% of the ampere-hours discharged have been returned, the battery capacity would be restored to the same condition as it was prior to the discharge. This can be monitored by direct observation of the exponentially decaying charging current or by evaluating the amp-hoursdischarged from the battery and amp-hours returned to the battery. APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident (DBA) and transientanalyses in the UFSAR, Chapter 6 (Ref. 5) and Reference 6, assume that Engineered Safety Feature (ESF) systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the DGs, emergency auxillaries, and control and switching during all MODES of operation. The OPERABILITY of the DC sources is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining the DC sources OPERABLE during accident conditions in the event of:An assumed loss of all offsite AC power or all onsrte AC power andA worst-case single failure.The DC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2xii). a.b.Beaver Valley Units 1 and 2 B 3.8.4 - 3Revision 27 DC Sources - OperatingB 3.8.4 BASES LCOThe DC electrical power subsystems, each subsystem consisting of two batteries, battery charger for each battery and the corresponding control equipment and interconnecting cabling supplying power to the associatedbus within the train are required to be OPERABLE to ensure the availability of the required power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA. Loss of any train DC electrical power subsystem does not prevent the minimum safety function from being performed (Ref. a).An OPERABLE DC electrical power subsystem requires afl required batteries and respective chargers to be operating and connected to the associated DC bus(es). APPLICABILITYThe DC electrical power sources are required to be OPERABLE in MODES 1 , 2, 3, and 4 to ensure safe unit operation and to ensurea. Acceptable fuel design limits and reactor coolant'pressure boundary limits are not exceeded as a result of AOOs or abnormal transients andb. Adequate core cooling is provided, and containment integrity and other vital functions are maintained in the event of a postulated DBA.The DC electrical power requirements for MODES 5 and 6 are addressed in the Bases for LCO 3.8.5. "DC Sources - Shutdown." ACTIONS A and A.3 Condition A represents one train with one or two battery chargers inoperable (e.9., the voltage limit of SR 3.8.4.1 is not maintained). The ACTIONS provide a tiered time response that focuses on returning the battery to the fully charged state and restoring a fully qualified charger to OPERABLE status in a reasonable time period. Required Action A.1 requires that the battery terminal voltage be restored to greater than or equal to the minimum established float voltage within 2 hours. The minimum established float voltage, measured at the battery terminals, is 2.13 volts per cell multiplied by the number of connected cells. The required number of connected cells is established in the battery srzing calculations (Ref. 12 through 19). The 2 hour limit provides for returning the inoperable charger to OPERABLE status or providing an alternate means of restoring battery terminal voltage to greater than or equal to the minimum established float voltage. Restoring the battery terminal voltage to greater than or equal to the minimum established float voltage providesBeaver Valley Units 1 and 2 B384-4Revision 23 DC Sources - OperatingB 3.8.4 BASES ACTIONS (continued) reasonable assurance that, within 12 hours, the battery will be restored toits fully charged condition (Required Action A.2\ from any discharge thatmight have occurred due to the charger inoperability. A discharged battery having terminal voltage of at least the minimumestablished float voltage indicates that the battery is on the exponentialcharging current portion (the second part) of its recharge cycle. The timeto return a battery to its fully charged state under this condition is simply afunction of the amount of the previous discharge and the rechargecharacteristic of the battery. Thus there is reasonable assurance of fullyrecharging the battery within 12 hours, avoiding a premature shutdown with its own attendant risk.lf established battery terminal float voltage cannot be restored to greater than or equal to the minimum established float voltage within 2 hours, and the charger is not operating in the current-limiting mode, a faulty chargeris indicated. A faulty charger that is incapable of maintaining establishedbattery terminal float voltage does not provide assurance that it can revertto and operate properly in the current limit mode that is necessary duringthe recovery period following a battery discharge event that the DC system is designed for.lf the charger is operating in the current limit mode after 2 hours that is anindication that the battery is partially discharged and its capacity margins will be reduced. The time to return the battery to its fully charged condition in this case is a function of the battery charger capacity, theamount of loads on the associated DC system, the amount of the previous discharge, and the recharge characteristic of the battery. Thecharge time can be extensive, and there is not adequate assurance that it can be recharged within 12 hours (Required Action A.2)Required Action A.2 requires that the battery float current be verified asless than or equal to 2 amps. This indicates that, if the battery had beendischarged as the result of the inoperable battery charger, it has nowbeen fully recharged. lf at the expiration of the initial 12 hour period the battery float current is not less than or equal to 2 amps this indicatesthere may be additional battery problems and the battery must be declared inoperable.Required Action A.3 limits the restoration time for the lnoperable batterycharger to 72 hours. This action is applicable if an alternate means ofrestoring battery terminal voltage to greater than or equal to the minimum established float voltage has been used (e g , balance of plant non-Class 1E battery charger). The 72-hour Completion Time reflects a reasonabletime to effect restoration of the qualified battery charger to OPERABLE Beaver Valley Units 1 and 2 B3.84-5 Revision 23 DC Sources - OperatingB 3.8.4 BASESACTIONS (continued) status. In addition, the 72-hour Completion Tlme takes into account thecapacity and capability of the remaining DC sources, and the low probability of a DBA occurring during this period.Condition B represents one train with one or two batteries inoperable. With one or two batteries inoperable, the DC bus is being supplied by theOPERABLE battery charger. Any event that results in a loss of the ACbus supporting the battery charger will also result in loss of DC to thattrain. Recovery of the AC bus, especially if it is due to a loss of offsite power, will be hampered by the fact that many of the componentsnecessary for the recovery (e.g., diesel generator control and field flash,AC load shed and diesel generator output circuit breakers, etc.) likely relyupon the batteries. In addition the energization transients of any DCloads that are beyond the capability of the battery charger and normallyrequire the assistance of the batteries will not be able to be brought online. The 2 hour limit allows sufficient time to effect restoration of an inoperable battery given that the majority of the conditions that lead to battery inoperability (e.9., loss of battery charger, battery cell voltage lessthan 2.07 V, etc.) are identified in Specifications 3.8.4, 3.8.5, and 3.8.6together with additional specific Completion Times.Condition C represents one train with a loss of ability to completelyrespond to an event, and a potential loss of ability to remain energizedduring normal operation. lt is therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for complete loss of DC power to the affected train. The2 hour limit is consistent with the allowed time for an inoperable DC distribution system train.lf one of the required DC electrical power subsystems is inoperable for reasons other than Condition A or B (e.g , inoperable battery charger and associated inoperable battery), the remaining DC electrical powersubsystem has the capacity to support a safe shutdown and to mitigatean accident condrtion. Since a subsequent worst-case single failurecould, however, result in the loss of minimum necessary DC electricalsubsystems to mitigate a worst case accident, continued power operationshould not exceed 2 hours. The 2 hour Completion Time is based on Regulatory Guide 1.93 (Ref. 7) and reflects a reasonable time to assessunit status as a function of the inoperable DC electrical power subsystem and, if the DC electrical power subsystem is not restored to OPERABLEstatus, to prepare to effect an orderly and safe unit shutdown. Beaver Valley Units 1 and 2 B3.84-6Revision 0 DC Sources - OperatingB 3.8.4 BASES ACTIONS (continued) D.1 and D.2lf the inoperable DC electrical power subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must bebrought to a MODE in which the LCO does not apply. To achieve thisstatus, the unit must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable,based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging plantsystems. The Completion Time to bring the unit to MODE 5 is consistentwith the time recommended in Regulatory Guide 1.93 (Ref 7).SURVEILLANCE SR 3.8.4.1 REQUIREMENTS Verlfying battery terminal voltage while on float charge helps to ensurethe effectiveness of the battery chargers, which support the ability of thebatteries to perform their intended function. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery and maintain the battery in afulty charged state while supplying the continuous steady state loads of the associated DC subsystem. On float charge, battery cells will receive adequate current to optimally charge the battery. The voltage requirements are based on the nominal design voltage of the battery andare consistent with the minimum float voltage, measured at the battery terminals, established by the battery manufacturer (i.e.,2.13 volts per cell multiplied by the number of connected cells). This voltage maintains the battery plates in a condition that supports maintaining the grid life (expected to be approximately 20 years). The 7 day Frequency is consistent with IEEE-450 (Ref. 8).sR 3.8 4.2This SR verifies the design capacity of the battery chargers. According to Regulatory Guide 1.32 (Ref. 9), the battery charger supply is recommended to be based on the largest combined demands of thevarious steady state loads and the charging capacity to restore thebattery from the design minimum charge state to the fully charged state, irrespective of the status of the unit during these demand occurrences.The minimum required amperes and duration ensure that these requirements can be satisfied.Beaver Valley Units 1 and 2 B3.84-7 Revision 23 DC Sources - OperatingB 3.8.4 BASES SURVEILLANCE REQU lREMENTS (continued) This SR provides two options. One option requires that each batterycharger be capable of supplying 100 amps at the minimum establishedfloat voltage for 4 hours. The ampere requirements are based on the output rating of the chargers. The voltage requirements are based on thecharger voltage level after a response to a loss of AC power. The charger voltage requires a minimum output of 140 volts. The 4-hour time period is sufficient for the charger temperature to have stabilized, The minimum established float voltage, measured at the battery terminals, is2.13 volts per cell multiplied by the number of connected cells.The other option requires that each battery charger be capable ofrecharging the battery after a service test coincident with supplying thelargest combined demands of the various continuous steady state loads (irrespective of the status of the plant during which these demands occur). This level of loading may not normally be available following thebattery service test and will need to be supplemented with additionalloads. The duration for this test may be longer than the charger sizingcriteria since the battery recharge is affected by float voltage, ternperature, and the exponential decay in charging current. The batteryis recharged when the measured charging current is < 2 amps.The Surveillance Frequency is acceptable, given the unit conditions required to perform the test and the other administrative controls existing to ensure adequate charger performance during these 18 month intervals. In addition, this Frequency is intended to be consistent with expected fuelcycle lengths.sR 3.8.4.3 A battery service test is a special test of the battery capability, as found,to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The discharge rate and test length should correspond to the design duty cycle of 2 hours, using actual or simulated emergency loads as specified in Reference 4.The Surveillance Frequency of 18 months is consistent with the recommendations of Regulatory Guide 1.32 (Ref. 9) and Regulatory Guide 1 .129 (Ref. 10), which state that the battery service test should be performed during refueling operations, or at some other outage, withintervals between tests not to exceed the SR Frequency plus any allowed extension. This SR is modified by two Notes. Note 1 allows the performance of a modified performance discharge test in lieu of a service test.Beaver Valley Units 1 and 2B 3.8.4 - 8Revision 23 DC Sources - OperatingB 3.8.4 BASES SURVEILLANCE REQU I REMENTS (continued)The reason for Note 2 is that performing the Surveillance would perturb the electrical distribution system and challenge safety systems. Creditmay be taken for unplanned events that satisfy this SR.REFERENCES 1.Unit 1 UFSAR Appendix 1A, "1971AEC General Design Criteria Conformance" and Unit 2 UFSAR Section 3.1, "Conformance withU. S. Nuclear Regulatory Commission General Design Criteria."Safety Guide 6 (Unit 1) and Regulatory Guide 1.6, March 10, 1971 (Unit 2).IEEE-308-1971 for Unit 1 and 1974 for Unit 2.UFSAR, Chapter 8.UFSAR, Chapter 6.UFSAR, Chapter 14 for Unit 1 and Chapter 15 for Unit 2.Regulatory Guide 1.93, December 1974. tEEE-450-1995.

Regulatory Guide 1 .32, February 1977. Regulatory Guide 1.129, December 1974. NRC Regulatory Commitment documented in FENOC Letter L 162, "Supplement to License Amendment Request Nos. 296 and169, lmproved Standard Technical Specification Conversion," datedDecember 7 ,2006.12. 8700-E-201 , DC System Management - BAT-1-1/BAT-CHG1-1 .13. 8700-E-202, DC System Management - BAT-1-2itsAT-CHG1-2.14. 8700-E-203, DC System Management - BAT-1-3/BAT-CHG1-3.15. 8700-E-204, DC System Management - BAT-1-4IBAT-CHG1-4. 1 6. 1 0080-E-201 , DC System Management - BAT-2-1/BAT-CH G2-1 .17 . 10080-E-202, DC System Management - BAT-?-ZlBAT-CHG2-2.

18. 10080-E-203, DC System Management - BAT-2-3/BAT-CHG2-3.1 9. 1 0080-E-204, DC System Management - BAT-24lBAT-CHG2-4.Beaver Valley Units 1 and 2B 3.8.4 - 9 Revision 23 DC Sources - ShutdownB 3.8.5 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.5 DC Sources - Shutdown BASES BACKGROUND A description of the DC sources is provided in the Bases for LCO 3.8.4,"DC Sources - Operating." APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident (DBA) and transientanalyses in the UFSAR, Chapter 6 (Ref. 1) and Reference 2, assume that Engineered Safety Feature systems are OPERABLE.

