Vogtle Electric Generating Plant, Units 1 & 2, Updated Final Safety Analysis Report, Bases for Improved Technical Specifications

ML16330A416
Person / Time
Site:	Vogtle
Issue date:	11/02/2016
From:	Southern Nuclear Operating Co
To:	Office of Nuclear Reactor Regulation
Shared Package
ML16330A408	List: ML16330A389 ML16330A391 ML16330A392 ML16330A393 ML16330A394 ML16330A395 ML16330A396 ML16330A397 ML16330A398 ML16330A399 ML16330A404 ML16330A412 ML16330A415 ML16330A416 ML16330A425 ML16330A429 ML16330A433 ML16330A484 ML16330A485 ML16330A486 NL-16-2280, Vogtle Electric Generating Plant, Units 1 & 2 - Resubmittal of Revision 20 to the Updated Final Safety Analysis Report Cd Roms NL-16-2280, Vogtle Electric Generating Plant, Units 1 & 2, Updated Final Safety Analysis Report, Bases for Improved Technical Specifications NL-16-2280, Vogtle Electric Generating Plant, Units 1 & 2, Updated Final Safety Analysis Report, Chapter 1, Introduction and General Description of Plant NL-16-2280, Vogtle Electric Generating Plant, Units 1 & 2, Updated Final Safety Analysis Report, Chapter 2, Hydrologic Engineering NL-16-2280, Vogtle Electric Generating Plant, Units 1 & 2, Updated Final Safety Analysis Report, Figure 6.2.1-15 (Sheet 15 of 65) Through Figure 6.2.1-21 (Sheet 74 of 74) NL-16-2280, Vogtle Electric Generating Plant, Units 1 & 2, Updated Final Safety Analysis Report, Figure 7.6.5-1 (Sheet 1 of 2) Through Figure 8.3.1-1 (Sheet 4 of 34) NL-16-2280, Vogtle Electric Generating Plant, Units 1 & 2, Updated Final Safety Analysis Report, Figure 8.3.1-1 (Sheet 5 of 34) Through Figure 8.3.1-1 (Sheet 24 of 34) NL-16-2280, Vogtle Electric Generating Plant, Units 1 & 2, Updated Final Safety Analysis Report, Figures 3.7.B.2-27 Through 3D-17 NL-16-2280, Vogtle Electric Generating Plant, Units 1 & 2, Updated Final Safety Analysis Report, Figures 3D-137 Through 4.3-41 NL-16-2280, Vogtle Electric Generating Plant, Units 1 & 2, Updated Final Safety Analysis Report, Figures 3D-18 Through 3D-40 NL-16-2280, Vogtle Electric Generating Plant, Units 1 & 2, Updated Final Safety Analysis Report, Figures 3D-41 Through 3D-65 NL-16-2280, Vogtle Electric Generating Plant, Units 1 & 2, Updated Final Safety Analysis Report, Figures 3D-66 Through 3D-92 NL-16-2280, Vogtle Electric Generating Plant, Units 1 & 2, Updated Final Safety Analysis Report, Figures 3D-93 Through 3D-136 NL-16-2280, Vogtle Electric Generating Plant, Units 1 & 2, Updated Final Safety Analysis Report, Reference Drawings, Part 1 of 11 NL-16-2280, Vogtle Electric Generating Plant, Units 1 & 2, Updated Final Safety Analysis Report, Reference Drawings, Part 2 of 11 NL-16-2280, Vogtle Electric Generating Plant, Units 1 & 2, Updated Final Safety Analysis Report, Reference Drawings, Part 3 of 11 NL-16-2280, Vogtle Electric Generating Plant, Units 1 & 2, Updated Final Safety Analysis Report, Section 10.3 Through Section 15.1 NL-16-2280, Vogtle Electric Generating Plant, Units 1 & 2, Updated Final Safety Analysis Report, Table 4.3-1 (Sheet 1 of 3) Through Figure 6-2.1-15 (Sheet 14 of 65) NL-16-2280, Vogtle Electric Generating Plant, Units 1 & 2, Updated Final Safety Analysis Report, Technical Requirements Manual
References
NL-16-2280
Download: ML16330A416 (782)
v • d • e

Text

TABLE OF CONTENTS (continued)

Vogtle Units 1 and 2 i Rev. 1-3/99 B 2.0 SAFETY LIMITS (SLs).................................................................. B 2.1.1-1 B 2.1.1 Reactor Core SLs ......................................................................... B 2.1.1-1 B 2.1.2 Reactor Coolant System (RCS) Pressure SL................................. B 2.1.2-1 B 3.0 LIMITING CONDITION FOR OPERATION (LCO)

APPLICABILITY.......................................................................... B 3.0-1 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY............ B 3.0-10 B 3.1 REACTIVITY CONTROL SYSTEMS............................................. B 3.1.1-1 B 3.1.1 SHUTDOWN MARGIN (SDM)....................................................... B 3.1.1-1 B 3.1.2 Core Reactivity............................................................................... B 3.1.2-1 B 3.1.3 Moderator Temperature Coefficient (MTC).................................... B 3.1.3-1 B 3.1.4 Rod Group Alignment Limits.......................................................... B 3.1.4-1 B 3.1.5 Shutdown Bank Insertion Limits..................................................... B 3.1.5-1 B 3.1.6 Control Bank Insertion Limits......................................................... B 3.1.6-1 B 3.1.7 Rod Position Indication.................................................................. B 3.1.7-1 B 3.1.8 PHYSICS TESTS Exceptions MODE 2...................................... B 3.1.8-1 B 3.2 POWER DISTRIBUTION LIMITS.................................................. B 3.2.1-1 B 3.2.1 Heat Flux Hot Channel Factor (F Q (Z)) (F Q Methodology).............. B 3.2.1-1 Nuclear Enthalpy Rise Hot Channel Factor (NH F......................B 3.2.2-1 B 3.2.3 Axial Flux Difference (AFD) (Relaxed Axial Offset Control (ROAC) Methodology)............................................... B 3.

2.3-1 B 3.2.4 Quadrant Power Tilt Ratio (QPTR)................................................. B 3.2.4-1 B 3.3 INSTRUMENTATION..................................................................... B 3.3.1-1 B 3.3.1 Reactor Trip System (RTS) Instrumentation.................................. B 3.3.1-1 B 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation...................................................................... B 3.3.2-1 B 3.3.3 Post Accident Monitoring (PAM) Instrumentation........................... B 3.3.3-1 B 3.3.4 Remote Shutdown System............................................................. B 3.3.4-1 B 3.3.5 4.16 kV ESF Bus Loss of Power (LOP) Instrumentation................ B 3.3.5-1 B 3.3.6 Containment Ventilation Isolation Instrumentation......................... B 3.3.6-1 B 3.3.7 Control Room Emergency Filtration System (CREFS)

Actuation Instrumentation....................................................... B 3.3.7-1 B 3.3.8 High Flux at Shutdown Alarm (H FASA).......................................... B 3.3.8-1 TABLE OF CONTENTS (continued)

Vogtle Units 1 and 2 ii Rev. 3-9/06 B 3.4 REACTOR COOLANT SYSTEM (RCS)......................................... B 3.4.1-1

B 3.4.1 RCS Pressure, Temperature, and Flow Departure

from Nucleate Boiling (DNB) Limits........................................ B 3.4.1-1 B 3.4.2 RCS Minimum Temperature for Criticality...................................... B 3.4.2-1 B 3.4.3 RCS Pressure and Temperature (P/T) Limits................................. B 3.

4.3-1 B 3.4.4 RCS Loops MODES 1 and 2...................................................... B 3.

4.4-1 B 3.4.5 RCS Loops MODE 3.................................................................. B 3.4.5-1 B 3.4.6 RCS Loops MODE 4.................................................................. B 3.4.6-1 B 3.4.7 RCS Loops MODE 5, Loops F illed............................................. B 3.4.7-1 B 3.4.8 RCS Loops MODE 5, Loops Not Filled....................................... B 3.4.8-1 B 3.4.9 Pressurizer..................................................................................... B 3.4.9-1 B 3.4.10 Pressurizer Safety Valves.............................................................. B 3.4.10-1 B 3.4.11 Pressurizer Power Operated Relief Valves (PORVs)..................... B 3.4.11-1 B 3.4.12 Cold Overpressure Protection Systems (COPS)............................ B 3.4.12-1 B 3.4.13 RCS Operational LEAKAGE.......................................................... B 3.

4.13-1 B 3.4.14 RCS Pressure Isolation Valve (PIV) Leakage................................ B 3.4.14-1 B 3.4.15 RCS Leakage Detection Instrumentation....................................... B 3.

4.15-1 B 3.4.16 RCS Specific Activity...................................................................... B 3.4.16-1 B 3.4.17 Steam Generator (SG) Tube Integrity............................................ B 3.4.17-1

B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) ................... B 3.5.1-1

B 3.5.1 Accumulators................................................................................. B 3.5.1-1 B 3.5.2 ECCS Operating......................................................................... B 3.5.2-1 B 3.5.3 ECCS Shutdown......................................................................... B 3.5.3-1 B 3.5.4 Refueling Water Storage Tank (RWST)......................................... B 3.5.4-1 B 3.5.5 Seal Injection Flow......................................................................... B 3.5.5-1 B 3.5.6 Recirculation Fluid pH Control System........................................... B 3.5.6-1

B 3.6 CONTAINMENT SYSTEMS........................................................... B 3.6.1-1

B 3.6.1 Containment.................................................................................. B 3.6.1-1 B 3.6.2 Containment Air Locks................................................................... B 3.6.2-1 B 3.6.3 Containment Isolation Valves......................................................... B 3.6.3-1 B 3.6.4 Containment Pressure................................................................... B 3.6.4-1 B 3.6.5 Containment Air Temperature........................................................ B 3.6.5-1 B 3.6.6 Containment Spray and Cooling Systems (Atmospheric and Dual)............................................................................... B 3.6.6-1 B 3.6.7 Deleted ......................................................................................... B 3.6.7-1

TABLE OF CONTENTS (continued)

Vogtle Units 1 and 2 iii Rev. 2-3/05 B 3.7 PLANT SYSTEMS......................................................................... B 3.7.1-1

B 3.7.1 Main Steam Safety Valves (MSSVs).............................................. B 3.7.1-1 B 3.7.2 Main Steam Isolation Valves (MSIVs)............................................ B 3.7.2-1 B 3.7.3 Main Feedwater Isolation Valves (MFIVs) and Main

Feedwater Regulation Valves (MFRVs) and Associated Bypass Valves..................................................... B 3.7.3-1 B 3.7.4 Atmospheric Relief Valves (ARVs)................................................. B 3.7.4-1 B 3.7.5 Auxiliary Feedwater (AFW) System............................................... B 3.7.5-1 B 3.7.6 Condensate Storage Tank (CST)................................................... B 3.7.6-1 B 3.7.7 Component Cooling Water (CCW) System.................................... B 3.

7.7-1 B 3.7.8 Nuclear Service Cooling Water (NSCW) System........................... B 3.7.8-1 B 3.7.9 Ultimate Heat Sink (UHS).............................................................. B 3.7.9-1 B 3.7.10 Control Room Emergency Filtration System (CREFS) Both Units Operating.............................................................. B 3.7.10-1 B 3.7.11 Control Room Emergency Filtration System (CREFS) One Unit Operating................................................................ B 3.7.11-1 B 3.7.12 Control Room Emergency Filtration System (CREFS) Both Units Shut Down............................................................ B 3.7.12-1 B 3.7.13 Piping Penetration Area Filtration and Exhaust

System (PPAFES).................................................................. B 3.7.13-1 B 3.7.14 Engineered Safety Feature (ESF) Room Cooler and Safety-Related Chiller System................................................ B 3.7.14-1 B 3.7.15 Fuel Storage Pool Water Level...................................................... B 3.7.15-1 B 3.7.16 Secondary Specific Activity............................................................ B 3.7.16-1 B 3.7.17 Fuel Storage Pool Boron Concentration......................................... B 3.7.17-1 B 3.7.18 Fuel Assembly Storage in the Fuel Storage Pool........................... B 3.7.18-1

B 3.8 ELECTRICAL POWER SYSTEMS................................................ B 3.8.1-1

B 3.8.1 AC Sources Operating................................................................ B 3.8.1-1 B 3.8.2 AC Sources Shutdown............................................................... B 3.8.2-1 B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air...................................... B 3.8.3-1 B 3.8.4 DC Sources Operating............................................................... B 3.8.4-1 B 3.8.5 DC Sources Shutdown............................................................... B 3.8.5-1 B 3.8.6 Battery Parameters........................................................................ B 3.8.6-1 B 3.8.7 Inverters Operating..................................................................... B 3.8.7-1 B 3.8.8 Inverters Shutdown..................................................................... B 3.8.8-1 B 3.8.9 Distribution Systems Operating.................................................. B 3.8.9-1 B 3.8.10 Distribution Systems Shutdown.................................................. B 3.8.10-1

TABLE OF CONTENTS (continued)

(continued)

Vogtle Units 1 and 2 iv Rev. 1-3/99 B 3.9 REFUELING OPERATIONS.......................................................... B 3.9.1-1 B 3.9.1 Boron Concentration...................................................................... B 3.9.1-1 B 3.9.2 Unborated Water Source Isolation Valves..................................... B 3.

9.2-1 B 3.9.3 Nuclear Instrumentation................................................................. B 3.9.3-1 B 3.9.4 Containment Penetrations.............................................................. B 3.

9.4-1 B 3.9.5 Residual Heat Removal (RHR) and Coolant Circulation High Water Level................................................................ B 3.9.5-1 B 3.9.6 Residual Heat Removal (RHR) and Coolant Circulation Low Water Level................................................................. B 3.9.6-1 B 3.9.7 Refueling Cavity Water Level......................................................... B 3.9.7-1

TABLE OF CONTENTS (continued)

LIST OF TABLES B 3.3.4-1 Remote Shutdown System Monitoring Instrumentation .................. B 3.3.4-6 B 3.8.4-1 DC Sources ..................................................................................... B 3.8.4-10 B 3.8.9-1 AC and DC Electrical Power Distribution Systems .......................... B 3.8.9-10

LIST OF FIGURES

B 2.1.1-1 Reactor Core Safety Limits vs. Boundary

of Protection ............................................................................ B 2.1.1-7 B 3.1.6-1 Rod Bank Insertion Limits versus Thermal Power ......................................................................................

B 3.1.6-8 B 3.2.1-1 K (Z) - Normalized F Q Z as a Function of Core Height ............................................................................. B 3.2.1-11 B 3.2.3-1 Axial Flux Difference Limits as a Function

of Rated Thermal Power for RAOC ......................................... B 3.2.3-5 B 3.5.5-1 Seal Injection Flow Limits ................................................................ B 3.5.5-5

Reactor Core SLs B 2.1.1 (continued)

Vogtle Units 1 and 2 B 2.1.1-5 REVISION 16 BASES SAFETY LIMIT 2.2.1 VIOLATIONS (continued) If the reactor core SL 2.1.1 is violated, the requirement to go to MODE 3 places the unit in a MODE in which this SL is not applicable.

The allowed Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> recognizes the importance of bringing the unit to a MODE of operation where this SL is not

applicable, and reduces the probability of fuel damage.

Reactor Core SLs B 2.1.1 Vogtle Units 1 and 2 B 2.1.1-6 REVISION 16 BASES (continued)

REFERENCES 1. 10 CFR 50, Appendix A, GDC 10.

2. FSAR, Section 7.2.

3. WCAP-8746-A, March 1977.

4. WCAP-9272-P-A, July 1985.

RCS Pressure SL B 2.1.2 (continued)

Vogtle Units 1 and 2 B 2.1.2-3 REVISION 16 BASES SAFETY LIMITS Code,Section III, is 110% of design pressure. Therefore, the SL (continued) on maximum allowable RCS pressure is 2735 psig.

APPLICABILITY SL 2.1.2 applies in MODES 1, 2, 3, 4, and 5 because this SL could be approached or exceeded in these MODES due to overpressurization

events. The SL is not applicable in MODE 6 because the reactor

vessel head closure bolts are not fully tightened, making it unlikely

that the RCS can be pressurized.

SAFETY LIMIT VIOLATIONS

If the RCS pressure SL 2.2.2 is violated when the reactor is in

MODE 1 or 2, the requirement is to restore compliance and be in

MODE 3 within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.

Exceeding the RCS pressure SL may cause immediate RCS failure

and create a potential for radioactive releases in excess of

10 CFR 100, "Reactor Site Criteria," limits (Ref. 4).

The allowable Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> recognizes the importance

of reducing power level to a MODE of operation where the potential

for challenges to safety systems is minimized.

RCS Pressure SL B 2.1.2 (continued)

Vogtle Units 1 and 2 B 2.1.2-4 REVISION 16 BASES SAFETY LIMIT 2.2.2.2 VIOLATIONS (continued) If the RCS pressure SL 2.2.2 is exceeded in MODE 3, 4, or 5, RCS pressure must be restored to within the SL value within 5 minutes.

Exceeding the RCS pressure SL in MODE 3, 4, or 5 is more severe

than exceeding this SL in MODE 1 or 2, since the reactor vessel

temperature may be lower and the vessel material, consequently, less

ductile. As such, pressure must be reduced to less than the SL within

5 minutes. The action does not require reducing MODES, since this

would require reducing temperature, which would compound the

problem by adding thermal gradient stresses to the existing pressure

stress.

RCS Pressure SL B 2.1.2 Vogtle Units 1 and 2 B 2.1.2-5 REVISION 16 BASES SAFETY LIMIT VIOLATIONS (continued)

REFERENCES 1. 10 CFR 50, Appendix A, GDC 14, GDC 15, and GDC 28.

2. ASME, Boiler and Pressure Vessel Code,Section III, Article NB-7000.

3. ASME, Boiler and Pressure Vessel Code,Section XI, Article IWB-5000.

4. 10 CFR 100.

5. FSAR, Section 7.2.

LCO Applicability B 3.0 Vogtle Units 1 and 2 B 3.0-1 Rev. 1- 9/06 B 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY

BASES LCOs LCO 3.0.1 through LCO 3.0.9 establish the general requirements applicable to all Specifications and apply at all times, unless otherwise stated.

LCO 3.0.1 LCO 3.0.1 establishes the Applicability statement within each individual Specification as the requirement for when the LCO is required to be met (i.e., when the unit is in the MODES or other specified conditions of the Applicability statement of each Specification).

LCO 3.0.2 LCO 3.0.2 establishes that upon discovery of a failure to meet an LCO, the associated ACTIONS shall be met. The Completion Time of each Required Action for an ACTIONS Condition is applicable from the point in time that an ACTIONS Condition is entered. The Required Actions establish those remedial measures that must be taken within specified Completion Times when the requirements of an LCO are not met. This Specification establishes that:

a. Completion of the Required Actions within the specified Completion Times constitutes compliance with a Specification;

and

b. Completion of the Required Actions is not required when an LCO is met within the specified Completion Time, unless otherwise specified.

There are two basic types of Required Actions. The first type of Required Action specifies a time limit in which the LCO must be met.

This time limit is the Completion Time to restore an inoperable system or component to OPERABLE status or to restore variables to within specified limits. If this type of Required Action is not completed within the specified Completion Time, a shutdown may be required to place the unit in a MODE or condition in which the Specification is not applicable.

(Whether stated as a Required Action or not, correction of the entered Condition is an action that may always be considered upon entering

(continued)

LCO Applicability B 3.0 Vogtle Units 1 and 2 B 3.0-2 Revision No. 0 BASES LCO 3.0.2 ACTIONS.) The second type of Required Action specifies the (continued) remedial measures that permit continued operation of the unit that is not further restricted by the Completion Time. In this case, compliance with the Required Actions provides an acceptable level of safety for continued operation.

Completing the Required Actions is not required when an LCO is met or is no longer applicable, unless otherwise stated in the individual Specifications.

The nature of some Required Actions of some Conditions necessitates that, once the Condition is entered, the Required Actions must be completed even though the associated Conditions no longer exist. The individual LCO's ACTIONS specify the Required Actions where this is the case. An example of this is in LCO 3.4.3, "RCS Pressure and Temperature (P/T) Limits." The Completion Times of the Required Actions are also applicable when a system or component is removed from service intentionally.

The reasons for intentionally relying on the ACTIONS include, but are not limited to, performance of Surveillances, preventive maintenance, corrective maintenance, or investigation of operational problems.

Entering ACTIONS for these reasons must be done in a manner that does not compromise safety. Intentional entry into ACTIONS should not be made for operational convenience. Alternatives that would not result in redundant equipment being inoperable should be used instead. Doing so limits the time both subsystems/trains of a safety function are inoperable and limits the time other conditions exist which result in LCO 3.0.3 being entered. Individual Specifications may specify a time limit for performing an SR when equipment is removed from service or bypassed for testing. In this case, the Completion Times of the Required Actions are applicable when this time limit expires, if the equipment remains removed from service or bypassed.

When a change in MODE or other specified condition is required to comply with Required Actions, the unit may enter a MODE or other specified condition in which another Specification becomes applicable.

In this case, the Completion Times of the associated Required Actions would apply from the point in time that the new Specification becomes applicable, and the ACTIONS Condition(s) are entered.

(continued)

LCO Applicability B 3.0 Vogtle Units 1 and 2 B 3.0-3 Revision No. 0 BASES LCO 3.0.3 LCO 3.0.3 establishes the actions that must be implemented when an LCO is not met and:

a. An associated Required Action and Completion Time is not met and no other Condition applies; or

b. The condition of the unit is not specifically addressed by the associated ACTIONS. This means that no combination of Conditions stated in the ACTIONS can be made that exactly corresponds to the actual condition of the unit. Sometimes, possible combinations of Conditions are such that entering LCO 3.0.3 is warranted; in such cases, the ACTIONS specifically state a Condition corresponding to such combinations and also that LCO 3.0.3 be entered immediately.

This Specification delineates the time limits for placing the unit in a safe MODE or other specified condition when operation cannot be maintained within the limits for safe operation as defined by the LCO and its ACTIONS. It is not intended to be used as an operational convenience that permits routine voluntary removal of redundant systems or components from service in lieu of other alternatives that would not result in redundant systems or components being inoperable.

Upon entering LCO 3.0.3, 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is allowed to prepare for an orderly shutdown before initiating a change in unit operation. This includes time to permit the operator to coordinate the reduction in electrical generation with the l oad dispatcher to ens ure the stability and availability of the electrical grid. The time limits specified to reach lower MODES of operation permit the shutdown to proceed in a controlled and orderly manner that is well within the specified maximum cooldown rate and within the capabilities of the unit, assuming that only the minimum required equipment is OPERABLE.

This reduces thermal stresses on components of the Reactor Coolant System and the potential for a plant upset that could challenge safety systems under conditions to which this Specification applies. The use and interpretation of specified times to complete the actions of LCO 3.0.3 are consistent with the discussion of Section 1.3, Completion Times.

(continued)

LCO Applicability B 3.0 Vogtle Units 1 and 2 B 3.0-4 Revision No. 0 BASES LCO 3.0.3 A unit shutdown required in accordance with LCO 3.0.3 may be (continued) terminated and LCO 3.0.3 exited if any of the following occurs:

a. The LCO is now met.

b. A Condition exists for which the Required Actions have now been performed.

c. ACTIONS exist that do not have expired Completion Times. These Completion Times are applicable from the point in time that the Condition is initially entered and not from the time LCO 3.0.3 is exited.

The time limits of Specification 3.0.3 allow 37 hours4.282407e-4 days <br />0.0103 hours <br />6.117725e-5 weeks <br />1.40785e-5 months <br /> for the unit to be in MODE 5 when a shutdown is required during MODE 1 operation. If the unit is in a lower MODE of operation when a shutdown is required, the time limit for reaching the next lower MODE applies. If a lower MODE is reached in less time than allowed, however, the total allowable time to reach MODE 5, or other applicable MODE, is not reduced. For example, if MODE 3 is reached in 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, then the time allowed for reaching MODE 4 is the next 11 hours1.273148e-4 days <br />0.00306 hours <br />1.818783e-5 weeks <br />4.1855e-6 months <br />, because the total time for reaching MODE 4 is not reduced from the allowable limit of 13 hours1.50463e-4 days <br />0.00361 hours <br />2.149471e-5 weeks <br />4.9465e-6 months <br />. Therefore, if remedial measures are completed that would permit a return to MODE 1, a penalty is not incurred by having to reach a lower MODE of operation in less than the total time allowed.

In MODES 1, 2, 3, and 4, LCO 3.0.3 provides actions for Conditions not covered in other Specifications. The requirements of LCO 3.0.3 do not apply in MODES 5 and 6 because the unit is already in the most restrictive Condition required by LCO 3.0.3. The requirements of LCO 3.0.3 do not apply in other specified conditions of the Applicability (unless in MODE 1, 2, 3, or 4) because the ACTIONS of individual Specifications sufficiently define the remedial measures to be taken.

Exceptions to LCO 3.0.3 are provided in instances where requiring a unit shutdown, in accordance with LCO 3.0.3, would not provide appropriate remedial measures for the associated condition of the unit. An example of this is in LCO 3.7.15, "Fuel Storage Pool Water Level." LCO 3.7.15 has

(continued)

LCO Applicability B 3.0 (continued)

Vogtle Units 1 and 2 B 3.0-5 Rev. 2 - 6/05 BASES LCO 3.0.3 an Applicability of "During movement of irradiated fuel (continued) assemblies in the fuel storage pool." Therefore, this LCO can be applicable in any or all MODES. If the LCO and the Required Actions of LCO 3.7.15 are not met while in MODE 1, 2, or 3, there is no safety benefit to be gained by placing the unit in a shutdown condition. The Required Action of LCO 3.7.15 of "Suspend movement of irradiated fuel assemblies in the fuel storage pool" is the appropriate Required Action to complete in lieu of the actions of LCO 3.0.3. These exceptions are addressed in the individual Specifications.

LCO 3.0.4 LCO 3.0.4 establishes limitations on changes in MODES or other specified conditions in the Applicability when an LCO is not met. It allows placing the unit in a MODE or other specified condition stated in that Applicability (e.g., the Applicability desired to be entered) when unit conditions are such that the requirements of the LCO would not be met, in accordance with LCO 3.0.4a, LCO 3.0.4b, or LCO 3.0.4c.

LCO 3.04a allows entry into a MODE or other specified condition in the Applicability with the LCO not met when the associated ACTIONS to be entered permit continued operation in the MODE or other specified condition in the Applicability for an unlimited period of ti me. Compliance with Required Actions that permit continued operation of the unit for an unlimited period of time in a MODE or other specified condition provides an acceptable level of safety for continued operation. This is without regard to the status of the unit before or after the MODE change.

Therefore, in such cases, entry into a MODE or other specified condition in the Applicability may be made in accordance with the provisions of the Required Actions.

LCO 3.0.4b allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering the MODE or other specified condition in the Applicability, and establishment of risk management actions, if appropriate.

The risk assessment may use quantitative, qualitative, or blended

approaches; and the risk assessment will be conduct ed using t he plant program, procedures, and criteria in place to implement 10 CFR 50.65(a)(4), which requires that risk impacts of maintenance activities be assessed and managed. The risk assessment, for the purposes of LCO 3.0.4b, must take into account all inoperable Technical Specification equipment regardless of whether the equipment is included in the normal 10 CFR 50.65(a)(4) risk assessment scope.

LCO Applicability B 3.0 (continued)

Vogtle Units 1 and 2 B 3.0-6 Rev. 2 - 6/05 BASES LCO 3.0.4 The risk assessments will be conducted using the procedures and (continued) guidance endorsed by Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance at Nuclear Power Plants."

Regulatory Guide 1.182 endorses the guidance in Section 11 of NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants." Both documents provide general guidance for conducting the risk assessment, such as quantitative and qualitative guidelines for establishing risk management actions and example risk management actions. They also include actions to plan and conduct other activities in a manner to control overall risk, increase risk awareness by shift and management personnel, reduce the duration of the condition, minimize the magnitude of risk increases (establishment of backup success paths or compensatory measures), and determine that the proposed MODE change is

acceptable. Cons ideration should also be given to the probability of completing restoration such that the requirements of the LCO would be met prior to the expiration of ACTIONS Completion Times that would

require abandoning the Applicability.

LCO 3.0.4b may be used with single or multiple systems and components unavailable. NUMARC 93-01 provides guidance relative to

consideration of simultaneous unavailability of multiple systems and components.

The results of the risk assessment shall be considered in determining the acceptability of entering the MODE or other specifi ed condition in the Applicability, and any corresponding risk management actions. The LCO 3.0.4b risk assessments do not have to be documented.