The DC electrical power system provides normal and emergency DC electrical power forthe diesel generators, emergency auxiliaries, and control and switchingduring all MODES of operation. The OPERABILITY of the DC subsystems is consistent with the initiaf assumptions 6f the accident analyses and the requirements for the supported systems' OPERABILITY. The OPERABILITY of the minimum DC electrical power sources during MODES 5 and 6 and during movement of irradiated fuel assemblies or movement of fuel assemblies over irradiated fuel assemblies for Unit 1 or movement of recently irradiated fuel assemblies or movement of fuel assemblies over recently irradiated fuel assemblies for Unit 2 ensure that: The unit can be maintained in the shutdown or refueling condition for extended periods,Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status, andAdequate DC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident involving handling irradiated fuel. For Unit 2 only, due to radioactive decay, DC electrical power is only required to mitigate fuel handling accidents involving handling recently irradiated fuel (i.e., fuel thathas occupied part of a critical reactor core within the previous100 hours. In future discussions. the term fuel assemblies will include "irradiated" and "recently irradiated" as applicable for each unit.ln general, when the unit is shut down, the Technical Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required.The rationale for this is based on the fact that many DBAs that are a.b.Beaver Valley Units 1 and 2B 3.8.5 - 1 Revision 0 DC Sources - ShutdownB 3.8.5 BASES APPLICABLE SAFETY ANALYSES (continued)analyzed in MODES 1, 2, 3, and 4 have no specific analyses in MODES 5and 6 because the energy contained within the reactor pressureboundary, reactor coolant temperature and pressure, and thecorresponding stresses result in the probabilities of occurrence being significantly reduced or eliminated, and in minimal consequences. These deviations from DBA analysis assumptions and design requirementsduring shutdown conditions are allowed by the LCO for required systems. The shutdown Technical Specification requirements are designed to ensure that the unit has the capability to mitigate the consequences of certain postulated accidents. Worst case DBAs which are analyzed for operating MODES are generally viewed not to be a significant concernduring shutdown MODES due to the lower energies involved. The Technical Specifications therefore require a lesser complement ofelectrical equipment to be available during shutdown than is requiredduring operating MODES. More recent work completed on the potentialrisks associated with shutdown, however, have found significant riskassociated with certain shutdown evolutions. As a result, in addition tothe requirements established in the Technical Specifications, the industry has adopted NUMARC 91-06, "Guidelines for lndustry Actions to Assess Shutdown Management," as an Industry initiative to manage shutdowntasks and associated electrical support to maintain risk at an acceptablelow level. This may require the availability of additional equipmentbeyond that required by the shutdown Technical Specifications.The DC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2xii). LCOThe DC electrical power subsystem, the required subsystem consisting oftwo batteries, one battery charger per battery, and the corresponding control equipment and interconnecting cabling within the train, is requiredto be OPERABLE to support one train of the distribution systems required OPERABLE by LCO 3.8.10, "Distribution Systems - Shutdown." Thisensures the availability of sufficient DC electrical power sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.9., fuel handling accidents involvinghandling fuel). Beaver Valley Units 1 and 2 B385-2 Revisron 0 DC Sources - Shutdown B 3.8.5 BASES APPLICABlLITYThe DC electrical power sources required to be OPERABLE in MODES 5and 6, and during movement of fuel assemblies, provide assurance that: a. Required features to provide adequate coolant inventory makeupare available for the irradiated fuel assemblies in the core,b. Required features needed to mitigate a fuel handling accidentinvolving handling fuel are available, c. Required features necessary to mitigate the effects of events that can lead to core damage during shutdown are available, andd. lnstrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition. The DC electrical power requirements for MODES 1,2, 3, and 4 arecovered in LCO 3.8.4.ACTIONS LCO 3.0.3 is not applicable while in MODE 5 or 6. However, since irradiated fuel assembly movement can occur in MODE 1, 2, 3, or 4, theACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. lf moving irradiated fuel assemblies while in MODE 5 or 6,LCO 3.0.3 would not specify any action. lf moving fuel assemblies whilein MODE 1,2,3, or 4, the fuel movement is independent of reactoroperations. Entering LCO 3.0.3, while in MODE 1,2,3, or 4 would require the unit to be shutdown unnecessarily.4.1, 4.2.1, 4.2.2. A.2.3, A.2.4, and 4.2.5 By allowing the option to declare required features inoperable with the associated DC power source(s) inoperable, appropriate restrictions will be implemented in accordance with the affected required featuresLCO ACTIONS. In many instances tllis option may involve undesired administrative efforts. Therefore, the allowance for sufflcientlyconservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of fuel assemblies, and operations involving positive reactivityadditions) that could result in loss of required shutdown margin (SDM)(MODE 5) or boron concentration (MODE 6). Suspending positive reactivity additions that could result in failure to meet the minimum SDMor boron concentration limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources thathave a boron concentration greater than what would be required in the Reactor Coolant System (RCS) for minimum SDM or refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margln to maintainingBeaver Valley Units 1 and 2 B 3.8.5 - 3Revision 0 DC Sources - ShutdownB 3.8.5 BASESACTIONS (continued)subcritical operation. Introduction of temperature changes includingtemperature increases when operating with a positive MTC must also beevaluated to ensure they do not result in a loss of required SDM.Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize probability of the occurrence of postulated events. lt is further required to immediately initiate action to restore the required DC electrical powersubsystem and to continue this action until restoration is accomplished inorder to provide the necessary DC electrical power to the unit safety systems.The Completion Time of immediately is consistent with the required timesfor actions requiring prompt attention. The restoration of the required DC electrical power subsystem should be completed as quickly as possible inorder to minimize the time during which the unit safety systems may be without sufficient power.SURVEILLANCE SR 3.8.5.1 REQUIREMENTSSR 3.8.5.1 requires performance of all Surveillances required bySR 3.8.4.1 through SR 3.8.4.3. Therefore, see the corresponding Basesfor LCO 3.8.4 for a discussion of each SR.This SR is modified by a Note. The reason for the Note is to precluderequiring the OPERABLE DC sources from being discharged below theircapabifity to provide the required power supply or othenvise rendered inoperable during the performance of SRs. lt is the intent that these SRs must still be capable of being met, but actual performance is not required. REFERENCES 2 1.UFSAR, Chapter 6. UFSAR, Chapter 14 for Unit 1 and Chapter 15 for Unit 2.Beaver Valley Units 1 and 2B 3.8.5 - 4Revision 0 Battery ParametersB 3.8.6 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.6 Battery Parameters BASES BACKGROUNDThis LCO delineates the limits on battery float current as well aselectrolyte temperature, level, and float voltage for the DC powersubsystem batteries. A discussion of these batteries and their OPERABILITY requirements is provided in the Bases for LCO 3.8.4, "DC Sources - Operating," and LCO 3.8.5, "DC Sources - Shutdown." lnaddition to the limitations of this Specification, the Battery Monitoring and Maintenance Program also implements a program specified inSpecification 5.5.13 for monitoring various battery parameters that isbased on the recommendations of IEEE Standard 450-1995, "IEEERecommended Practice For Maintenance, Testing, And Replacement OfVented Lead-Acid Batteries For Stationary Applications" (Ref. 3).The battery cells are of flooded lead acid constructlon with a nominal specific gravity of 1.215. This specific gravity corresponds to an opencircuit battery voltage of approximately 124 V for 60 cell battery (i.e., cellvoltage of 2.07 volts per cell (Vpc)) The open circuit voltage is the voltage maintained when there is no charging or discharging. Optimallong term performance, however, is obtained by maintaining a floatvoltage 2.25 Vpc. This provides adequate over-potential which limits the formation of lead sulfate and self discharge. The nominal float voltage of2.25 Vpc corresponds to a total float voltage output of 135 V for a 60 cellbattery as discussed in the UFSAR, Chapter 8 (Ref. 5).APPLICABLE SAFETY ANALYSESThe initial conditions of Design Basis Accident (DBA) and transientanalyses in the UFSAR, Chapter 6 (Ref. 1) and Reference 2, assume thatEngineered Safety Feature systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power forthe DGs, emergency auxiliaries, and control and switching during all MODES of operation. The OPERABILITY of the DC subsystems is consistent with the initlalassumptions of the accident analyses and is based upon meeting thedesign basis of the unit. This includes maintaining at least one train ofDC sources OPERABLE during accident conditions, in the event of:An assumed loss of all offsite AC power or all onsite AC power and A worst-case single failure.Battery parameters satisfy Criterion 3 of 10 CFR 50.36(c)(2xii). a.b Beaver Valley Units 1 and 2B 3.8.6 - 1 Revision 0 Battery Parameters B 3.8.6 BASES LCO Battery parameters must remain within acceptable limits to ensureavailability of the required DC power to shut down the reactor andmaintain it in a safe condition after an anticipated operational occurrenceor a postulated DBA. Battery parameter limits are conservativelyestablished, allowing continued DC electrical system function even withlimits not met. Additional preventative maintenance, testing, and monitoring performed in accordance with the Battery Monitoring andMaintenance Program is conducted as specified in Specification 5.5.13.APPLICABILIry The battery parameters are required solely for the support of the associated DC electrical power subsystems. Therefore, battery parameter limits are only required when the DC power source is requiredto be OPERABLE. Refer to the Applicability discussion in Bases for LCO 3.8.4 and LCO 3.8.5.ACTIONS A.1 4.2 and A.3 With one or more cells in one or more batteries in one train < 2.07 V, thebattery cell is degraded. Within 2 hours verification of the required batterycharger OPERABILITY is made by monitoring the battery terminal voltage (SR 3.8.4.1) and of the overall battery state of charge by monitoring the battery float charge current (SR 3.8.6.1). This assures that there is stillsufficient battery capacity to perform the intended function. Therefore,. the affected battery is not required to be considered inoperable solely as a result of one or more cells in one or more batteries < 2.OT V, andcontinued operation is permitted for a limited period up to 24 hours. Since the Required Actions only specify "perform," a failure of SR 3.8.4.1 or SR 3.8.6.1 acceptance criteria does not result in this Required Actionnot met. However, if one of the SRs is failed the appropriate Condition(s), depending on the cause of the failures, is entered. lf SR 3.8.6.1 is failedthen there is not assurance that there is still sufficient battery capacity to perform the intended function and the battery must be declaredinoperable immediately. 8.1 and B.2One or more batteries in one train with float current > 2 amps indicatesthat a partial discharge of the battery capacity has occurred. This may bedue to a temporary loss of a battery charger or possibly due to one ormore battery cells rn a low voltage condition reflecting some loss ofcapacity. Within 2 hours verification of the required battery charger OPERABILITY is made by monitoring the battery terminal voltage. lf the terminal voltaqe is found to be less than the minimum established float Beaver Valley Units 1 and 2 B38.6-2Revision 0 Battery Parameters B 3.8.6 BASES ACTIONS (continued) voltage there are two possibilities, the battery charger is inoperable or isoperating in the current limit mode. Condition A addresses charger inoperability. lf the charger is operating in the current limit mode after2 hours that is an indication that the battery has been substantially discharged and likely cannot perform its required design functions. Thetime to return the battery to its fully charged condition in this case is a function of the battery charger capacity, the amount of loads on theassociated DC system, the amount of the previous discharge, and the recharge characteristic of the battery. The charge time can be extensive,and there is not adequate assurance that it can be recharged within12 hours (Required Action 8.2). The battery must therefore be declared inoperable.lf the float voltage is found to be satisfactory but there are one or morebattery celfs with float voltage less than 2.07 V, the associated "OR"statement in Condition F is applicable and the battery must be declared inoperable immediately. lf float voltage is satisfactory and there are no cells less than 2.07 V there is reasonable assurance that, within 12 hours,the battery will be restored to its fully charged condition (Required Action8.2) from any discharge that might have occurred due to a temporary lossof the battery charger.A discharged battery with float voltage (the charger setpoint) across itsterminals indicates that the battery is on the exponential charging current portion (the second part) of its recharge cycle. The time to return abattery to its fully charged state under this condition is simply a functlon ofthe amount of the previous discharge and the recharge characteristic ofthe battery. Thus there is reasonable assurance of fully recharging thebattery within 12 hours, avoiding a premature shutdown with its ownattendant risk.lf the condition is due to one or more cells in a low voltage condition but still greater than 2.07 V and float voltage is found to be satisfactory, this isnot indication of a substantially discharged battery and 12 hours is a reasonable time prior to declaring the battery inoperable.Since Required Action 8.1 only specifies "perform," a failure of SR 3.8.4.1 acceptance criteria does not result in the Required Action not met.However, if SR 3.8.4.1 is failed, the appropriate Condition(s), dependingon the cause of the failure. is entered. Beaver Valley Units 1 and 2 B 3.8.6 - 3 Revision 0 Battery ParametersB 3.8.6 BASES ACTIONS (continued)C.1, C.2, and C.3With one or more batteries in one train with one or more cells electrolytelevel above the top of the plates, but below the minimum established design limits, the battery still retains sufficient capacity to perform the intended function. Therefore, the affected battery is not required to beconsidered inoperable solely as a result of electrolyte level not met. In accordance with Required Action C.3, the minimum established designlimits for electrolyte level (i.e., > minimum fevel indication mark) must bere-established within 31 days. Condition C is modified by a Note that requires the completion of Required Action C.2 rt the electrolyte level was found below the top of the plates. ln this case, the visual inspection forleakage specified in Required Action C.2 must be performed prior toexiting Condition C even if the electrolyte level is restored to greater thanor equal to the minimum established design limit. With electrolyte level below the top of the plates there is a potential fordryout and plate degradation. Required Actions C.1 and C.2 address this potential (as well as provisions in Speclfication 5.5.13, Battery Monitoring and Maintenance Program). They are modified by a Note that indicates they are only applicable if electrolyte level is below the top of the plates.Within 8 hours level is required to be restored to above the top of the plates. The Required Action C.2 requirement to verify that there is noleakage by visual inspection and the Specification 5.5.13.b item to initiate action to equalize and test in accordance with manufacturer's recommendation are taken from Annex D of IEEE Standard 450-1995.The visual inspection and requirements of Specification 5.5.13.b are typically performed following the restoration of the electrolyte level toabove the top of the plates. Based on the results of the manufacturer's recommended testing the batteries may have to be declared inoperableand the affected cells replaced.D.1With one or more batteries in one train with pilot cell temperature lessthan the minimum established design limit of 50"F, 12 hours is allowed torestore the temperature to within limits. A low electrolyte temperaturelimits the current and power available. Since the battery is sized withmargin, while battery capacity is degraded, sufficlent capacity exists to perform the intended function and the affected battery is not required to be considered inoperable solely as a result of the pilot cell temperaturenot met.Beaver Valley Units 1 and 2 B 3.8.6 - 4Revision 0 Battery Parameters B 3.8.6 BASES ACTIONS (continued) E.1 With one or more batteries in redundant trains with battery parametersnot within limits there is not sufficient assurance that battery capacity has not been affected to the degree that the batteries can still perform their required function, given that redundant batteries are involved. With redundant batteries involved this potential could result in a total loss of function on multiple systems that rely upon the batteries. The longer Completion Times specified for battery parameters on non-redundant batteries not within limits are therefore not appropriate, and the parameters must be restored to within limits on at least one train within2 hours.F.1 With one or more batteries with any battery parameter outside the allowances of the Required Actions for Condition A, B, C, D, or E, sufficient capacity to supply the maximum expected load requirement is not assured and the corresponding battery must be declared inoperable. Additionally, discovering one or more batteries in one train with one ormore battery cells float voltage less than 2.07 V and float current greaterthan 2 amps indicates that the battery capacity may not be sufficient to perform the intended functions. The battery must therefore be declared inoperable immediately. SURVEILLANCE SR 3.8.6.1 REQUIREMENTS Verifying battery float current while on float charge is used to determine the state of charge of the battery. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery and maintain the battery in a charged state.. The float current requirements are based on the float current indicative of a charged battery. Use of float current to determine the state of charge of the battery is consistent with IEEE-450 (Ref. 3). The 7 day Frequency is consistent with IEEE-450 (Ref. 3).This SR is modified by a Note that states the float current requirement isnot required to be met when battery terminal voltage is less than the minimum established float voltage of SR 3.8.4.1. When this float voltageis not maintained the Required Actions of LCO 3.8.4 ACT1ON A are beingtaken, which provide the necessary and appropriate verifications of the battery condition. Furthermore, the float current limit of 2 amps is established based on the nominal float voltage value and is not directlyapplicable when this voltage is not maintained.Beaver Valley Units 1 and 2 B38.6-5 Revision 0 Battery ParametersB 3.8.6 BASES SURVEILLANCE REQUI REM ENTS (continued)SR 3.8.6.2 and SR 3.8.6.5Optimal long term battery performance is obtained by maintaining a float voltage greater than or equal to the minimum established design limits provided by the battery manufacturer. The minimum established float voltage, measured at the battery terminals, is 2.13 volts per cell multipliedby the number of connected cells. This provides adequate over-potential,which limits the formation of lead sulfate and self discharge, which could eventually render the battery inoperable. Float voltages in this range orless, but greater than 2.07 Vpc, are addressed in Specification 5.5.13.SRs 3.8.6.2 and 3.8.6.5 require verification that the cell float voltages are equal to or greater than the short term absolute minimum voltage of2.07 V. The Frequency for cell voltage verification every 31 days for pilotcell and 92 days for each connected cell is consistent with IEEE-450 (Ref. 3).sR 3.8.6.3The limit specified for electrolyte level (i.e., t minimum level indicationmark) ensures that the plates suffer no physical damage and maintainsadequate electron transfer capability. The Frequency is consistent with IEEE-450 (Ref. 3).sR 3.8.6.4This Surveillance verifies that the pilot cell temperature rs greater than orequal to the minimum established design limit (i.e., 50'F). Pilot cellelectrolyte temperature is maintained above this temperature to assure the battery can provide the required current and voltage to meet the design requirements. Temperatures lower than assumed in battery sizingcalculations act to inhibit or reduce battery capacity. The Frequency is consistent with IEEE-450 (Ref. 3).sR 3.8.6.6 A battery performance discharge test is a test of constant current capacityof a battery, normally done in the as found condition, after having been in service, to detect any change in the capacity determined by theacceptance test. The test is intended to determine overall batterydegradation due to age and usage. Beaver Valley Units I and 2 B 3.8.6 - 6 Revision 23 Battery Parameters B 3.8.6 BASES SURVEILLANCE REQUI REMENTS (continued) Either the battery performance discharge test or the modified performance discharge test is acceptable for satisfying SR 3.8.6.6; however, only the modified performance discharge test may be used tosatisfy the battery service test requirements of SR 3.8.4.3.A modified discharge test is a test of the battery capacity and its ability to provide a high rate, short duration load (usually the highest rate of the duty cycle). This will often confirm the battery's ability to meet the critical period of the load duty cycle, in addition to determining its percentage of rated capacity. Initial conditions for the modified performance discharge test should be identical to those specified for a service test.It may consist of just two rates; for instance the one minute rate for the battery or the largest current load of the duty cycle, followed by the test rate employed for the performance test, both of which envelope the duty cycle of the service test. Since the ampere-hours removed by a one minute discharge represents a very small portion of the battery capacity, the test rate can be changed to that for the peformance test withoutcompromising the results of the performance discharge test. The batteryterminal voltage for the modified performance discharge test must remain above the minimum battery terminal voltage specified in the battery service test for the duration of time equal to that of the service test.The acceptance criteria for this Surveillance are consistent with IEEE-450 (Ref. 3) and IEEE-485 (Ref. a). These references recommend that the battery be replaced if its capacity is below 80% of the manufacturer'srating. A capacity of 80% shows that the battery rate of deterioration is increasing, even if there is ample capacity to meet the load requirements. Furthermore, the battery is sized to meet the assumed duty cycle loads when the battery design capacity reaches this 80% lirnit. The Surveillance Frequency for this test is normally 60 months. lf the battery shows degradation, or if the battery has reached 85% of itsexpected life, the Surveillance Frequency is reduced to 18 months.Degradation is indicated, according to IEEE-450 (Ref. 3), when thebattery capacity drops by more than 1A% relative to its capacity on the previous performance test or when it is ) 10% below the manufacturer's rating. These Frequencies are consistent with the recommendations in IEEE-450 (Ref. 3).This SR is modified by a Note. The reason for the Note is that performing the Surveillance would perturb the electrical distribution system and challenge safety systems. Credit may be taken forunplanned events that satisfy this SR.Beaver Valley Units 1 and 2B 3.8.6 - 7Revision 0 Battery ParametersB 3.8.6 BASES REFERENCES1. UFSAR, Chapter 6.2. UFSAR, Chapter 14for Unit 1 and Chapter 15 for Unit 2.3. tEEE-450-1995.

4. IEEE-485-1983, June 1983.5. UFSAR, Chapter 8 (Unit 2).Beaver Valley Units 1 and 2B 3.8.6 - 8 Revision 0 Inverters - Operating B 3.8.7 B 3.8 ELECTRICAL POWER SYSTEMSB 3.8.7 lnverters - Operating BASES BACKGROUNDThe inverters are the preferred source of power for the AC vital busesbecause of the stability and reliability they achieve. The function of the inverter is to provide AC electrical power to the vital buses. The inverterscan be powered from an internal AC source/rectifier, a battery charger orfrom the station battery. The battery chargers have sufficient capacity to supply the required vital bus loads and may be used in lieu of the internalrectified AC source to power inverters. However, inverters with backup power available from the station battery provide the required uninterruptible power source for the instrumentation and controls for theReactor Protective System (RPS) and the Engineered Safety Feature Actuation System (ESFAS). Specific details on inverters and their operating characteristics are found in the UFSAR, Chapter 8 (Ref. 1).APPLICABLE SAFETY ANALYSESThe initial conditions of Design Basis Accident (DBA) and transient analyses in the UFSAR, Chapter 6 (Ref. 2) and Reference 3, assume Engineered Safety Feature systems are OPERABLE.

Theinverters are designed to provide the required capacity, capability,redundancy, and reliability to ensure the availability of necessary power to the RPS and ESFAS instrumentation and controls so that the fuel,Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.The OPERABILITY of the inverters is consistent with the initialassumptions of the accident analyses and is based on meeting the designbasis of the unit. This includes maintaining required AC vital buses OPERABLE during accident conditions in the event of: An assumed loss of all offsite AC electrical power or all onsite AC electrical power andA worst case single failure.lnverters are a part of the distribution system and, as such, satisfy Criterion 3 of 10 CFR 50 36(c)(2xii). a.b.Beaver Valley Units 1 and 2 B38.7-1Revision 0 lnverters - OperatingB 3.8.7 BASES LCOThe inverters ensure the availability of AC electrical power for the systems instrumentation required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA.Maintaining the required inverters OPERABLE ensures that the redundancy incorporated into the design of the RPS and ESFAS instrumentation and controls is maintained. The four inverters (two per train) ensure an uninterruptible supply of AC electrical power to the ACvital buses even if the 4.16 kV safety buses are de-energized. OPERABLE inverters require the associated vital bus to be powered by the inverter with output voltage within tolerances, and power input to theinverter from a 125 VDC station battery. Alternatively, power supply maybe a battery charger or from an internal AC source via rectifier as long as the station battery is available as the uninterruptible power supply.This LCO is modified by a Note that allows one inverter to bedisconnected from a battery for < 24 hours, if the vital bus is powered from a Class 1E constant voltage transformer or inverter using internal AC source during the period and all other inverters are OPERABLE. Thisallows an equalizing charge to be placed on one battery. Under certain conditions, if the inverters were not disconnected, the resulting voltage condition might damage the inverter. These provisions minimize the loss of equipment that would occur in the event of a loss of offsite power. The24 hour time period for the allowance minimizes the time during which a loss of offsite power could result in the loss of equipment energized from the affected AC vital bus while taking into consideration the time required to perform an equalizing charge on the battery bank.The intent of this Note is to limit the number of inverters that may bedisconnected. Only the inverter associated with the single batteryundergoing an equalizing charge may be disconnected. All other inverters must be aligned to their associated batteries, regardless of thenumber of inverters'or unit design.APPLICABILITY The inverters are required to be OPERABLE in MODES 1,2,3, and 4 toensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundarylimits are not exceeded as a result of AOOs or abnormal transients and Beaver Valley Units 1 and 2 B38.7 -2 Revision 0 Inverters - OperatingB 3.8.7 BASES APPLICABI Llry (continued)

b. Adequate core cooling is provided, and containment OPERABILITYand other vital functions are maintained in the event of a postulated DBA.lnverter requirements for MODES 5 and 6 are covered in the Bases forLCO 3.8.8, "lnverters - Shutdown." ACTIONS A.1 With a required inverter inoperable, its associated AC vital bus becomesinoperable until it is re-energized from its Class 1E constant voltage source transformer or inverter using internal AC source or battery charger.For this reason a Note has been included in Condition A requiring the entry into the Conditions and Required Actions of LCO 3.8.9, "Distribution Systems - Operating." This ensures that the vital bus is re-energizedwithin 2 hours.Required Action A.1 allows 24 hours to fix the inoperable inverter andreturn it to service. The 24 hour limit is based upon engineering judgment, taking into consideration the time required to repair an inverterand the additional risk to which the unit is exposed because of theinverter inoperability. This has to be balanced against the risk of animmediate shutdown, along with the potential challenges to safetysystems such a shutdown might entail. When the AC vital bus is powered from a source other than an inverter with battery backup, it is relying uponinterruptible AC electrical power sources (offsite and onsite). The uninterruptible inverter source to the AC vital buses is the preferredsource for powering instrumentation trip setpoint devices.8.1 and B.2lf the inoperable devices or components cannot be restored toOPERABLE status within the required Completion Time, the unit must bebrought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable,based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging plant systems.Beaver Valley Units 1 and 2B 3.8.7 - 3Revision 0 Inverters - OperatingB 3.8.7 BASES SURVEILLANCE SR 3.8.7.1 REQUIREMENTS This Surveillance verifies that the inverters are functioning properly with all required circuit breakers closed and AC vital buses energized from theinverter. The verification of correct voltage output ensures that the required power is readily avarlable for the instrumentation of the RPS and ESFAS connected to the AC vital buses. The 7 day Frequency takes intoaccount the redundant capability of the inverters and other indicationsavailable in the control room that alert the operator to inverter malfunctions.

REFERENCES 2.3.1.UFSAR, Chapter 8.UFSAR, Chapter 6.UFSAR, Chapter 14for Unit 1 and Chapter 15 for Unit 2.Beaver Valley Units 1 and 2 B3.87-4 Revision 0 lnverters - Shutdown B 3.8.8 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.8 lnverters - Shutdown BASES BACKGROUND A description of the inverters is provided in the Bases for LCO 3.8.7,"lnverters - Operating." APPLICABLE SAFETY ANALYSESThe initial conditions of Design Basis Accident (DBA) and transientanalyses in the UFSAR, Chapter 6 (Ref. 1) and Reference 2, assume Engineered Safety Feature systems are OPERABLE. The DC to ACinverters are designed to provide the required capacity, capability, redundancy, and reliability to ensure the availability of necessary power to the Reactor Protective System and Engineered Safety Features ActuationSystem instrumentation and controls so that the fuel, Reactor CoolantSystem, and containment design limits are not exceeded. The OPERABILITY of the inverters is consistent with the lnitialassumptions of the accident analyses and the requirements for thesupported systems' OPERABILITY. The OPERABILITY of the minimum inverters to each AC vital bus during MODES 5 and 6 and during fuel movement ensures that:The unit can be maintained in the shutdown or refueling condition for extended periods, Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status, and Adequate power is available to mitigate events postulated during shutdown, such as a fuel handling accident involving handling irradiated fuel or movement of fuel assemblies over irradiated fuelassemblies for Unit 1 or movement of recently irradiated fuel assemblies or movement of fuel assemblies over recently irradiated fuel assemblies for Unit 2. For Unit 2 only, due to radioactive decay,the inverters are only required to mitigate fuel handling accidents involving handling recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours.In future discussions, the term fuel assemblies will include"irradiated" and "recently irradiated" as applicable for each unit. ln general, when the unit is shut down, the Technical Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or all onsite power is not required. a.b.c.Beaver Valley Units 1 and 2 B388-1 Revlsion 0 Inverters - ShutdownB 3.8.8 BASES APPLICABLE SAFETY ANALYSES (continued)The rationale for this is based on the fact that many DBAs that areanalyzed in MODES 1 , 2, 3, and 4 have no specific analyses in MODES 5and 6 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and thecorresponding stresses result in the probabilities of occurrence beingsignificantly reduced or eliminated, and in minimal consequences. Thesedeviations from DBA analysis assumptions and design requirementsduring shutdown conditions are allowed by the LCO for required systems.The shutdown Technical Specification requirements are designed toensure that the unit has the capability to mitigate the consequences of certain postulated accidents. Worst case DBAs which are analyzed for operating MODES are generally viewed not to be a significant concernduring shutdown MODES due to the lower energies involved. TheTechnical Specifications therefore require a lesser complement ofelectrical equipment to be available during shutdown than is requiredduring operating MODES. More recent work completed on the potential rlsks associated with shutdown, however, have found significant risk associated with certain shutdown evolutions. As a result, in addition tothe requirements established in the Technical Specifications, the industry has adopted NUMARC 91-06, "Guidelines for Industry Actions to Assess Shutdown Management," as an lndustry initiative to manage shutdown tasks and associated electrical support to maintain risk at an acceptablelow level. This may require the availability of additional equipmentbeyond that required by the shutdown Technical Specifications.The inverters were previously identified as part of the distribution systemand, as such, satisfy Criterion 3 of '10 CFR 50.36(c)(2xii). LCOThe inverters ensure the availability of electrlcal power for the instrumentation for systems required to shut down the reactor andmaintain it in a safe condition after an anticipated operational occurrenceor a postulated DBA. The inverters with battery backup power provideuninterruptible supply of AC electrical power to the AC vital buses even ifthe 4.16 kV safety buses are de-energized. OPERABILITY of the inverters require that the AC vital bus be powered by the inverter. Thisensures the availability of sufficient inverter power sources to operate theunit in a safe manner and to mitigate the consequences of postulatedevents during shutdown (e g , fuel handling accidents involving handling fuel).Beaver Valley Units 1 and 2B 3.8.8 - 2 Revision 0 lnverters - Shutdown B 3.8.8 BASES APPLICABILITY The inverters required to be OPERABLE in MODES 5 and 6 and during movement of fuel assemblies provide assurance that: Systems to provide adequate coolant inventory makeup are available for the irradiated fuel in the core,Systems needed to mitigate a fuel handling accident involving handling fuel are available, Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available, and Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.lnverter requirements for MODES 1, 2, 3, and 4 are covered inLCO 3.8.7. a.b.d.ACTIONSLCO 3.0.3 is not applicable while in MODE 5 or

6. However, since irradiated fuel assembly movement can occur in MODE 1 , 2, 3, or 4, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is notapplicable. lf moving fuel assemblies while in MODE 5 or 6, LCO 3.0.3would not specify any action. lf moving fuel assemblies while in MODE 1, 2,3, or 4, the fuel movement is independent of reactor operations.