The Technical Specifications allow continued operation with equipment unavailable in MODE 1 for the duration of the Completion Time. Since this is allowable, and in general, the risk impact in that particular MODE bounds the risk of transitioning into and through the applicable MODES or other specified conditions in the Applicability of the LCO, the use of the LCO 3.0.4b allowance should be generally acceptable, as long as the risk is assessed and managed as stated above. However, there is a small subset of systems and components that have been determined to be more important to risk, and use of the LCO 3.0.4b allowance is prohibited. The LCOs governing these systems and components contain Notes prohibiting the use of LCO 3.0.4b by stating that LCO 3.0.4b is not applicable.

LCO 3.0.4c allows entry into a MODE or other specified condition in the Applicability with the LCO not met based on a Note in the Specification which states that LCO 3.0.4c is applicable. These specific allowances permit entry into MODES or other specified conditions in the Applicability when the associated ACTIONS to be entered do not provide for

LCO Applicability B 3.0 (continued)

Vogtle Units 1 and 2 B 3.0-7 Rev. 2 - 6/05 BASES LCO 3.0.4 continued operation for an unlimited period of time and a risk (continued) assessment has not been performed. This allowance may apply to all ACTIONS or to a specific Required Action of a Specification. The risk assessments performed to justify the use of LCO 3.0.4b usually only consider systems and components. For this reason, LCO 3.0.4c is typically applied to Specifications which describe values and parameters (e.g., RCS Specific Activity), and may be applied to other Specifications based on NRC plant-specific approval.

The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.

The provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified

conditions in the Applicability that result from any unit shutdown. In this context, a unit shutdown is defined as a change in MODE or other specified condition in the Applicability associated with transitioning from MODE 1 to MODE 2, MODE 2 to MODE 3, MODE 3 to MODE 4, and MODE 4 to MODE 5.

Upon entry into a MODE or other specified condition in the Applicability with the LCO not met, LCO 3.0.1 and LCO 3.0.2 require entry into the applicable Conditions and Required Actions until the Condition is resolved, the LCO is met, or the unit is not within the Applicability of the Technical Specification.

Surveillances do not have to be performed on the associated inoperable equipment (or on variables outside the specified limits), as permitted by SR 3.0.1. Therefore, utilizing LCO 3.0.4 is not a violation of SR 3.0.1 or SR 3.0.4 for any Surveillances that have not been performed on inoperable equipment. However, SRs must be met to ensure OPERABILITY prior to declaring the associated equipment OPERABLE (or variable within limits) and restoring compliance with the affected LCO.

LCO Applicability B 3.0 (continued)

Vogtle Units 1 and 2 B 3.0-8 Rev. 1 - 6/05 BASES (continued)

LCO 3.0.5 LCO 3.0.5 establishes the allowance for restoring equipment to service under administrative controls when it has been removed from service or declared inoperable to comply with ACTIONS. The sole purpose of this Specification is to provide an exception to LCO 3.0.2 (e.g., to not comply with the applicable Required Action(s)) to allow the performance of SRs to demonstrate:

a. The OPERABILITY of the equipment being returned to service; or or

b. The OPERABILITY of other equipment.

The administrative controls ensure the time the equipment is returned to service in conflict with the requirements of the ACTIONS is limited to the time absolutely necessary to perform the allowed SRs. This Specification does not provide time to perform any other preventive or corrective maintenance.

An example of demonstrating the OPERABILITY of the equipment being returned to service is reopening a containment isolation valve that has been closed to comply with Required Actions and must be reopened to perform the SRs.

An example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to prevent the trip function from occurring during the performance of an SR on another channel in the other trip system. A similar example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to permit the logic to function and indicate the appropriate response during the performance of an SR on another channel in the same trip system.

LCO 3.0.6 LCO 3.0.6 establishes an exception to LCO 3.0.2 for support systems that have an LCO specified in the Technical Specifications (TS). This exception is provided because LCO 3.0.2 would require that the Conditions and Required Actions of the associated inoperable supported system LCO be entered solely due to the inoperability of the support system. This exception is justified because the actions that are required to ensure the unit is maintained in a safe condition are specified in the support system LCO's Required Actions. These Required Actions may include entering the supported system's Conditions and Required Actions or may specify other Required Actions.

LCO Applicability B 3.0 (continued)

Vogtle Units 1 and 2 B 3.0-9 Rev. 1 - 6/05 BASES LCO 3.0.6 When a support system is inoperable and there is an LCO specified for (continued) it in the TS, the supported system(s) are required to be declared inoperable if determined to be inoperable as a result of the support system inoperability. However, it is not necessary to enter into the supported systems' Conditions and Required Actions unless directed to do so by the support system's Required Actions. The potential confusion and inconsistency of requirements related to the entry into multiple support and supported systems' LCOs' Conditions and Required Actions are eliminated by providing all the actions that are necessary to ensure the unit is maintained in a safe condition in the support system's Required Actions.

However, there are instances where a support system's Required Action may either direct a supported system to be declared inoperable or direct entry into Conditions and Required Actions for the supported system. This may occur immediately or after some specified delay to perform some other Required Action. Regardless of whether it is immediate or after some delay, when a support system's Required Action directs a supported system to be declared inoperable or directs entry into Conditions and Required Actions for a supported system, the applicable Conditions and Required Actions shall be entered in accordance with LCO 3.0.2.

Specification 5.5.15, "Safety Function Determination Program (SFDP),"

ensures loss of safety function is detected and appropriate actions are taken. Upon entry into LCO 3.0.6, an evaluation shall be made to determine if loss of safety function exists. Additionally, other limitations, remedial actions, or compensatory actions may be identified as a result of the support system inoperability and corresponding exception to entering supported system Conditions and Required Actions. The SFDP implements the requirements of LCO 3.0.6.

Cross train checks to identify a loss of safety function for those support systems that support multiple and redundant safety systems are required.

The cross train check verifies that the supported systems of the redundant OPERABLE support system are OPERABLE, thereby ensuring safety function is retained. If this evaluation determines that a loss of safety function exists, the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists are required to be entered.

LCO 3.0.7 There are certain special tests and operations required to be performed at various times over the life of the unit. These special tests and operations are necessary to demonstrate select unit performance characteristics, to perform special maintenance activities, and to

LCO Applicability B 3.0 Vogtle Units 1 and 2 B 3.0-10 Rev. 2 - 9/06 BASES LCO 3.0.7 perform special evolutions. Test Exception LCO 3.1.8 allows specified (continued) Technical Specification requirements to be changed to permit performance of these special tests and operations, which otherwise could not be performed if required to comply with the requirements of these Technical Specifications. Unless otherwise specified, all the other Technical Specification requirements remain unchanged. This will ensure all appropriate requirements of the MO DE or other specified condition not directly associated with or required to be changed to perform the special test or operation will remain in effect.

The applicability of the Test Except ion LCO represent s a condition not necessarily in compliance with the normal requirements of the Technical Specification. Compliance with the Test Exception LCO is optional. A special operation may be performed either under the provisions of the Test Exception LCO or under the other applicable Technical Specification requirements. If it is desired to perform the special operation under the provisions of the Test Exception LCO, the requirements of the Test Exception LCO shall be followed.

LCO 3.0.8 LCO 3.0.8 establishes conditions under which systems are considered to remain capable of performing their intended safety function when associated snubbers are not capable of providing their associated support function(s). This LCO states that the supported system is not considered to be inoperable solely due to one or more snubbers not capable of performing their associated support function(s). This is appropriate because a limited length of time is allowed for maintenance, testing, or repair of one or more snubbers not capable of performing their associated support function(s) and appropriate compensatory measures are specified in the snubber requirements, which are located outside of the Technical Specifications (TS) under licensee control. The snubber requirements do not meet the criteria in 10 CFR 50.36(c)(2)(ii), and, as such, are appropriate for control by the licensee.

If the allowed time expires and the snubber(s) are unable to perform their associated support function(s), the affected supported system's LCO(s) must be declared not met and the Conditions and Required Actions entered in accordance with LCO 3.0.2.

LCO 3.0.8.a applies when one or more snubbers are not capable of providing their associated support function(s) to a single train or subsystem of a multiple train or subsystem supported system or to a single train or subsystem supported system. LCO 3.0.8.a allows 72

(continued)

LCO Applicability B 3.0 (continued)

Vogtle Units 1 and 2 B 3.0-11 Rev. 2 - 9/06 BASES LCO 3.0.8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> to restore the snubber(s) before declaring the supported system (continued) inoperable. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is reasonable based on the low probability of a seismic event concurrent with an event that would require operation of the supported system occurring while the snubber(s) are not capable of performing their associated support function and due to the availability of the redundant train of the supported system.

LCO 3.0.8.b applies when one or more snubbers are not capable of providing their associated support function(s) to more than one train or subsystem of a multiple train or subsystem supported system. LCO 3.0.8.b allows 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> to restore the snubber(s) before declaring the supported system inoperable. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Completion Time is reasonable based on the low probability of a seismic event concurrent with an event that would require operation of the supported system occurring while the snubber(s) are not capable of performing their associated support function.

LCO 3.0.8 requires that risk be assessed and managed. Industry and NRC guidance on the implementation of 10 CFR 50.65(a)(4) (the Maintenance Rule) does not address seismic risk. However, use of LCO 3.0.8 should be considered with respect to other plant maintenance activities, and integrated into the existing Maintenance Rule process to the extent possible so that maintenance on any unaffected train or subsystem is properly controlled, and emergent issues are properly addressed. The risk assessment need not be quantified, but may be a qualitative awareness of the vulnerability of systems and components when one or more snubbers are not able to perform their associated support function.

LCO 3.0.9 This LCO is provided to clarify the unit applicability of the LCOs and associated ACTION requirements, especially with respect to systems or components that are common to both units.

In the LCOs and Specifications, parentheses and footnotes are used to specifically identify the common systems to which individual LCOs and Specifications apply. They are considered an integral part of the applicable LCOs and Specifications and compliance with respect to the systems or components is required. In addition, parentheses and footnotes are used to identify requirements specific to one unit, and are considered an integral part of the LCOs and Specifications with which compliance is required.

LCO Applicability B 3.0 Vogtle Units 1 and 2 B 3.0-12 Rev. 3 - 9/06 BASES LCO 3.0.9 In the Bases, instrument loop numbers are stated in parentheses and (continued) are provided as information only, for the purpose of assisting the TS user. Compliance with the applicable LCO and Specifications may not be a requirement for the instrument loop stated within parentheses unless the stated loop is the method by which the unit is maintained in compliance with the applicable LCOs and Specifications.

SR Applicability B 3.0 (continued)

Vogtle Units 1 and 2 B 3.0-13 Rev. 3 - 9/06 B 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY

BASES SRs SR 3.0.1 through SR 3.0.4 establish the general requirements applicable to all Specifications and apply at all times, unless otherwise stated.

SR 3.0.1 SR 3.0.1 establishes the requirement that SRs must be met during the MODES or other specifi ed conditions in the Applicability for which the requirements of the LCO apply, unless otherwise specified in the individual SRs. This Specification is to ensure that Surveillances are performed to verify the OPERABILITY of systems and components, and that variables are within specified limits. Failure to meet a Surveillance within the specified Frequency, in accordance with SR 3.0.2, constitutes a failure to meet an LCO.

Systems and components are assumed to be OPERABLE when the associated SRs have been met. Nothing in this Specification, however, is to be construed as implying that systems or components are OPERABLE when:

a. The systems or components are known to be inoperable, although still meeting the SRs; or

b. The requirements of the Surveillance(s) are known not to be met between required Surveillance performances.

Surveillances do not have to be performed when the unit is in a MODE or other specified condition for which the requirements of the associated LCO are not applicable, unless otherwise specified. The SRs associated with a test exception are only applicable when the test exception is used as an allowable exception to the requirements of a Specification.

Surveillances, including Surveillances invoked by Required Actions, do not have to be performed on inoperable equipment because the ACTIONS define the rem edial measures that apply. Surveillances have to be met and performed in accordance with SR 3.0.2, prior to returning equipment to OPERABLE status.

Upon completion of maintenance appropriate post maintenance testing is required to declare equipment OPERABLE. This includes ensuring applicable Surveillances are not failed and their most recent performance is in accordance with SR 3.0.2. Post maintenance testing may not be possible in the current MODE or other specified

conditions in the Applicability due to the necessary unit parameters not having been established. In these situations, the equipment may be SR Applicability B 3.0 (continued)

Vogtle Units 1 and 2 B 3.0-14 Rev. 4 - 9/06 BASES SR 3.0.1 considered OPERABLE provided testing has been satisfactorily (continued) completed to the extent possible and the equipment is not otherwise believed to be incapable of performing its function. This will allow operation to proceed to a MODE or other specified condition where other necessary post maintenance tests can be completed.

SR 3.0.2 SR 3.0.2 establishes the requirements for meeting the specified Frequency for Surveillances and any Required Action with a Completion Time that requires the periodic performance of the Required Action on a "once per . . ." interval.

SR 3.0.2 permits a 25% extension of the interval specified in the Frequency. This extension facilitates Surveillance scheduling and considers plant operating conditions that may not be suitable for conducting the Surveill ance (e.g., transient conditions or other ongoing Surveillance or maintenance activities).

The 25% extension does not significantly degr ade the reliability that results from performing the Surveillance at its specified Frequency.

This is based on the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the SRs. The exceptions to SR 3.0.2 are those Surveillances for which the 25% extension of the interval specified in the Frequency does not apply. These exceptions are stated in the individual Specifications. The requirements of regulations take precedence over the TS. Therefore, when a test interval is specified in the regulations, the test interval cannot SR 3.0.2 be extended by the TS, and the SR includes a Note in the Frequency stating that "SR 3.0.2 is not applicable." An example of an exception when the test interval is not specified in the regulations is the Note in the Containment Leakage Rate Testing Program, "SR 3.0.2 is not applicable." This exception is provided because the program already includes extension of test intervals.

As stated in SR 3.0.2, the 25% extension also does not apply to the initial portion of a periodic Completion Time that requires performance on a "once per ..." basis. The 25% extension applies to each performance after the initial performance. The initial performance of

the Required Action, whether it is a particular Surveill ance or some other remedial action, is considered a single action with a single Completion Time. One reason for not allowing the 25% extension to this Completion Time is that such an action usually verifies that no loss of function has occurred by checking the status of redundant or diverse components or accomplishes the function of the inoperable equipment in an alternative manner.

SR Applicability B 3.0 (continued)

Vogtle Units 1 and 2 B 3.0-15 Rev. 4 - 9/06 BASES SR 3.0.2 The provisions of SR 3.0.2 are not intended to be used repeatedly (continued) merely as an operational convenience to extend Surveillance intervals (other than those consistent with Refueling intervals) or periodic Completion Time intervals beyond those specified.

SR 3.0.3 SR 3.0.3 establishes the flexibility to defer declaring affected equipment inoperable or an affected variable outside the specified limits when a Surveillance has not been completed within the specified Frequency. A delay period of up to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> or up to the limit of the specified Frequency, whichever is greater, applies from the point in time that it is discovered that the Surveillance has not been performed in accordance with SR 3.0.2, and not at the time that the specified Frequency was not met.

This delay period prov ides adequate time to co mplete Surv eillances that have been missed. This delay period permits the completion of a Surveillance before complying with Required Actions or other remedial

measures that might preclude completion of the Surveillance.

The basis for this delay period includes consideration of unit conditions, adequate planning, availability of personnel, the time required to perform the Surveillance, the safety significance of the delay in completing the required Surveill ance, and the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the requirements.

When a Surveillance with a Frequency based not on time intervals, but upon specified unit conditions, operating situations, or requirements of regulations (e.g., prior to entering MODE 1 after each fuel loading, or in accordance with 10 CFR 50, Appendix J, as modified by approved exemptions, etc.) is discovered to not have been performed when specified, SR 3.0.3 allows for the full delay period of up to the specified Frequency to perform the Surveillance. However, since there is not a time interval specified, the missed Surveillance should be performed at the first reasonable opportunity.

SR 3.0.3 provides a time limit for, and allowances for the performance of, Surveillances that become applicable as a consequence of MODE changes imposed by Required Actions.

Failure to comply with specified Frequencies for SRs is expected to be an infrequent occurrence. Use of the delay period established by SR 3.0.3 is a flexibility which is not intended to be used as an operational convenience to extend Surveillance intervals. While up to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> or the limit of the specified Frequency is provided to perform SR Applicability B 3.0 (continued)

Vogtle Units 1 and 2 B 3.0-16 Rev. 1 - 9/06 BASES SR 3.0.3 the missed Surveillance, it is expected that the missed Surveillance (continued) will be performed at the first reasonable opportunity. The determination of the first reasonable opportunity should include consideration of the impact on plant risk (from delaying the Surveillance as well as any plant configuration changes required or shutting the plant down to perform the Surveillance) and impact on any analysis assumptions, in addition to unit conditions, planning, availability of pers onnel, and the time required to perform the Surveillance. This risk impact should be managed through the program in place to implement 10 CFR 50.65(a)(4) and its implementation guidance, NRC Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." This Regulatory Guide addresses consideration of temporary and aggregate risk impacts, determination of risk management action thresholds, and risk management action up to and including plant shutdown. The missed Surveillance should be treated as an emergent condition as discussed in the Regulatory Guide. The risk evaluation may use quantitative, qualitative, or blended methods. The degree of depth and rigor of the evaluation should be commensurate with the importance of the component. Missed Surveillances for important components should be analyzed quantitatively. If the results of the risk evaluation determine the risk increase is significant, this evaluation should be used to determine the safest course of action.

All missed Surveillances will be placed in the licensee's Corrective Action Program.

If a Surveillance is not completed within the allowed delay period, then the equipment is considered inoperable or the variable is considered outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon expiration of the delay period. If a Surveillance is failed within the delay period, then the equipment is inoperable, or the variable is outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon the failure of the Surveillance.

Completion of the Surveillance within the delay period allowed by this Specification, or within the Completion Time of the ACTIONS, restores compliance with SR 3.0.1.

SR 3.0.4 SR 3.0.4 establishes the requirement that all applicable SRs must be met before entry into a MODE or other specified condition in the Applicability.

SR Applicability B 3.0 (continued)

Vogtle Units 1 and 2 B 3.0-17 Rev. 0 - 9/06 BASES SR 3.0.4 This Specification ensures that system and component OPERABILITY (continued) requirements and variable limits are met before entry into MODES or other specified conditi ons in the Applicability for which these systems and components ensure safe operation of the unit.

The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.

A provision is included to allow entry into a MODE or other specified condition in the Applicability w hen an LCO is not met due to a Surveillance not being met in accordance with LCO 3.0.4.

However, in certain circumstances, failing to meet an SR will not result in SR 3.0.4 restricting a MODE change or other specified condition change. When a system, subsystem, division, component, device, or variable is inoperable or outside its specified limits, the associated SR(s) is not required to be performed, per SR 3.0.1, which states that surveillances do not have to be performed on inoperable equipment.

When equipment is inoperable, SR 3.0.4 does not apply to the associated SR(s), since the requirement for the SR(s) to be performed is removed. Therefore, failing to perform the Surveillance(s) within the specified Frequency does not result in an SR 3.0.4 restriction to changing MODES or other specified conditions of the Applicability.

However, since the LCO is not met in this instance, LCO 3.0.4 will govern any restrictions that may (or may not) apply to MODE or other specified condition changes. SR 3.0.4 does not restrict changing MODES or other specified conditions of the Applicability when a Surveillance has not been performed within the specified Frequency, provided the requirement to declare the LCO not met has been delayed in accordance with SR 3.0.3.

The provisions of SR 3.0.4 shall not prevent changes in MODES or other specified c onditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown. In this context, a unit shutdown is defined as a change in MODE or other specified condition in the Applicability associated with transitioning from MODE 1 to MODE 2, MODE 2 to MODE 3, MODE 3 to MODE 4, and MODE 4 to MODE 5.

The precise requirements for performance of SRs are specified such that exceptions to SR 3.0.4 are not necessary. The specific time frames and conditions necessary for meeting the SRs are specified in

SR Applicability B 3.0 Vogtle Units 1 and 2 B 3.0-18 Rev. 0 - 9/06 BASES SR 3.0.4 the Frequency, in the Surveillance, or both. This allows performance (continued) of Surveillances when the prerequi site condition(s) specified in a Surveillance procedure require entry into the MODE or other specified condition in the Applicability of the associated LC O prior to the performance or completion of a Surveillance. A Surveillance that could not be performed until after entering the LCO's Applicability, would have its Frequency specified such that it is not "due" until the specific conditions needed are met. Alternately, the Surveillance may be stated in the form of a Note as not required (to be met or performed) until a particular event, condition, or time has been, reached. Further discussion of the specific formats of SRs annotation is found in Section 1.4, Frequency.

SDM B 3.1.1 Vogtle Units 1 and 2 B 3.1.1-4 Rev. 3 - 6/05 BASES APPLICABLE SDM satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii). Even SAFETY ANALYSES though it is not directly observed from the control room, (continued) SDM is considered an initial condition process variable because it is periodically monitored to ensure that the unit is operating within the bounds of accident analysis assumptions.

LCO SDM is a core design condition that can be ensured during operation through control rod positioning (control and shutdown banks) and through the soluble boron concentration.

The MSLB (Ref. 2) and the boron dilution (Ref. 3) accidents are the most limiting analyses that establish the SDM value of the LCO. For MSLB accidents, if the LCO is violated, there is a potential to exceed the DNBR limit and to exceed 10 CFR 100, "Reactor Site Criteria," limits (Ref. 4). For the boron dilution accident, if the LCO is violated, the minimum required time assumed for operator action to terminate dilution may no longer be applicable. The required SDM is specified in the COLR.

APPLICABILITY In MODES 3, 4, and 5, the SDM requirements are applicable to provide sufficient negative reactivity to meet the assumptions of the safety analyses discussed above. In MODE 6, the shutdown reactivity requirements are given in LCO 3.9.1, "Boron Concentration." In MODES 1 and 2, SDM is ensured by complying with LCO 3.1.5, "Shutdown Bank Insertion Limits," and LCO 3.1.6, "Control Bank Insertion Limits."

ACTIONS The ACTIONS table is modified by a Note prohibiting transition to a lower MODE within the Applicability. LCO 3.0.4 already prohibits entry into MODE 5 from MODE 6, MODE 4 from MODE 5 and into MODE 3 from MODE 4 when SDM requirements are not met.

(continued)

SDM B 3.1.1 (continued)

Vogtle Units 1 and 2 B 3.1.1-5 Rev. 1 - 6/05 BASES ACTIONS A.1 (continued)

If the SDM requirements are not met, boration must be initiated promptly.

A Completion Time of 15 minutes is adequate for an operator to correctly

align and start the required systems and components. It is assumed that

boration will be continued until the SDM requirements are met.

In the determination of the required combination of boration flow rate and boron concentration, there is no unique requirement that must be

satisfied. Since it is important to raise the boron concentration of the

RCS as soon as possible, the flowpath of choice would utilize a highly

concentrated solution, such as that normally found in the boric acid

storage tank, or the refueling water storage tank. However, the

operator should borate with the best source available for the plant

conditions.

In determining the boration flow rate, the time in core life must be considered. For instance, the most difficult time in core life to

increase the RCS boron concentration is at the beginning of cycle

when the boron concentration may approach or exceed 2000 ppm.

Assuming that a value of 1% k/k must be recovered and a boration flow rate of 30 gpm, it is possible to increase the boron concentration

of the RCS by 133 ppm in approximately 55 minutes using a boric

acid solution of 7000 ppm. If a boron worth of 7.5 pcm/ppm is

assumed, this combination of parameters will increase the SDM by

1% k/k. These boration parameters of 30 gpm and 7000 ppm represent typical values and are provided for the purpose of offering a

specific example.

SURVEILLANCE SR 3.1.1.1 REQUIREMENTS

In MODES 1 and 2, SDM is verified by observing that the requirements of LCO 3.1.5 and LCO 3.1.6 are met. In the event that a

rod is known to be untrippable, however, SDM verification must

account for the worth of the untrippable rod as well as another rod of

maximum worth.

In MODES 3, 4, and 5, the SDM is verified by performing a reactivity balance calculation, considering the listed reactivity effects:

SDM B 3.1.1 Vogtle Units 1 and 2 B 3.1.1-6 REVISION 14 BASES SURVEILLANCE SR 3.1.1.1 (continued)

REQUIREMENTS a. RCS boron concentration;

b. Control bank position;

c. RCS average temperature;

d. Fuel burnup based on gross thermal energy generation;

e. Xenon concentration;

f. Samarium concentration; and

g. Isothermal temperature coefficient (ITC).

Using the ITC accounts for Doppler reactivity in this calculation because the reactor is subcritical, and the fuel temperature will be

changing at the same rate as the RCS.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 26.

2. FSAR, Subsection 15.4.9.

3. FSAR, Subsection 15.4.6.

4. 10 CFR 100.

Core Reactivity B 3.1.2 (continued)

Vogtle Units 1 and 2 B 3.1.2-5 Revision No. 0 BASES ACTIONS A.1 and A.2 (continued)

to determine their consistency with input to design calculations.

Measured core and process parameters are evaluated to determine

that they are within the bounds of the safety analysis, and safety

analysis calculational models are reviewed to verify that they are

adequate for representation of the core conditions. The required

Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is based on the low probability of a DBA

occurring during this period, and allows sufficient time to assess the

physical condition of the reactor and complete the evaluation of the

core design and safety analysis.

Following evaluations of the core design and safety analysis, the cause of the reactivity anomaly may be resolved. If the cause of the

reactivity anomaly is a mismatch in core conditions at the time of RCS

boron concentration sampling, then a recalculation of the RCS boron

concentration requirements may be performed to demonstrate that

core reactivity is behaving as expected. If an unexpected physical

change in the condition of the core has occurred, it must be evaluated

and corrected, if possible. If the cause of the reactivity anomaly is in

the calculation technique, then the calculational models must be

revised to provide more accurate predictions. If any of these results

are demonstrated, and it is concluded that the reactor core is

acceptable for continued operation, then the boron letdown curve may

be renormalized and power operation may continue. If operational

restriction or additional SRs are necessary to ensure the reactor core

is acceptable for continued operation, then they must be defined.

The required Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is adequate for preparing whatever operating restrictions or Surveillances that may be required

to allow continued reactor operation.

B.1 If the core reactivity cannot be restored to within the 1% k/k limit, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6

hours. If the SDM for MODE 3 is not met, then the boration required by

Core Reactivity B 3.1.2 Vogtle Units 1 and 2 B 3.1.2-6 REVISION 14 BASES ACTIONS B.1 (continued)

LCO 3.1.1 Required Action A.1 would occur. The allowed Completion Time is reasonable, based on operating experience, for reaching

MODE 3 from full power conditions in an orderly manner and without

challenging plant systems.

SURVEILLANCE SR 3.1.2.1 REQUIREMENTS Core reactivity is verified by periodic comparisons of measured and predicted RCS boron concentrations. The comparison is made, considering that other core conditions are fixed or stable, including

control rod position, moderator temperature, fuel temperature, fuel

depletion, xenon concentration, and samarium concentration. The

Surveillance is performed prior to entering MODE 1 as an initial check

on core conditions and design calculations at BOL. The SR is modified by a Note. The Note indicates that the normalization of predicted core reactivity to the measured value must take place within

the first 60 effective full power days (EFPD) after each fuel loading.

This allows sufficient time for core conditions to reach steady state, but prevents operation for a large fraction of the fuel cycle without establishing a benchmark for the design calculations. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 26, GDC 28, and GDC 29.

2. FSAR, Chapter 15.

MTC B 3.1.3 Vogtle Units 1 and 2 B 3.1.3-6 Revision No. 34 BASES SURVEILLANCE SR 3.1.3.1 (continued)

REQUIREMENTS The BOL MTC value for ARO will be inferred from isothermal

temperature coefficient measurements obtained during the physics

tests after refueling. The ARO value can be directly compared to the

BOL MTC limit of the LCO. If required, measurement results and

predicted design values can be used to establish administrative

withdrawal limits for control banks.

SR 3.1.3.2 In similar fashion, the LCO demands that the MTC be less negative

than the specified value for EOL full power conditions. This

measurement may be performed at any THERMAL POWER, but its

results must be extrapolated to the conditions of RTP and all banks

withdrawn in order to make a proper comparison with the LCO value.

Because the RTP MTC value will gradually become more negative

with further core depletion and boron concentration reduction, a 300

ppm SR value of MTC should necessarily be less negative than the

EOL LCO limit. The 300 ppm SR va lue is sufficiently less negative than the EOL LCO limit value to ensure that the LCO limit will be met

when the 300 ppm Surveillance criterion is met.