Entering LCO 3.0.3, while in MODE 1,2,3, or4 would require the unit tobe shutdown unnecessarily. A.2A.2.2A.2.3 A.2.4 and A.2.5 lf two trains are required by LCO 3.8.10, "Distribution Systems -Shutdown," the remaining OPERABLE Inverters may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, fuel movement, and oporations with a potential for positive reactivity additions. By the allowance of the option to declare required features inoperable with the associated inverter(s) inoperable, appropriate restrictions will be implemented in accordance with the affected required features LCOs' Required Actions. "ln many instances,this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspendCORE ALTERATIONS, movement of fuel assemblies, and operations involving positive reactivity additions) that could result in loss of required SDM (MODE 5) or boron concentration (MODE 6). Suspending positive A1 Beaver Valley Units 1 and 2 B 3.8.8 - 3Revision 0 lnverters - ShutdownB 3.8.8 BASES ACTIONS (continued) reactivity additions that could result in failure to meet the minimum SDM or boron concentration limit is required to assure continued safeoperation. lntroduction of coolant inventory must be from sources that have a boron concentration greater than what would be required in theRCS for minimum SDM or refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but providesacceptable margin to maintaining subcritical operation. lntroduction of ternperature changes including temperature increases when operatingwith a positive MTC must also be evaluated to ensure they do not resultin a loss of required SDM.Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. lt is further required to immediately initiate action to restore the required inverters and to continue this action until restoration is accomplished in order to provide the necessary inverter power to the unit safety systems.The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required inverters should be completed as quickly as possible in order to minimize the time the unit safety systems may be without power or powered from aconstant voltage source transformer. SURVEILLANCE SR 3 8.8.1 REQUIREMENTS This Surveillance verifies that the inverters are functioning properly withall required circuit breakers closed and AC vital buses energized from the inverter. The verification of correct voltage output ensures that the required power is readily available for the instrumentation connected to the AC vital buses. The 7 day Frequency takes into account the redundant capability of the inverters and other indications available in the control room that alert the operator to inverter malfunctions. REFERENCES 2.1.UFSAR, Chapter 6.UFSAR, Chapter 14 for Unit 1 and Chapter 15 for Unit 2.Beaver Valley Units 1 and 2 B3.88-4Revision 0 Distribution Systems - OperatingB 3.8.9 B 3.8 ELECTR]CAL POWER SYSTEMS B 3.8.9 Distribution Systems - Operating BASES BACKGROUND The onsite Class 1E AC, DC, and AC vital bus electrical power distribution systems are divided by train into two redundant and independent AC, DC, and AC vital bus electrical power distribution subsystems. The AC electrical power subsystem for each train consists of a primary Engineered Safety Feature (ESF) 4.16 kV bus and secondary 480 V buses and load centers. Each 4.16 kV ESF bus has at least one separate and independent offsite source of power as well as a dedicated onsite diesel generator (DG) source. Each 4.16 kV ESF bus is normally connected to a unit source. After a loss of the unit power source to a 4.16 kV ESF bus, a transfer to the system offsite source is accomplishedby utilizing a time delayed bus undervoltage relay. lf all offsite sourcesare unavailable, the onsite emergency DG supplies power to the 4.16 kV ESF bus. Control power for the 4.16 kV ESF breakers is supplied from the Class 1E batteries. Additional description of this system may be found ln the Bases for LCO 3.8.1 , "AC Sources - Operating," and the Bases for LCO 3.8.4, "DC Sources - Operating." The secondary AC electrical power distribution subsystem for each train includes the safety related buses and load centers shown in Table B 3.8.9-1 The 120 VAC vital buses are arranged in two load groups per train and are normally powered from the inverters. The alternate power supply for the vital buses are Class 1E constant voltage source transformers powered from the same train as the associated inverter, and its use is governed by LCO 3.8.7, "lnverters - Operating." Each constant voltage source transformer is powered from a Class 1E AC bus.The DC electrical power distribution subsystem consists of 125 V bus(es). The list of all required DC and vital AC distribution buses is presented inTable B 3.8.9-1Beaver Valley Units 1 and 2 B38.9-1 Revision 0 Distribution Systems - Operating B 3.8.9 BASES APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident (DBA) and transientanalyses in the UFSAR, Chapter 6 (Ref. 1), and in Reference2,assume ESF systems are OPERABLE. The AC, DC, and AC vital bus electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor CoolantSystem, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); andSection 3.6, Containment Systems.The OPERABILITY of the AC, DC, and AC vital bus electrical power distribution systems is consistent with the initial assumptions of theaccident analyses and is based upon meeting the design basis of the unit.This includes maintaining power distribution systems OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite power or all onsite AC electrical power andb. A worst case single failure.The distribution systems satisfy Criterion 3 of 10 CFR 50.36(c)(2xii).

LCOThe required power distribution subsystems listed in Table B 3.8.9-1ensure the availability of AC, DC, and AC vital bus electrical power for the systems required to shut down the reactor and maintain it in a safecondition after an anticipated operational occurrence (AOO) or a postulated DBA. The AC, DC, and AC vital bus electrical power distribution subsystems are required to be OPERABLE. Maintaining the Train A and Train B AC, DC, and AC vital bus electrical power distribution subsystems OPERABLE ensures that the redundancy incorporated into the design of ESF is not defeated. Therefore, a singlefailure within any system or within the electrical power distribution subsystems will not prevent safe shutdown of the reactor.OPERABLE AC electrical power distribution subsystems require the associated buses and load centers to be energized to their correct voltages. OPERABLE DC electrical power distribution subsystems require the associated buses and distribution panels to be energized to their correct voltage from either the associated battery or charger.OPERABLE vital bus electrical power distribution subsystems require the associated buses to be energized to their correct voltage from theassociated inverter via inverted DC voltage, inverter using internal ACsource, or Class 1E constant voltage transformer. Beaver Valley Units I and 2 B38.9-2Revision 0 Distribution Systems - OperatingB 3.8.9 BASES LCO (continued) In addition, tie breakers between redundant safety related AC, DC, andAC vital bus power distribution subsystems, if they exist, must be open. This prevents any electrical malfunction in any power distribution subsystem from propagating to the redundant subsystem, that couldcause the failure of a redundant subsystem and a loss of essential safetyfunction(s). lf any tie breakers are closed, the affected redundant electrical power distribution subsystems are considered inoperable. Thisapplies to the onsite, safety related redundant electrical power distribution subsystems. lt does not, however, preclude redundant Class 1E 4.16 kVbuses from being powered from the same offsite circuit. APPLICABILITYThe electrical power distribution subsystems are required to be OPERABLE in MODES 1,2,3, and 4 to ensure that:Acceptable fuel design limits and reactor coolant pressure boundarylimits are not exceeded as a result of AOOs or abnormal transients andAdequate core cooling is provided, and containment OPERABILITYand other vital functions are maintained in the event of a postulated DBA.Electrical power distribution subsystem requirements for MODES 5 and 6 are covered in the Bases for LCO 3.8.10, "Distribution Systems -Shutdown." a.b.ACTIONS A.1 With one or more Train A and B required AC buses and load centers (except AC vital buses), in one train inoperable and a loss of function has not occurred, the remaining AC electrical power distribution subsystemsare capable of supporting the minimum safety functions necessary to shutdown the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining power distribution subsystems could result in the minimum required ESF functions not being supported. Therefore,the required AC buses and load centers must be restored to OPERABLE status within 8 hours.Condition A worst scenario is one train without AC power (i.e., no powerfrom the unit and system station service transformers to the tratn and the associated DG inoperable). In this Condition, the unit is more vulnerableto a complete loss of AC power. lt is, therefore, imperative that the unitBeaver Valley Units 1 and 2 B 3.8.9 - 3 Revision 0 Distribution Systems - OperatingB 3.8.9 BASES ACTIONS (continued) a.b.operator's attention be focused on minimizing the potential for loss of power to the remaining train by stabilizing the unit, and on restoring power to the affected train. The 8 hour time limit before requiring a unit shutdown in this Condition is acceptable because of: The potential for decreased safety if the unit operator's attention is diverted from the evaluations and actions necessary to restore power to the affected train, to the actions associated with taking the unit to shutdown within this time limit and The potential for an event in conjunction with a single failure of a redundant component in the train with AC power.The second Completion Time for Required Action A.1 establishes a limiton the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence offailing to meet the LCO. lf Condition A is entered while, for instance, aDC bus is inoperable and subsequently restored OPERABLE, the LCO may already have been not met for up to 2 hours. This could lead toa total of 10 hours, since initial failure of the LCO, to restore the AC distribution system. At this time, a DC circuit could again become inoperable, and AC distribution restored OPERABLE. This could conti nue i ndefinitely. The Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." Thls will result in establishing the "time zero" at the time the LCO was initially not met, instead of thetime Condition A was entered. The 16 hour Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely. Required Action A.1 is modified by a Note that requires the applicableConditions and Required Actions of LCO 3.8.4, "DC Sources - Operating,"to be entered for DC trains made inoperable by inoperable powerdistribution subsystems. This is an exception to LCO 3.0.6 and ensures the proper actions are taken for these components. Inoperability of adistribution system can result in loss of charging power to batteries and eventual loss of DC power. This Note ensures'that the appropriate attention is given to restoring charging power to batteries, if necessary, after loss of distribution systems.Beaver Valley Units 1 and 2 B3.89-4Revision 0 Distribution Systems - OperatingB 3.8.9 BASES ACTIONS (continued) 8.1 With one or more AC vital buses inoperable, and a loss of function has not yet occurred, the remaining OPERABLE AC vital buses are capable of supporting the minimum safety functions necessary to shut down the unit and maintain it in the safe shutdown condition. Overall reliability isreduced, however, since an additional single failure could result in the minimum required ESF functions not being supported. Therefore, therequired AC vital bus must be restored to OPERABLE status within2 hours by powering the bus from the associated inverter via inverted DC, inverter using internal AC source, or Class 1E constant voltage transformer. Condition B represents one or more AC vital buses without power;potentially both the DC source and the associated AC source are nonfunctioning. ln this situation, the unit is significantly more vulnerable to a complete loss of all noninterruptible power. lt is, therefore, imperative that the operator's attention focus on stabilizing the unit,minimizing the potential for loss of power to the remaining vital buses and restoring power to the affected vital bus.This 2 hour limit is more conservative than Completion Times allowed forthe vast majority of components that are without adequate vital AC power.Taking exception to LCO 3.0.2 for components without adequate vital AC power, that would have the Required Action Completion Times shorter than 2 hours if declared inoperable, is acceptable because of: The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) and not allowing stable operations to continue, The potential for decreased safety by requiring entry into numerous Applicable Conditions and Required Actions for components withoutadequate vital AC power and not provlding sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected train, and The potential for an event in conjunction with a single failure of a redundant component.The 2 hour Completion Time takes into account the importance to safety of restoring the AC vital bus to OPERABLE status, the redundantcapability afforded by the other OPERABLE vital buses, and the low probability of a DBA occurring during this period.a.b.c.Beaver Valley Units 1 and 2 B38.9-5 Revision 0 Distribution Systems - OperatingB 3.8.9 BASES ACTIONS (continued) The second Completion Time for Required Action B.1 establishes a limit on the maximum allowed for any combination of required distributionsubsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. lf Condition B is entered while, for instance, anAC bus is inoperable and subsequently returned OPERABLE, theLCO may already have been not met for up to 8 hours. This could lead toa total of 10 hours, since initial failure of the LCO, to restore the vital bus distribution system. At this time, an AC train could again become inoperable, and vital bus distribution restored OPERABLE. This couldconti nue indefinitely. This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time the LCO was initially not met,instead of the time Condition B was entered. The 16 hour CompletionTime is an acceptable limitation on this potential to fail to meet the LCO indefinitely. c.1 With one or more DC buses inoperable, and a loss of function has not yet occurred, the remaining DC electrical power distribution subsystems arecapable of supporting the minimum safety functions necessary to shutdown the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because asingle failure in the remaining DC electrical power distribution subsystem coufd result in the minimum required ESF functions not being supported.Therefore, the required DC buses must be restored to OPERABLE statuswithin 2 hours by powering the bus from the associated battery or charger.Condition C represents one or more DC buses wrthout adequate DC power; potentially both with the battery significantly degraded and the associated charger nonfunctioning. ln this situation, the unit is significantly more vulnerable to a complete loss of all DC power. lt is,therefore, imperative that the operator's attention focus on stabilizing theunii, minimizing the potential for loss of power to the remaining trains and restoring power to the affected train.This 2 hour limit is more conservative than Completion Times allowed for the vast majority of components that would be without power. Taking exception to LCO 3.0.2 for components without adequate DC power,which would have Required Action Completion Times shorter than 2 hours, is acceptable because of:Beaver Valley Units 1 and 2 B3.89-6Revision 0 Distribution Systems - Operating B 3.8.9 BASES ACTIONS (continued) a.b.The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) while allowing stable operations to continue, The potential for decreased safety by requiring entry into numerous applicable Conditions and Required Actions for components without DC power and not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring powerto the affected train, and The potential for an event in conjunction with a srngle failure of a redundant component.The 2 hour Completion Time for DC buses is consistent with Regulatory Guide 1.93 (Ref. 3). The second Completion Time for Required Action C.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable duringany single contiguous occurrence of failing to meet the LCO. lf Condition C is entered while, for instance, an AC bus is inoperable andsubsequently returned OPERABLE, the LCO may already have been notmet for up to 8 hours. This could lead to a total of 10 hours, since initial failure of the LCO, to restore the DC distribution system. At this time, an AC train could again become inoperable, and DC distribution restored OPERABLE. This could continue indefinitely. This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time the LCO was initially not met,instead of the time Condition C was entered. The 16 hour CompletionTime ls an acceptable limitation on this potential to fail to meet theLCO indefinitely.D.1 and D.2 ,lf the inoperable distribution subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must bebrought to a MODE in which the LCO does not apply. To achieve thisstatus, the unit must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable,based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging plant systems.c.Beaver Vatley Units 1 and 2 B 3.8.9 - 7Revision 0 Distribution Systems - OperatingB 3.8.9 BASES ACTIONS (continued) E.1Condition E corresponds to a level of degradation in the electrical power distribution system that causes a required safety function to be lost.When more than one inoperable electrical power distribution subsystemresults in the loss of a required function, the plant is in a condition outsidethe accident analysis. Therefore, no additional time is justified for continued operation. LCO 3.0.3 must be entered immediately tocommence a controlled shutdown.SURVEILLANCE SR 3.8.9.1 REQUIREMENTS This Surveillance verifies that the required AC, DC, and AC vital bus electrical power distribution systems are functioning properly, with thecorrect circuit breaker alignment. The correct breaker alignment ensures the appropriate separation and independence of the electrical divisions ismaintained, and the appropriate voltage is available to each required bus.The verification of correct voltage availability on the buses ensures that the required voltage is readily available for motive as well as controlfunctions for critical system loads connected to these buses. The 7 dayFrequency takes into account the redundant capability of the AC, DC, andAC vital bus electrical power distribution subsystems, and otherindications available in the control room that alert the operator to subsystem malfunctions. REFERENCES 2.3.1.UFSAR, Chapter 6. UFSAR, Chapter 14 for Unit 1 and Chapter 15 for Unit 2. Regulatory Guide 1 .93, December 1974.Beaver Valley Units 1 and 2 B3.89-8 Revision 0 Distribution Systems - OperatingB 3.8.9 Table B 3.8.9-1 (page 1 of 1)AC and DC Electrical Power Distribution Systems

• Each train of the AC and DC electrical power distribution systems is a subsystem.

Unit 1 Only Unit 2 Only (Orange)(Purple)(Orange)(Purple)TYPE VOLTAGETRAIN A-TRA]N B" TRAIN A-TRAIN B-AC emergency buses4160 V480 V 1AE 1N 1DF 1P 2AE 2N 2DF 2P DC buses125 V 1-1 1-3 1-2 1-4 2-1 2-3 2-2 2-4 AC vital buses120 V I ill 1l IV I il1 ll 1VBeaver Valley Units 1 and 2 B389-9 Distribution Systems - ShutdownB 3.8.10 B 3.8 ELECTRICAL POWER SYSTEMSB 3.8.10 Distribution Systems - Shutdown BASES BACKGROUND A description of the AC, DC, and AC vital bus electrical power distribution systems is provided in the Bases for LCO 3.8.9, "Distribution Systems -Operating." APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident and transient analyses in the UFSAR, Chapter 6 (Ref. 1) and Reference 2, assume Engineered Safety Feature (ESF) systems are OPERABLE. The AC, DC, and AC vital bus electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure theavailability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. The OPERABILITY of the AC, DC, and AC vital bus electrical power distrlbution system is consistent with the initial assumptions of theaccident analyses and the requirements for the supported systems'OPERABILITY. The OPERABILITY of the rninimum AC, DC, and AC vital bus electrical power distribution subsystems during MODES 5 and 6, and during movement of irradiated fuel assemblies or movement of fuel assemblies over irradiated fuel assemblies for Unit 1 or movement of recentlyirradiated fuel assemblies or movement of fuel assemblies over recentlyirradiated fuel assemblies for Unit 2 ensure that.The unit can be maintained in the shutdown or refueling conditionfor extended periods, Sufficient instrumentation and conirol capability is available for monitoring and maintaining the unit status, and Adequate power is provided to mitigate events postulated during shutdown, such as a fuel handling accident involving handling irradiated fuel (Unit 1). For Unit 2 only, due to radioactive decay, AC and DC electrical power is only required to mitigate fuel handlingaccidents involving handling recently irradiated fuel (i.e., fuel thathas occupied part of a critical reactor core within the previous 100 hours). ln future discussions, the term fuel assemblies will include "irradiated" and "recently irradiated" as applicable for each unit.The AC and DC electrical power distribution systems satisfy Criterion 3 of 10 CFR 50.36(c)(2xii) a.b.Beaver Valley Units 1 and 2 B 3.8.10 - 1Revision 0 Distribution Systems - Shutdown B 3.8.10 BASES LCO Various combinations of subsystems, equipment, and components are required OPERABLE by other LCOs, depending on the specific plant condition. lmplicit in those requirements is the required OPERABILITY of necessary support required features. This LCO explicitly requiresenergization of the portions of the electrical distribution system necessaryto support OPERABILITY of required systems, equipment, and components - all specifically addressed in each LCO and implicitly required via the definition of OPERABILITY. Maintaining these portions of the distribution system energized ensuresthe availability of sufficient power to operate the unit in a safe manner tomitigate the consequences of postulated events during shutdown (e.9.,fuel handling accidents involving handling fuel). APPLICABILITYThe AC and DC electrical power distribution subsystems required to be OPERABLE in MODES 5 and 6, and during movement of fuel assemblies, provide assurance that:a. Systems to provide adequate coofant inventory makeup are available for the irradiated fuel in the core,b. Systems needed to mitigate a fuel handling accident involvinghandling fuel are available,c. Systems necessary to mitigate the effects of events that can lead tocore damage during shutdown are available, and d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition and refueling condition.The AC, DC, and AC vital bus electrical power distribution subsystemsrequirements for MODES 1,2,3, and 4 are covered in LCO 3.8.9. ACTIONS LCO 3.0.3 is not applicable while in MODE 5 or 6. However, sinceirradiated fuel assembly movement can occur in MODE 1,2,3, or 4, theACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. lf moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. lf moving irradiated fuel assemblles while in MODE 1,2,3, or 4, the fuel movement is independent of reactor operations. Entering LCO 3.0.3, while in MODE 1 ,2,3, or 4 would require the unit to be shutdown unnecessarily.Beaver Valley Units 1 and 2 B3.8 10-2Revision 0 Distribution Systems - Shutdown B 3.8.10 BASES ACTIONS (continued) 4.1. 4.2.1. 4.2.2. A.2.3. A.2.4. A.2.5. and A.2.6 Although redundant required features may require redundant trains of electrical power distribution subsystems to be OPERABLE, oneOPERABLE distribution subsystem train may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS and fuel movement. By allowing the option to declare required featuresassociated with an inoperable distribution subsystem inoperabfe, appropriate restrictions are implemented in accordance with the affecteddistribution subsystem LCO's Required Actions. ln many instances, this option may involve undesired administrative efforts. Therefore, the alJowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of fuel assemblies, and operations involving positive reactivity additions that could result in loss of required SDM (MODE 5) or boron concentration (MODE 6). Suspending positivereactivity additions that could result in failure to meet the minimum SDMor boron concentration limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than what would be required in theRCS for minimum SDM or refueling boron concentration. This may resultin an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Introduction oftemperature changes including temperature increases when operating with a positive MTC must also be evaluated to ensure they do not result in a loss of required SDM.Suspension of these activities does not preclude completion of actions toestablish a safe conservative condition. These actions minlmize the probability of the occurrence of postulated events. lt is further required toimmediately initiate action to restore the required AC and DC electrical power distribution subsystems and to continue this action until restoration is accomplished in order to provide the necessary power to the unit safety systems. \Notwithstanding performance of the above conservative RequiredActions, a required residual heat removal (RHR) subsystem may be inoperable. ln this case, Required Actions A.2.1 through 4.2.5 do notadequately address the concerns relating to coolant circulation and heatremoval. Pursuant to LCO 3.0.6, the RHR ACTIONS would not be entered. Therefore, Required Action A.2.6 is provided to direct declaringRHR inoperable, which results in taking the appropriate RHR actions.The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the requireddistribution subsystems should be completed as quickly as possible in order to minimize the time the unit safety systems may be without power.Beaver Valley Units 1 and 2B 3 8.10 - 3Revision 0 Distribution Systems - ShutdownB 3.8.1 0 BASES SURVEILLANCE REQUIREMENTSsR 3.8.10.1This Surveillance verifies that the required AC, DC, and AC vital bus electrical power distribution subsystems are functioning properly, with allthe required buses energized. The verification of correct voltageavailability on the buses ensures that the required power is readily available for motive as well as control functions for critical system loadsconnected to these buses. The 7 day Frequency takes into account thecapability of the electrical power distribution subsystems, and other indications available in the control room that alert the operator to subsystem malfunctions. REFERENCES 1, 2.UFSAR, Chapter 6. UFSAR, Chapter 14 for Unit 1 and Chapter 15 for Unit 2.Beaver Valley Units 1 and 2B 3.8.10 - 4 Revision 0 Boron Concentration B 3.9.1 B 3.9 REFUELING OPERATIONS B 3.9.1 Boron Concentration BASES BACKGROUND The limit on the boron concentrations of the Reactor Coolant System (RCS), the refueling canal, and the refueling cavity during refueling ensures that the reactor remains subcritical during MODE 6. Refueling boron concentration is the soluble boron concentration in the coolant in each of these volumes having direct access to the reactor core during refueling. The soluble boron concentration offsets the core reactivity and is measured by chemical analysis of a representative sample of the coolant in each of the volumes. The refueling boron concentration limit is specified in the COLR. Plant procedures ensure the specified boron concentration maintains an overall core reactivity of k*x < 0.95 during fuel handling, with control rods and fuel assemblies assumed to be in the most adverse configuration (least negative reactivity) allowed by plant procedures. GDC 26 of 10 CFR 50, Appendix A, requires that two independent reactivity control systems of different design principles be provided (Ref. 1). One of these systems must be capable of holdlng the reactor core subcritical under cold conditions. The Chemical and Volume Control System (CVCS) is the system capable of maintaining the reactor subcritical in cold conditions by maintaining the boron concentration. The reactor is brought to shutdown conditions before beginning operations to open the reactor vessel for refueling. After the RCS is cooled and depressurized and the vessel head is unbolted, the head is slowly removed from the refueling cavity. The refueling canal and the refueling cavity are then flooded with borated water from the refueling water storage tank through the open reactor vessel by gravity feeding or by the use of the Low Head Safety lnjection System pumps.The pumping action of the Residual Heat Removal (RHR) System in the RCS and the natural circulation due to thermal driving heads in the reactor vessel and refueling cavity mix the added concentrated boric acid with the water in the refueling canal. The RHR System is in operationduring refueling (see LCO 3.9.4, "Residual Heat Removal (RHR) andCoolant Circulation - High Water Level," and LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation - Low Water Level") to provideforced circulation in the RCS and assist in maintaining the boron concentrations in the RCS, the refueling canal, and the refueling cavityabove the COLR limit.Beaver Valley Units 1 and 2B 3.9.1 - 1Revision 0 Boron ConcentrationB 3.9.1 BASES APPLICABLE SAFETY ANALYSESDuring refueling operations, the reactivity condition of the core iscontrolled by isolating unborated water sources and maintaining the required refueling boron concentration in the RCS. The boron concentration specified in the COLR for MODE 6 is an operatingrestriction necessary to maintain at least a 5% Aldk margin of safetyduring refueling. The resulting core reactivity is conservative for MODE 6.The boron concentration limit specified in the COLR is based on the core reactivity at the beginning of each fuel cycle (the end of refueling) and includes an uncertainty allowance.The required boron concentration and the plant refueling procedures that verify the correct fuel loading plan (including full core mapping) ensurethat the kg6 of the core will remain < 0.95 during the refueling operation. Hence, at least a 5o/o Ak/k margin of safety is established during refueling.During refueling, the water volume in the spent fuel pool, the transfercanal, the refueling canal, the refueling cavity, and the reactor vessel forma single mass. As a result, the soluble boron concentration is relatively the same in each of these volumes.The RCS boron concentration satisfies Criterion 2 of 10 CFR 50.36(c)(2xii). LCOThe LCO requires that a minimum boron concentration be maintained inthe RCS, the refueling canal, and the refueling cavity while in MODE 6.The boron concentration limit specified in the COLR ensures that a coreks6 of < 0.95 is maintained during fuel handling operations. Violation ofthe LCO could lead to an inadvertent criticafity during MODE 6.APPLICABILITY This LCO is applicable in MODE 6 to ensure that the fuel in the reactorvessel will remain subcritical. The required boron concentration ensures o k"tr < 0.95. Above MODE 6, LCO 3.1.1, "SHUTDOWN MARGIN (SDM)," ensures that an adequate amount rsf negative reactivity isavailable to shut down the reactor and maintain it subcritical. The Applicability is modified by a Note. The Note states that the limits onboron concentration are only applicabfe to the refueling canal and the refueling cavity when those volumes are connected (hydraulicallycoupled) to the RCS. When the refueling canal and the refueling cavityare isolated from the RCS, no potential path for boron dilution exists.Beaver Valley Units 1 and 2B 3.9.1 - 2Revision 0 Boron ConcentrationB 3.9.1 BASES ACTIONSA.1 and A.2Continuation of CORE ALTERATIONS or positive reactivity additions (including actions to reduce boron concentration) is contingent upon maintaining the unit in compliance with the LCO. lf the boronconcentration of any coolant volume in the RCS, the refueling canal, orthe refueling cavity is less than its limit, all operations involving CORE ALTERATIONS or positive reactivity additions must be suspended immediately.Suspension of CORE ALTERATIONS and positive reactivity additions shall not preclude moving a component to a safe position. Operationsthat individually add limited positive reactivity (e.9. temperaturefluctuations from inventory addition or temperature control fluctuations),but when combined with all other operations affecting core reactivity (e.g., intentional boration) result in overall net negative reactivity addition, are not precluded by this action. 4.3 ln addition to immediately suspending CORE ALTERATIONS and positive reactivity additions, boration to restore the concentration must beinitiated immediately. ln determining the required combination of boration flow rate andconcentration, no unique Design Basis Event must be satisfied. The onlyrequirement is to restore the boron concentration to its required value assoon as possible. In order to raise the boron concentration as soon as possible, the operator should begin boration with the best sourceavailable for unit conditions. Once actions have been initiated, they must be continued until the boronconcentration is restored. The restoration time depends on the amount ofboron that must be injected to reach the required concentration. SURVEILLANCE SR 3.9.1 .1 REQUIREMENTS This SR ensures that the coolant boron concentration in the RCS, and connected portions of the refueling canal and the refueling cavity, is withinthe COLR limits. The boron concentration of the coolant in each requiredvolume is determined periodically by chemical analysis. Prior to reconnecting portions of the refueling canal or the refueling cavity to the RCS, this SR must be met per SR 3.0.1, lf any dilution activity has occurred while the cavity or canal were disconnected from the RCS, thisSR ensures the correct boron concentration prior to communication withthe RCS.Beaver Valley Units 1 and 2B 3.9.1 - 3Revision 0 Boron ConcentrationB 3.9.1 BASES SURVEILLANCE REQUIREMENTS (continued)A minimum Frequency of once every 72 hours is a reasonable amount oftime to verify the boron concentration of representative samples. The Frequency is based on operating experience, which has shown 72 hoursto be adequate. REFERENCES 1.Unit 1 UFSAR, Appendix 1A, "1971 AEC General Design Criteria Conformance." Unit 2 UFSAR, Section 3.1, "Conformance with NRC General Design Criteria." Beaver Valley Units 1 and 2 B 3.9.1 - 4Revision 0 Nuclear I nstru mentationB 3.9.2 B 3.9 REFUELING OPERATIONS B 3.9.2 BASESNuclea r I nstrumentation BACKGROUND The source range neutron flux monitors are used during refuelingoperations to monitor the core reactivity condition. The installed or primary source range neutron flux monitors are part of the Nuclear lnstrumentation System (NlS). These detectors are located external to the reactor vessel and detect neutrons leaking from the core.The primary source range neutron flux monitors are boron-baseddetectors operating in the proportional region of the gas filled detector characteristic curve. The detectors monitor the neutron flux in counts persecond. The instrument range covers six decades of neutron flux (1E+6 cps). The detectors also provide continuous visual indication in the control room. The NIS is designed in accordance with the criteria presented in Reference 1. In addition to the primary source range monitors described above,alternate source range monitors may be used to meet the LCO requirement. The alternate monitors may be either installed sparedetectors or portable monitors with sufficient sensitivity to adequatelymonitor reactivity changes in the core during refueling operations. APPLICABLE SAFETY ANALYSES Two OPERABLE source range neutron flux monitors (primary oralternate) are required to provide a signal to alert the operator to unexpected changes in core reactivity such as an improperly loaded fuel assembly. The Technical Specifications require that unborated watersources be isolated in MODES 4, 5, and 6. The requirement to isolateunborated water sources is considered to preclude a boron dilutionaccident. Therefore, no boron dilution accident analysis is necessary forthese MODES. The source range neutron flu* tonitors satisfy Criterion 3 of 10 CFR 50 36(c)(2xii). LCOThis LCO requires that two source range neutron flux monitors be OPERABLE to ensure that redundant monitoring capability is available to detect changes in core reactivity. The LCO may be met by using anycombination of primary or alternate source range monitors. To be OPERABLE, each monitor must provide continuous visual indication inthe control room.Beaver Valley Units 1 and 2 B 3.9.2 - 1Revision 0 Nuclear I nstrumentationB 3.9.2 BASES APPLICABILITY ln MODE 6, the source range neutron flux monitors must be OPERABLE to determine changes in core reactivity. There are no other direct means available to check core reactivity levels. In MODES 2, 3, 4, and 5, the primary source range detectors and circuitry are also required to be OPERABLE by LCO 3.3.1, "Reactor Trip System (RTS) Instrumentation." In addition, one source range detector is required to be OPERABLE inMODES 3,4, and 5 when afl rods are fully inserted and without rod withdrawal capability by LCO 3.3.8, "Boron Dilution Detection lnstrumentation. " ACTIONS A.1 and A.2With only one source range neutron ffux monitor OPERABLE,redundancy has been lost. Since these instruments are the only direct means of monitoring core reactivity conditions, CORE ALTERATIONSand introduction of coolant into the RCS with boron concentration less than required to meet the minimum boron concentration of LCO 3.9.1must be suspended immediately. Suspending positive reactivity additions that could result in failure to meet the minimum boron concentration limit is required to assure continued safe operation. Introduction of coolant inventory must be from sources that have a boron concentration greater than that which would be required in the RCS for minimum refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. Performance of Required Action A.1 shall not preclude completion of movement of a component to a safe position.8.1With no source range neutron flux monitor OPERABLE, action to restorea monitor to OPERABLE status shall be initiated immediately. Once initiated, action shall be continued until a source range neutron fluxmonitor is restored to OPERABLE status.8.2 With no source range neutron flux monitor OPERABLE, there are no direct means of detecting changes in core reactivity. However, since CORE ALTERATIONS and positive reactivity additions are not to be made (as specified in Required Actions A.1 and A.2), the core reactivity condition is stabilized until the source range neutron flux monitors are OPERABLE. This stabilized condition is determined by performingSR 3.9.1 .1 to ensure that the required boron concentration exists.Beaver Valley Units 1 and 2 B 3.9.2 - 2Revision 0 Nuclear lnstrumentationB 3.9.2 BASESACTIONS (continued) The Completion Time of once per 12 hours is sufficient to obtain andanalyze a reactor coolant sample for boron concentration and ensuresthat unplanned changes in boron concentration would be identified. The 12 hour Frequency is reasonable, considering the low probability of a change in core reactivity during this time period.SURVEILLANCE REQUIREMENTSsR 3.9.2.1SR 3.9.2.1 is the performance of a CHANNEL CHECK, which is a comparison of the parameter indicated on one channel to a similar parameter on other channels. lt is based on the assumption that the two indication channels should be consistent with core conditions. Changesin fuel loading and core geometry can result in significant differencesbetween source range channels, but each channel should be consistent with its local conditions.The Frequency af 12 hours is consistent with the CHANNEL CHECK Frequency specified similarly for the same instruments in LCO 3.3.1.sR 3.9.2.2SR 3.9.2.2 is the performance of a CHANNEL CALIBRATION every18 months. This SR is modified by a Note stating that neutron detectorsare excluded from the CHANNEL CALIBRATION. The calibration methodfor neutron detectors is specified in the Bases of LCO 3.3.1, "Reactor Trip System (RTS) lnstrumentation." The 18 month Frequency is based on the need to perform this Surveillance under the conditions that applyduring a plant outage. However, this does not preclude performance ofthis Surveillance at power when it can be accomplished in a safe manner.Operating experience has shown these components usually pass the Surveillance when performed at the 18 month Frequency. REFERENCES