SR 3.1.3.2 is modified by four Notes that include the following requirements:

a. The 300 ppm Surveillance limit must be verified within 7 EFPD after reaching the equivalent of an equilibrium RTP ARO boron

concentration of 300 ppm. Seven effective full power days after

reaching an equivalent boron concentration of 300 ppm are

sufficient to ensure that the EOL limit will not be exceeded.

b. SR 3.1.3.2 is not required to be performed by measurement provided that the benchmark criteria in WCAP-13749-P-A (Ref. 4) are satisfied and the Revised Predicted MTC satisfies the 300 ppm surveillance limit specified in the COLR.

c. If the 300 ppm Surveillance limit is exceeded, it is possible that the EOL limit on MTC could be reached before the planned

EOL. Because the MTC changes slowly with core depletion, the

Frequency of 14 effective full power days is sufficient to avoid

exceeding the EOL limit.

(continued)

MTC B 3.1.3 Vogtle Units 1 and 2 B 3.1.3-7 Revision No. 34 BASES SURVEILLANCE SR 3.1.3.2 (continued)

REQUIREMENTS d. The Surveillance limit for RTP boron concentration of 60 ppm is conservative. If the measured MTC at 60 ppm is more positive

than the 60 ppm Surveillance limit, the EOL limit will not be

exceeded because of the gradual manner in which MTC

changes with core burnup.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 11.

2. FSAR, Chapter 15.

3. WCAP 9272-P-A, "Westinghouse Reload Safety Evaluation Methodology," July 1985.

4. WCAP-13749-P-A, "Safety Evaluation Supporting the Conditional Exemption of the Most Negative EOL Moderator Temperature Coefficient Measurement," March 1997.

Rod Group Alignment Limits B 3.1.4 (continued)

Vogtle Units 1 and 2 B 3.1.4-9 Revision No. 0 BASES ACTIONS C.1 (continued)

MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, which obviates concerns about the development of undesirable xenon or power distributions. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging the plant systems.

D.1.1 and D.1.2

More than one control rod becoming misaligned (but trippable) from its group average position is not expected, and has the potential to reduce SDM. Therefore, SDM must be evaluated. One hour allows the operator adequate time to determine SDM. Restoration of the required SDM, if necessary, requires increasing the RCS boron concentration required for potential xenon redistribution, the low probability of an accident to provide negative reactivity, as described in the Bases or LCO 3.1.1. The required Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> for initiating boration is reasonable, based on the time occurring, and the steps required to complete the action. This allows the operator sufficient time to align the required valves and start the boric acid pumps. Boration will continue until the required SDM is restored.

D.2 If more than one rod is found to be misaligned or becomes misaligned because of bank movement, the unit conditions fall outside of the accident analysis assumptions. Since automatic bank sequencing would continue to cause misalignment, the unit must be brought to a MODE or Condition in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

The allowed Completion Time is reasonable, based on operating experience, for reaching MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

Rod Group Alignment Limits B 3.1.4 (continued)

Vogtle Units 1 and 2 B 3.1.4-10 REVISION 14 BASES (continued)

SURVEILLANCE SR 3.1.4.1 REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.4.2

Exercising each individual control rod provides confidence that all rods continue to be OPERABLE without exceeding the alignment limit, even if they are not regularly tripped. Moving each control rod by 10 steps will not cause radial or axial power tilts, or oscillations, to occur. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Between required performances of SR 3.1.4.2 (determination of control rod OPERABILITY by movement), if a control rod(s) is discovered to be immovable, but remains trippable, the control rod(s) is considered to be OPERABLE. At any time, if a control rod(s) is immovable, a determination of the trippability (OPERABILITY) of the control rod(s) must be made, and appropriate action taken.

SR 3.1.4.3 Verification of rod drop times from the physical fully withdrawn position allows the operator to determine that the maximum rod drop time permitted is consistent with the assumed rod drop time used in the safety analysis. Measuring rod drop times prior to reactor criticality, after reactor vessel head removal, ensures that the reactor internals and rod drive mechanism will not interfere with rod motion or rod drop time, and that no degradation in these systems has occurred that would adversely affect

Shutdown Bank Insertion Limits B 3.1.5 Vogtle Units 1 and 2 B 3.1.5-5 REVISION 14 BASES SURVEILLANCE SR 3.1.5.1 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 10, GDC 26, and GDC 28.

2. 10 CFR 50.46.

3. FSAR, Subsection 15.4.3.

Control Bank Insertion Limits B 3.1.6 (continued)

Vogtle Units 1 and 2 B 3.1.6-5 Revision No. 0 BASES (continued)

ACTIONS A.1.1, A.1.2, A.2, B.1.1, B.1.2, and B.2 When the control banks are outside the acceptable insertion limits, they must be restored to within those limits. This restoration can occur in two ways:

a. Reducing power to be consistent with rod position; or

b. Moving rods to be consistent with power.

Also, verification of SDM or initiation of boration to regain SDM is

required within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, since the SDM in MODES 1 and 2 normally ensured by adhering to the control and shutdown bank insertion limits (see LCO 3.1.1, "SHUTDOWN MARGIN (SDM)) has been upset. If control banks are not within their insertion limits, then SDM will be verified by performing a reactivity balance calculation, considering the effects listed in the Bases for SR 3.1.1.1.

Similarly, if the control banks are found to be out of sequence or in the wrong overlap configuration, they must be restored to meet the limits. Operation beyond the LCO limits is allowed for a short time period in order to take conservative action because the simultaneous occurrence of either a LOCA, loss of flow accident, ejected rod accident, or other accident during this short time period, together with an inadequate power distribution or reactivity capability, has an acceptably low probability.

The allowed Completion Time of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for restoring the banks to within the insertion, sequence, and overlap limits provides an acceptable time for evaluating and repairing minor problems without allowing the plant to remain in an unacceptable condition for an extended period of time.

C.1 If Required Actions A.1 and A.2, or B.1 and B.2 cannot be completed within the associated Completion Times, the plant must be brought to MODE 3, where the LCO is not applicable. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, for reaching the required MODE from

Control Bank Insertion Limits B 3.1.6 (continued)

Vogtle Units 1 and 2 B 3.1.6-6 REVISION 14 BASES ACTIONS C.1 (continued) full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.1.6.1 REQUIREMENTS This Surveillance is required to ensure that the reactor does not achieve criticality with the control banks below their insertion limits.

Among the factors that impact the estimated critical position (ECP) is Xenon concentration, which varies with time, either increasing or decreasing depending on the amount of time since the trip occurred. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> limit within which the ECP must be verified within the insertion limits ensures that changes in Xenon concentration will be limited and, hence, it ensures that criticality will not occur with control rods outside of the insertion limits due to Xenon decay.

SR 3.1.6.2 The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. If the insertion limit monitor becomes inoperable, verification of the control bank position at a Frequency of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is sufficient to detect control banks that may be approaching the insertion limits.

SR 3.1.6.3 When control banks are maintained within their insertion limits as checked by SR 3.1.6.2 above, it is unlikely that their sequence and overlap will not be in accordance with requirements provided in the COLR. This surveillance is accomplished from the control room by verifying via the

Control Bank Insertion Limits B 3.1.6 Vogtle Units 1 and 2 B 3.1.6-7 REVISION 14 BASES SURVEILLANCE SR 3.1.6.3 (continued) REQUIREMENTS demand step counters that, for the plant conditions at that time, the sequence and overlap limits are satisfied. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. For the purposes of this surveillance, "fully withdrawn" is the defined all rods out (ARO) position.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 10, GDC 26, and GDC 28.

2. 10 CFR 50.46.

3. FSAR, Subsection 15.4.3.

Control Bank Insertion Limits B 3.1.6 Vogtle Units 1 and 2 B 3.1.6-8 Revision No. 0 Figure B 3.1.6-1 (page 1 of 1) Rod Bank Insertion Limits vs. Thermal Power

Rod Position Indication B 3.1.7 (continued)

Vogtle Units 1 and 2 B 3.1.7-5 Revision No. 0 BASES ACTIONS B.1 and B.2 (continued) These Required Actions ensure that when one or more rods with inoperable digital rod position indicators have been moved in excess of 24 steps in one direction, since the position was last determined, prompt action is taken to begin verifying that these rods are still properly positioned, relative to their group positions.

Either the rod positions must be determined within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />, or THERMAL POWER must be reduced to 50% RTP within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> to avoid undesirable power distributions that could result from continued operation at > 50% RTP, if one or more rods are misaligned by more than 24 steps. The allowed Completion Time of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> provides an acceptable period of time to verify the rod positions using the moveable incore detectors.

C.1.1 and C.1.2 With one demand position indicator per bank inoperable, the rod positions can be determined by the DRPI System. Since normal power operation does not require excessive movement of rods, verification by administrative means that the rod position indicators are OPERABLE and the most withdrawn rod and the least withdrawn

rod are 12 steps apart within the allowed Completion Time of once every 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> is adequate. This verification can be an examination of logs, administrative controls, or other information that all DRPIs in the affected bank are OPERABLE.

Reduction of THERMAL POWER to 50% RTP puts the core into a condition where rod position will not cause core peaking to approach core peaking factor limits. The allowed Completion Time of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> provides an acceptable period of time to verify the rod positions per Required Actions C.1.1 and C.1.2 or reduce power to 50% RTP.

D.1 If the Required Actions cannot be completed within the associated Completion Time, the plant must be brought to a MODE in which the requirement does not apply. To achieve

Rod Position Indication B 3.1.7 Vogtle Units 1 and 2 B 3.1.7-6 REVISION 14 BASES ACTIONS D.1 (continued) this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Time is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.1.7.1 REQUIREMENTS Verification that the DRPI agrees with the demand position within 12 steps ensures that the DRPI is operating correctly.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 13.

2. FSAR, Chapter 15.

PHYSICS TESTS Exceptions - MODE 2 B 3.1.8 (continued)

Vogtle Units 1 and 2 B 3.1.8-7 REVISION 14 BASES SURVEILLANCE SR 3.1.8.1 (continued) REQUIREMENTS

core protection during the performance of the PHYSICS TESTS. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is sufficient to ensure that the instrumentation is OPERABLE shortly before initiating PHYSICS TESTS.

SR 3.1.8.2

Verification that the RCS lowest loop Tavg is 541°F (TI-0412, TI-0422, TI-0432, and TI-0442) will ensure that the unit is not operating in a condition that could invalidate the safety analyses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.8.3 The SDM is verified by performing a reactivity balance calculation, considering the following reactivity effects:

a. RCS boron concentration;

b. Control bank position;

c. RCS average temperature;

d. Fuel burnup based on gross thermal energy generation;

e. Xenon concentration;

f. Samarium concentration; and

g. Isothermal temperature coefficient (ITC).

Using the ITC accounts for Doppler reactivity in this calculation because reactor operation is relatively steady-state, and the fuel temperature will be changing at the same rate as the RCS.

PHYSICS TESTS Exceptions - MODE 2 B 3.1.8 Vogtle Units 1 and 2 B 3.1.8-8 REVISION 14 BASES SURVEILLANCE SR 3.1.8.3 (continued) REQUIREMENTS

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. 10 CFR 50, Appendix B, Section XI.

2. 10 CFR 50.59.

3. Regulatory Guide 1.68, Revision 2, August 1978.

4. WCAP-9272-P-A, "Westinghouse Reload Safety Evaluation Methodology Report," July 1985.

5. WCAP-11618, including Addendum 1, April 1989.

6. WCAP-13360-P-A, "Westinghouse Dynamic Rod Worth Measurement Technique," January 1996.

F Q (Z) B 3.2.1 (continued)

Vogtle Units 1 and 2 B 3.2.1-3 REVISION 15 BASES LCO (continued)

where: F RTP Q is the F Q(Z) limit at RTP provided in the COLR, K(Z) is the normalized F Q(Z) as a function of core height provided in the COLR, and RTP POWER THERMAL = P For this facility, the actual values of F RTP Q and K(Z) are given in the COLR; however, F RTP Qis normally a number on the order of 2.50, and K(Z) is a function that looks like the one provided in Figure B 3.2.1-1.

An F Q(Z) evaluation requires obtaining an incore flux map in MODE 1. From the incore flux map results we obtain the measured value

(F M Q (Z)) of F Q (Z). Then, when using 44 detector thimbles:

F Q (Z) = F M Q(Z) X 1.0815 where 1.0815 is a factor that accounts for fuel manufacturing tolerances (3%) and flux map measurement uncertainty (5%), or when using 29 and < 44 thimbles:

F Q (Z) = F M Q (Z) x 1.03 x [1.05 + [2.0 {3-T/(14.5)}]/100], where 1.03 accounts for fuel manufacturing tolerances with a more conservative flux map measurement uncertainty factor to account for the fewer detector thimbles available, and T is the number of thimbles being used. A bounding measurement uncertainty of 7.0 %, which is based on 29 thimbles, can be used for 29 and < 44 detector thimbles, if desired. F Q(Z) evaluations for comparison to the steady

()()0.5 > P for ZK P F Z F RTP Q Q()()0.5 P for ZK 0.5 F Z F RTP Q Q F Q (Z) B 3.2.1 (continued)

Vogtle Units 1 and 2 B 3.2.1-4 REVISION 15 BASES LCO state limits are applicable in all axial core regions, i.e., from 0 to 100% (continued) inclusive.

Because flux maps are taken in steady state conditions, the variations

in power distribution resulting from normal operational maneuvers are not present in the flux map data. These variations are, however, conservatively calculated by considering a wide range of unit maneuvers in normal operation. The maximum peaking factor increase over steady state values, calculated as a function of core elevation, Z, is called W(Z).

The W(Z) curve is provided in the COLR for discrete core elevations.

FQ(Z) evaluations for comparison to the transient limits are not applicable for the following axial core regions, measured in percent of core height:

a. Lower core region, from 0 to 8% inclusive; and

b. Upper core region, from 92 to 100% inclusive.

The top and bottom 8% of the core are excluded from the evaluation because of the low probability that these regions would be more limiting in the safety analyses and because of the difficulty of making

a precise measurement in these regions.

To account for power distribution transients encountered during normal operation, the transient limits for F Q(Z) are established utilizing the cycle dependent function W(Z). To ensure that F Q (Z) will not become excessively high if a normal operational transient occurs, F Q(Z) shall be limited by the following relationships which define the transient limits:

()()()()0.5 P for 0.5W(Z)ZK F Z F0.5 > P for PW(Z)ZK F Z F RTP Q Q RTP Q Q The F Q(Z) limits define limiting values for core power peaking that precludes peak cladding temperatures above 2200

°F during either a large or small break LOCA.

This LCO requires operation within the bounds assumed in the safety analyses. Calculations are performed in the core design process to confirm that the core can be controlled in such a manner during F Q (Z) B 3.2.1 (continued)

Vogtle Units 1 and 2 B 3.2.1-5 REVISION 15 BASES LCO operation that it can stay within the LOCA F Q(Z) limits. If F Q(Z) cannot (continued) be maintained within the LCO limits, reduction of the core power is required.

Violating the LCO limits for F Q (Z) produces unacceptable consequences if a design basis event occurs while F Q(Z) is outside its specified limits.

APPLICABILITY The F Q(Z) limits must be maintained in MODE 1 to prevent core power distributions from exceeding the limits assumed in the safety analyses. Applicability in other MODES is not required because there is either insufficient stored energy in the fuel or insufficient energy being transferred to the reactor coolant to require a limit on the distribution of core power.

ACTIONS A.1 Reducing THERMAL POWER by 1% RTP for each 1% by which F Q(Z) exceeds its steady state limit, maintains an acceptable absolute power density. F Q(Z) is F M Q(Z) multiplied by a factor accounting for manufacturing tolerances and measurement uncertainties. F M Q (Z) is the measured value of F Q(Z). The Completion Time of 15 minutes provides an acceptable time to reduce power in an orderly manner and without allowing the plant to remain in an unacceptable condition for an extended period of time.

A.2 A reduction of the Power Range Neutron Flux-High trip setpoints by 1% of RTP for each 1% by which F Q(Z) exceeds its steady state limit, is a conservative action for protection against the consequences of severe transients with unanalyzed power distributions. The Completion Time of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> is sufficient considering the small likelihood of a severe transient in this time period and the preceding prompt reduction in THERMAL POWER in accordance with Required

Action A.1.

A.3 Reduction in the Overpower T trip setpoints (value of K

4) by 1% (in %RTP) for each 1% by which F Q(Z) exceeds its limit, is a conservative

F Q (Z) B 3.2.1 (continued)

Vogtle Units 1 and 2 B 3.2.1-6 Revision No. 0 BASES ACTIONS A.3 (continued) action for protection against the consequences of severe transients with unanalyzed power distributions. The Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is sufficient considering the small likelihood of a severe transient in this time period and the preceding prompt reduction in THERMAL POWER in accordance with Required Action A.1.

A.4 Verification that F Q(Z) has been restored to within its limit, by performing SR 3.2.1.1 prior to increasing THERMAL POWER above the limit imposed by Required Action A.1, ensures that core conditions during operation at higher power levels are consistent with safety analyses assumptions.

B.1 If it is found that F Q(Z) exceeds its specified transient limits, there exists a potential for F Q(Z) to become excessively high if a normal operational transient occurs. Reducing the AFD limit by 1% for each 1% by which F Q(Z) exceeds its transient limits within the allowed Completion Time of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, restricts the axial flux distribution such that even if a transient occurred, core peaking factors are not exceeded (Ref. 5). The percent F Q(Z) exceeds its transient limit is calculated based on the following expressions:

0.5Pfor100x1 P(Z)KF(Z)W(Z)FZover maximum RTP Q Q>

F Q (Z) B 3.2.1 (continued)

Vogtle Units 1 and 2 B 3.2.1-7 Revision No. 0 BASES ACTIONS B.1 (continued) 0.5Pfor100x1 0.5(Z)KF(Z)W(Z)FZover maximum RTP Q Q C.1 If Required Actions A.1 through A.4 or B.1 are not met within their associated Completion Times, the plant must be placed in a mode or condition in which the LCO requirements are not applicable. This is done by placing the plant in at least MODE 2 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

This allowed Completion Time is reasonable based on operating experience regarding the amount of time it takes to reach MODE 2 from full power operation in an orderly manner and without challenging plant systems.

SURVEILLANCE During power ascension following a refueling, the first determination REQUIREMENTS of F Q(Z) is not required until after achieving equilibrium conditions at any power level above 50% RTP. This Frequency condition, together with the Frequency condition requiring verification of F Q (Z) and following a power increase of more than 20%, ensures that F Q (Z) is verified as soon as RTP (or any other level for extended operation) is achieved. In the absence of these Frequency conditions, it is possible to increase power to RTP and operate for 31 days without verification

of F Q(Z). The Frequency condition is not intended to require verification of these parameters after every 20% increase in power level above the last verification. It only requires verification after a power level is achieved for extended operation that is at least 20% higher than that power at which F Q (Z) was last measured.

F Q (Z) B 3.2.1 (continued)

Vogtle Units 1 and 2 B 3.2.1-8 REVISION 17 BASES SURVEILLANCE SR 3.2.1.1 REQUIREMENTS (continued) Verification that F Q(Z) is within its specified limits involves increasing F M Q(Z) to allow for manufacturing tolerance and measurement uncertainties in order to obtain F Q(Z). Specifically, F M Q(Z) is the measured value of F Q(Z) obtained from incore flux map results. When using 44 detector thimbles, F Q (Z) = F M Q (Z) X 1.0815 (Ref. 4), and when using 29 and < 44 thimbles, F Q (Z) = F M Q (Z) x 1.03 x [1.05 + [2.0 {3-T/(14.5)}]/100], where T = the number of detector thimbles used (Ref. 6). A bounding measurement uncertainty of 7.0 %, which is based on 29 thimbles, can be used for 29 and < 44 detector thimbles, if desired. During the initial startup after a refueling outage up to and including performance of the first flux map at 100% RTP, 44 detector thimbles, with 2 detector thimbles per core quadrant as identified in TRM Figure 13.3.1-1 are required. This Note does not have to be met for Vogtle Unit 1, Cycle 17 based on the successful performance of the flux map at 30% RTP. F Q (Z) is then compared to its steady state and transient limits specified in the COLR.

Performing this Surveillance in MODE 1 after exceeding 50% RTP following refueling ensures that the F Q(Z) limit is met when RTP is achieved, because peaking factors generally decrease as power level is increased. In addition, at power levels above 50% RTP, equilibrium Xenon conditions approach those more closely at RTP. Therefore, performing the Surveillance at a power level

above 50% RTP ensures a more accurate measurement of F Q (Z). If THERMAL POWER has been increased by 20% RTP since the last determination of F Q(Z), another evaluation of this factor is required after achieving equilibrium conditions at this higher power level (to ensure that F Q(Z) values are being reduced sufficiently with power increase to stay within the LCO limits).

The Surveillance Frequency is controlled under the Surveillance

Frequency Control Program.

SR 3.2.1.2 This surveillance determines if F Q(Z) will remain within its limit during a normal operational transient. If F Q(Z) is determined to exceed the transient limit, Action B.1 requires that the AFD limit be reduced 1% for each 1% F Q(Z) exceeds the transient limit. This

F Q (Z) B 3.2.1 (continued)

Vogtle Units 1 and 2 B 3.2.1-9 REVISION 15 BASES SURVEILLANCE SR 3.2.1.2 (continued) REQUIREMENTS will ensure that F Q(Z) will not exceed the transient limit during a normal operational transient within the reduced AFD limit.

Demonstrating that F Q(Z) is within the transient limit or reducing the AFD limit if the transient F Q(Z) limit was initially exceeded, only ensures that the transient F Q(Z) limit will not be exceeded at the time F Q(Z) was evaluated. This does not ensure that the limit will not be exceeded during the following surveillance interval. Both the steady state and transient F Q(Z) change as a function of core burnup.

If the two most recent F Q(Z) evaluations show an increase in the quantity maximum over z k(Z)(Z)F Q , it is not guaranteed that F Q(Z) will remain within the transient limit during the following surveillance interval. SR 3.2.1.2 is modified by a Note to determine if there is sufficient margin to the transient F Q (Z) limit to ensure that the limit will not be exceeded during the following surveillance interval. This is accomplished by increasing F Q(Z) by a penalty specified in the COLR and comparing this value to the

transient F Q(Z) limit. If there is insufficient margin, i.e., this value exceeds the limit, SR 3.2.1.2 must be repeated once per 7 EFPD until

either F Q(Z) increased by the penalty factor is within the transient limit or, two successive (i.e., subsequent consecutive) flux maps indicate maximum over z k(Z)(Z)F Q , has not increased.

Performing the Surveillance in MODE 1 after exceeding 50% RTP following refueling ensures that the F Q(Z) limits are met when RTP is achieved, because peaking factors are generally decreased as power level is increased. In addition, at power levels above 50% RTP, equilibrium Xenon conditions approach more closely those at RTP.

Therefore, performing the Surveillance at a power level above 50%

RTP ensures a more accurate measurement of F Q (Z). F Q(Z) is verified at power levels 20% RTP above the THERMAL POWER of its last verification, after achieving

F Q (Z) B 3.2.1 Vogtle Units 1 and 2 B 3.2.1-10 REVISION 15 BASES SURVEILLANCE SR 3.2.1.2 (continued) REQUIREMENTS equilibrium conditions to ensure that F Q(Z) is within its limit at higher power levels.

The Surveillance Frequency is controlled under the Surveillance

Frequency Control Program.

REFERENCES 1. 10 CFR 50.46, 1974.

2. FSAR Subsection 15.4.8.

3. 10 CFR 50, Appendix A, GDC 26.

4. WCAP-7308-L-P-A, "Evaluation of Nuclear Hot Channel Factor Uncertainties," June 1988.

5. WCAP-10216-P-A, Revision 1A, "Relaxation of Constant Axial Offset Control FQ Surveillance Technical Specification,"

February 1994.

6. GP-18735, "Evaluation of a Reduction in the Required Number of Movable Incore Detector Thimbles," January 31, 2011.

7. GP-18767, "Southern Nuclear Operating Company, Vogtle Electric Generating Plant Units 1 and 2, Cycle 17 Movable Incore Detector Thimble Evaluation," April 4, 2011.

NH F B 3.2.2 Vogtle Units 1 and 2 B 3.2.2-7 REVISION 17 BASES ACTIONS B.1 (continued)

MODE 2 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience regarding the time required to reach MODE 2 from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.2.2.1 REQUIREMENTS The value of F N H is determined by using the movable incore detector system to obtain a flux distribution map. A data reduction computer program then calculates the maximum value of F N H from the measured flux distributions. Before making comparisons to the F N Hlimit, the measured value of F N H must be multiplied by a measurement uncertainty factor. When using 44 detector thimbles, the measured value of F N H must be multiplied by 1.04. When using 29 and < 44 detector thimbles, the measured value of F N H must be multiplied by 1.04 + [2.0 {3-T/(14.5)}]/100, where T = the number of detector thimbles used. A bounding measurement uncertainty of 6.0 %, which is based on 29 thimbles, can be used for 29 and < 44 detector thimbles, if desired. During the initial startup after a refueling outage up to and including performance of the first flux map at 100%

RTP, 44 detector thimbles, with 2 detector thimbles per core quadrant as identified in TRM Figure 13.3.1-1 are required. This Note does not have to be met for Vogtle Unit 1, Cycle 17 based on the successful performance of the flux map at 30% RTP.

After each refueling, F N H must be determined in MODE 1 prior to exceeding 75% RTP. This requirement ensures that F N H limits are met at the beginning of each fuel cycle.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR Subsection 15.4.8.

2. 10 CFR 50, Appendix A, GDC 26.

3. 10 CFR 50.46.

AFD (RAOC Methodology) B 3.2.3 (continued)

Vogtle Units 1 and 2 B 3.2.3-3 Rev. 1-1/00 BASES LCO (continued)

Signals are available to the operator from the Nuclear Instrumentation System (NIS) excore neutron detectors (NI-0041B, NI-0042B, NI-0043B, NI-0044B). Separate signals are taken from the top and bottom detectors. The AFD is defined as the difference in normalized flux signals between the top and bottom excore detectors in each detector well multiplied by nuclear gain such that AFD equals core average axial offset at Rated Thermal Power.

The AFD limits are provided in the COLR. Figure B 3.2.3-1 shows typical RAOC AFD limits. The AFD limits for RAOC do not depend on the target flux difference. However, the target flux difference may be used to minimize changes in the axial power distribution.

Violating this LCO on the AFD could produce unacceptable consequences if a Condition 2, 3, or 4 event occurs while the AFD is outside its specified limits.

APPLICABILITY The AFD requirements are applicable in MODE 1 above 50% RTP when the combination of THERMAL POWER and core peaking factors are of primary importance in safety analysis.

For AFD limits developed using RAOC methodology, the value of the AFD does not affect the limiting accident consequences with THERMAL POWER < 50% RTP and for lower operating power MODES.

ACTIONS A.1 As an alternative to restoring the AFD to within its specified limits, Required Action A.1 requires a THERMAL POWER reduction to < 50% RTP. This places the core in a condition for which the value of the AFD is not important in

AFD (RAOC Methodology) B 3.2.3 Vogtle Units 1 and 2 B 3.2.3-4 REVISION 14 BASES ACTIONS A.1 (continued) the applicable safety analyses. A Completion Time of 30 minutes is reasonable, based on operating experience, to reach 50% RTP without challenging plant systems.

SURVEILLANCE SR 3.2.3.1 REQUIREMENTS The AFD is monitored on an automatic basis using the unit process computer, which has an AFD monitor alarm. The computer determines the 1-minute average of each of the OPERABLE excore detector outputs and provides an alarm message immediately if the AFD for two or more OPERABLE excore channels is outside its specified limits.

This Surveillance verifies that the AFD, as indicated by the NIS excore channel, is within its specified limits and is consistent with the status of the AFD monitor alarm. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. With the AFD monitor alarm inoperable, the AFD is monitored every hour to detect operation outside its limit. The Frequency of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is based on operating experience regarding the amount of time required to vary the AFD, and the fact that the AFD is closely monitored.

REFERENCES 1. WCAP-8403 (nonproprietary), "Power Distribution Control and Load Following Procedures," Westinghouse Electric Corporation, September 1974.

2. R. W. Miller et al., "Relaxation of Constant Axial Offset Control:

F Q Surveillance Technical Specification," WCAP-10216(NP), June 1983.

QPTR B 3.2.4 Vogtle Units 1 and 2 B 3.2.4-1 Revision No. 0 B 3.2 POWER DISTRIBUTION LIMITS

B 3.2.4 QUADRANT POWER TILT RATIO (QPTR)

BASES BACKGROUND The QPTR limit ensures that the radial power distribution remains consistent with the design values used in the safety analyses. The power density at any point in the core must be limited so that the fuel design criteria are maintained. Together, LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," LCO 3.2.4, and LCO 3.1.7, "Control Rod Insertion Limits," provide limits on process variables that characterize and control the three dimensional power distribution of the reactor core. Control of these variables ensures that the core operates within the fuel design criteria and that the power distribution remains within the bounds used in the safety analyses.