1. Unit 1 and Unit 2 UFSAR Section 7.Beaver Valley Units 1 and 2B 3.9.2 - 3Revision 0 Conta inment Penetrations B 3.9.3 B 3.9 REFUELING OPERATIONS B 3.9.3 Containment Penetrations BASES BACKGROUNDDuring movement of fuel involving recently irradiated fuel assemblies within containment, a release of fission product radioactivity within containment will be restricted from escaping to the environment when the LCO requirements are met. In MODES 1,2,3, and 4, restricting therefease of radioactivity from containment is accomplished by maintainingcontainment OPERABLE as described in LCO 3.6.1, "Containment." In MODE 6, the potential for containment pressurization as a result of an accident is not likely; therefore, requirements to isolate the containmentfrom the outside atmosphere can be less stringent.

The LCO requirements are referred to as "containment closure" rather than"containment OPERABILITY." Containment closure means that all potential escape paths are closed or capable of being closed. Since there is no potential for containment pressurization, the Appendix J leakage criteria and tests are not required.The containment serves to contain fission product radioactivity that may be released from the reactor core following an accident, such that offsiteradiation exposures are maintained within the requirements of 10 CFR 50.67. Additionally, the containment provides radiation shieldingfrom the fission products that may be present in the containment atmosphere following accident conditions.The containment equipment hatch, which is part of the containment pressure boundary, provides a means for moving large equipment and components into and out of containment. During movement of fuelinvolving recently irradiated fuel assemblies within containment, the equipment hatch must be held in place by at least four bolts. Good engineering practice dictates that the bolts required by this LCO be approximately equally spaced.The containment air locks, which are also part of the containment pressure boundary, provide a means for personnel access during MODES 1,2,3, and 4 unit operation in accordance with LCO 3.6.2,"Containment Air Locks." Each air lock has a door at both ends. Thedoors are normally interlocked to prevent simultaneous opening whencontainment OPERABILITY is required. During periods of unit shutdownwhen containment closure is not required, the door interlock mechanismmay be disabled, allowing both doors of an air lock to remain open for extended periods when frequent containment entry is necessary. Duringmovement of recently irradiated fuel assemblies or the movement of fuelassemblies over recently irradiated fuel assemblres within containment,containment closure is required; therefore, the door interlock mechanismmay remain disabfed, but one air lock door must always remain closed.Beaver Valley Units 1 and 2B 3.9.3 - 1 Revision 0 Contai n ment PenetrationsB 3.9.3 BASES BACKGROU N D (continued)The requirements for containment penetration closure ensure that arelease of fission product radioactivity within containment will be restricted to within regulatory limits.The Containment Purge and Exhaust System includes a 42 inch purge penetration and a 42 inch exhaust penetration. During MODES 1,2,3,and 4, the two valves in each of the purge and exhaust penetrations are secured in the closed position. The Containment Purge and Exhaust System is not subject to a Specification in MODE 5.ln MODE 6, the Containment Purge and Exhaust System is used for contai n ment ventilation.The radiation monitors associated with the Unit 1 Containment Purge and Exhaust System are not mounted in a seismically qualified ventilation duct. Therefore, Unit 1 can not credit containment isolation whennecessary to mitigate the radiological consequences of a design basesfuel handling accident. Unit 1 must rely on filtration of the purge exhaustby an OPERABLE Supplemental Leak Collection and Release System (SLCRS) filter train.The Unit 2 Containment Purge and Exhaust System credits containmentisolation when necessary to mitigate the radiological consequences of adesign bases fuel handling accident. The limit placed on the containment purge and exhaust flow (7500 cfm) ensures the Unit 2 purge and exhaustisolation valves close before any radioactivity is released from containment. The other containment penetrations that provide direct access fromcontainment atmosphere to outside atmosphere must be isolated on at least one side. lsolation may be achieved by an OPERABLE automaticisolation valve, or by a manual isolation valve, blind flange, or equivalent. Functionally equivalent isolation methods must be approved by anengineering evaluation and may include use of a material that can providea temporary, atmospheric pressure, ventilation barrier for the other containment penetrations during recently irradiated fuel movements and the movement of fuel assemblies over recently irradiated fuel assemblies (Reference 1).Beaver Valley Units 1 and 2 B 3.9.3 - 2 Revision 0 Contai n ment PenetrationsB 3.9.3 BASES APPLICABLE SAFETY ANALYSESDuring refueling operations, the postulated event that results in the mostsevere radiological consequences is a fuel handling accident (Ref. 2).The limiting fuel handling accident analyzed in Reference 2, includes dropping a single irradiated fuel assembly and handling tool (conservatively estimated at 2500 pounds) directly onto another irradiated fuel assembly resulting in both assemblies being damaged. The analysis assumes a 100 hour decay time prior to moving irradiated fuel. The applicable limits for offsite and control room dose from a fuel handling accident are specified in 10 CFR 50.67. Standard Review Plan, Section 15.0.1 , Rev 0 (Ref. 3) provides an additional offsite dose criteriaof 6.3 rem total effective dose equivalent (TEDE) for fuel handling accidents.The water level requirements of LCO 3.9.6, "Refueling Cavity Water Level," in conjunction with a minimum decay time of 100 hours prior to irradiated fuel movement, ensure that the resulting offsite and control room dose from the limiting fuel handling accident is within the limits required by 10 CFR 50.67 and within the acceptance criteria of Reference 3 without the need for containment closure.Therefore, the containment closure requirements of LCO 3.9.3,"Containment Penetrations," are only applicable during refuelingoperations involving recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours). Current requirements based on the decay time of the fuel prevent the movement of recently irradiated fuel. However, the requirements for containment closure are retained in the Technical Specifications in case these requirements are necessary to support fuel movement involving recently irradiated fuel consistent with the guidance of Reference 4. Containment penetrations satisfy Criterion 3 of 10 CFR 50.36(c)(2Xii). LCO This LCO limits the consequences of a fuel handling accident involving handling recently irradiated fuel in containment by limiting the potential escape paths for fission product radioactivity released within containment. The LCO requires any penetratron providing direct access from the containment atmosphere to the outside atmosphere to be closed except for the OPERABLE containment purge and exhaust penetrations which may be open if the exhaust airflow is lined up to an OPERABLE SLCRS train (Unit 1) or capable of being closed by an OPERABLE Containment Purge and Exhaust lsolation System (Unit 2).For Unit 2, an OPERABLE Containment Purge and Exhaust lsolationSystem includes purge and exhaust valves that isolate within the required time and a purge exhaust flow that is within the required limit. The Unit 2Beaver Valley Units 1 and 2B 3.9.3 - 3 Revision 0 Contain ment PenetrationsB 3.9.3 BASES LCO (continued) purge and exhaust valve isolation time and purge exhaust flow requirements provide assurance that, in the event of a limiting fuelhandling accident, the purge and exhaust penetrations will be isolated prior to the resulting radioactivity being released from containment. For the OPERABLE containment purge and exhaust penetrations forUnit 2, this LCO ensures that these penetrations are isolable by theContainment Purge and Exhaust lsolation System and for Unit 1 that the purge exhaust is lined up to an OPERABLE SLCRS train when movingrecently irradiated fuel and during movement of fuel assemblies overrecently irradiated fuel assemblies. The OPERABILITY requirements forthis LCO ensure that the Unit 2 automatic purge and exhaust valveclosure times specified in the Licensing Requirements Manual (LRM) canbe achieved and, therefore, meet the assumptions used in the safetyanalysis to ensure that releases through the valves are prevented, or for Unit 1, that the releases are filtered such that radiological doses are within the acceptance limit. APPLICABILITY The containment penetration requirements are applicable duringmovement of recently irradiated fuel assemblies or the movement of fuelassemblies over recently irradiated fuel assemblies within containment because this is when there is a potential for the limiting fuel handling accident. In MODES 1 ,2,3, and 4, containment penetration requirements are addressed by LCO 3.6.1, "Containment Operability" andLCO 3.6.3, "Containment lsolation Valves." ln MODES 5 and 6, whenmovement of irradiated fuel assemblies within containment is not beingconducted, the potential for a fuel handling accident does not exist. Additionally, due to radioactive decay, a fuel handling accident that doesnot involve recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 100 hours) will result in doses that are well within the guideline values specified in 10 CFR 50.67 evenwithout containment closure capability. Therefore, under these conditionsno requirements are placed on containment penetration status.Although movement of recently irradiated fuel is not currently permitted,the requirements for containment closure are retained in the TechnicalSpecifications in case these requirements are necessary to support fuel movement involving recently irradiated fuel consistent with the guidanceof Reference 4. Beaver Valley Units I and 2B 3.9.3 - 4Revision 0 Contain ment PenetrationsB 3.9.3 BASES ACTIONSA.1 and A.2 lf the containment equipment hatch, air locks, or any containment penetration that provides direct access from the containment atmosphereto the outside atmosphere is not in the required status, including theUnit 2 Containment Purge and Exhaust lsolation System not capable ofautomatic actuation when the purge and exhaust valves are open or theUnit 1 purge exhaust not lined up to an OPERABLE SLCRS train, the unit must be placed in a condition where the isolation or filtration function isnot needed. This is accomplished by immediately suspending movementof recently irradiated fuel assemblies and the movement of any fuel assemblies over recently irradiated fuel assemblies within containment. Performance of these actions shall not preclude completion of movement of a component to a safe position.SURVEILLANCE SR 3.9.3.1 REQUIREMENTS The Surveillance requires that the Unit 2 containment purge exhaust flowrate be verified to be < 7500 cfm. The Surveillance is necessary to verify the Containment Purge and Exhaust lsolation System is OPERABLE. LCO 3.9.3.c.2 requires that the containment purge and exhaust penetrations are capable of being isolated by an OPERABLEContainment Purge and Exhaust lsolation System. Verifying the purgeexhaust flow is within the limit provides assurance that, in the event of alimiting fuel handling accident, the purge and exhaust penetrations will be isolated prior to the resulting radioactivity being released from containment. The Surveillance is performed every 24 hours during refueling operationsinside containment involving recently irradiated fuel when an OPERABLEContainment Purge and Exhaust lsolation System is required byLCO 3.9.3.c.2. The Frequency of 24 hours has been shown to be adequate by operating experience to verify the purge exhaust airflow ismaintained within the required limit.The Surveillance is modified by two Notes that specify the Surveillance isonly applicable to Unit 2 and that the Surveillance is only required to bemet when the containment purge and exhaust is operating in accordancewith LCO 3.9.3.c.2. The Surveillance is only applicable to Unit 2 because Unit 1 does not credit purge and exhaust isolation and rnstead relies onfiltration of the purge exhaust flow.sR 3.9.3.2This Surveillance demonstrates that each of the containment penetrationsrequired to be in its closed position is in that position. The Surveillanceon the open Unit 2 purge and exhaust valves will demonstrate that the Beaver Valley Units 1 and 2B 3.9,3 - 5 Revision 0 Containment PenetrationsB 3.9.3 BASES SURVEILLANCE REQUI REMENTS (continued) valves are not blocked from closing and that each valve operator has motive power, which will ensure that each valve is capable of being closed by an OPERABLE automatic containment purge and exhaust isolation signal. The Surveillance on the open Unit 1 purge and exhaustvalves will confirm that the purge exhaust is lined up to an OPERABLE SLCRS filtration train.The Surveillance is performed every 7 days during movement of recentlyirradiated fuel assemblies within containment and the movement of any fuel assemblies over recently irradiated fuel assemblies. TheSurveillance interval is adequate considering the procedural andadministrative controls in place to ensure the containment penetrations are maintained in the required status during refueling operations involvingrecently irradiated fuel, As such, this Surveillance ensures that a postulated fuel handling accident involving handling recently irradiated fuel that releases fission product radioactivity within the containment willnot result in a release of significant fission product radioactivity to the environment in excess of those recommended by Standard Review Plan Section 15.0.1 (Reference 3).sR 3.9.3.3 This Surveillance demonstrates that each Unit 2 containment purge and exhaust valve actuates to its isolation position on manual initiation and on an actual or simulated high radiation signal. The 18 month Frequency maintains consistency with other similar ESFAS instrumentation andvalve testing requirements. The Unit 2 LCO 3.3.6, for the containment purge and exhaust isolation instrumentation requires a CHANNEL CHECK every 12 hours and a COT every 92 days to ensure the channel OPERABI LITY during refueling operations involving recently irradiated fuel assemblies. lt also requires that every 18 months a CHANNEL CALIBRATION is performed. These Surveillances ensure that the valvesare capable of closing afte a postulated fuel handling accident involvinghandling recently irradiated fuel to limit a release of fission productradioactivity from the containment. The SR is modified by two Notes stating that this Surveillance is onlyapplicable to Unit 2 and that this Surveillance is not required to be met forvalves in isolated penetrations. The LCO provides the option to close penetrations in lieu of requiring automatic actuation capability. The Surveillance is not applicable to Unit 1 because Unit 1 does not credit purge and exhaust isolation and relies on filtration instead.Beaver Vaf ley Units 1 and 2 B 3.9.3 - 6Revision 0 Contain ment PenetrationsB 3.9.3 BASESSURVEI LLANCE REQU IREMENTS (continued)sR 3.9.3.4The Surveillance requires that the Unit 2 containment purge and exhaustvalve isolation time be verified within the limit. The required isolation timefor the containment purge and exhaust valves is specified in the LRM.The Surveillance is necessary to verify the Containment Purge andExhaust lsolation System is OPERABLE. LCO 3.9.3.c.2 requires that the containment purge and exhaust penetrations are capable of being isolated by an OPERABLE Containment Purge and Exhaust lsolation System. Verifying the purge and exhaust valve isolation time is within the limit provides assurance that, in the event of a limiting fuel handlingaccident, the purge and exhaust penetrations will be isolated prior to theresulting radioactivity being released from containment. The Surveillance is performed every 18 months during refuelingoperations inside containment involving recently irradiated fuel when anOPERABLE Containment Purge and Exhaust lsolation System is required by LCO 3.9.3.c.2. The Frequency of 18 months is adequate to verify the purge exhaust valve isolation time is maintained within the required limit. The Surveillance is modified by two Notes that specify the Survelllance isonly applicable to Unit 2 and that the Surveillance is only required to bemet when the containment purge and exhaust is operating in accordancewith LCO 3.9.3,c.2. The Surveillance is only applicable to Unit 2 because Unit 1 does not credit purge and exhaust isolation and instead relies onfiltration of the purge exhaust flow.REFERENCES 2.1.GPU Nuclear Safety Evaluation SE-0002000-001, Rev. 0,May 20, 1 988.UFSAR, Section 14.2.1 (Unit 1) andUFSAR, Section 15.7.4 (Unit 2).NUREG-0800, Section 15.0.1 , Rev. 0, July 2000.NUREG- 1431, "Standard Technical Specifications for Westinghouse Plants," Rev. 2, April 2OO1 . 