APPLICABLE This LCO precludes core power distributions that violate SAFETY ANALYSES the following fuel design criteria:

a. During a large break loss of coolant accident, the peak cladding temperature must not exceed 2200F (Ref. 1);

b. During a loss of forced reactor coolant flow accident, there must be at least 95% probability at the 95% confidence level (the 95/95 departure from nucleate boiling (DNB) criterion) that the hot fuel rod in the core does not experience a DNB condition;

c. During an ejected rod accident, the fission energy input to the fuel will be below 200 cal/gm (Ref. 2); and

d. The control rods must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod stuck fully withdrawn (Ref. 3).

The LCO limits on the AFD, the QPTR, the Heat Flux Hot Channel Factor (F Q(Z)), the Nuclear Enthalpy Rise Hot Channel Factor ( )and control bank insertion are

(continued)

NH F QPTR B 3.2.4 Vogtle Units 1 and 2 B 3.2.4-2 Rev. 1-10/01 BASES APPLICABLE established to preclude core power distributions that exceed SAFETY ANALYSES the safety analyses limits.

(continued) The QPTR limits ensure that and F Q(Z) remain below their limiting values by preventing an undetected change in the radial power distribution.

In MODE 1, the and F Q(Z) limits must be maintained to preclude core power distributions from exceeding design limits assumed in the safety analyses.

The QPTR satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO The QPTR limit of 1.02, at which corrective action is required, provides a margin of protection for both the DNB ratio and linear heat generation rate contributing to excessive power peaks resulting from X-Y plane power tilts. The value of 1.02 was selected because the purpose of the LCO is to limit, or require detection of, gross changes in core power distribution between monthly incore flux maps. In addition, it is the lowest value of quadrant power tilt that can be used for an alarm without spurious actuation.

APPLICABILITY The QPTR limit must be maintained in MODE 1 with THERMAL POWER > 50% RTP to prevent core power distributions from exceeding the design limits.

Applicability in MODE 1 50% RTP and in other MODES is not required because there is either insufficient stored energy in the fuel or insufficient energy being transferred to the reactor coolant to require the implementation of a QPTR limit on the distribution of core power. The QPTR limit in these conditions is, therefore, not important. Note that the F NH and F Q(Z) LCOs still apply, but allow progressively higher peaking factors at 50% RTP or lower.

(continued)

NH F NH F QPTR B 3.2.4 Vogtle Units 1 and 2 B 3.2.4-3 Revision No. 0 BASES (continued)

ACTIONS A.1 With the QPTR exceeding its limit, limiting THERMAL POWER to 3% below RTP for each 1% by which the QPTR exceeds 1.00 is a conservative tradeoff of total core power with peak linear power. The Completion Time of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> allows sufficient time to identify the cause and correct the tilt. Note that the power reduction itself may cause a change in the tilted condition.

A.2.1 and A.2.2 Because the QPTR alarm is already in its alarmed state, any additional changes in the QPTR are detected by requiring a check of the QPTR once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. If the QPTR continues to increase, THERMAL POWER has to be reduced accordingly within the following 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. A Note clarifies that the Completion Time of Required Action A.2.2 begins after Required Action A.2.1 is complete.

These Completion Times are sufficient because any additional change in QPTR would be relatively slow.

A.3 The peaking factors and F Q(Z) are of primary importance in ensuring that the power distribution remains consistent with the initial conditions used in the safety analyses.

Performing SRs on and F Q(Z) within the Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after achieving equilibrium conditions with THERMAL POWER limited by Required Action A.1 or A.2.2 ensures that these primary indicators of power distribution are within their respective limits. The above Completion Time takes into consideration the rate at which peaking factors are likely to change, and the time required to stabilize the plant and perform a flux map. If these peaking factors are not within their limits, the Required Actions of these Surveillances provide an appropriate response for the abnormal condition. If the QPTR remains above its specified limit, the peaking factor surveillances are required each 7 days thereafter to evaluate and

(continued)

NH F NH F NH F QPTR B 3.2.4 Vogtle Units 1 and 2 B 3.2.4-4 Revision No. 0 BASES ACTIONS A.3 (continued)

F Q(Z) with changes in power distribution. Relatively small changes are expected due to either burnup and xenon redistribution or correction of the cause for exceeding the QPTR limit.

A.4 When the QPTR exceeds its limit, it does not necessarily mean a safety concern exists. It does mean that there is an indication of a change in the radial power distribution that requires an investigation and evaluation that is accomplished by examining the power distribution using the incore detectors. Specifically, the core peaking must be evaluated because they are the factors that best characterize the core power distribution. This reevaluation is required to ensure that, for the duration of operation in accordance with Condition A of this LCO, before increasing THERMAL POWER to above the limit of Required Action A.1 and A.2.2, the reactor core conditions (peaking factors) are consistent with the assumptions in the safety analyses and will remain so after the return to RTP.

However, if prior to performing SR 3.2.1.1 and SR 3.2.2.1, QPTR is restored to within the limit, either due to prior completion of Required Actions or due to core performance characteristics that result in the QPTR out-of-limit condition correcting itself, Required Action A.3 and any other required actions would no longer apply because Condition A of LCO 3.2.4 would be exited in accordance with LCO 3.0.2 due to restoration of full compliance with LCO 3.2.4.

If it is determined that a sustained change in the radial power distribution has occurred, and Required Action A.3 has been completed with satisfactory results, an increase in THERMAL POWER above the limit of Required Action A.1 may be appropriate.

The necessary sequence of Required Actions, beginning with Required Action A.4, would be as follows prior to increasing THERMAL POWER above the limit of Required Action A.1 and A.2.2.

(continued)

QPTR B 3.2.4 Vogtle Units 1 and 2 B 3.2.4-5 Revision No. 0 BASES ACTIONS A.4 (continued)

1. Verify by the reevaluation of the safety analyses that after the sustained change in radial power distribution, the core conditions remain within the assumptions of the safety analyses and will remain so after return to RTP (Required Action A.4), and

2. Recalibrate the power range detectors to reset QPTR to 1.00 (Required Action A.5).

If these actions are completed with satisfactory results, THERMAL POWER may be increased above the limit of Required Action A.1 and A.2.2. After power is increased, the peaking factors are again verified to be within limits. Upon the satisfactory completion of Required Action A.6, Condition A of LCO 3.2.4 can be exited.

A.5 If the QPTR has exceeded the 1.02 limit and a reevaluation of the safety analysis is completed and shows that safety requirements are met, the excore detectors are recalibrated to show a QPTR of 1.00 prior to increasing THERMAL POWER to above the limit of Required Action A.1 and A.2.2. This is done to detect subsequent changes in QPTR. For tilted conditions caused by power reduction, allowing time to pass may permit QPTR to return to 1.02, thus avoiding the need to recalibrate the power range detectors.

Required Action A.5 is modified by a Note that states that the QPTR is not recalibrated to 1.00 until after the reevaluation of the safety analysis has determined that core conditions at RTP are within the safety analysis assumptions (i.e., Required Action A.4). This Note is intended to prevent any ambiguity about the required sequence of actions.

A.6 Once QPTR is recalibrated to 1.00 (i.e., Required Action A.5 is performed), it is acceptable to return to full power operation. However, as an added check that the core

(continued)

QPTR B 3.2.4 Vogtle Units 1 and 2 B 3.2.4-6 Revision No. 0 BASES ACTIONS A.6 (continued) power distribution at RTP is consistent with the safety analysis assumptions, Required Action A.6 requires verification that F Q(Z) and are within their specified limits within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of reaching RTP.

As an added precaution, if the core power does not reach RTP within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, but is increased slowly, then the peaking factor surveillances must be performed within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> of the time when the ascent to power was begun. These Completion Times are intended to allow adequate time to increase THERMAL POWER to above the limit of Required Action A.1 and A.2.2, while not permitting the core to remain with unconfirmed power distributions for extended periods of time. Required Action A.6 is modified by a Note that states that the peaking factor surveillances may only be done after the excore detectors have been calibrated to show QPTR = 1.00 (i.e., Required Action A.5). The intent of this Note is to have the peaking factor surveillances performed at operating power levels, which can only be accomplished after the excore detectors are calibrated to show QPTR = 1.00 and the core returned to power.

B.1 If Required Actions A.1 through A.6 are not completed within their associated Completion Times, the unit must be brought to a MODE or condition in which the requirements do not apply. To achieve this status, THERMAL POWER must be reduced to < 50% RTP within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. The allowed Completion Time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is reasonable, based on operating experience regarding the amount of time required to reach the reduced power level without challenging plant systems.

SURVEILLANCE SR 3.2.4.1 REQUIREMENTS SR 3.2.4.1 is modified by a Note that allows QPTR to be calculated with three power range channels if one power range channel is inoperable.

(continued)

NH F QPTR B 3.2.4 (continued)

Vogtle Units 1 and 2 B 3.2.4-7 REVISION 14 BASES SURVEILLANCE SR 3.2.4.1 (continued) REQUIREMENTS This Surveillance verifies that the QPTR, as indicated by the Nuclear Instrumentation System (NIS) excore channels, is within its limits.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Valid inputs to the detector current comparator from the upper and lower sections from 3 or 4 power range channels are required for the QPTR alarm to be OPERABLE.

When the QPTR alarm is inoperable, the Frequency is increased to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. This Frequency is adequate to detect any relatively slow changes in QPTR, because for those causes of QPTR that occur quickly (e.g., a dropped rod), there typically are other indications of abnormality that prompt a verification of core power tilt.

SR 3.2.4.2 This Surveillance is modified by a Note, which states that the surveillance is only required to be performed if input to QPTR from one or more Power Range Neutron Flux channels is inoperable with THERMAL POWER 75% RTP. With an NIS power range channel inoperable, tilt monitoring for a portion of the reactor core becomes degraded. Large tilts are likely detected with the remaining channels, but the capability for detection of small power tilts in some quadrants is decreased. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

When one power range channel is inoperable, the incore detectors are used to confirm that the normalized symmetric power distribution is consistent with the indicated QPTR. The incore detector monitoring is performed with a full incore flux map or two sets of four thimble locations with quarter core symmetry. The two sets of four symmetric thimbles is a set of eight unique detector locations. These locations

are C-8, E-5, E-11, H-3, H-13, L-5, L-11, and N-8.

QPTR B 3.2.4 Vogtle Units 1 and 2 B 3.2.4-8 Revision No. 0 BASES SURVEILLANCE SR 3.2.4.2 (continued) REQUIREMENTS The flux map can be used to generate power tilt. This can be compared to a reference tilt, from the most recent calibration flux map.

Therefore, the incore detectors can be used to confirm the accuracy of the QPTR as indicated by the excore detectors.

REFERENCES 1. 10 CFR 50.46.

2. FSAR Subsection 15.4.8.

3. 10 CFR 50, Appendix A, GDC 26.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-1 Rev. 1 - 9/03 B 3.3 INSTRUMENTATION

B 3.3.1 Reactor Trip System (RTS) Instrumentation

BASES BACKGROUND The RTS initiates a unit shutdown, based on the values of selected unit parameters, to protect against violating the core fuel design limits and Reactor Coolant System (RCS) pressure boundary during anticipated operational occurrences (AOOs) and to assist the Engineered Safety Features (ESF) Systems in mitigating accidents.

The protection and monitoring systems have been designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RTS, as well as specifying LCOs on other reactor system parameters and equipment performance.

The LSSS, in conjunction with the LCOs, establish the threshold for protective system action to prevent exceeding acceptable limits during Design Basis Accidents (DBAs).

During AOOs, which are those events expected to occur one or more times during the unit life, the acceptable limits are:

1. The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the Safety Limit (SL) value to prevent departure from nucleate boiling (DNB);

2. Fuel centerline melt shall not occur; and

3. The RCS pressure SL of 2750 psia shall not be exceeded.

Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10 CFR 20 and 10 CFR 100 criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that offsite dose shall be maintained within an acceptable fraction of 10 CFR 100

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-2 REVISION 20 BASES BACKGROUND limits. Different accident categories are allowed a different fraction (continued) of these limits, based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

The RTS instrumentation is segmented into four distinct but interconnected modules as illustrated in Figure 7.1.1-1, FSAR, Chapter 7 (Ref. 1), and as identified below:

1. Field transmitters or process sensors: provide a measurable electronic signal based upon the physical characteristics of the

parameter being measured;

2. Signal Process Control and Protection System, including Analog Protection System, Nuclear Instrumentation System (NIS), field contacts, and protection channel sets: provides signal conditioning, bistable setpoint comparison, process algorithm actuation, compatible electrical signal output to protection system channels, and control board/control room/miscellaneous indications;

3. Solid State Protection System (SSPS), including input, logic, and output bays: initiates proper unit shutdown and/or ESF actuation in accordance with the defined logic, which is based on the bistable outputs from the signal process control and protection system; and

4. Reactor trip switchgear, including reactor trip breakers (RTBs) and bypass breakers: provides the means to interrupt power to the control rod drive mechanisms (CRDMs) and allows the rod cluster control assemblies (RCCAs), or "rods," to fall into the core and shut down the reactor. The bypass breakers allow testing of the RTBs at power.

Field Transmitters or Sensors To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. To account for the calibration tolerances and instrument drift, which

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-3 REVISION 20 BASES BACKGROUND Field Transmitters or Sensors (continued)

are assumed to occur between calibrations, statistical allowances are provided in the Nominal Trip Setpoint (NTSP) and Allowable Values. The OPERABILITY of each transmitter or sensor can be evaluated when its "as found" calibration data are compared against its documented acceptance criteria.

Signal Process Control and Protection System

Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with NTSPs derived from Analytical Limits established by the safety analyses. Analytical Limits are defined in FSAR, Chapter 7 (Ref. 1), Chapter 6 (Ref. 2), and Chapter 15 (Ref. 3). If the measured value of a unit parameter exceeds the predetermined setpoint, an output from a bistable is forwarded to the SSPS for decision evaluation. Channel separation is maintained up to and through the input bays. However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.

Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails, such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic.

Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-4 REVISION 20 BASES BACKGROUND Signal Process Control and Protection System (continued)

the other channels providing the protection function actuation.

Again, a single failure will neither cause nor prevent the protection function actuation. These requirements are described in IEEE-279-1971 (Ref. 4). The actual number of channels required for each unit parameter is specified in Reference 1.

Two logic channels are required to ensure no single random failure of a logic channel will disable the RTS. The logic channels are designed such that testing required while the reactor is at power may be accomplished without causing trip.

Provisions to allow removing logic channels from service during maintenance are unnecessary because of the logic system's designed reliability.

Nominal Trip Setpoints and Allowable Values The trip setpoints used in the bistables are based on the analytical limits stated in Reference 1. The calculation of the Nominal Trip Setpoints specified in Table 3.3.1-1 is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RTS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 5), the Allowable Values specified in Table 3.3.1-1 in the accompanying LCO are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the Allowable Values and NTSPs, including their explicit uncertainties, is provided in the "RTS/ESFAS Setpoint Methodology Study" (Ref. 6). The as-left and as-found tolerance band methodology is provided in NMP-ES-033-006, Vogtle Setpoint Uncertainty Methodology and Scaling Instructions. The magnitudes of these uncertainties are factored into the determination of each NTSP and corresponding Allowable Value. The trip setpoint entered into the bistable is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a COT. The Allowable Value serves as the as-found Technical Specification OPERABILITY limit for the purpose of the COT.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-5 REVISION 20 BASES BACKGROUND Trip Setpoints and Allowable Values (continued)

Nominal Trip Setpoints in conjunction with the use of as-found and as-left tolerances, together with the requirements of the Allowable Value ensure that SLs are not violated during AOOs (and that the consequences of DBAs will be acceptable, providing the unit is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed). For the purpose of

demonstrating compliance with 10 CFR 50.36 to the extent that the Technical Specifications are required to specify Limiting Safety System Settings (LSSS), the LSSS for VEGP are comprised of the Nominal Trip Setpoints specified in Table 3.3.1-1. The Nominal Trip Setpoint is the expected value to be achieved during calibrations. The Nominal Trip Setpoint considers all factors which may affect channel performance by statistically combining rack drift, rack measurement and test equipment effects, rack calibration accuracy, rack comparator setting accuracy, rack temperature effects, sensor measurement and test equipment effects, sensor calibration accuracy, primary element accuracy, and process measurement accuracy. The Nominal Trip Setpoint is the value that will always ensure that safety analysis limits are met (with margin) given all of the above effects. The Allowable Value has been established by considering the values assumed for rack effects only. Note that the Allowable Values listed in Table 3.3.1-1 are the least conservative value of the as-found setpoint that a channel can have during a periodic CHANNEL CALIBRATION, CHANNEL OPERATIONAL TESTS, or a TRIP ACTUATING DEVICE OPERATIONAL TEST that requires a trip setpoint verification.

Each channel of the process control equipment can be tested on line to verify that the signal or setpoint accuracy is within the specified allowance requirements of Reference 2. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SRs section.

The Nominal Trip Setpoints and Allowable Values listed in Table 3.3.1-1 are based on the methodology described in Reference 6, which incorporates all of the known uncertainties applicable for each channel. The magnitudes of these uncertainties are factored into the determination of each Nominal Trip Setpoint. All field sensors and signal

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-6 Rev. 1-6/98 BASES BACKGROUND Trip Setpoints and Allowable Values (continued) processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes.

Solid State Protection System The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide reactor trip and/or ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result. Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-7 Revision No. 0 BASES BACKGROUND Solid State Protection System (continued) requirements. The system has been designed to trip in the event of a loss of power, directing the unit to a safe shutdown condition.

The SSPS performs the decision logic for actuating a reactor trip or ESF actuation, generates the electrical output signal that will initiate the required trip or actuation, and provides the status, permissive, and annunciator output signals to the main control room of the unit.

The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various unit upset and accident transients. If a required logic matrix combination is completed, the system will initiate a reactor trip or send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.

Reactor Trip Switchgear

The RTBs are in the electrical power supply line from the control rod drive motor generator set power supply to the CRDMs. Opening of the RTBs interrupts power to the CRDMs, which allows the shutdown rods and control rods to fall into the core by gravity. Each RTB is equipped with a bypass breaker to allow testing of the RTB while the unit is at power. During normal operation the output from the SSPS is a voltage signal that energizes the undervoltage coils in the RTBs and bypass breakers, if in use. When the required logic matrix combination is completed, the SSPS output voltage signal is removed, the undervoltage coils are de-energized, the breaker trip lever is actuated by the de-energized undervoltage coil, and the RTBs and bypass breakers are tripped open. This allows the shutdown rods and control rods to fall into the core. In addition to the de-energization of the undervoltage coils, each breaker is also equipped with a shunt trip device that is energized to trip the breaker open upon receipt of a reactor trip signal from the SSPS. Either the undervoltage coil or the shunt

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-8 REVISION 20 BASES BACKGROUND Reactor Trip Switchgear (continued)

trip mechanism is sufficient by itself, thus providing a diverse trip mechanism.

The decision logic matrix Functions are described in the functional diagrams included in Reference 1. In addition to the reactor trip or ESF, these diagrams also describe the various "permissive interlocks" that are associated with unit conditions. Each train has a built in testing device that can automatically test the decision logic matrix Functions and the actuation channels while the unit is at power. When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.

APPLICABLE The RTS functions to preserve the SLs during all AOOs and SAFETY ANALYSES, mitigates the consequences of DBAs in all MODES in LCO, and LCO, and which the RTBs are closed.

APPLICABILITY Each of the analyzed accidents and transients can be detected by one or more RTS Functions. The accident analysis described in Reference 3 takes credit for most RTS trip Functions. RTS trip Functions that are retained yet not specifically credited in the accident analysis are implicitly credited in the safety analysis and the NRC staff approved licensing basis for the unit. These RTS trip Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. They may also serve as backups to RTS trip Functions that were credited in the accident analysis.

Permissive and interlock setpoints allow the blocking of trips during plant startups and restoration of trips when the permissive conditions are not satisfied, but they are not explicitly modeled in the Safety Analyses. These permissives and interlocks ensure that the starting conditions are consistent with the safety analysis before preventative or mitigating actions occur. Because these permissives or interlocks are only one of multiple conservative starting assumptions for the accident analysis, they are generally considered as nominal values without regard to measurement accuracy.

The LCO requires all instrumentation performing an RTS Function, listed in Table 3.3.1-1 to be OPERABLE. The Allowable Value specified in Table 3.3.1-1 is the least conservative value of the as-found setpoint that the channel can have when tested, such that a

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-9 REVISION 20 BASES APPLICABLE channel is OPERABLE if the as-found setpoint is within the as- SAFETY ANALYSES, found tolerance and is conservative with respect to the Allowable LCO, and Value during a CHANNEL CALIBRATION or CHANNEL APPLICABILITY OPERATIONAL TEST (COT). As such, the Allowable Value (continued) differs from the NTSP by an amount greater than or equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the channel (NTSP) will ensure that a SL is not exceeded at any given point of time as long as the channel has not drifted beyond expected tolerances during the surveillance interval. Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria).

If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE but degraded. The degraded condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTSP (within the allowed tolerance), and evaluating the channel response. If the channel is functioning as required and is expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance. After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

A trip setpoint may be set more conservative than the NTSP as necessary in response to plant conditions. However, in this case, the operability of this instrument must be verified based on the field setting and not the NTSP. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.

The conservative direction is established by the direction of the inequality applied to the Allowable Value. It is consistent with the setpoint methodology for the as-left trip setpoint to be outside the calibration tolerance but in the conservative direction with respect to the Nominal Trip Setpoint. For example, the Power Range Neutron Flux High trip setpoint may be set to a value less than 109% during initial startup following a refueling outage until a

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-10 REVISION 20 BASES APPLICABLE sufficiently high reactor power is achieved so that the power SAFETY ANALYSES, range channels may be calibrated. In addition, certain Required LCO, and Actions may require that the Power Range Neutron Flux High trip APPLICABILITY setpoints and/or the Overpower Delta-T setpoints be reduced (continued) based on plant conditions.

The LCO generally requires OPERABILITY of four or three channels in each instrumentation Function, two channels of Manual Reactor Trip in each logic Function, and two trains in each Automatic Trip Logic Function. Four OPERABLE instrumentation channels in a two-out-of-four configuration are required when one RTS channel is also used as a control system input. This configuration accounts for the possib ility of the shared channel failing in such a manner that it creates a transient that requires RTS action. In this case, the RTS will still provide protection, even with random failure of one of the other three protection channels. Three operable instrumentation channels in a two-out-of-three configuration are generally required when there is no potential for control system and protection system interaction that could simultaneously create a need for RTS trip and disable one RTS channel. The two-out-of-three and two-out-of-four configurations allow one channel to be tripped during maintenance or testing without causing a reactor trip. If an instrument channel is equipped with installed bypass capability, such that no jumpers or lifted leads are required to place the channel in bypass and annunciation of the bypass condition is available in the control room, corrective maintenance and testing of that channel may be performed in the bypass condition.

Bypassing a channel renders that channel inoperable and the associated Required Actions for that channel are applicable.

Specific exceptions to the above general philosophy exist and are discussed below.

Reactor Trip System Functions

The safety analyses and OPERABILITY requirements applicable to each RTS Function are discussed below:

1. Manual Reactor Trip

The Manual Reactor Trip ensures that the control room operator can initiate a reactor trip at any time by using either of two reactor trip switches in the control room. A Manual Reactor Trip accomplishes the same results as any one of the automatic trip Functions. It is used by the reactor operator to shut down the reactor whenever any parameter is rapidly trending toward its Trip Setpoint.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-11 REVISION 20 BASES APPLICABLE 1. Manual Reactor Trip (continued) SAFETY ANALYSES, LCO, and The LCO requires two Manual Reactor Trip channels to be APPLICABILITY OPERABLE. Each channel is controlled by a manual reactor trip switch. Each channel actuates the reactor trip breakers in both trains. Two independent channels are required to be OPERABLE so that no single random failure will disable the Manual Reactor Trip Function.

In MODE 1 or 2, manual initiation of a reactor trip must be OPERABLE. These are the MODES in which the shutdown rods and/or control rods are partially or fully withdrawn from the core. In MODE 3, 4, or 5, the manual initiation Function must also be OPERABLE if the shutdown rods or control rods are

withdrawn or the Rod Control System is capable of withdrawing the shutdown rods or the control rods. In this condition, inadvertent control rod withdrawal is possible. In MODE 3, 4, or 5, manual initiation of a reactor trip does not have to be OPERABLE if the Rod Control System is not capable of withdrawing the shutdown rods or control rods. If the rods cannot be withdrawn from the core, there is no need to be able to trip the reactor because all of the rods are inserted. In MODE 6, neither the shutdown rods nor the control rods are permitted to be withdrawn and the CRDMs are disconnected from the control rods and shutdown rods. Therefore, the manual initiation Function is not required.

2. Power Range Neutron Flux

The NIS power range detectors (NI-0041B & C, NI-0042B & C, NI-0043B & C, NI-0044B & C) are located external to the reactor vessel and measure neutrons leaking from the core. The NIS power range detectors provide input to the Rod Control System. Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Note that this Function also provides a signal to prevent automatic and manual rod withdrawal prior to initiating a reactor trip. Limiting further rod withdrawal may terminate the transient and eliminate the need to trip the reactor.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-12 Revision No. 0 BASES APPLICABLE a. Power Range Neutron Flux - High SAFETY ANALYSES, LCO, and The Power Range Neutron Flux-High trip Function APPLICABILITY ensures that protection is provided, from all power levels, (continued) against a positive reactivity excursion leading to DNB during power operations. These can be caused by rod withdrawal or reductions in RCS temperature.

The LCO requires all four of the Power Range Neutron Flux - High channels to be OPERABLE.

In MODE 1 or 2, when a positive reactivity excursion could occur, the Power Range Neutron Flux-High trip must be OPERABLE. This Function will terminate the reactivity excursion and shut down the reactor prior to reaching a power level that could damage the fuel. In MODE 3, 4, 5, or 6, the NIS power range detectors cannot detect neutron levels in this range. In these MODES, the Power Range Neutron Flux-High does not have to be OPERABLE because the reactor is shut down and reactivity excursions into the power range are extremely unlikely. Other RTS Functions and administrative controls provide protection against reactivity additions when in MODE 3, 4, 5, or 6.

b. Power Range Neutron Flux - Low

The LCO requirement for the Power Range Neutron Flux - Low trip Function ensures that protection is provided against a positive reactivity excursion from low power or subcritical conditions.

The LCO requires all four of the Power Range Neutron Flux - Low channels to be OPERABLE.

In MODE 1, below the Power Range Neutron Flux (P-10 setpoint), and in MODE 2, the Power Range Neutron Flux -

Low trip must be OPERABLE. This Function may be manually blocked by the operator when two out of four power range channels are greater than approximately 10% RTP (P-10

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-13 REVISION 13 BASES APPLICABLE b. Power Range Neutron Flux - Low (continued) SAFETY ANALYSES, LCO, and setpoint). This Function is automatically unblocked when APPLICABILITY three out of four power range channels are below the P-10 setpoint. Above the P-10 setpoint, positive reactivity additions are mitigated by the Power Range Neutron Flux - High trip Function.

In MODE 3, 4, 5, or 6, the Power Range Neutron Flux - Low trip Function does not have to be OPERABLE because the reactor is shut down and the NIS power range detectors cannot detect neutron levels in this range. Other RTS trip Functions and administrative controls provide protection against positive reactivity additions or power excursions in MODE 3, 4, 5, or 6.

3. Power Range Neutron Flux - High Positive Rate

The Power Range Neutron Flux - High Positive Rate trip uses the same channels as discussed for Function 2 above.

The Power Range Neutron Flux - High Positive Rate trip Function ensures that protection is provided against rapid increases in neutron flux that are characteristic of an RCCA drive rod housing rupture and the accompanying ejection of the RCCA. This Function compliments the Power Range Neutron Flux - High and Low Setpoint trip Functions to ensure that the criteria are met for reactivity excursions such as an inadvertent control rod withdrawal or a rod ejection from the power range.

The LCO requires all four of the Power Range Neutron Flux - High Positive Rate channels to be OPERABLE.

In MODE 1 or 2, when there is a potential to add a large amount of positive reactivity from a rod ejection accident (REA), the Power Range Neutron Flux - High Positive Rate trip must be OPERABLE. In MODE 3, 4, 5, or 6, the Power Range Neutron Flux - High Positive Rate trip Function does not have to be

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-14 Revision No. 0 BASES APPLICABLE 3. Power Range Neutron Flux - High Positive Rate (continued) SAFETY ANALYSES, LCO, and OPERABLE because other RTS trip Functions and APPLICABILITY administrative controls will provide protection against positive reactivity additions. In MODE 6, no rods are withdrawn and the SDM is increased during refueling operations. The reactor vessel head is also removed or the closure bolts are detensioned preventing any pressure buildup. In addition, the NIS power range detectors cannot detect neutron levels present in this mode.

4. Intermediate Range Neutron Flux

The Intermediate Range Neutron Flux (NI-035B, D, & E, NI-036B, D, & G) trip Function ensures that protection is provided against an uncontrolled RCCA bank rod withdrawal accident from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux-Low Setpoint trip Function. The NIS intermediate range detectors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS intermediate range detectors do not provide any input to control systems. Note that this Function also provides a signal to prevent automatic and manual rod withdrawal prior to initiating a reactor trip.

The LCO requires two channels of Intermediate Range Neutron Flux to be OPERABLE. Two OPERABLE channels are sufficient to ensure no single random failure will disable this trip

Function.

Because this trip Function is important only during startup, there is generally no need to disable channels for testing while the Function is required to be OPERABLE. Therefore, a third channel is unnecessary.

In MODE 1 below the P-10 setpoint, and in MODE 2, when there is a potential for an uncontrolled RCCA bank rod withdrawal accident during reactor startup, the Intermediate Range Neutron Flux trip must be OPERABLE.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-15 Rev. 1-3/99

BASES APPLICABLE 4. Intermediate Range Neutron Flux (continued) SAFETY ANALYSES, LCO, and Above the P-10 setpoint, the Power Range Neutron APPLICABILITY Flux-High Setpoint trip and the Power Range Neutron Flux-High Positive Rate trip provide core protection for a rod withdrawal accident. In MODE 3, 4, or 5, the Intermediate Range Neutron Flux trip does not have to be OPERABLE because the reactor cannot be started up in this condition. The core also has the required SDM to mitigate the consequences of a positive reactivity addition accident. In MODE 6, all rods are fully inserted and the core has a required increased SDM. Also, the NIS intermediate range indication is typically low off-scale in this MODE.

5. Source Range Neutron Flux

The LCO requirement for the Source Range Neutron Flux trip (NI-0031B, D, & E, NI-0032B, D, & G) Function ensures that protection is provided against an uncontrolled RCCA bank rod withdrawal accident from a subcritical condition during startup. This trip Function provides redundant protection to the Power Range Neutron Flux - Low Setpoint and Intermediate Range Neutron Flux trip Functions. In MODES 3, 4, and 5, administrative controls also prevent the uncontrolled withdrawal of rods. The NIS source range detectors are located external to the reactor vessel and measure neutrons leaking from the core. The NIS source range detectors do not provide any inputs to control systems. The source range trip is the only RTS automatic protection function required in MODES 3, 4, and 5. Therefore, the functional capability at the specified Trip Setpoint is assumed to be available.

The LCO requires two channels of Source Range Neutron Flux to be OPERABLE. Two OPERABLE channels are sufficient to ensure no single random failure will disable this trip Function. The LCO also requires two channels of the Source Range Neutron Flux to be OPERABLE in MODE 3, 4, or 5 with RTBs closed.

The Source Range Neutron Flux Function provides protection for control rod withdrawal from

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-16 Rev. 1-3/99 BASES APPLICABLE 5. Source Range Neutron Flux (continued) SAFETY ANALYSES, LCO, and subcritical, boron dilution (see LCO 3.3.8) and control APPLICABILITY rod ejection events. The Function also provides visual neutron flux indication in the control room.

In MODE 2 when below the P-6 setpoint during a reactor startup, the Source Range Neutron Flux trip must be OPERABLE. Above the P-6 setpoint, the Intermediate Range Neutron Flux trip and the Power Range Neutron Flux - Low Setpoint trip will provide core protection for reactivity accidents. Above the P-6 setpoint, the Source Range Neutron Flux trip is blocked. In MODE 3, 4, or 5 with the reactor shut down, the Source Range Neutron Flux trip Function must also be OPERABLE. If the Rod Control System is capable of rod withdrawal, the Source Range Neutron Flux trip must be OPERABLE to provide core protection against a rod withdrawal accident. If the Rod Control System is not capable of rod withdrawal, the source range detectors are not required to trip the reactor. Source range detectors also function to monitor for high flux at shutdown. This function is addressed in Specification 3.3.8. Requirements for the source range detectors in MODE 6 are addressed in LCO 3.9.3.

6. Overtemperature T The Overtemperature T trip Function (TDI-0411C, TDI-0421C, TDI-0431C, TDI-0441C, TDI-0411A, TDI-0421A, TDI-0431A, TDI-0441A) is provided to ensure that the design limit DNBR is met. This trip Function also limits the range over which the Overpower T trip Function must provide protection. The inputs to the Overtemperature T trip include pressure, coolant temperature, axial power distribution, and reactor power as indicated by loop T assuming full reactor coolant flow. Protection from violating the DNBR limit is assured for those transients that are slow with respect to delays from the core to the measurement system. The Function monitors both variation in power and flow since a decrease in flow

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-17 Rev. 1-8/02 BASES APPLICABLE 6. Overtemperature T (continued) SAFETY ANALYSES, LCO, and has the same effect on T as a power increase. The APPLICABILITY Overtemperature T trip Function uses each loop's T as a measure of reactor power and is compared with a setpoint that is automatically varied with the following parameters:

reactor coolant average temperature - the Trip Setpoint is varied to correct for changes in coolant density and specific heat capacity with changes in coolant temperature; pressurizer pressure - the Trip Setpoint is varied to correct for changes in system pressure; and axial power distribution - f(AFD)x, the f(AFD) Function is used in the calculation of the Overtemperature T trip. It is a function of the indicated difference between the upper and lower NIS power range detectors. This Function measures the axial power distribution. The Overtemperature T Trip Setpoint is varied to account for imbalances in the axial power distribution as detected by the NIS upper and lower power range detectors. If axial peaks are greater than the design limit, as indicated by the difference between the upper and lower NIS power range detectors, the Trip Setpoint is reduced in accordance with Note 1 of Table 3.3.1-1.

Dynamic compensation is included for RTD response time delays. The Overtemperature T trip Function is calculated for each loop as described in Note 1 of Table 3.3.1-1. A trip occurs if Overtemperature T is indicated in two loops. Since the pressure and temperature signals are used for other control functions, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-18 Rev. 1-6/98 BASES APPLICABLE 6. Overtemperature T (continued) SAFETY ANALYSES, LCO, and This results in a two-out-of-four trip logic. Section 7.2.2.3 of APPLICABILITY Reference 1 discusses control and protection system interactions for this function. Note that this Function also provides a signal to generate a turbine runback prior to reaching the Trip Setpoint. A turbine runback will reduce turbine power and reactor power. A reduction in power will normally alleviate the Overtemperature T condition and may prevent a reactor trip.

Delta-T 0, as used in the overtemperature and overpower T trips, represents the 100% RTP value as measured for each loop. This normalizes each loop's T trips to the actual operating conditions existing at the time of measurement, thus forcing the trip to reflect the equivalent full power conditions as assumed in the accident analyses. These differences in RCS loop T can be due to several factors, e.g., differences in RCS loop flows and slightly asymmetric power distributions between quadrants. While RCS loop flows are not expected to change with cycle life, radial power redistribution between quadrants may occur, resulting in small changes in loop specific T values. Therefore, loop specific T 0 values are measured as needed to ensure they represent actual core conditions.

The parameter K 1 is the principal setpoint gain, since it defines the function offset. The parameters K 2 and K 3 define the temperature gain and pressure gain, respectively. The values for T' and P' are key reference parameters corresponding directly to plant safety analyses initial conditions assumptions for the Overtemperature T function. For the purposes of performing a CHANNEL CALIBRATION, the values for K 1 , K 2 , K 3, T', and P' are utilized in the safety analyses without explicit tolerances, but should be considered as nominal values for instrument settings. That is, while an exact setting is not expected, a setting as close as reasonably possible is desired.

Note that for T', the value for the hottest RCS loop will be set

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-19 Rev. 4-9/06 BASES APPLICABLE 6. Overtemperature T (continued) SAFETY ANALYSES, LCO, and as close as possible to 588.4

º F. The instrument uncertainty APPLICABLITY calculations and safety analyses, in combination, have accounted for loop variation in loop specific, full power, indicated T and T avg. With respect to T avg, a value for T' common to all four loops is permissible within the limits identified in the uncertainty calculations. Outside of those limits, the value of T' will be set appropriately to reflect indicated, loop specific, full power values. In the case of decreasing temperature, the compensated temperature difference shall be no more negative than 3

ºF to limit the increase in the setpoint during cooldown transients. The engineering scaling calculations use each of the referenced parameters as an exact gain or reference value. Tolerances are not applied to the individual gain or reference parameters.

Tolerances are applied to each calibration module and the overall string calibration. In order to ensure that the Overtemperature T instrument channel is performing in a manner consistent with the assumptions of the safety analyses, it is necessary to verify during the CHANNEL OPERATIONAL TEST that the magnitude of instrument drift from the as-left condition is within limits, and that the input parameters to the trip function are within the appropriate calibration tolerances for the defined calibration conditions (Ref. 7).

The LCO requires all four channels of the Overtemperature T trip Function to be OPERABLE. Note that the Overtemperature T Function receives input from channels shared with other RTS Functions. Failures that affect multiple Functions require entry into the Conditions applicable to all affected Functions.

In MODE 1 or 2, the Overtemperature T trip must be OPERABLE to prevent DNB. In MODE 3, 4, 5, or 6, this trip Function does not have to be OPERABLE because the reactor is not operating and there is insufficient heat production to be concerned about DNB.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-20 Revision No. 0 BASES APPLICABLE 7. Overpower T SAFETY ANALYSES, LCO, and The Overpower T trip Function (TDI-0411B, TDI-0421B, APPLICABILITY TDI-0431B, TDI-0441B, TDI-0411A, TDI-0421A, TDI-0431A, (continued) TDI-0441A) ensures that protection is provided to ensure the integrity of the fuel (i.e., no fuel pellet melting and less than 1% cladding strain) under all possible overpower conditions. This trip Function also limits the required range of the Overtemperature T trip Function and provides a backup to the Power Range Neutron Flux - High Setpoint trip. The Overpower T trip Function ensures that the allowable heat generation rate (kW/ft) of the fuel is not exceeded. It uses the T of each loop as a measure of reactor power with a setpoint that is automatically varied with the following parameters:

reactor coolant average temperature - the Trip Setpoint is varied to correct for changes in coolant density and specific heat capacity with changes in coolant temperature; and rate of change of reactor coolant average temperature - including dynamic compensation for RTD response time delays. The Overpower T trip Function is calculated for each loop as per Note 2 of Table 3.3.1-1. Trip occurs if Overpower T is indicated in two loops. Since the temperature signals are used for other control functions, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation and a single failure in the remaining channels providing the protection function actuation. This results in a two-out-of-four trip logic. Section 7.2.2.3 of Reference 1 discusses control and protection system interactions for this function. Note that this Function also provides a signal to generate a turbine runback prior to reaching the Allowable Value. A turbine runback will reduce turbine power and reactor power. A reduction in power will normally alleviate the Overpower T condition and may prevent a reactor trip.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-21 Rev. 3-9/06 BASES APPLICABLE 7. Overpower T (continued) SAFETY ANALYSES, LCO, and Delta-T 0, as used in the overtemperature and overpower APPLICABILITY T trips, represents the 100% RTP value as measured for each loop. This normalizes each loop's T trips to the actual operating conditions existing at the time of measurement, thus forcing the trip to reflect the equivalent full power conditions as assumed in the accident analyses. These differences in RCS loop T can be due to several factors, e.g., difference in RCS loop flows and slightly asymmetric power distributions between quadrants. While RCS loop flows are not expected to change with cycle life, radial power redistribution between quadrants may occur, resulting in small changes in loop specific T values. Therefore, loop specific T 0 values are measured as needed to ensure they represent actual core conditions.

The value for T" is a key reference parameter corresponding directly to plant safety analyses initial conditions assumptions for the Overpower T function. For the purposes of performing a CHANNEL CALIBRATION, the values for K 4 , K 5 , K 6, and T" are utilized in the safety analyses without explicit tolerances, but should be considered as nominal values for instrument settings. That is, while an exact setting is not expected, a setting as close as reasonably possible is desired. Note that for T", the value for the hottest RCS loop will be set as close as possible to 588.4º F. The instrument uncertainty calculations and safety analyses, in combination, have accounted for loop variation in loop specific, full power, indicated T and T avg. With respect to Tavg, a value for T" common to all four loops is permissible within the limits identified in the uncertainty calculations. Outside of those limits, the value of T" will be set appropriately to reflect indicated, loop specific, full power values. The engineering scaling calculations use each of the referenced parameters as an exact gain or reference value. Tolerances are not applied to the individual gain or reference parameters. Tolerances are applied to each calibration module and the overall string calibration. In order to ensure that the Overpower T instrument channel is performing in a manner consistent with the assumptions of the safety analyses, it is necessary to verify during the CHANNEL OPERATIONAL TEST that the magnitude of instrument drift from the as-left condition is within limits, and that the input parameters to the trip function are within the appropriate calibration tolerances for defined calibration conditions (Ref. 7). Note that for the parameter K 5, in the case of RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-22 Rev. 2-6/03 BASES APPLICABLE 7. Overpower T (continued) SAFETY ANALYSES, LCO, and decreasing temperature, the gain setting must be 0 to APPLICABILITY prevent generating setpoint margin on decreasing temperature rates. Similarly, the setting for K 6 is required to be equal to 0 for conditions where T T". The LCO requires four channels of the Overpower T trip Function to be OPERABLE. Note that the Overpower T trip Function receives input from channels shared with other RTS Functions. Failures that affect multiple Functions require entry into the Conditions applicable to all affected Functions.

In MODE 1 or 2, the Overpower T trip Function must be OPERABLE. These are the only times that enough heat is generated in the fuel to be concerned about the heat generation rates and overheating of the fuel. In MODE 3, 4, 5, or 6, this trip Function does not have to be OPERABLE because the reactor is not operating and there is insufficient heat production to be concerned about fuel overheating and fuel damage.

8. Pressurizer Pressure

The same sensors (PI-0455A, B, & C, PI-0456, PI-0456A, PI-0457, PI-0457A, PI-0458, PI-0458A) provide input to the Pressurizer Pressure - High and -Low trips and the Overtemperature T trip. Since the Pressurizer Pressure channels are also used to provide input to the Pressurizer Pressure Control System, the actuation logic must be able to withstand an input failure to

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-23 Revision No. 0 BASES APPLICABLE 8. Pressurizer Pressure (continued) SAFETY ANALYSES, LCO, and the control system, which may then require the protection APPLICABILITY function actuation, and a single failure in the other channels providing the protection function actuation. Section 7.2.2.3 of Reference 1 discusses control and protection system interactions for this function.

a. Pressurizer Pressure Low The Pressurizer Pressure-Low trip Function ensures that protection is provided against violating the DNBR limit due to low pressure.

The LCO requires four channels of Pressurizer Pressure - Low to be OPERABLE.

In MODE 1, when DNB is a major concern, the Pressurizer Pressure - Low trip must be OPERABLE. This trip Function is automatically enabled on increasing power by the P-7 interlock (NIS power range P-10 or turbine impulse pressure greater than approximately 10% of full power equivalent (P-13)). On decreasing power, this trip Function is automatically blocked below P-7. Below the P-7 setpoint, no conceivable power distributions can occur that would cause DNB concerns.

b. Pressurizer Pressure High The Pressurizer Pressure - High trip Function ensures that protection is provided against overpressurizing the RCS. This trip Function operates in conjunction with the pressurizer relief and safety valves to prevent RCS overpressure conditions.

The LCO requires four channels of the Pressurizer Pressure -High to be OPERABLE.

The Pressurizer Pressure - High LSSS is selected to be below the pressurizer safety valve actuation pressure and above the power operated relief valve (PORV) setting. This setting

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-24 Revision No. 0 BASES APPLICABLE b. Pressurizer Pressure - High (continued) SAFETY ANALYSES, LCO, and minimizes challenges to safety valves while APPLICABILITY avoiding unnecessary reactor trip for those pressure increases that can be controlled by the PORVs.

In MODE 1 or 2, the Pressurizer Pressure - High trip must be OPERABLE to help prevent RCS overpressurization and minimize challenges to the relief and safety valves. In MODE 3, 4, 5, or 6, the Pressurizer Pressure - High trip Function does not have to be OPERABLE because transients that could cause an overpressure condition will be slow to occur. Therefore, the operator will have sufficient time to evaluate unit conditions and take corrective actions.

Additionally, low temperature overpressure protection systems provide overpressure protection when below MODE 4.

9. Pressurizer Water Level - High

(LI-0459A, LI-460A, LI-0461A)

NOTE: Pressurizer Water Level channels are also required OPERABLE by the Post Accident Monitoring Technical Specification. Setpoints are given in percent of instrument span.

The Pressurizer Water Level - High trip Function provides a backup signal for the Pressurizer Pressure - High trip and also provides protection against water relief through the pressurizer safety valves. These valves are designed to pass steam in order to achieve their design energy removal rate. A reactor trip is actuated prior to the pressurizer becoming water solid. The LCO requires three channels of Pressurizer Water Level - High to be OPERABLE. The pressurizer level channels are used as input to the Pressurizer Level Control System. A fourth channel is not required to address control/protection interaction concerns. The level channels do not actuate the safety valves, and the high pressure reactor trip is

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-25 Rev. 1-02/02 BASES APPLICABLE 9. Pressurizer Water Level High (continued) SAFETY ANALYSES, LCO, and set below the safety valve setting. Therefore, with APPLICABILITY the slow rate of charging available, pressure overshoot due to level channel failure cannot cause the safety valve to lift before reactor high pressure trip.

In MODE 1, when there is a potential for over filling the pressurizer, the Pressurizer Water Level - High trip must be OPERABLE. This trip Function is automatically enabled on increasing power by the P-7 interlock. On decreasing power, this trip Function is automatically blocked below P-7. Below the P-7 setpoint, transients that could raise the pressurizer water level will be slow and the operator will have sufficient time to evaluate unit conditions and take corrective actions.

10. Reactor Coolant Flow - Low

(LOOP 1 LOOP 2 LOOP 3 LOOP 4 FI-0414 FI-0424 FI-0434 FI-0444 FI-0415 FI-0425 FI-0435 FI-0445 FI-0416 FI-0426 FI-0436 FI-0446)

NOTE: The setpoints are given in percent of Loop flow.

a. Reactor Coolant Flow - Low (Single Loop)

The Reactor Coolant Flow - Low (Single Loop) trip Function ensures that protection is provided against violating the DNBR limit due to low flow in one or more RCS loops, while avoiding reactor trips due to normal variations in loop flow. Above the P-8 setpoint, which is approximately 48% RTP, a loss of flow in any RCS loop will actuate a reactor trip. Each RCS loop has three flow detectors to monitor flow. The flow signals are not used for any control system input.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-26 Revision No. 0 BASES APPLICABLE a. Reactor Coolant Flow - Low (Single Loop)

SAFETY ANALYSES, (continued) LCO, and APPLICABILITY The LCO requires three Reactor Coolant Flow - Low channels per loop to be OPERABLE in MODE 1 above P-8. In MODE 1 above the P-8 setpoint, a loss of flow in one RCS loop could result in DNB conditions in the core. In MODE 1 below the P-8 setpoint, a loss of flow in two or more loops is required to actuate a reactor trip (Function 10.b) because of the lower power level and the greater margin to the design limit DNBR.

b. Reactor Coolant Flow - Low (Two Loops)

The Reactor Coolant Flow - Low (Two Loops) trip Function ensures that protection is provided against violating the DNBR limit due to low flow in two or more RCS loops while avoiding reactor trips due to normal variations in loop flow.

Above the P-7 setpoint and below the P-8 setpoint, a loss of flow in two or more loops will initiate a reactor trip. Each loop has three flow detectors to monitor flow. The flow signals are not used for any control system input.

The LCO requires three Reactor Coolant Flow - Low channels per loop to be OPERABLE.

In MODE 1 above the P-7 setpoint and below the P-8 setpoint, the Reactor Coolant Flow - Low (Two Loops) trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on low flow are automatically blocked since no conceivable power distributions could occur that would cause a DNB concern at this low power level. Above the P-7 setpoint, the reactor trip on low flow in two or more RCS loops is automatically enabled. Above the P-8 setpoint, a loss of flow in any one loop will actuate a reactor trip because of the higher

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-27 Revision No. 0 BASES APPLICABLE b. Reactor Coolant Flow - Low (Two Loops)

SAFETY ANALYSES, (continued) LCO, and APPLICABILITY power level and the reduced margin to the design limit DNBR.

11. Undervoltage Reactor Coolant Pumps

The Undervoltage RCPs reactor trip Function ensures that protection is provided against violating the DNBR limit due to a loss of flow in two or more RCS loops. The voltage to each RCP is monitored. Above the P-7 setpoint, a loss of voltage detected on two RCP buses will initiate a reactor trip. This trip Function will generate a reactor trip before the Reactor Coolant Flow - Low (Two Loops) Trip Setpoint is reached. Time delays are incorporated into the Undervoltage RCPs channels to prevent reactor trips due to momentary electrical power transients.

Two undervoltage relays (train A and B) sense the voltage on the motorside of each RCP breaker. Actuation of either relay provides a single channel input for that pump (bus) to the 2/4 reactor trip logic consisting of a combination of RCP No. 1 or RCP No. 2 and RCP No. 3 or RCP No. 4.

The Trip Setpoint is equal to 70% of bus voltage and the Allowable Value is equal to 69% of bus voltage.

The LCO requires two Undervoltage RCPs channels per bus to be OPERABLE (one per RCP).

In MODE 1 above the P-7 setpoint, the Undervoltage RCP trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since no conceivable power distributions could occur that would cause a DNB concern at this low power level. Above the P-7 setpoint, the reactor trip on low voltage in two or more RCS loops is automatically enabled.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-28 Revision No. 0 BASES APPLICABLE 12. Underfrequency Reactor Coolant Pumps SAFETY ANALYSES, LCO, and The Underfrequency RCPs reactor trip Function ensures APPLICABILITY that protection is provided against violating the DNBR (continued) limit due to a loss of flow in two or more RCS loops from a major network frequency disturbance. An underfrequency condition will slow down the pumps, thereby reducing their coastdown time following a pump trip. The proper coastdown time is required so that reactor heat can be removed immediately after reactor trip. The frequency of each RCP bus is monitored. Above the P-7 setpoint, a loss of frequency detected on two RCP buses will initiate a reactor trip and open the reactor coolant pump breakers. This trip Function will generate a reactor trip before the Reactor Coolant Flow-Low (Two Loops)

Trip Setpoint is reached. Time delays are incorporated into the Underfrequency RCPs channels to prevent reactor trips due to momentary electrical power transients.

Two underfrequency relays (train A and B) sense the frequency on the motorside of each RCP breaker. Actuation of either relay provides a single channel input for that pump (bus) to the 2/4 reactor trip logic consisting of a combination of RCP No. 1 or RCP No. 2 and RCP No. 3 or RCP No. 4.

The LCO requires two Underfrequency RCPs channels per bus to be OPERABLE (one per RCP).

In MODE 1 above the P-7 setpoint, the Underfrequency RCPs trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since no conceivable power distributions could occur that would cause a DNB concern at this low power level. Above the P-7 setpoint, the reactor trip on underfrequency in two or more RCS loops is automatically enabled.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-29 Revision No. 0 BASES APPLICABLE 13. Steam Generator Water Level - Low Low SAFETY ANALYSES, LCO, and (LOOP1 LOOP2 LOOP3 LOOP4 APPLICABILITY LI-0517 LI-0527 LI-0537 LI-0547 (continued) LI-0518 LI-0528 LI-0538 LI-0548 LI-0519 LI-0529 LI-0539 LI-0549 LI-0551 LI-0552 LI-0553 LI-0554)

NOTE: SG Water Level channels are also required OPERABLE by the Post Accident Monitoring Technical Specification. The setpoints are given in percent of narrow range instrument span.

The SG Water Level - Low Low trip Function ensures that protection is provided against a loss of heat sink and actuates the AFW System prior to uncovering the SG tubes. The SGs are the heat sink for the reactor. In order to act as a heat sink, the SGs must contain a minimum amount of water. A narrow range low low level in any SG is indicative of a loss of heat sink for the reactor. The level transmitters provide input to the SG Level Control System. Therefore, the actuation logic must be able to withstand an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. This Function also performs the ESFAS function of starting the AFW pumps on low low SG level.

The LCO requires four channels of SG Water Level - Low Low per SG to be OPERABLE for four loop units in which these channels are shared between protection and control.

In MODE 1 or 2, when the reactor requires a heat sink, the SG Water Level - Low Low trip must be OPERABLE. The normal source of water for the SGs is the Main Feedwater (MFW) System (not safety related). The MFW System is only in operation in MODE 1 or 2. The AFW System is the safety related backup source of water to ensure that the SGs remain the heat sink for the reactor. During normal startups and shutdowns, the AFW System provides feedwater to maintain SG level. In MODE 3, 4, 5, or 6, the SG Water Level - Low Low

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-30 REVISION 30 BASES APPLICABLE 13. Steam Generator Water Level - Low Low (continued) SAFETY ANALYSES, LCO, and Function does not have to be OPERABLE because the MFW APPLICABILITY System is not in operation and the reactor is not operating or even critical. Decay heat removal is accomplished by the AFW System in MODE 3 and by the Residual Heat Removal (RHR)

System in MODE 4, 5, or 6.

14. Turbine Trip

(PT-6161, PT-6162, PT-6163)

a. Turbine Trip - Low Fluid Oil Pressure The Turbine Trip - Low Fluid Oil Pressure trip Function anticipates the loss of heat removal capabilities of the secondary system following a turbine trip. This trip Function acts to minimize the pressure/temperature transient on the reactor. Any turbine trip from a power level below the P-9 setpoint, approximately 40% power, will not actuate a reactor trip. Three pressure switches monitor the control oil pressure in the Turbine Electrohydraulic Control System. A low pressure condition sensed by two-out-of-three pressure switches will actuate a reactor trip. These pressure switches do not provide any input to the control system. The unit is designed to withstand a complete loss of load and not sustain core damage or challenge the RCS pressure limitations. Core protection is provided by the Pressurizer Pressure - High trip Function and RCS integrity is ensured by the pressurizer safety valves.

The LCO requires three channels of Turbine Trip - Low Fluid Oil Pressure to be OPERABLE in MODE 1 above

P-9.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-31 REVISION 30 BASES APPLICABLE a. Turbine Trip Low Fluid Oil Pressure (continued) SAFETY ANALYSES, LCO, and Below the P-9 setpoint, a turbine trip does not actuate a APPLICABILITY reactor trip. In MODE 2, 3, 4, 5, or 6, there is no potential for a turbine trip, and the Turbine Trip-Low Fluid Oil Pressure trip Function does not need to be OPERABLE.

b. Turbine Trip - Turbine Stop Valve Closure

The Turbine Trip - Turbine Stop Valve Closure trip Function anticipates the loss of heat removal capabilities of the secondary system following a turbine trip from a power level above the P-9 setpoint, approximately 40% power. Below the P-9 setpoint this action will not actuate a reactor trip. The trip Function anticipates the loss of secondary heat removal capability that occurs when the stop valves close. Tripping the reactor in anticipation of loss of secondary heat removal acts to minimize the pressure and temperature transient on the reactor. This trip Function will not and is not required to operate in the presence of a single channel failure. The unit is designed to withstand a complete loss of load and not sustain core damage or challenge the RCS pressure limitations. Core protection is provided by the Pressurizer Pressure - High Trip Function, and RCS integrity is ensured by the pressurizer safety valves. This trip Function is diverse to the Turbine Trip - Low Fluid Oil Pressure trip Function. Each turbine stop valve is equipped with one limit switch that inputs to the RTS. If all four limit switches indicate that the stop valves are all closed, a reactor trip is initiated.

The Nominal Trip Setpoint for this Function is set to assure channel trip occurs when the associated stop valve is not fully open (approximately 3.3% closed).

Since the stop valves are designed to fully close once tripped, any indication that the valve is no longer fully open is sufficient to determine the trip status. Because the stop valves close so quickly, any indication near the fully open position (such as 90% open) provides sufficient assurance that the stop valve is going closed. Therefore, for this function, the allowable value was established as an operability limit for the channel operational test.

The LCO requires four Turbine Trip - Turbine Stop Valve Closure channels, one per valve, to be

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-32 Revision No. 0 BASES APPLICABLE b. Turbine Trip - Turbine Stop Valve Closure (continued) SAFETY ANALYSES, LCO, and OPERABLE in MODE 1 above P-9. All four channels must APPLICABILITY trip to cause reactor trip.