3.4.Beaver Valley Units 1 and 2B 3.9.3 - 7 Revision 0 RHR and Coolant Circulation - High Water LevelB 3.9.4 B 3.9 REFUELING OPERATIONS B 3.9.4 Residual Heat Removal (RHR) and Coolant Circulation - High Water Level BASES BACKGROUND The purpose of the RHR System in MODE 6 is to remove decay heat and sensible heat from the Reactor Coolant System (RCS), as required by GDC 34, to provide mixing of borated coolant and to prevent boron stratification (Ref. 1). Heat is removed from the RCS by circulating reactor coolant through the RHR heat exchanger(s), where the heat istransferred to the Component Cooling Water System. The coolant is thenreturned to the RCS via the RCS cold leg(s). Operation of the RHRSystem for normal cooldown or decay heat removal is manually accomplished from the control room. The heat removal rate is adjusted by controlling the flow of reactor coolant through the RHR heatexchanger(s) and the bypass. Mixing of the reactor coolant is maintained by this continuous circulation of reactor coolant through the RHR System.APPLICABLE SAFETY ANALYSES lf the reactor coolant temperature is not maintained below 200"F, boilingof the reactor coolant could result. This could lead to a loss of coolant in the reactor vessel. Additionally, boiling of the reactor coolant could lead to a reduction in boron concentration in the coolant due to boron platingout on components near the areas of the boiling activity. The loss ofreactor coolant and the reduction of boron concentration in the reactorcoolant would eventually challenge the integrity of the fuel cladding, which is a fission product barrier. One train of the RHR System is required to be operational in MODE 6, with the water level >23 ft above the top of thereactor vessel flange, to prevent this challenge. The LCO does permit the RHR pump to be removed from operation for short durations, under thecondition that the boron concentration is not diluted. This conditionalstopping of the RHR pump does not result in a challenge to the fission product barrier.The RHR System satisfies Criterion 4 of 10 CFR 50.36(c)(2xii). , LCOOnly one RHR loop is required for decay heat removal in MODE 6, withthe water level > 23 ft above the top of the reactor vessel flange. Only one RHR loop is required to be OPERABLE, because the volume of water above the reactor vessel flange provides backup decay heatremoval capability. At least one RHR loop must be OPERABLE and inoperation to provide: Removal of decay heat,Mixing of borated coolant to minimize the possibility of criticality, and lndication of reactor coolant temperature. a.b.C.Beaver Valley Units 1 and 2 B 3.9.4 - 1 Revision 0 RHR and Coolant Circulation - High Water LevelB 3.9.4 BASES LCO (continued) An OPERABLE RHR loop includes an RHR pump, a heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path and to determine the RCS temperature. The normal recirculation flow path starts in one of the RCS hot legs and is returned to the RCScold legs. The LCO is modified by two Notes. Notes 1 and 2 allow the required operating RHR loop to be removed from operation for up to t hour per8 hour period or up to 4 hours per 8 hour period, provided no operations are permitted that would dilute the RCS boron concentration by the introduction of coolant into the RCS with boron concentration less than required to meet the minimum boron concentration of LCO 3.9.1. Boronconcentration reduction with coolant at boron concentrations less than required to assure the RCS boron concentration is maintained is prohibited because uniform concentration distribution cannot be ensured without forced circulation. The one hour allowance permits operations such as core mapping or alterations in the vicinity of the reactor vessel hot leg nozzles and RCS to RHR isolation valve testing. The four hourallowance is used solely for the performance of ultrasonic inserviceinspection inside the reactor vessel nozzles. During the time the RHR is not in operation, decay heat is removed by natural convection to the large mass of water in the refueling cavity. APPLICABILITYOne RHR loop must be OPERABLE and in operation in MODE 6, with the water level > 23 ft above the top of the reactor vessel flange, to provide decay heat removal. The 23 ft water level was selected because itcorresponds to the 23 ft requirement established for fuel movement in LCO 3.9.6, "Refueling Cavity Water Level." Requirements for the RHRSystem in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS). RHR loop requirements in MODE 6 with thewater level < 23 ft are located in LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation - Low Water Level." ACTIONSRHR loop requirements are met by having one RHR loop OPERABLEand in operation, except as permitted in the Notes to the LCO.4.1 lf RHR loop requirements are not met, there be no forced circulation to provide mixing to establish uniform boron concentrations. Suspending positive reactivity additions that could result in failure to meet theminimum boron concentration limit is required to assure continued safeoperation. lntroduction of coolant inventory must be from sources that have a boron concentration greater than what would be required in the Beaver Valley Units 1 and 2B 3.9.4 - 2Revision 0 RHR and Coolant Circulation - High Water LevelB 3.9.4 BASES ACTIONS (continued)RCS for minimum refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. 4.2lf RHR loop requirements are not met, actions shall be taken immediately to suspend loading of irradiated fuel assemblies in the core. With no forced circulation cooling, decay heat removal from the core occurs by natural convection to the heat sink provided by the water above the core.A minimum refueling water level of 23 ft above the reactor vessel flange provides an adequate available heat sink. Suspending any operation thatwould increase decay heat load, such as loading a fuel assembly, ls a prudent action under this condition. A.3lf RHR loop requirements are not met, actions shall be initiated and continued in order to satisfy RHR loop requirements. With the unit inMODE 6 and the refueling water level >23 ft above the top of the reactorvessel flange, corrective actions shall be inltiated immediately.A.4. A.5. 4.6.1. and 4.6.2lf no RHR is in operation, the following actions must be taken:The equipment hatch must be closed and secured with four bolts,One door in each installed air lock must be closed, and Each penetration providing direct access from the containmentatmosphere to the outside atmosphere must be either closed by a manual or automatic isolation valve, blind flange, or equivalent, or verified to be capable of being closed by an OPERABLE Containment Purge and Exhaust lsolation System. The safetyfunction of the Containment Purge and Exhaust fsolation Systemrequired for OPERABILITY of the system in order to satisfy Action A.6.2 consists of the capability to close at least one isolation valve in each penetration by either automatic actuation on high radiation ormanually from the control room.With RHR loop requirements not met, the potential exists for the coolantto boil and release radioactive gas to the containment atmosphere.Performing the actions described above ensures that all contalnment penetrations are either closed or can be closed so that the dose limits are not exceeded.a.b.c.Beaver Valley Units 1 and 2 B 3.9.4 - 3 Revision 0 RHR and Coolant Circulation - High Water LevelB 3.9.4 BASES ACTIONS (continued) The Completion Time of 4 hours allows fixing of most RHR problems andis reasonable, based on the low probability of the coolant boiling ln that time.SURVEILLANCE SR 3.9.4.1 REQUIREMENTS This Surveillance verifies that the RHR loop is circulating reactor coolantat the specified flow rate of > 3,000 gpm. The verification of the specified flow rate provides additional assurance of adequate forced circulation and mixing of the RCS during operations involving the addition of coolant into the RCS with a boron concentration that is less than required to maintain the required SHUTDOWN MARGIN. The Surveillance is modified by a Note that specifies the conditions under which the Surveillance is required to be met. The Note states that the Surveillance is only required to be met prior to the start of (i.e., within an hour before) and during operations that cause the introduction of coolant into the RCS with boron concentration less than that required to meet theminimum required boron concentration of LCO 3.9.1. The Frequency of one hour ensures the required RHR flow is maintained during the specified operations and has been shown to be adequate by operating experience. sR 3.9.4.2 This Surveillance demonstrates that the RHR loop is in operation andcirculating reactor coolant. Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal and to prevent thermal and boron stratification in the core. The Frequency of 12 hours is sufficient considering other indications and alarms availabfe to the operator in the control room to monitor RHR loop performance. , REFERENCES 1.Unit 1 UFSAR, Appendix 1A, "1971 AEC General Design CriteriaConformance." Unit 2 UFSAR, Section 3.1, "Conformance with NRC General Design Criteria."Beaver Valfey Units 1 and 2 B 3.9.4 - 4 Revision 0 RHR and Coolant Circulation - Low Water Level B 3.9.5B 3.9 REFUELING OPERATIONSResidual Heat Removal (RHR) and Coolant Circulation - Low Water Level B 3.9.5 BASES BACKGROUND The purpose of the RHR System in MODE 6 is to remove decay heat and sensible heat from the Reactor Coolant System (RCS), as required by GDC 34, to provide mixing of borated coolant, and to prevent boron stratification (Ref. 1). Heat is removed from the RCS by circulating reactor coolant through the RHR heat exchangers where the heat is transferred to the Component Cooling Water System. The coolant is then returned to the RCS via the RCS cold leg(s). Operation of the RHR System for normal cooldown decay heat removal is manually accomplished from the control room. The heat removal rate is adjusted by controlling the flow of reactor coolant through the RHR heat exchange(s) and the bypass lines. Mixing of the reactor coolant is maintained by this continuous circulation of reactor coolant through the RHR System.APPLlCABLE SAFETY ANALYSES lf the reactor coolant temperature is not maintained below 200'F, boiling of the reactor coolant could result. This could lead to a loss of coolant in the reactor vessel. Additionally, boiling of the reactor coolant could lead to a reduction in boron concentration in the coolant due to the boron plating out on components near the areas of the boiling activity. The lossof reactor coolant and the reduction of boron concentration in the reactor coolant will eventually challenge the integrity of the fuel cladding, which isa fission product barrier. Two trains of the RHR System are required to be OPERABLE, and one train in operatibn, in order to prevent this challenge.The RHR System satisfies Criterion 4 of 10 CFR 50.36(c)(2xii). LCO ln MODE 6, with the water level < 23 ft above the top of the reactor vesselflange, both RHR loops must be OPERABLE. Additionally, one loop ofRHR must be in operation in order to provide.a. Removal of decay heat,b. Mixing of borated coolant to minimize the possibility of criticality, and c. lndication of reactor coolant temperature.This LCO is modified by two Notes. Note 1 permlts the RHR pumps to beremoved from operation for < 15 minutes when switching from one train to another.Beaver Valley Units 1 and 2 B 3.9.5 - 1Revision 0 RHR and Coofant Circulation - Low Water LevelB 3.9.5 BASES LCO (continued)The circumstances for stopping both RHR pumps are to be limited to situations when the outage time is short and the core outlet temperatureis maintained > 10 degrees F below saturation temperature. The Note prohibits boron dilution or draining operations when RHR forced flow is stopped.Note 2 allows one RHR loop to be inoperable for a period of 2 hours provided the other loop is OPERABLE and in operation. Prior todeclaring the loop inoperable, consideration should be given to the existing plant configuration. This consideration should include that thecore time to boil is short, there is no draining operation to further reduceRCS water level and that the capability exists to inject borated water intothe reactor vessel. This permits surveillance tests to be performed on the inoperable loop during a time when these tests are safe and possible.An OPERABLE RHR loop consists of an RHR pump, a heat exchanger, valves, piping, instruments and controls to ensure an OPERABLE flow path and to determine the RCS temperature. The normal recirculation flow path starts in one of the RCS hot legs and is returned to the RCS cold legs.Both RHR pumps may be aligned to the refueling water storage tank tosupport draining the refueling cavity or for performance of required testing.APPLICABILITY Two RHR loops are required to be OPERABLE, and one RHR foop mustbe in operation in MODE 6, with the water level < 23 ft above the top ofthe reactor vessel flange, to provide decay heat removal. Requirements for the RHR System in other MODES are covered by LCOs inSection 3.4, Reactor Coolant System (RCS). RHR loop requirements inMODE 6 with the water level >23 ft are located in LCO 3.9.4, "ResidualHeat Removal (RHR) and Coolant Circulation - High Water Level."Beaver Valley Units 1 and 2B 3.9.5 - 2 Revision 0 RHR and Coolant Circulation - Low Water LevelB 3.9.5 BASES ACTIONS A.1 and A.2lf less than the required number of RHR loops are OPERABLE, actionshall be immediately initiated and continued until the RHR loop is restoredto OPERABLE status and to operation or until > 23 ft of water level isestablished above the reactor vessel flange. When the water level is>23 ft above the reactor vessel flange, the Applicability changes to that of LCO 3.9.4, and only one RHR loop is required to be OPERABLE and inoperation. An immediate Completion Time is necessary for an operatorto initiate corrective actions.8.1lf no RHR loop is in operation, there will be no forced circulation to provide mixing to establish uniform boron concentrations. Suspending positive reactivity additions that could result in failure to meet the minimum boron concentration limit is required to assure continued safe operation. lntroduction of coolant inventory must be from sources that have a boron concentration greater than what would be required in theRCS for minimum refueling boron concentration. This may result in an overall reduction in RCS boron concentration, but provides acceptable margin to maintaining subcritical operation. 8.2lf no RHR loop is in operation, actions shall be initiated immediately, andcontinued, to restore one RHR loop to operation. Since the unit is inConditions A and B concurrently, the restoration of two OPERABLE RHR loops and one operating RHR loop should be accomplished expeditiously.8.3, 8.4, B.5.1 . and 8.5.2lf no RHR is in operation, the following actions must be taken:

a. The equipment hatch must be closed and secured with four bolts,b. One door in each installed air lock must be closed, andc. Each penetration providing direct access from the containment atmosphere to the outside atmosphere must be either closed by a manual or automatic isolation valve, blind flange, or equivalent, or verified to be capable of being closed by an OPERABLE Containment Purge and Exhaust lsolation System. The safety function of the Containment Purge and Exhaust lsolation System required for OPERABILITY of the system in order to satisfyBeaver Valley Units 1 and 2B 3.9.5 - 3 Revision 0 RHR and Coolant Circulation - Low Water Level B 3.9.5 BASES LCO (continued)

Action B.5.2 consists of the capability to close at least one isolationvalve in each penetration by either automatic actuation on high radiation or manually from the control room.With RHR loop requirements not met, the potential exists forthe coolantto boil and release radioactive gas to the containment atmosphere. Performing the actions stated above ensures that all containment penetrations are either closed or can be closed so that the dose limits are not exceeded.The Completion Time of 4 hours allows fixing of most RHR problems and is reasonable, based on the low probability of the coolant boiling in that time.SURVEILLANCE SR 3.9.5.1 REQUIREMENTSThis Surveillance verifies that the RHR loop is circulating reactor coolantat the specified flow rate of > 3,000 gpm. The verification of the specifiedflow rate provides additional assurance of adequate forced circulation andmixing of the RCS during operations involving the addition of coolant intothe RCS with a boron concentration that is less than required to maintainthe required SHUTDOWN MARGIN.The Surveillance is modified by a Note that specifies the conditions under which the Surveillance is required to be met. The Note states that the Surveillance is only required to be met prior to the start of (i.e., within anhour before) and during operations that cause the introduction of coolant into the RCS with boron concentration less than that required to meet theminimum required boron concentration of LCO 3.9.1. The Frequency of one hour ensures the required RHR flow is maintained during thespecified operations and has been shown to be adequate by operating experience. sR 3.9.5.2 This Surveillance verifies that the RHR loop is circulating reactor coolantat the specified flow rate of > 1,000 gpm. The verification of the specifiedflow rate provides additional assurance of adequate forced circulation ofthe RCS when the RCS water level is more than three feet below thereactor vessel flange.The Surveillance is modified by a Note that specifies the conditions underwhich the Surveillance is required to be met. The Note states that theSurveillance is only required to be met when RCS water level is > three Beaver Valley Units I and 2B 3.9.5 - 4Revision 0 RHR and Coolant Circulation - Low Water LevelB 3.9.5 BASESSU RVEI LLANCE REQU I REM ENTS (continued)feet below the reactor vessel flange. The Frequency of six hours ensuresthe required RHR flow is maintained during low water level conditions andhas been shown to be adequate by operating experience. sR 3.9.5.3 This Surveillance demonstrates that one RHR loop is in operation and circulating reactor coolant. Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal and to prevent thermal and boron stratification in the core.In addition, during operation of the RHR loop with the water level in the viclnity of the reactor vessel nozzles, the RHR pump suction requirementsmust be met. The Frequency of 12 hours is sufficient considering other indications and alarms available to the operator in the control room to monitor RHR loop performance,sR 3.9.5.4 Verification that the required pump is OPERABLE ensures that anadditional RHR pump can be placed in operation, if needed, to maintaindecay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power available tothe required pump. The Frequency of 7 days is considered reasonable in view of other administrative controls available and has been shown to be acceptable by operating experience.This SR is modified by a Note that states the SR is not required to be performed until 24 hours after a required pump is not in operation. REFERENCES 1.Unit 1 UFSAR, Appendix 1A, "1971 AEC General Design Criteria Conformance." Unit 2 UFSAR, Section 3.1, "Conformance with NRC General Design Criteria." ,Beaver Valley Units 1 and 2 B 3.9.5 - 5Revision 0 Refueling Cavity Water Level B 3.9.6 B 3.9 REFUELING OPERATIONS B 3.9.6 Refueling Cavity Water Level BASES BACKGROUND The movement of irradiated fuel assemblies or the movement of any fuel assemblies over irradiated fuel assemblies within containment requires aminimum water level of 23 ft above the top of the reactor vessel flange.During refueling, this maintains sufficient water level in the refueling canal, fuel transfer canal, and refueling cavity. Sufficient water is necessary to retain iodine fission product activity in the water in the event of a fuef handling accident (Refs. 1 and 2). Sufficient iodine activity wouldbe retained to limit offsite doses and the control room dose from theaccident to within the limits of 10 CFR 50.67 (Ref. 4), as provided by the guidance of Reference 3.APPLICABLE SAFETY ANALYSES During movement of irradiated fuel assemblies or the movement of any fuef assemblies over irradiated fuel assemblies, the water level in therefueling canal and the refueling cavity is an initial condition design parameter in the analysis of a fuel handling accident in containment, as postulated by Regulatory Guide 1.183 (Ref. 1). A minimum water level of 23 ft allows a decontamination factor of 200 (Appendix B of Ref. 1) to beused in the accident analysis for iodine.The fuel handling accident analysis inside containment is described inReference 2. With a minimum water level of 23 ft and a minimum decaytime of 100 hours prior to fuel handling, the analysis and test programsdemonstrate that the iodine release due to a postulated fuel handling accident is adequately captured by the water and offsite doses and the control room dose are maintained within allowable limits (Refs. 2 and 4).Refueling cavity water level satisfies Criterion 2 of 10 CFR 50.36(c)(2xii). LCOA minimum refueling cavity water level of 23 ft above the reactor vesselflange is required to ensure that the radiological consequences of a postulated fuel handling accident inside containment are within acceptable limits, as provided by the guidance of References 3 and 4.Beaver Valley Units 1 and 2B 3.9.6 - 1 Revision 0 Refueling Cavity Water LevelB 3.9.6 BASES APPLICABILITY LCO 3.9.6 is applicable when moving irradiated fuel assemblies or when moving any fuel assemblies over irradiated fuel assemblies withincontainment. The LCO minimizes the possibility of a fuel handlingaccident in containment that is beyond the assumptions of the safetyanalysis. lf irradiated fuel assemblies are not present in containment, there can be no significant radioactivity release as a result of a postulatedfuel handling accident. Requirements for fuel handling accidents in the spent fuel pool are covered by LCO 3.7.15, "Fuel Storage Pool Water Level." ACTIONS A.1 and A.2 With a water level of < 23 ft above the top of the reactor vessel flange, alloperations involving moving irradiated fuel assemblies or moving fuel assemblies over irradiated fuel assemblies within the containment shall be suspended immediately to ensure that a fuel handling accident cannot occur.The suspension of fuel movement shall not preclude completion of movement of a component to a safe position.SURVElLLANCE SR 3.9.6.1 REQUIREMENTS Verification of a minimum water level of 23 ft above the top of the reactor vessel flange ensures that the design basis for the analysis of the postulated fuel handling accident during refueling operations is met. Water at the required level above the top of the reactor vessel flange limits the consequences of damaged fuel rods that are postulated toresult from a fuel handling accident inside containment (Ref. 2).The Frequency of 24 hours is based on engineering judgment and isconsidered adequate in view of the large volume of water and the normal procedural controls of valve positions, which make significant unplannedlevel changes unlikely.REFERENCES1 . Regulatory Guide 1 .183, July 2000. UFSAR, Section 14.2.1 (Unit 1) and UFSAR, Section 15.7.4 (Unit 2).NUREG-0800, Section 15.0.1 .10 cFR 50.67. 2.3.4.Beaver Valley Units 1 and 2B 3.9.6 - 2 Revision 0}}