Below the P-9 setpoint, a load rejection can be accommodated by the Steam Dump System. In MODE 2, 3, 4, 5, or 6, there is no potential for a load rejection, and the Turbine Trip - Stop Valve Closure trip Function does not need to be OPERABLE.

15. Safety Injection Input from Engineered Safety Feature Actuation System The SI Input from ESFAS ensures that if a reactor trip has not already been generated by the RTS, the ESFAS automatic actuation logic will initiate a reactor trip upon any signal that initiates SI. Reactor trip is not credited in the large break LOCA analysis. However, other transients and accidents take credit for varying levels of ESF performance and rely upon rod insertion, except for the most reactive rod that is assumed to be fully withdrawn, to ensure reactor shutdown. Therefore, a reactor trip is initiated every time an SI signal is present.

Trip Setpoint and Allowable Values are not applicable to this Function. The SI Input is provided by relay in the ESFAS.

Therefore, there is no measurement signal with which to associate an LSSS.

The LCO requires two channels of SI Input from ESFAS to be OPERABLE in MODE 1 or 2.

A reactor trip is initiated every time an SI signal is present. Therefore, this trip Function must be OPERABLE in MODE 1 or 2, when the reactor is critical, and must be shut down in the event of an accident. In MODE 3, 4, 5, or 6, the reactor is not critical, and this trip Function does not need to be OPERABLE.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-33 Rev. 1-3/99

BASES APPLICABLE 16. Reactor Trip System Interlocks SAFETY ANALYSES, LCO, and Reactor protection interlocks are provided to ensure reactor trips APPLICABILITY are in the correct configuration for the current unit status.

(continued) They back up operator actions to ensure protection system Functions are not bypassed during unit conditions under which the safety analysis assumes the Functions are not bypassed. Therefore, the interlock Functions do not need to be OPERABLE when the associated reactor trip functions are outside the applicable MODES. These are:

a. Intermediate Range Neutron Flux, P-6 The Intermediate Range Neutron Flux, P-6 interlock (NI-0035B, D, & E, NI-0036B, D, & G) is actuated when any NIS intermediate range channel goes approximately one decade above the minimum channel reading. If both channels drop below the setpoint, the permissive will automatically be defeated. The LCO requirement for the P-6 interlock ensures that the following Functions are performed:

on increasing power, the P-6 interlock allows the manual block of the NIS Source Range, Neutron Flux reactor trip. This prevents a premature block of the source range trip and allows the operator to ensure that the intermediate range is OPERABLE prior to leaving the source range.

on decreasing power, the P-6 interlock automatically enables the NIS Source Range Neutron Flux reactor trip. The LCO requires two channels of Intermediate Range Neutron Flux, P-6 interlock to be OPERABLE in MODE 2 when below the P-6 interlock setpoint.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-34 Revision No. 0

BASES APPLICABLE a. Intermediate Range Neutron Flux, P-6 (continued) SAFETY ANALYSES, LCO, and Above the P-6 interlock setpoint, the NIS Source APPLICABILITY Range Neutron Flux reactor trip will be blocked, and this Function will no longer be necessary. In MODE 3, 4, 5, or 6, the P-6 interlock does not have to be OPERABLE because the NIS Source Range is providing core protection.

b. Low Power Reactor Trips Block, P-7

The Low Power Reactor Trips Block, P-7 interlock is actuated by input from either the Power Range Neutron Flux, P-10, or the Turbine Impulse Pressure, P-13 interlock. The LCO requirement for the P-7 interlock ensures that the following Functions are performed:

(1) on increasing power, the P-7 interlock automatically enables reactor trips on the following Functions:

Pressurizer Pressure - Low; Pressurizer Water Level - High; Reactor Coolant Flow - Low (Two Loops);

Undervoltage RCPs; and Underfrequency RCPs.

These reactor trips are only required when operating above the P-7 setpoint (approximately 10% power). The reactor trips provide protection against violating the DNBR limit. Below the P-7 setpoint, the RCS is capable of providing sufficient natural circulation without any RCP running.

(2) on decreasing power, the P-7 interlock automatically blocks reactor trips on the following Functions:

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-35 Revision No. 0 BASES APPLICABLE b. Low Power Reactor Trips Block, P-7 (continued) SAFETY ANALYSES, LCO, and Pressurizer Pressure - Low; APPLICABILITY

Pressurizer Water Level - High; Reactor Coolant Flow - Low (Two Loops);

Undervoltage RCPs; and Underfrequency RCPs.

Trip Setpoint and Allowable Value are not applicable to the P-7 interlock because it is a logic Function and thus has no parameter with which to associate an LSSS.

The P-7 interlock is a logic Function with train and not channel identity. Therefore, the LCO requires one channel per train of Low Power Reactor Trips Block, P-7 interlock to be OPERABLE in MODE 1.

The low power trips are blocked below the P-7 setpoint and unblocked above the P-7 setpoint. In MODE 2, 3, 4, 5, or 6, this Function does not have to be OPERABLE because the interlock performs its Function when power level drops below 10% power, which is in MODE 1.

c. Power Range Neutron Flux, P-8 The Power Range Neutron Flux, P-8 interlock (NI-0041B & C, NI-0042B & C, NI-0043B & C, NI-0044B & C) is actuated at approximately 48% power as determined by two-out-of-four NIS power range detectors. The P-8 interlock automatically enables the Reactor Coolant Flow - Low (Single Loop) reactor trip on low flow in one or more RCS loops on increasing power. The LCO requirement for this trip Function ensures that protection is provided against a loss of flow in any RCS loop that could result in DNB conditions in the core

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-36 Rev. 1-2/08 BASES APPLICABLE c. Power Range Neutron Flux, P-8 (continued) SAFETY ANALYSES, LCO, and when greater than approximately 48% power. On APPLICABILITY decreasing power, the reactor trip on low flow in any loop is automatically blocked.

The LCO requires four channels of Power Range Neutron Flux, P-8 interlock to be OPERABLE in MODE 1.

In MODE 1, a loss of flow in one RCS loop could result in DNB conditions, so the Power Range Neutron Flux, P-8 interlock must be OPERABLE. In MODE 2, 3, 4, 5, or 6, this Function does not have to be OPERABLE because the core is not producing sufficient power to be concerned about DNB conditions.

d. Power Range Neutron Flux, P-9

The Power Range Neutron Flux, P-9 interlock (NI-0041B & C, NI-0042B & C, NI-0043B & C, NI-0044B & C) is actuated at approximately 40% power as determined by two-out-of-four NIS power range detectors. The LCO requirement for this Function ensures that the Turbine Trip - Low Fluid Oil Pressure and Turbine Trip - Turbine Stop Valve Closure reactor trips are enabled above the P-9 setpoint. Above the P-9 setpoint, a turbine trip will cause a load rejection beyond the capacity of the Steam Dump System. A reactor trip is automatically initiated on a turbine trip when it is above the P-9 setpoint, to minimize the transient on the reactor.

The LCO requires four channels of Power Range Neutron Flux, P-9 interlock to be OPERABLE in MODE 1.

In MODE 1, a turbine trip could cause a load rejection beyond the capacity of the Steam Dump System, so the Power Range Neutron Flux interlock must be OPERABLE. In MODE 2, 3, 4, 5, or 6, this Function does not have to be OPERABLE because the

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-37 Rev. 1-3/99

BASES APPLICABLE d. Power Range Neutron Flux, P-9 (continued) SAFETY ANALYSES, LCO, and reactor is not at a power level sufficient to have a load APPLICABILITY rejection beyond the capacity of the Steam Dump System.

e. Power Range Neutron Flux, P-10 The Power Range Neutron Flux, P-10 interlock (NI-0041B & C, NI-0042B & C, NI-0043B & C, NI-0044B & C) is actuated at approximately 10% power, as determined by two-out-of-four NIS power range detectors. If power level falls below 10% RTP on 3 of 4 channels, the nuclear instrument trips will be automatically unblocked. The LCO requirement for the P-10 interlock ensures that the following Functions are performed:

on increasing power, the P-10 interlock allows the operator to manually block the Intermediate Range Neutron Flux reactor trip. Note that blocking the reactor trip also blocks the signal to prevent automatic and manual rod withdrawal; on increasing power, the P-10 interlock allows the operator to manually block the Power Range Neutron Flux - Low reactor trip; on increasing power, the P-10 interlock automatically provides a backup signal to block the Source Range Neutron Flux reactor trip; the P-10 interlock provides one of the two inputs to the P-7 interlock; and on decreasing power, the P-10 interlock automatically enables the Power Range Neutron Flux - Low reactor trip and the Intermediate Range Neutron Flux reactor trip (and rod stop).

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-38 Revision No. 0

BASES APPLICABLE e. Power Range Neutron Flux, P-10 (continued) SAFETY ANALYSES, LCO, and The LCO requires four channels of Power Range APPLICABILITY Neutron Flux, P-10 interlock to be OPERABLE in MODE 1 or 2.

OPERABILITY in MODE 1 ensures the Function is available to perform its decreasing power Functions in the event of a reactor shutdown. This Function must be OPERABLE in MODE 2 to ensure that core protection is provided during a startup or shutdown by the Power Range Neutron Flux - Low and Intermediate Range Neutron Flux reactor trips. In MODE 3, 4, 5, or 6, this Function does not have to be OPERABLE because the reactor is not at power and the Source Range Neutron Flux reactor trip provides core protection.

f. Turbine Impulse Pressure, P-13

The Turbine Impulse Pressure, P-13 interlock (PI-0505, PI-0506) is actuated when the pressure in the first stage of the high pressure turbine is greater than approximately 10% of the rated full load pressure. This is determined by one-out-of-two pressure detectors. The LCO requirement for this Function ensures that one of the inputs to the P-7 interlock is available.

The LCO requires two channels of Turbine Impulse Pressure, P-13 interlock to be OPERABLE in MODE 1.

The Turbine Impulse Chamber Pressure, P-13 interlock must be OPERABLE when the turbine generator is operating. The interlock Function is not required OPERABLE in MODE 2, 3, 4, 5, or 6 because the reactor trips enabled by P-7 are not required.

17. Reactor Trip Breakers

This trip Function applies to the RTBs exclusive of individual trip mechanisms. The LCO requires two OPERABLE trains of trip breakers. A trip breaker

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-39 Revision No. 0 BASES APPLICABLE 17. Reactor Trip Breakers (continued) SAFETY ANALYSES, LCO, and train consists of all trip breakers associated with a single RTS APPLICABILITY logic train that are racked in, closed, and capable of supplying power to the Rod Control System. Thus, the train may consist of the main breaker, bypass breaker, or main breaker and bypass breaker, depending upon the system configuration. Two OPERABLE trains ensure no single random failure can disable the RTS trip capability.

These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the RTBs or associated bypass breakers are closed, and the Rod Control System is capable of rod withdrawal.

18. Reactor Trip Breaker Undervoltage and Shunt Trip Mechanisms The LCO requires both the Undervoltage and Shunt Trip Mechanisms to be OPERABLE for each RTB that is in service. The trip mechanisms are not required to be OPERABLE for trip breakers that are open, racked out, incapable of supplying power to the Rod Control System, or declared inoperable under Function 17 above. OPERABILITY of both trip mechanisms on each breaker ensures that no single trip mechanism failure will prevent opening any breaker on a valid signal.

These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the RTBs and associated bypass breakers are closed, and the Rod Control System is capable of rod withdrawal.

19. Automatic Trip Logic The LCO requirement for the RTBs (Functions 17 and 18) and Automatic Trip Logic (Function 19) ensures that means are provided to interrupt the power to allow the rods to fall into the reactor core. Each RTB is equipped with an undervoltage coil and a shunt trip

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-40 REVISION 20 BASES APPLICABLE 19. Automatic Trip Logic (continued) SAFETY ANALYSES, LCO, and coil to trip the breaker open when needed. Each RTB APPLICABILITY is equipped with a bypass breaker to allow testing of the trip breaker while the unit is at power. The reactor trip signals generated by the RTS Automatic Trip Logic cause the RTBs and associated bypass breakers to open and shut down the reactor.

The LCO requires two channels of RTS Automatic Trip Logic to be OPERABLE. Having two OPERABLE channels ensures that random failure of a single logic channel will not prevent reactor

trip. These trip Functions must be OPERABLE in MODE 1 or 2 when the reactor is critical. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the RTBs or associated bypass breakers are closed, and the Rod Control System is capable of rod withdrawal.

The RTS instrumentation satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

ACTIONS A Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.1-1.

In the event a channel's NTSB is found nonconservative with respect to the Allowable Value, or the channel is not functioning as required, or the transmitter, instrument loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection function(s) affected.

When the number of inoperable channels in a trip Function exceed those specified in one or other related Conditions associated with a trip Function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 must be immediately entered if applicable in the current MODE of operation.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-41 Revision No. 0 BASES ACTIONS A.1 (continued) Condition A applies to all RTS protection functions. Condition A addresses the situation where one or more required channels for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.1-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

B.1 and B.2

Condition B applies to the Manual Reactor Trip in MODE 1 or 2. This action addresses the train orientation of the SSPS for this Function. With one channel inoperable, the inoperable channel must be restored to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />. In this Condition, the remaining OPERABLE channel is adequate to perform the safety function.

The Completion Time of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is reasonable considering that there are two automatic actuation channels and another manual initiation channel OPERABLE, and the low probability of an event occurring during this interval.

If the Manual Reactor Trip Function cannot be restored to OPERABLE status within the allowed 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> Completion Time, the unit must be brought to a MODE in which Condition B is no longer applicable. To achieve this status, the unit must be brought to at least MODE 3 within 6 additional hours (54 hours6.25e-4 days <br />0.015 hours <br />8.928571e-5 weeks <br />2.0547e-5 months <br /> total time). The 6 additional hours to reach MODE 3 is reasonable, based on operating experience, to reach MODE 3 from full power operation in an orderly manner and without challenging unit systems. With the unit in MODE 3, Condition C applies to this trip function.

C.1 and C.2

Condition C applies to the following reactor trip Functions in MODE 3, 4, or 5 with the RTBs closed and the CRD System capable of rod withdrawal:

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-42 Rev. 4-8/06 BASES ACTIONS C.1 and C.2 (continued)

Manual Reactor Trip; RTBs; RTB Undervoltage and Shunt Trip Mechanisms; and Automatic Trip Logic.

This action addresses the train orientation of the SSPS for these Functions. With one channel or train inoperable, the inoperable channel or train must be restored to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />. If the affected Function(s) cannot be restored to OPERABLE status within the allowed 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> Completion Time, the unit must be placed in a MODE in which the requirement does not apply. To achieve this status, the RTBs must be opened within the next hour. The additional hour provides sufficient time to accomplish the action in an orderly manner. With the RTBs open, these Functions are no longer required. This Condition is modified by a Note that prohibits closing the RTBs in MODES 3, 4, or 5 if any of the above Functions (Function 1, 17, 18, or 19 of Table 3.3.1-1) are not met.

The Completion Time is reasonable considering that in this Condition, the remaining OPERABLE channel or train is adequate to perform the safety function, and given the low probability of an event occurring during this interval.

D.1 and D.2 Condition D applies to the Power Range Neutron Flux-High Function. This Condition contains bypass times and Completion Times that are risk-informed. The Configuration Risk Management Program (CRMP) is used to assess changes in core damage frequency resulting from applicable plant configurations.

The CRMP uses the equipment out of service risk monitor, a computer based tool that may be used to aid in the risk assessment of on-line maintenance and to evaluate the change in risk from a component failure. The equipment out of service risk monitor uses the plant probabilistic risk assessment model to evaluate the risk of removing equipment from service based on current plant configuration and equipment condition.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-43 Rev. 3-9/06 BASES ACTIONS D.1 and D.2 (continued)

The NIS power range detectors provide input to the CRD System and the SG Water Level Control System and, therefore, have a two-out-of-four trip logic. A known inoperable channel must be placed in the tripped condition. This results in a partial trip condition requiring only one-out-of-three logic for actuation. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition is justified in WCAP-14333-P-A (Ref. 8).

The Required Actions have been modified by two Notes. Note 1 allows a channel to be placed in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing. With one channel inoperable, the Note also allows routine surveillance testing of another channel with a channel in bypass. The Note also allows placing a channel in the bypass condition to allow setpoint adjustments when required to reduce the Power Range Neutron Flux-High setpoint in accordance with other Technical Specifications. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 8.

Note 2 refers the user to LOC 3.2.4 for additional requirements that may apply for an inoperable power range channel.

If Required Action D.1 cannot be met within the specified Completion Time, the unit must be placed in a MODE where this Function is no longer required OPERABLE. An additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> beyond the Completion Time for Required Action D.1 is allowed to place the unit in MODE 3. Six hours is a reasonable time, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-44 Rev. 2-8/06 BASES ACTIONS E.1 and E.2 (continued) Condition E applies to the following reactor trip Functions:

Power Range Neutron Flux- Low; Overtemperature T; Overpower T; Power Range Neutron Flux - High Positive Rate; Pressurizer Pressure-High; and SG Water Level-Low Low.

This Condition contains bypass times and Completion Times that are risk-informed. The Configuration Risk Management Program (CRMP) is used to assess changes in core damage frequency resulting from applicable plant configurations. The CRMP uses the equipment out of service risk monitor, a computer based tool that may be used to aid in the risk assessment of on-line maintenance and to evaluate the change in risk from a component failure. The equipment out of service risk monitor uses the plant probabilistic risk assessment model to evaluate the risk of removing equipment from service based on current plant configuration and equipment condition.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-45 Rev. 3-7/08 BASES ACTIONS E.1 and E.2 (continued)

A known inoperable channel must be placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Placing the channel in the tripped condition results in a partial trip condition requiring only one-out-of-two logic for actuation of the two-out-of-three trips and one-out-of-three logic for actuation of the two-out-of-four trips.

The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition is justified in Reference 8.

If the inoperable channel cannot be placed in the trip condition within the specified Completion Time, the unit must be placed in a MODE where these Functions are not required OPERABLE. An additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is allowed to place the unit in MODE 3. Six hours is a reasonable time, based on operating experience, to place the unit in MODE 3 from full power in an orderly manner and without challenging unit systems.

The Required Actions have been modified by a Note that allows placing a channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing. With one channel inoperable, the Note also allows routine surveillance testing of another channel with a channel in bypass.

The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 8.

F.1 and F.2 Condition F applies to the Intermediate Range Neutron Flux trip

when THERMAL POWER is above the P-6 setpoint and below the P-10 setpoint and one channel is inoperable. Above the P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detector performs the monitoring Functions. If THERMAL POWER is greater than the P-6 setpoint but less than the P-10 setpoint, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed to reduce THERMAL POWER below the P-6 setpoint or increase to THERMAL POWER above the P-10 setpoint. The NIS Intermediate Range Neutron Flux channels must be OPERABLE when the power level is above the capability of the source range, P-6, and below the capability of the power range, P-10. If THERMAL POWER is greater than the P-10 setpoint, the NIS power range detectors perform the monitoring and protection functions and the intermediate range is not required. The Completion Times allow for a slow and controlled power adjustment above P-10 or below P-6 and take

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-46 Rev. 1-1/01 BASES ACTIONS F.1 and F.2 (continued) into account the redundant capability afforded by the redundant OPERABLE channel, and the low probability of its failure during this period. This action does not require the inoperable channel to be tripped because the Function uses one-out-of-two logic.

Tripping one channel would trip the reactor. Thus, the Required Actions specified in this Condition are only applicable when channel failure does not result in reactor trip.

G.1 and G.2

Condition G applies to two inoperable Intermediate Range Neutron Flux trip channels when THERMAL POWER is above the P-6 setpoint and below the P-10 setpoint. Required Actions specified in this Condition are only applicable when channel failures do not result in reactor trip. Above the P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detector performs the monitoring Functions. With no intermediate range channels OPERABLE, the Required Actions are to suspend operations involving positive reactivity additions immediately. However, this does not preclude actions to maintain or increase reactor vessel inventory or place the unit in a safe conservative condition provided the required SDM is maintained.

The suspension of positive reactivity additions will preclude any power level increase since there are no OPERABLE Intermediate Range Neutron Flux channels. The operator must also reduce THERMAL POWER below the P-6 setpoint within two hours.

Below P-6, the Source Range Neutron Flux channels will be able to monitor the core power level. The Completion Time of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> will allow a slow and controlled power reduction to less than the P-6 setpoint and takes into account the low probability of occurrence of an event during this period that may require the protection afforded by the NIS Intermediate Range Neutron Flux trip.

H.1 Condition H applies to the Intermediate Range Neutron Flux trip when THERMAL POWER is below the P-6 setpoint and one or two channels are inoperable. Below the P-6 setpoint, the NIS source range performs the monitoring and protection functions.

The inoperable NIS intermediate range channel(s) must be returned to OPERABLE status prior to increasing power above the P-6 setpoint. The NIS intermediate range channels must be OPERABLE when the power level is above the capability of the source range, P-6, and below the capability of the power range, P-10.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-47 Rev. 2-9/06 BASES ACTIONS I.1 (continued) Condition I applies to one inoperable Source Range Neutron Flux trip channel when in MODE 2, below the P-6 setpoint, and performing a reactor startup. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. With one of the two channels inoperable, operations involving positive reactivity additions shall be suspended immediately.

This will preclude any power escalation. With only one source range channel OPERABLE, core protection is severely reduced and any actions that add positive reactivity to the core must be suspended immediately. However, this does not preclude actions to maintain or place the unit in a safe conservative condition provided the required SDM is maintained.

J.1 Condition J applies to two inoperable Source Range Neutron Flux trip channels when in MODE 2, below the P-6 setpoint, and performing a reactor startup, or in MODE 3, 4, or 5 with the RTBs closed and the CRD System capable of rod withdrawal. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. With both source range channels inoperable, the RTBs must be opened immediately. With the RTBs open, the core is in a more stable condition and the unit enters Condition L.

K.1 and K.2

Condition K applies to one inoperable source range channel in MODE 3, 4, or 5 with the RTBs closed and the CRD System capable of rod withdrawal. With the unit in this Condition, below P-6, the NIS source range performs the monitoring and protection functions. With one of the source range channels inoperable, 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is allowed to restore it to an OPERABLE status. If the channel cannot be returned to an OPERABLE status, 1 additional hour is allowed to open the RTBs. Once the RTBs are open, the core is in a more stable condition and the unit enters Condition L.

The allowance of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> to restore the channel to OPERABLE status, and the additional hour to open the RTBs, are justified in Reference 9.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-48 Rev. 1-1/01 BASES ACTIONS L.1 (continued) Condition L applies when the required number of OPERABLE Source Range Neutron Flux channels is not met in MODE 3, 4, or 5 with the RTBs open. With the unit in this Condition, the NIS source range performs the monitoring and protection functions.

With less than the required number of source range channels OPERABLE, operations involving positive reactivity additions shall be suspended immediately. This will preclude any power escalation. However, this does not preclude actions to maintain or increase reactor vessel inventory or place the unit in a safe conservative condition provided the required SDM is maintained.

Note that the source range also continues to provide input to the high flux at shutdown alarm (HFASA - LCO 3.3.8). LCO 3.3.8 requires that the HFASA receive input from two source range channels for the HFASA to be OPERABLE.

M.1 and M.2

Condition M applies to the following reactor trip Functions:

Pressurizer Pressure-Low; Pressurizer Water Level-High; Reactor Coolant Flow-Low (Two Loops);

Undervoltage RCPs; and Underfrequency RCPs.

This Condition contains bypass times and Completion Times that are risk-informed. The Configuration Risk Management Program (CRMP) is used to assess changes in core damage frequency resulting from applicable plant configurations. The CRMP uses the equipment out of service risk monitor, a computer based tool that may be used to aid in the risk assessment of on-line maintenance and to evaluate the change in risk from a component failure. The equipment out of service risk monitor uses the plant probabilistic risk assessment model to evaluate the risk of removing equipment from service based on current plant configuration and equipment condition.

With one channel inoperable, the inoperable channel must be placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Placing the channel in the tripped condition results in a partial trip condition requiring only one additional channel to initiate a reactor trip above the P-7 setpoint (and below the P-8 setpoint for the Reactor Coolant Flow - Low - Two Loops

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-49 Rev. 2-9/06 BASES ACTIONS M.1 and M.2 (continued) function). These Functions do not have to be OPERABLE below the P-7 setpoint because for the Pressurizer Water Level - High transients are slow enough for manual action, and for the other functions DNB is not as serious a concern due to the Low Power Level. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the channel in the tripped condition is justified in Reference 8. An additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is allowed to reduce THERMAL POWER to below P-7 if the inoperable channel cannot be restored to OPERABLE status or placed in trip within the specified Completion Time.

Allowance of this time interval takes into consideration the redundant capability provided by the remaining redundant OPERABLE channel, and the low probability of occurrence of an event during this period that may require the protection afforded by the Functions associated with Condition M.

The Required Actions have been modified by two Notes. Note 1 applies only to the RCP undervoltage and underfrequency instrument functions. These functions do not have installed bypass capability. Therefore, the allowance to place these instrument channels in bypass is more limited. Note 1 allows the inoperable undervoltage or underfrequency instrument channel to be bypassed for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for surveillance testing of other channels.

Note 2 allows placing a channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing. Note 2 applies to all Condition M instrument functions except RCP undervoltage and underfrequency. With one channel inoperable, Note 2 also allows routine surveillance testing of another channel with a channel in bypass. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit of both Notes is justified in Reference 8.

N.1 and N.2

Condition N applies to the Reactor Coolant Flow - Low (Single Loop) reactor trip Function. This Condition contains bypass times and Completion Times that are risk-informed. The Configuration Risk Management Program (CRMP) is used to assess changes in core damage frequency resulting from

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-50 Rev. 2-9/06 BASES ACTIONS N.1 and N.2 (continued) applicable plant configurations. The CRMP uses the equipment out of service risk monitor, a computer based tool that may be used to aid in the risk assessment of on-line maintenance and to evaluate the change in risk from a component failure. The equipment out of service risk monitor uses the plant probabilistic risk assessment model to evaluate the risk of removing equipment from service based on current plant configuration and equipment condition. With one channel inoperable, the inoperable channel must be placed in trip within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. If the channel cannot be restored to OPERABLE status or the channel placed in trip within the 72 hours, then THERMAL POWER must be reduced below the P- 8 setpoint within the next 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. This places the unit in a MODE where the LCO is no longer applicable. This trip Function does not have to be OPERABLE below the P-8 setpoint because other RTS trip Functions provide core protection below the P-8 setpoint. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to restore the channel to OPERABLE status or place in trip and the 4 additional hours allowed to reduce THERMAL POWER to below the P-8 setpoint are justified in Reference 8.

The Required Actions have been modified by a Note that allows placing a channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing. With one channel inoperable, the Note allows routine surveillance testing of another channel with a channel in bypass. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 8.

O.1 and O.2

Condition O applies to Turbine Trip on Low Fluid Oil Pressure. This Condition contains bypass times and Completion Times that are risk-informed. The Configuration Risk Management Program (CRMP) is used to assess changes in core damage frequency resulting from applicable plant configurations. The CRMP uses the equipment out of service risk monitor, a computer based tool that may be used to aid in the risk assessment of on-line maintenance and to evaluate the change in risk from a component failure. The equipment out of service risk monitor uses the plant probabilistic risk assessment model to evaluate the risk of removing equipment from service based on current plant configuration and equipment condition. With one channel inoperable, the inoperable channel must be placed in the trip

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-51 Rev. 2-9/06 BASES ACTIONS O.1 and O.2 (continued) condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. If placed in the tripped condition, this results in a partial trip condition requiring only one additional channel to initiate a reactor trip. If the channel cannot be restored to OPERABLE status or placed in the trip condition, then power must be reduced below the P-9 setpoint within the next 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.

The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition and the 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> allowed for reducing power are justified in Reference 8.

The Required Actions have been modified by a Note that allows placing a channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing. With one channel inoperable, the Note also allows routine surveillance testing of another channel with a channel in bypass. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 8.

P.1 and P.2

Condition P applies to the Turbine Trip on Stop Valve Closure. This Condition contains bypass times and Completion Times that are risk-informed. The Configuration Risk Management Program (CRMP) is used to assess changes in core damage frequency resulting from applicable plant configurations. The CRMP uses the equipment out of service risk monitor, a computer based tool that may be used to aid in the risk assessment of on-line maintenance and to evaluate the change in risk from a component failure. The equipment out of service risk monitor uses the plant probabilistic risk assessment model to evaluate the risk of removing equipment from service based on current plant configuration and equipment condition. With one or more channels inoperable, the inoperable channels must be placed in the trip condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Since all the valves must be tripped (not fully open) in order for the reactor trip signal to be generated, it is acceptable to place more than one Turbine Stop Valve Closure channel in the tripped condition. If a channel cannot be restored to OPERABLE status or placed in the trip condition, then power must be reduced below the P-9 setpoint within the next 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place an inoperable channel in the tripped condition and the 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> allowed for reducing power are justified in Reference 8.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-52 Rev. 2-9/06 BASES ACTIONS Q.1 and Q.2 (continued) Condition Q applies to the SI Input from ESFAS reactor trip and the RTS Automatic Trip Logic in MODES 1 and 2. These actions address the train orientation of the RTS for these Functions. This Condition contains bypass times and Completion Times that are risk-informed. The Configuration Risk Management Program (CRMP) is used to assess changes in core damage frequency resulting from applicable plant configurations. The CRMP uses the equipment out of service risk monitor, a computer based tool that may be used to aid in the risk assessment of on-line maintenance and to evaluate the change in risk from a component failure. The equipment out of service risk monitor uses the plant probabilistic risk assessment model to evaluate the risk of removing equipment from service based on current plant configuration and equipment condition. With one train inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed to restore the train to OPERABLE status or the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is reasonable considering that in this Condition, the remaining OPERABLE train is adequate to perform the safety function and given the low probability of an event during this interval. The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems.

The Required Actions have been modified by a Note that allows bypassing one train up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing, provided the other train is OPERABLE. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> time limit for testing the RTS Automatic Trip Logic train may include testing the RTB also, if both the Logic test and RTB test are conducted within the 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> time limit. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> time limit is justified in Reference 8.

The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> time limit for the RTS Automatic Trip Logic train testing is greater than the 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> time limit for the RTBs, which the Logic train supports. The longer time limit for the Logic train (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />) is acceptable based on Reference 10.

R.1 and R.2

Condition R applies to the P-6 interlock. With one or more channels inoperable for one-out-of-two coincidence logic, the associated interlock must be verified to be in its required state for the existing unit condition within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or the unit must be placed

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-53 Rev. 2-9/06 BASES ACTIONS R.1 and R.2 (continued) in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. Verifying the interlock status manually accomplishes the interlock's Function. The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is based on operating experience and the minimum amount of time allowed for manual operator actions. The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Times are equal to the time allowed by LCO 3.0.3 for shutdown actions in the event of a complete loss of RTS Function.

S.1 and S.2

Condition S applies to the P-7, P-8, P-9, P-10, and P-13 interlocks. With one or more channels inoperable for one-out-of-two or two-out-of-four coincidence logic, the associated interlock must be verified to be in its required state for the existing unit condition within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or THERMAL POWER must be reduced to less than the affected interlock setpoint within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. These actions are conservative for the case where power level is being raised. Verifying the interlock status manually accomplishes the interlock's Function. The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is based on operating experience and the minimum amount of time allowed for manual operator actions. The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 2 from full power in an orderly manner and without challenging unit systems.

T.1 and T.2 Condition T applies to the RTBs in MODES 1 and 2. These actions address the train orientation of the RTS for the RTBs. With one train inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is allowed for train corrective maintenance to restore the train to OPERABLE status or the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is justified in Reference 11. The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems. Placing the unit in MODE 3 results in Condition C entry while RTBs are inoperable.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-53a Rev. 1-9/06 BASES ACTIONS T.1 and T.2 (continued)

The Required Actions have been modified by a Note. The Note allows one train to be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing, provided the other train is OPERABLE. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> time limit is justified in Reference 11.

U.1 and U.2

Condition U applies to the RTB Undervoltage and Shunt Trip Mechanisms, or diverse trip features, in MODES 1 and 2. With one of the diverse trip features inoperable, it must be restored to an OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> or the unit must be placed in a MODE where Condition U is no longer applicable. This is accomplished by placing the unit in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (54 hours6.25e-4 days <br />0.015 hours <br />8.928571e-5 weeks <br />2.0547e-5 months <br /> total time). The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is a reasonable time, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems. With the unit in MODE 3, Condition C applies to this trip function. The affected RTB shall not be bypassed while one of the diverse features is inoperable except for the time required to perform maintenance to one of the diverse features. The allowable time for performing maintenance of the diverse features is 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for the reasons stated under Condition T.

If two diverse trip features become inoperable in the same RTB, that RTB becomes inoperable upon discovery of the second inoperable trip feature.

The Completion Time of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> for Required Action U.1 is reasonable considering that in this Condition there is one remaining diverse feature for the affected RTB, and one OPERABLE RTB capable of performing the safety function and given the low probability of an event occurring during this interval.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-53b Rev. 0-1/01 BASES ACTIONS (continued) V.1

Condition V corresponds to a level of degradation in the RTS that causes a required safety function to be lost. When more than one Condition of this LCO is entered, and this results in the loss of automatic reactor trip capability, the unit is in a condition outside the accident analysis.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-54 REVISION 14 BASES ACTIONS V.1 (continued)

Therefore, no additional time is justified for continued operation. LCO 3.0.3 must be entered immediately to commence a controlled

shutdown.

SURVEILLANCE The SRs for each RTS Function are identified by the SRs REQUIREMENTS column of Table 3.3.1-1 for that Function.

A Note has been added to the SR Table stating that Table 3.3.1-1 determines which SRs apply to which RTS Functions.

Note that each channel of process protection supplies both trains of the RTS. When testing Channel I, Train A and Train B must be examined. Similarly, Train A and Train B must be examined when testing Channel II, Channel III, and Channel IV (if applicable). The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies.

SR 3.3.1.1

Performance of the CHANNEL CHECK ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-55 REVISION 14 BASES SURVEILLANCE SR 3.3.1.1 (continued) REQUIREMENTS outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.2

SR 3.3.1.2 compares the calorimetric heat balance calculation to the power range channel output. If the calorimetric heat balance results exceed the power range channel output by more than

+2% RTP, the power range channel is not declared inoperable, but must be adjusted consistent with the calorimetric heat balance results. If the power range channel output cannot be properly adjusted, the channel is declared inoperable.

If the calorimetric is performed at part power (< 50% RTP), adjusting the power range channel indication in the increasing direction will assure a reactor trip below the safety analysis limit of 118% RTP. Making no adjustment to the power range channel in the decreasing power direction due to a part-power calorimetric assures a reactor trip consistent with the safety analyses.

This allowance does not preclude making indication power adjustments, if desired, when the calorimetric heat balance calculation is less than the power range channel output. To provide close agreement between indicated and calorimetric power and to preserve operating margin, the power range channels are normally adjusted when operating at or near full power during steady-state conditions. However, discretion must be exercised if the power range channel output is adjusted in the decreasing power direction due to a part-power calorimetric

(< 50% RTP). This action may introduce a nonconservative bias at higher power levels which may result in an NIS reactor trip above the safety analysis limit of 118% RTP. The cause of the potential nonconservative bias is the decreased accuracy of the calorimetric at reduced power conditions. The primary error

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-56 REVISION 14 BASES SURVEILLANCE SR 3.3.1.2 (continued) REQUIREMENTS contributor to the instrument uncertainty for a secondary side power calorimetric measurement is the feedwater flow measurement which is typically a P measurement across a feedwater venturi. While the measurement uncertainty remains constant in P as power decreases, when translated into flow, the uncertainty increases as a square term. Thus a 1% flow error at 100% RTP can approach a 10% error at 30% RTP even though the P error has not changed. An evaluation of extended operation at part-power conditions would conclude that it is prudent to administratively adjust the setpoint of the Power Range Neutron Flux - High bistables to 90% RTP for a calorimetric power determined below 50% RTP, and to 75% RTP for a calorimetric power determined below 20% RTP when: 1) the power range channel output is adjusted in the decreasing power direction due to a part-power calorimetric; or 2) for a post-refueling startup. While the part-power calorimetric uncertainty based on a feedwater flow measurement from the leading-edge flow meter (LEFM) is less than that based on the feedwater venturi, it is prudent to continue to apply the same adjustments to the setpoint.

Before the Power Range Neutron Flux - High bistables are reset to the nominal value in Table 3.3.1-1 of Specification 3.3.1, the power range channel adjustment must be confirmed based on a calorimetric performed at a power level 50% RTP. The Note clarifies that this Surveillance is required only if reactor power is 15% RTP and that 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is allowed for performing the first Surveillance after reaching 15% RTP. At lower power levels, calorimetric data are inaccurate.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.3 SR 3.3.1.3 compares the incore system to the NIS channel output.

EXCORE Detector Recalibration Using Quarter-Core Flux Maps

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-58 REVISION 14 BASES SURVEILLANCE SR 3.3.1.3 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.4

SR 3.3.1.4 is the performance of a TADOT on a STAGGERED TEST BASIS. This test shall verify OPERABILITY by actuation of the end devices.

The RTB test shall include separate verification of the undervoltage and shunt trip mechanisms. Independent verification of RTB undervoltage and shunt trip function is not required for the bypass breakers. No capability is provided for performing such a test at power. The independence test for bypass breakers is included in SR 3.3.1.13. The bypass breaker test shall include a local shunt trip. A Note has been added to indicate that this test must be performed on the bypass breaker prior to placing it in service.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.5 SR 3.3.1.5 is the performance of an ACTUATION LOGIC TEST.

The SSPS is tested on a STAGGERED TEST BASIS, using the semiautomatic tester. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-59 REVISION 20 BASES SURVEILLANCE SR 3.3.1.6 REQUIREMENTS (continued) SR 3.3.1.6 is a calibration of the excore channels to the incore channels. If the measurements do not agree, the excore channels are not declared inoperable but must be calibrated to agree with the incore detector measurements. If the excore channels cannot be adjusted, the channels are declared inoperable. This surveillance is primarily performed to verify the f(AFD) input to the overtemperature T function.

Two Notes modify SR 3.3.1.6. Note 1 states that this Surveillance is required only if reactor power is > 75% RTP and that 7 days is allowed for performing the first surveillance after reaching 75% RTP. Note 2 states that neutron detectors are excluded from the calibration.

The Surveillance Frequency is controlled under the Surveillance

Frequency Control Program.

SR 3.3.1.7 SR 3.3.1.7 is the performance of a COT.

A COT is performed on each required channel to ensure the entire channel will perform the intended Function. Setpoints must be conservative with respect to the Allowable Values specified in Table 3.3.1-1.

The difference between the current "as found" values and the previous test "as left" values must be consistent with the drift allowance used in the setpoint methodology. The setpoint shall be left set consistent with the assumptions of the current unit specific setpoint methodology.

The "as-found" and "as-left" values must also be recorded and reviewed for consistency with the assumptions of Reference 6.

This Surveillance Requirement is modified by two Notes that apply only to the Source Range instrument channels. Note 1 requires that the COT include verification that interlocks P-6 and P-10 are in the required state for the existing unit

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-60 REVISION 20 BASES SURVEILLANCE SR 3.3.1.7 (continued) REQUIREMENTS conditions. Note 2 provides a 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> delay in the requirement to perform this surveillance for source range instrumentation when entering Mode 3 from Mode 2. This Note allows a normal shutdown to proceed without delay for the performance of this SR to meet the applicability requirements in Mode 3. This delay allows time to open the RTBs in Mode 3 after which this SR is no longer required to be performed. If the unit is to be in Mode 3 with the RTBs closed for greater than 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, this surveillance must be completed prior to the expiration of the 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.

The Surveillance Frequency is controlled under the Surveillance

Frequency Control Program.

SR 3.3.1.7 is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of channel performance will verify that the channel will continue to behave in accordance with safety analysis assumptions and the channel performance assumptions in the setpoint methodology. The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service. For channels determined to be OPERABLE but degraded, after returning the channel to service the channels will be evaluated under the plant Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition. The second Note requires that the as-left setting for the channel be returned to within the as-left tolerance of the NTSP. Where a setpoint more conservative than the NTSP is used in the plant surveillance procedures (field setting), the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left channel setting cannot be returned to a setting within the as-left tolerance of the NTSP, then the channel shall be declared inoperable.

The second Note also requires that the methodologies for calculating the as-left and the as-found tolerances be in NMP-ES-033-006, Vogtle Setpoint Uncertainty Methodology and Scaling Instructions.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-61 REVISION 20 BASES SURVEILLANCE SR 3.3.1.8 REQUIREMENTS (continued) SR 3.3.1.8 is the performance of a COT as described in SR 3.3.1.7, except the frequency is prior to reactor startup. This SR is not required to be met when reactor power is decreased below P-10 (10% RTP) or when MODE 2 is entered from MODE 1 during controlled shutdowns. The Surveillance is modified by a Note that specifies this surveillance can be satisfied by the performance of a COT within 31 days prior to reactor startup. This test ensures that the NIS source range, intermediate range, and power range low setpoint channels are OPERABLE prior to taking the reactor critical.

SR 3.3.1.8 is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of channel performance will verify that the channel will continue to behave in accordance with safety analysis assumptions and the channel performance assumptions in the setpoint methodology. The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service. For channels determined to be OPERABLE but degraded, after returning the channel to service the channels will be evaluated under the plant Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition. The second Note requires that the as-left setting for the channel be returned to within the as-left tolerance of the NTSP. Where a setpoint more conservative than the NTSP is used in the plant surveillance procedures (field setting), the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left channel setting cannot be returned to a setting within the as-left tolerance of the NTSP, then the channel shall be declared inoperable.

The second Note also requires that the methodologies for calculating the as-left and the as-found tolerances be in NMP-ES-033-006, Vogtle Setpoint Uncertainty Methodology and Scaling Instructions.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-62 REVISION 20 BASES SURVEILLANCE SR 3.3.1.9 REQUIREMENTS (continued) SR 3.3.1.9 is the performance of a TADOT. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The SR is modified by a Note that excludes verification of setpoints from the TADOT. Since this SR applies to RCP undervoltage and underfrequency relays, setpoint verification requires elaborate bench calibration and is accomplished during the CHANNEL CALIBRATION.

SR 3.3.1.10 CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the unit specific setpoint methodology. The difference between the current "as-found" values and the previous test "as-left" values must be consistent with the drift allowance used in the setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Operating experience has shown these components usually pass the Surveillance when

performed on the 18 month Frequency.

SR 3.3.1.10 is modified by a Note stating that this test shall include verification that the time constants are adjusted to the prescribed values where applicable.

SR 3.3.1.10 is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of channel performance will verify that the channel will continue to behave in accordance with safety analysis assumptions and the channel performance assumptions in the setpoint methodology. The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-63 REVISION 20 BASES SURVEILLANCE For channels determined to be OPERABLE but degraded, after REQUIREMENTS returning the channel to service the channels will be evaluated (continued) under the plant Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition. The second Note requires that the as-left setting for the channel be returned to within the as-left tolerance of the NTSP. Where a setpoint more conservative than the NTSP is used in the plant surveillance procedures (field setting), the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left channel setting cannot be returned to a setting within the as-left tolerance of the NTSP, then the channel shall be declared inoperable.

The second Note also requires that the methodologies for calculating the as-left and the as-found tolerances be in NMP-ES-033-006, Vogtle Setpoint Uncertainty Methodology and Scaling Instructions.

SR 3.3.1.11 SR 3.3.1.11 is the performance of a CHANNEL CALIBRATION, as described in SR 3.3.1.10. This SR is modified by a Note that states that neutron detectors are excluded from the CHANNEL CALIBRATION. The CHANNEL CALIBRATION for the power range neutron detectors includes a normalization of the detectors based on a power calorimetric and flux map performed above 75% RTP.

The CHANNEL CALIBRATION for the source range neutron detectors includes obtaining the detector preamp discriminator

curves and evaluating those curves.

The Surveillance Frequency is controlled under the Surveillance

Frequency Control Program.

SR 3.3.1.11 is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of channel performance will verify that the channel will continue to behave in accordance with safety analysis assumptions and the channel performance assumptions in the setpoint methodology. The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service. For channels determined to be OPERABLE but degraded, after RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-64 REVISION 20 BASES SURVEILLANCE SR 3.3.1.11 (continued) REQUIREMENTS returning the channel to service the channels will be evaluated under the plant Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition. The second Note requires that the as-left setting for the channel be returned to within the as-left tolerance of the NTSP. Where a setpoint more conservative than the NTSP is used in the plant surveillance procedures (field setting), the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left channel setting cannot be returned to a setting within the as-left tolerance of the NTSP, then the channel shall be declared inoperable.

The second Note also requires that the methodologies for calculating the as-left and the as-found tolerances be in NMP-ES-033-006, Vogtle Setpoint Uncertainty Methodology and Scaling Instructions.

SR 3.3.1.12

SR 3.3.1.12 is the performance of a COT of RTS interlocks.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.13 SR 3.3.1.13 is the performance of a TADOT of the Manual Reactor Trip and the SI Input from ESFAS. This TADOT is as described in SR 3.3.1.4.

The manual reactor trip TADOT shall independently verify the OPERABILITY of the undervoltage and shunt trip circuits for the manual reactor trip function. This test shall also verify the OPERABILITY of the Bypass breaker trip circuit(s), including the

automatic undervoltage trip.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-65 REVISION 26 BASES SURVEILLANCE SR 3.3.1.13 (continued) REQUIREMENTS The SR is modified by a Note that excludes verification of setpoints from the TADOT. The Functions affected have no setpoints associated with them.

SR 3.3.1.14

SR 3.3.1.14 is the performance of a TADOT of the turbine stop valve closure Turbine Trip Functions. This TADOT is as described in SR 3.3.1.4, except that this test is performed after each entry into MODE 3 for a unit shutdown and prior to exceeding the P-9 interlock trip setpoint. Note 1 states that this Surveillance is not required if it has been performed within the previous 31 days. Note 2 states that verification of the Trip Setpoint does not have to be performed for this Surveillance.

Performance of this test ensures that the reactor trip on turbine trip Function is OPERABLE prior to entering the Mode of Applicability (above the P-9 power range neutron flux interlock) for this instrument function. The frequency is based on the known reliability of the instrumentation that generates a reactor trip after the turbine trips, and has been shown to be acceptable through operating experience.

SR 3.3.1.15 SR 3.3.1.15 verifies that the individual channel/train actuation response times are less than or equal to the maximum values assumed in the accident analysis. Response time testing acceptance criteria are included in FSAR, Chapter 7 (Ref. 1). Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the equipment reaches the required functional state (i.e., control and shutdown rods fully inserted in the reactor core).

For channels that include dynamic transfer Functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer function set to one or with the time constants set to their nominal value. The results must be compared to properly defined acceptance criteria. The response time may be measured by a series of overlapping tests such that the entire response time is measured.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-66 REVISION 26 BASES SURVEILLANCE SR 3.3.1.15 (continued) REQUIREMENTS Response time may be verified by actual response time tests in any series of sequential, overlapping, or total channel measurements; or by the summation of allocation sensor, signal processing, and actuation logic response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g., vendor) test measurements, or (3) using vendor engineering specifications. WCAP-13632-P-A Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements,"

(Ref. 12), provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP.

Response time verification for other sensor types must be

demonstrated by test.

WCAP-14036-P Revision 1, "Elimination of Periodic Protection Channel Response Time Tests," (Ref. 13), provides the basis and methodology for using allocated signal processing and actuation logic response times in the overall verification of the protection system channel response time. The allocations for sensor, signal conditioning and actuation logic response times must be verified prior to placing the component in operational service and re-verified following maintenance that may adversely affect response time. In general, electrical repair work does not impact response time provided the parts used for repair are of the same type and value. Specific components identified in the WCAP may be replaced without verification testing. One example where response time could be affected is replacing the sensing assembly of a transmitter.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-67 REVISION 20 BASES SURVEILLANCE SR 3.3.1.15 (continued) REQUIREMENTS SR 3.3.1.15 is modified by a Note stating that neutron detectors are excluded from RTS RESPONSE TIME testing. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response.

SR 3.3.1.16 SR 3.3.1.16 is the performance of a COT for the low fluid oil pressure portion of the Turbine Trip Functions as described in SR 3.3.1.7 except that the Frequency is after each entry into MODE 3 for a unit shutdown and prior to exceeding the P-9 interlock trip setpoint. The surveillance is modified by two Notes. Note 1 states that the surveillance may be satisfied if performed within the previous 31 days. Note 2 states that verification of the setpoint is not required. Performance of this test ensures that the reactor trip on turbine trip function is OPERABLE prior to entering the Mode of Applicability (above the P-9 power range neutron flux interlock) for this instrument function. The frequency is based on the known reliability of the instrumentation that generates a reactor trip after the turbine trips, and has been shown to be acceptable through operating experience.

REFERENCES 1. FSAR, Chapter 7.

RTS Instrumentation B 3.3.1 (continued)

Vogtle Units 1 and 2 B 3.3.1-68 REVISION 20 BASES REFERENCES 2. FSAR, Chapter 6. (continued) 3. FSAR, Chapter 15.

4. IEEE-279-1971.

5. 10 CFR 50.49.

6. WCAP-11269, Westinghouse Setpoint Methodology for Protection Systems; as supplemented by:

• Amendments 34 (Unit 1) and 14 (Unit 2), RTS Steam Generator Water Level Low Low, ESFAS Turbine Trip and Feedwater Isolation SG Water Level High High, and ESFAS AFW SG Water Level Low Low.

• Amendments 48 and 49 (Unit 1) and Amendments 27 and 28 (Unit 2), deletion of RTS Power Range Neutron

Flux High Negative Rate Trip.

• Amendments 60 (Unit 1) and 39 (Unit 2), RTS Overtemperature T setpoint revision.

• Amendments 57 (Unit 1) and 36 (Unit 2), RTS Overtemperature and Overpower T time constants and Overtemperature T setpoint.

• Amendments 43 and 44 (Unit 1) and 23 and 24 (Unit 2), revised Overtemperature and Overpower T trip setpoints and allowable values.

• Amendments 104 (Unit 1) and 82 (Unit 2), revised RTS Intermediate Range Neutron Flux, Source Range Neutron Flux, and P-6 trip setpoints and allowable

values.

• Amendments 127 (Unit 1) and 105 (Unit 2), revised Overtemperature T trip setpoint to limit value of the compensated temperature difference and revised the modifier for axial flux difference.

• Amendments 128 (Unit 1) and 106 (Unit 2), revised Overtemperature T and Overpower T trip setpoints to increase the fundamental setpoints K 1 and K 4 , and to modify coefficients and dy namic compensation terms.

• Amendments 149 (Unit 1) and 129 (Unit 2), revised P-9 setpoint and allowable value.

7. Westinghouse Letter GP-16696, November 5, 1997.

RTS Instrumentation B 3.3.1 Vogtle Units 1 and 2 B 3.3.1-69 REVISION 26 BASES REFERENCES 8. WCAP-14333-P-A, Rev. 1, October 1998. (continued) 9. WCAP-10271-P-A, Supplement 1, May 1986.

10. WCAP-10271-P-A, Supplement 2, Rev. 1, June 1990.

11. WCAP-15376-P-A, Rev. 1, March 2003.

12. WCAP-13632-P-A Revision 2, "Elimination of Periodic Sensor Response Time Testing Requirements," January 1996.

13. WCAP-14036-P-A Revision 1, "Elimination of Periodic Protection Channel Response Time Tests," October 1998.

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-1 REVISION 20 B 3.3 INSTRUMENTATION

B 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation

BASES BACKGROUND The ESFAS initiates necessary safety systems, based on the values of selected unit parameters, to protect against violating core design limits and the Reactor Coolant System (RCS) pressure boundary, and to mitigate accidents. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the ESFAS, as well as specifying LCOs on other reactor system parameters and equipment performance.

Technical Specifications are required by 10 CFR 50.36 to include LSSS for variables that have significant safety functions. LSSS are defined by the regulation as "Where a LSSS is specified for a variable on which a safety limit has been placed, the setting must be chosen so that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the limit of the process variable at which a protective action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protection channels must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.

The Nominal Trip Setpoint (NTSP) specified in Table 3.3.2-1 is a predetermined setting for a protection channel chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the NTSP accounts for uncertainties in setting the channel (e.g., calibration), uncertainties in how the channel might actually perform (e.g., repeatability), changes in the point of action of the channel over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the NTSP ensures that SLs are not exceeded. Therefore, the NTSP meets the definition of an LSSS (Ref. 1).

Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety functions(s)." Relying solely on the NTSP to define OPERABILITY in Technical Specifications would be an overly restrictive requirement if it were applied as an OPERABILITY limit for ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-2 REVISION 20 BASES BACKGROUND the "as-found" value of a protection channel setting during a (continued) surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protection channel with a setting that has been found to be different from the NTSP due to some drift of the setting may still be OPERABLE since drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the NTSP and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protection channel. Therefore, the channel would still be OPERABLE since it would have performed its safety function and the only corrective action required would be to reset the channel within the established as-left tolerance around the NTSP to account for further drift during the next surveillance interval.

During AOOs, which are those events expected to occur one or more times during the unit life, the acceptable limits are:

1. The Departure from Nucleate Boiling Ratio (DNBR) shall be maintained above the SL value to prevent departure from nucleate boiling (DNB), 2. Fuel centerline melt shall not occur, and

3. The RCS pressure SL of 2750 psia shall not be exceeded.

Operation within the SLs of Specification 2.0, "Safety Limits (SLs)," also maintains the above values and assures that offsite dose will be within the 10 CFR 50 and 10 CFR 100 criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the unit life. The acceptable limit during accidents is that offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 limits. Different accident categories are allowed a different fraction of these limits, based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

The ESFAS instrumentation is segmented into four distinct but interconnected modules as identified below:

• Field transmitters or process sensors and instrumentation: provide a measurable electronic signal based on the physical characteristics of the parameter being measured;

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-3 REVISION 20 BASES BACKGROUND

• Signal processing equipment including analog protection system, (continued) field contacts, and protection channel sets: provide signal conditioning, bistable setpoint comparison, process algorithm actuation, compatible electrical signal output to protection system channels, and control board/control room/miscellaneous indications; and

• Solid State Protection System (SSPS) including input, logic, and output bays: initiates the proper unit shutdown or engineered safety feature (ESF) actuation in accordance with the defined logic and based on the bistable outputs from the signal process control and protection system.

• Sequencer output relays which change state upon the applicable ESFAS signal to energize ESF loads powered by the 4160-V ESF bus:

these relays are required to change state upon the applicable ESFAS signal to energize ESF loads powered by the 4160-V ESF bus and in this way they function as ESFAS actuation relays.

Field Transmitters or Sensors

To meet the design demands for redundancy and reliability, more than one, and often as many as four, field transmitters or sensors are used to measure unit parameters. In many cases, field transmitters or sensors that input to the ESFAS are shared with the Reactor Trip System (RTS). In some cases, the same channels also provide control system inputs. To account for calibration tolerances and instrument drift, which are assumed to occur between calibrations, statistical allowances are provided in the NTSP and Allowable Values. The OPERABILITY of each transmitter or sensor can be evaluated when its "as found" calibration data are compared against its documented acceptance criteria.

Signal Processing Equipment

Generally, three or four channels of process control equipment are used for the signal processing of unit parameters measured by the field instruments. The process control equipment provides signal conditioning, comparable output signals for instruments located on the main control board, and comparison of measured input signals with NTSPs derived from Analytical Limits established by the safety analyses. Analytical Limits are discussed in FSAR, Chapter 6 (Ref. 2), Chapter 7 (Ref. 3), and Chapter 15 (Ref. 4). If the measured value of a unit parameter exceeds the predetermined setpoint, an output from a bistable is forwarded to the SSPS for ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-4 REVISION 20 BASES BACKGROUND Signal Processing Equipment (continued)

decision evaluation. Channel separation is maintained up to and through the input bays. However, not all unit parameters require four channels of sensor measurement and signal processing. Some unit parameters provide input only to the SSPS, while others provide input to the SSPS, the main control board, the unit computer, and one or more control systems.

Generally, if a parameter is used only for input to the protection circuits, three channels with a two-out-of-three logic are sufficient to provide the required reliability and redundancy. If one channel fails in a direction that would not result in a partial Function trip, the Function is still OPERABLE with a two-out-of-two logic. If one channel fails such that a partial Function trip occurs, a trip will not occur and the Function is still OPERABLE with a one-out-of-two logic.

Generally, if a parameter is used for input to the SSPS and a control function, four channels with a two-out-of-four logic are sufficient to provide the required reliability and redundancy. The circuit must be able to withstand both an input failure to the control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation.

Again, a single failure will neither cause nor prevent the protection function actuation.

These requirements are described in IEEE-279-1971 (Ref. 5). The actual number of channels required for each unit parameter is specified in Reference 2.

NTSPs and Allowable Values The setpoints used in the bistables are based on the analytical limits stated in Reference 3. The calculation of the Nominal Trip Setpoints specified in Table 3.3.2-1 is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those ESFAS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 6), the Allowable Values specified in Table 3.3.2-1 in the accompanying LCO are conservatively adjusted with respect to the analytical limits. A detailed description of the methodology used to calculate the Allowable Values and NTSPs, including their explicit uncertainties, is provided in the "RTS/ESFAS ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-5 REVISION 20 BASES BACKGROUND NTSPs and Allowable Values (continued)

Setpoint Methodology Study" (Ref. 7) which incorporates all of the known uncertainties applicable to each channel. The as-left tolerance and as-found tolerance band methodology is provided in NMP-ES-033-006, Vogtle Setpoint Uncertainty Methodology and Scaling Instructions. The magnitude of these uncertainties are factored into the determination of each NTSP and corresponding Allowable Value. The actual nominal setpoint entered into the bistable is more conservative than that specified by the NTSP to account for measurement errors detectable by a COT. The Allowable Value serves as the as-found Technical Specification OPERABILITY limit for the purpose of the COT.

The NTSP is the value at which the bistables are set and is the expected value to be achieved during calibration. The NTSP value is the LSSS and ensures the safety analysis limits are met for the surveillance interval selected when a channel is adjusted based on stated channel uncertainties. Any bistable is considered to be properly adjusted when the "as-left" NTSP value is within the as-left tolerance for Channel Calibration uncertainty allowance (i.e., rack calibration and comparator setting uncertainties). The NTSP value is therefore considered a "nominal value" (i.e., expressed as a value without inequalities) for the purposes of the COT and CHANNEL CALIBRATION.

NTSPs in conjunction with the use of as-found and as-left tolerances together with the requirements of the Allowable Value ensure that the consequences of Design Basis Accidents (DBAs) will be acceptable, providing the unit is operated from within the LCOs at the onset of the DBA and the equipment functions as designed.

Note that the Allowable Values listed in Table 3.3.2-1 are the least conservative value of the as-found setpoint that a channel can have during a periodic CHANNEL CALIBRATION, COT, or a TADOT. Each channel can be tested on line to verify that the signal processing equipment and setpoint accuracy is within the specified allowance requirements of Reference 3. Once a designated channel is taken out of service for testing, a simulated signal is injected in place of the field instrument signal. The process equipment for the channel in test is then tested, verified, and calibrated. SRs for the channels are specified in the SR section.

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-6 REVISION 20 BASES BACKGROUND Solid State Protection System (continued) The SSPS equipment is used for the decision logic processing of outputs from the signal processing equipment bistables. To meet the redundancy requirements, two trains of SSPS, each performing the same functions, are provided. If one train is taken out of service for maintenance or test purposes, the second train will provide ESF actuation for the unit. If both trains are taken out of service or placed in test, a reactor trip will result. Each train is packaged in its own cabinet for physical and electrical separation to satisfy separation and independence requirements.

The SSPS performs the decision logic for most ESF equipment actuation; generates the electrical output signals that initiate the required actuation; and provides the status, permissive, and annunciator output signals to the main control room of the unit.

The bistable outputs from the signal processing equipment are sensed by the SSPS equipment and combined into logic matrices that represent combinations indicative of various transients. If a required logic matrix combination is completed, the system will send actuation signals via master and slave relays to those components whose aggregate Function best serves to alleviate the condition and restore the unit to a safe condition. Examples are given in the Applicable Safety Analyses, LCO, and Applicability sections of this Bases.

Each SSPS train has a built in testing device that can automatically test the decision logic matrix functions and the actuation channels while the unit is at power. When any one train is taken out of service for testing, the other train is capable of providing unit monitoring and protection until the testing has been completed. The testing device is semiautomatic to minimize testing time.

The actuation of ESF components is accomplished through master and slave relays. The SSPS energizes the master relays appropriate for the condition of the unit. Each master relay then energizes one or more slave relays, which then cause actuation of the end devices. The master and slave relays are routinely tested to ensure operation. The test of the master relays energizes the relay, which then operates the contacts and applies a low voltage to the associated slave relays. The low voltage is not sufficient to actuate the slave relays but only demonstrates signal path continuity. The SLAVE RELAY TEST actuates the devices if their operation will not interfere with continued unit operation. For the latter case, actual component operation is prevented by the SLAVE RELAY TEST circuit, and slave relay contact operation is verified by a continuity check of the circuit containing the slave relay.

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-7 REVISION 20 BASES BACKGROUND Sequencer Output Relays (continued) The sequencer output relays which change state to actuate ESF loads powered by the 4160-V ESF bus function as ESFAS actuation relays because these relays are required to function to energize the ESF loads. These particular relays are located in the termination and relay cabinets of the sequencer and are part of the control circuitry of these ESF loads.

There are two independent trains of sequencers and each is powered by the respective train of 120-Vac ESF electrical power supply. The power supply for the output relays is the sequencer power supply. The applicable output relays are tested in the slave relay testing procedures, and in particular, in conjunction with the specific slave relay also required to actuate to energize the applicable ESF load.

APPLICABLE Each of the analyzed accidents can be detected by one or more SAFETY ANALYSES, ESFAS Functions. One of the ESFAS Functions is the primary LCO, AND actuation signal for that accident. An ESFAS Function may be APPLICABILITY the primary actuation signal for more than one type of accident. An ESFAS Function may also be a secondary, or backup, actuation signal for one or more other accidents. For example, Pressurizer Pressure-Low is a primary actuation signal for small loss of coolant accidents (LOCAs) and a backup actuation signal for steam line breaks (SLBs) outside containment. Functions such as manual initiation, not specifically credited in the accident safety analysis, are implicitly credited in the safety analysis and the NRC staff approved licensing basis for the unit. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions may also serve as backups to Functions that were credited in the accident analysis (Ref. 3).

Permissive and interlock setpoints allow the blocking of trips during plant startups, and restoration of trips when the permissive conditions are not satisfied, but they are not explicitly modeled in the Safety Analyses. These permissives and interlocks ensure that the starting conditions are consistent with the safety analysis, before preventive or mitigating actions occur. Because these permissives or interlocks are only one of multiple conservative starting assumptions for the accident analysis, they are generally considered as nominal values without regard to measurement accuracy.

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-8 REVISION 20 BASES APPLICABLE The LCO requires all instrumentation performing an ESFAS Function SAFETY ANALYSES listed in Table 3.3.2-1 in the accompanying LCO to be OPERABLE. LCO, and The Allowable Value specified in Table 3.3.2-1 is the least APPLICABILITY conservative value of the as-found setpoint that the channel can have (continued) when tested, such that a channel is OPERABLE if the as-found setpoint is within the as-found tolerance and is conservative with respect to the Allowable Value during the CHANNEL CALIBRATION or CHANNEL OPERATIONAL TEST (COT). As such, the Allowable Value differs from the NTSP by an amount greater than or equal to the expected instrument channel uncertainties, such as drift, during the surveillance interval. In this manner, the actual setting of the channel (NTSP) will ensure that a SL is not exceeded at any given point of time as long as the channel has not drifted beyond expected tolerances during the surveillance interval. Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria).

If the actual setting of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE but degraded. The degraded condition of the channel will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the NTSP (within the allowed tolerance) and evaluating the channel response. If the channel is functioning as required and expected to pass the next surveillance, then the channel can be restored to service at the completion of the surveillance.

A trip setpoint may be set more conservative than the NTSP as necessary in response to plant conditions. However, in this case, the operability of this instrument must be verified based on the field setting and not the NTSP. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions.

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-9 REVISION 20 BASES APPLICABLE The LCO generally requires OPERABILITY of four or three SAFETY ANALYSES, channels in each instrumentation function and two channels in LCO, AND each logic and manual initiation function. The two-out-of-three APPLICABILITY and the two-out-of-four configurations allow one channel to be (continued) tripped during maintenance or testing without causing an ESFAS initiation. If an instrument channel is equipped with installed bypass capability, such that no jumpers or lifted leads are required to place the channel in bypass and annunciation of the bypass condition is available in the control room, corrective maintenance and testing of that channel may be performed in the bypass condition. Bypassing a channel renders that channel inoperable and the associated Required Actions for that channel are applicable. Two logic or manual initiation channels are required to ensure no single random failure disables the ESFAS.

The required channels of ESFAS instrumentation provide unit protection in the event of any of the analyzed accidents. ESFAS protection functions are as follows:

1. Safety Injection Safety Injection (SI) provides two primary functions:

1. Primary side water addition to ensure maintenance or recovery of reactor vessel water level (coverage of the active fuel for heat removal, clad integrity, and for limiting peak clad temperature to < 2200

°F); and 2. Boration to ensure recovery and maintenance of SDM (k eff < 1.0). These functions are necessary to mitigate the effects of high energy line breaks (HELBs) both inside and outside of containment. The SI signal is also used to initiate other Functions such as:

• Phase A Isolation;

• Containment Purge Isolation;

• Reactor Trip;

• Feedwater Isolation;

• Start of motor driven auxiliary feedwater (AFW) pumps; and

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-10 REVISION 20 BASES APPLICABLE 1. Safety Injection (continued) SAFETY ANALYSES, LCO, and

• Control room ventilation isolation. APPLICABILITY These other functions ensure:

• Isolation of nonessential systems through containment penetrations;

• Trip of the reactor to limit power generation;

• Isolation of main feedwater (MFW) to limit secondary side mass losses;

• Start of AFW to ensure secondary side cooling capability; and

• Isolation of the control room to ensure habitability.

In addition, safety injection also initiates component cooling water, emergency diesel generators, containment cooling fans, and nuclear service cooling water.

All of the above items are credited with response times in the accident analyses. Two functions which safety injection initiates but which are not credited with response times are turbine trip and enabling semi-automatic switchover of Emergency Core Cooling System (ECCS) suction to containment sump.

a. Safety Injection - Manual Initiation The LCO requires two channels to be OPERABLE. The operator can initiate SI at any time by using either of two switches in the control room. This action will cause actuation of all components in both trains in the same manner as would the automatic actuation signals on both trains of SSPS.

The LCO for the Manual Initiation Function ensures the proper amount of redundancy is maintained in the manual ESFAS actuation

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-11 REVISION 20 BASES APPLICABLE a. Safety Injection - Manual Initiation (continued) SAFETY ANALYSES, LCO, and circuitry to ensure the operator has manual ESFAS APPLICABILITY initiation capability.

Each channel consists of one handswitch and the interconnecting wiring to the actuation logic cabinets of both SSPS trains. Each handswitch actuates both trains. This configuration does not allow testing at power.

b. Safety Injection - Automatic Actuation Logic and Actuation Relays This LCO requires two trains to be OPERABLE. Actuation logic consists of all circuitry housed within the actuation subsystems, including the initiating relay contacts responsible for actuating the ESF equipment. Under specific conditions, a single inoperable actuation relay does not require that the affected automatic actuation logic and actuation relay function be declared inoperable. Specific guidance is provided in this section under the heading "Actuation Relays."

Manual and automatic initiation of SI must be OPERABLE in MODES 1, 2, and 3. In these MODES, there is sufficient energy in the primary and secondary systems to warrant automatic initiation of ESF systems. Manual Initiation is also required in MODE 4 even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA, but because of the large number of components actuated on a SI, actuation is simplified by the use of the manual actuation handswitches. Actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation.

These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting individual systems, pumps, and other equipment to mitigate the

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-12 REVISION 20 BASES APPLICABLE b. Safety Injection - Automatic Actuation Logic and SAFETY ANALYSES, Actuation Relays (continued) LCO, and APPLICABILITY consequences of an abnor mal condition or accident. Unit pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent

overpressurization of unit systems.

c. Safety Injection - Containment Pressure High 1 (PI-0934, PI-0935, PI-0936)

NOTE: Containment pressure channels are also required OPERABLE by the Post Accident Monitoring Technical Specification.

This signal provides protection against the following accidents:

• SLB inside containment;

• LOCA; and

• Feed line break inside containment.

Containment Pressure High 1 provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with a two-out-of-three logic. The transmitters (d/p cells) and electronics are located outside of containment with the sensing line (high pressure side of the transmitter) located inside containment.

Thus, the high pressure Function will not experience any adverse environmental conditions and the NTSP reflects only steady state instrument uncertainties. Containment Pressure High 1 must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary systems to pressurize the containment following a pipe break. In MODES 4, 5, and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment.

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-13 REVISION 20 BASES APPLICABLE d. Safety Injection - Pressurizer Pressure Low SAFETY ANALYSES, LCO, and This signal (PI-0455A, B, & C, PI-0456, PI-0456A, PI-0457, APPLICABILITY PI-0457A, PI-0458 & PI-0458A) provides protection (continued) against the following accidents:

• Inadvertent opening of a steam generator (SG) relief or safety valve;

• SLB;

• A spectrum of rod cluster control assembly ejection accidents (rod ejection);

• Inadvertent opening of a pressurizer relief or safety valve;

• LOCAs; and

• SG Tube Rupture.

Pressurizer pressure provides both control and protection functions: input to the Pressurizer Pressure Control System, reactor trip, and SI. Therefore, the actuation logic must be able to withstand both an input failure to control system, which may then require the protection function actuation, and a single failure in the other channels providing the protection function actuation. Thus, four OPERABLE channels are required to satisfy the requirements with a two-out-of-four logic.

The transmitters are located inside containment, with the taps in the vapor space region of the pressurizer, and thus possibly experiencing adverse environmental conditions (LOCA, SLB inside containment, rod ejection). Therefore, the NTSP reflects the inclusion of both steady state and adverse environmental instrument uncertainties.

This Function must be OPERABLE in MODES 1, 2, and 3 (above P-11) to mitigate the consequences of an HELB inside containment. This signal may

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-14 REVISION 20 BASES APPLICABLE d. Safety Injection - Pressurizer Pressure Low SAFETY ANALYSES, (continued) LCO, and APPLICABILITY be manually blocked by the operator below the P - 11 setpoint. Automatic SI actuation below this pressure setpoint continues to be performed by the Containment High 1 signal.

This Function is not required to be OPERABLE in MODE 3 below the P - 11 setpoint. Other ESF functions are used to detect accident conditions and actuate the ESF systems in this MODE. In MODES 4, 5, and 6, this Function is not needed for accident detection and mitigation.

e. Safety Injection - Steam Line Pressure Low LOOP 1 LOOP 2 LOOP 3 LOOP 4 PI-0514A,B&C PI-0524A&B PI-0534A&B PI-0544A,B&C PI-0515A PI-0525A PI-0535A PI-0545A PI-0516A PI-0526A PI-0536A PI-0546A

NOTE: Steam Line Pressure channels are also required OPERABLE by the Post Accident Monitoring Technical Specification.

Steam Line Pressure Low provides protection against the following accidents:

• SLB;

• Feed line break; and

• Inadvertent opening of an SG relief or an SG safety valve. Steam Line Pressure Low provides no input to any control functions. Thus, three OPERABLE channels on each steam line are sufficient to satisfy the protective requirements with a two-out-of-three logic on each steam

line.

With the transmitters located inside the steam tunnels, it is possible for them to experience adverse environmental conditions during a secondary side break. Therefore, the NTSP reflects both steady state and adverse environmental instrument uncertainties.

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-15 REVISION 20 BASES APPLICABLE e. Safety Injection - Steam Line Pressure Low SAFETY ANALYSES, (continued) LCO, and APPLICABILITY This Function is anticipatory in nature and has a typical lead/lag ratio of 50/5.

Steam Line Pressure Low must be OPERABLE in MODES 1, 2, and 3 (above P - 11) when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This signal may be manually blocked by the operator below the P - 11 setpoint. Below P - 11, feed line break is not a concern.

Inside containment, SLB will be terminated by automatic SI actuation via Containment Pressure High 1, and outside containment SLB will be terminated by the Steam Line

Pressure Negative Rate High signal for steam line isolation. This Function is not required to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to cause an accident.

2. Containment Spray

Containment Spray provides two primary functions:

1. Lowers containment pressure and temperature after an HELB in containment; and

2. Reduces the amount of radioactive iodine in the containment atmosphere.

These functions are necessary to:

• Ensure the pressure boundary integrity of the containment structure; and

• Limit the release of radioactive iodine to the environment in the event of a failure of the containment structure.

The containment spray actuation signal starts the containment spray pumps and aligns the discharge of the pumps to the containment spray nozzle headers in the upper levels of containment. Water is initially drawn from the RWST. When the RWST reaches the Tank Empty setpoint 8%, the

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-16 REVISION 20 BASES APPLICABLE 2. Containment Spray (continued) SAFETY ANALYSES, LCO, and spray pump suctions are manually switched over to the APPLICABILITY containment sump if continued containment spray is required. Containment spray is actuated manually or by Containment Pressure High 3.

a. Containment Spray - Manual Initiation The operator can initiate both trains of containment spray at any time from the control room by simultaneously turning the two containment spray actuation handswitches in the same channel. Because an inadvertent actuation of containment spray could have such serious consequences, two switches must be turned simultaneously to initiate containment spray. There are two sets of two switches each in the control room. Each set of two switches is a channel of CS Manual Initiation. Simultaneously turning the two switches in either channel will actuate both trains of containment spray. Two Manual Initiation switches in each channel are required to be OPERABLE to ensure no single failure disables the

Manual Initiation Function.

b. Containment Spray - Automatic Actuation Logic and Actuation Relays Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b. Under specific conditions, a single inoperable actuation relay does not require that the affected automatic actuation logic and actuation relays function be declared inoperable. Specific guidance is provided in this section under the heading "Actuation Relays."

Manual and automatic initiation of containment spray must be OPERABLE in MODES 1, 2, and 3 when there is a potential for an accident to occur, and sufficient energy in the primary or secondary systems to pose a threat to containment integrity due to overpressure conditions. Manual initiation is also required in MODE 4, even though automatic actuation is not required. In

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-17 REVISION 20 BASES APPLICABLE b. Containment Spray - Automatic Actuation Logic and SAFETY ANALYSES, Actuation Relays (continued) LCO, and APPLICABILITY this MODE, adequate time is available to manually actuate required components in the event of a DBA. However, because of the large number of components actuated on a containment spray, actuation is simplified by the use of the manual actuation handswitches. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation. In MODES 5 and 6, there is insufficient energy in the primary and secondary systems to result in containment overpressure. In MODES 5 and 6, there is also adequate time for the operators to evaluate unit conditions and respond, to mitigate the consequences of abnormal conditions by manually starting individual components.

c. Containment Spray - Containment Pressure High 3 (PI-0934, PI-0935, PI-0936, PI-0937)

NOTE: Containment Pressure Channels are also required OPERABLE by the Post Accident Monitoring Technical Specification.

This signal provides protection against a LOCA or an SLB inside containment. The transmitters (d/p cells and electronics) are located outside of containment with the sensing line (high pressure side of the transmitter) located inside containment. Thus, they will not experience any adverse environmental conditions and the NTSP reflects only steady state instrument uncertainties.

This Function requires the bistable output to energize to perform its required action. It is not desirable to have a loss of power actuate containment spray, since the consequences of an inadvertent actuation of containment spray could be serious. Note that this Function also has the inoperable channel placed in bypass rather than trip to decrease the probability of an inadvertent actuation.

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-18 REVISION 20 BASES APPLICABLE c. Containment Spray - Containment Pressure High 3 SAFETY ANALYSES, (continued) LCO, and APPLICABILITY The Containment Pressure High-3 instrument Function consists of four channels in a two-out-of-four logic configuration. Since containment pressure is not used for control, this arrangement exceeds the minimum redundancy requirements. Additional redundancy is warranted because this Function is energize to trip. Containment Pressure High 3 must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary sides to pressurize the containment following a pipe break. In MODES 4, 5, and 6, there is insufficient energy in the primary and secondary sides to pressurize the containment and reach the Containment Pressure High 3 setpoints.

3. Phase A Containment Isolation

Phase A containment isolation is actuated automatically by SI, or manually via the automatic actuation logic.

a. Phase A Isolation Manual Initiation Manual Phase A Containment Isolation is actuated by either of two switches in the control room. Either switch actuates both trains. Note that manual initiation of Phase A Containment Isolation also actuates Containment Ventilation Isolation.

b. Phase A Isolation Automatic Actuation Logic and Actuation Relays Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b.

Under specific conditions, a single inoperable actuation relay does not require that the affected automatic actuation logic function be

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-19 REVISION 20 BASES APPLICABLE b. Phase A Isolation Automatic Actuation Logic and SAFETY ANALYSES, Actuation Relays (continued) LCO, and APPLICABILITY declared inoperable.

Specific guidance is provided in this section under the heading "Actuation Relays."

Manual and automatic initiation of Phase A Containment isolation must be OPERABLE in MODES 1, 2, and 3, when there is a potential for an accident to occur. Manual initiation is also required in MODE 4 even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA, but because of the large number of components actuated on a Phase A Containment Isolation, actuation is simplified by the use of the manual actuation handswitches. Automatic actuation logic and actuation relays must be OPERABLE in MODE 4 to support system level manual initiation. In MODES 5 and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require Phase A Containment Isolation. There also is

adequate time for the operator to evaluate unit conditions and manually actuate individual isolation valves in response to abnormal or accident conditions.

c. Phase A Isolation - Safety Injection Phase A Containment Isolation is also initiated by all Functions that initiate SI. The Phase A Containment Isolation requirements for these Functions are the same as the requirements for their SI function.

Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and requirements.

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-20 REVISION 20 BASES APPLICABLE 4. Steam Line Isolation SAFETY ANALYSES, LCO, and Isolation of the main steam lines provides protection in the event APPLICABILITY of an SLB inside or outside containment. Rapid isolation of the (continued) steam lines will limit the steam break accident to the blowdown from one SG, at most. For an SLB upstream of the main steam isolation valves (MSIVs), inside or outside of containment, closure of the MSIVs limits the accident to the blowdown from only the affected SG. For an SLB downstream of the MSIVs, closure of the MSIVs terminates the accident. Steam Line Isolation also mitigates the effects of a feed line break and ensures a source of steam for the turbine driven AFW pump during a feed line break.

a. Steam Line Isolation Manual Initiation Manual initiation of Steam Line Isolation can be accomplished from the control room. There are two switches in the control room and either switch can initiate action to immediately close all MSIVs. The LCO requires two channels to be OPERABLE.

b. Steam Line Isolation Automatic Actuation Logic and Actuation Relays Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b. Under specific conditions, a single inoperable actuation relay does not require that the affected automatic actuation logic function be declared inoperable. Specific guidance is provided in this section under the heading "Actuation Relays."

Manual and automatic initiation of steam line isolation must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the RCS and SGs to have an SLB or other accident.

This could result in the release of significant quantities of energy and cause a cooldown of the primary system. The Steam Line Isolation Function is required in MODES 2 and 3

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-21 REVISION 20 BASES APPLICABLE 4. Steam Line Isolation (continued) SAFETY ANALYSES, LCO, and unless one MSIV and associated bypass valve in each APPLICABILITY steam line is closed. In MODES 4, 5, and 6, there is insufficient energy in the RCS and SGs to experience an SLB or other accident releasing significant quantities of energy.

c. Steam Line Isolation Containment Pressure High 2 (PI-0934, PI-0935, PI-0936)

NOTE: Containment Pressure channels are also required OPERABLE by the Post Accident Monitoring Technical Specification.

This Function actuates closure of the MSIVs in the event of a LOCA or an SLB inside containment to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. The transmitters (d/p cells) are located outside containment with the sensing line (high pressure side of the transmitter) located inside containment. Thus, they will not experience any adverse environmental conditions, and the NTSP reflects only steady state instrument uncertainties. Containment Pressure High 2 provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with two-out-of-three logic.

Containment Pressure High 2 must be OPERABLE in MODES 1, 2, and 3, when there is sufficient energy in the primary and secondary side to pressurize the containment following a pipe break. This would cause a significant increase in the containment pressure, thus allowing detection and closure of the MSIVs. The Steam Line Isolation Function remains OPERABLE in MODES 2 and 3 unless one MSIV and associated bypass valve in each steam line is closed. In

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-22 REVISION 20 BASES APPLICABLE c. Steam Line Isolation Containment Pressure SAFETY ANALYSES, High 2 (continued) LCO, and APPLICABILITY MODES 4, 5, and 6, there is not enough energy in the primary and secondary sides to pressurize the containment to the Containment Pressure High 2 setpoint.

d. Steam Line Isolation Steam Line Pressure (1) Steam Line Pressure Low LOOP 1 LOOP 2 LOOP 3 LOOP 4 PI-0514A,B&C PI-0524A&B PI-0534A&B PI-0544A,B&C PI-0515A PI-0525A PI-0535A PI-0545A PI-0516A PI-0526A PI-0536A PI-0546A NOTE: Steam Line Pressure channels are also required OPERABLE by the Post Accident Monitoring Technical Specification.

Steam Line Pressure Low provides closure of the MSIVs in the event of an SLB to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. This Function provides closure of the MSIVs in the event of a feed line break to ensure a supply of steam for the turbine driven AFW pump. Steam Line Pressure Low was discussed previously under SI Function 1.e.1.

Steam Line Pressure Low Function must be OPERABLE in MODES 1, 2, and 3 (above P - 11), except with one MSIV and associated bypass valve in each steam line closed, when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This signal may be manually blocked by the operator below the P - 11 setpoint. Below P - 11, an inside containment SLB will be terminated by automatic actuation via Containment Pressure High 2. Stuck valve transients and outside containment SLBs will be

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-23 REVISION 20 BASES APPLICABLE (1) Steam Line Pressure Low (continued) SAFETY ANALYSES, LCO, and terminated by the Steam Line Pressure Negative APPLICABILITY Rate High signal for Steam Line Isolation below P-11 when SI has been manually blocked. The Steam Line Isolation Function is required OPERABLE in MODES 2 and 3 unless one MSIV and associated bypass valve in each steam line is closed. This Function is not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the unit to have an accident.

(2) Steam Line Pressure Negative Rate High LOOP 1 LOOP 2 LOOP 3 LOOP 4 PI-0514A, B&C PI-0524A&B PI-0534A&B PI-0544A, B&C PI-0515A PI-0525A PI-0535A PI-0545A PI-0516A PI-0526A PI-0536A PI-0546A NOTE: Steam Line Pressure channels are required OPERABLE by the Post Accident Monitoring Technical Specification.

Steam Line Pressure Negative Rate High provides closure of the MSIVs for an SLB when less than the P-11 setpoint, to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. When the operator manually blocks the Steam Line Pressure Low main steam isolation signal when less than the P-11 setpoint, the Steam Line Pressure Negative Rate High signal is automatically enabled. Steam Line Pressure Negative Rate High provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy requirements with a two-out-of-three logic on each steam line.

Steam Line Pressure Negative Rate High must be OPERABLE in MODE 3 when less than the P-11 setpoint, when a secondary side break or stuck open valve could result in

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-24 REVISION 20 BASES APPLICABLE (2) Steam Line Pressure Negative Rate High SAFETY ANALYSES, (continued) LCO, and APPLICABILITY the rapid depressurization of the steam line(s). In MODES 1 and 2, and in MODE 3, when above the P-11 setpoint, this signal is automatically enabled.

The Steam Line Isolation Function is required to be OPERABLE in MODES 2 and 3 unless one MSIV and associated bypass valve in each steam line is closed. In MODES 4, 5, and 6, there is insufficient energy in the primary and secondary sides to have an SLB or other accident that would result in a release of significant enough quantities of energy to cause a cooldown of the RCS.

While the transmitters may experience elevated ambient temperatures due to an SLB, the trip function is based on rate of change, not the absolute accuracy of the indicated steam pressure. Therefore, the NTSP reflects only steady state instrument uncertainties.

5. Turbine Trip and Feedwater Isolation The primary functions of the Turbine Trip and Feedwater Isolation signals are to prevent damage to the turbine due to water in the steam lines, and to stop the excessive flow of feedwater into the SGs. These Functions are necessary to mitigate the effects of a high water level in the SGs, which could result in carryover of water into the steam lines and excessive cooldown of the primary system. The SG high water level is due

to excessive feedwater flows.

This Function is actuated by SG Water Level High High, or by an SI signal. The RTS also initiates a turbine trip signal whenever a reactor trip (P-4) is generated. In the event of SI, the unit is taken off line and the turbine generator must be tripped. The MFW System is also taken out of operation and the AFW System is automatically started. The SI signal was discussed previously.

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-25 REVISION 20 BASES APPLICABLE a. Turbine Trip and Feedwater Automatic Actuation Logic SAFETY ANALYSES, and Actuation Relays LCO, and APPLICABILITY Automatic Actuation Logic and Actuation Relays consist (continued) of the same features and operate in the same manner as described for ESFAS Function 1.b. Under specific conditions, a single inoperable actuation relay does not require that the affected automatic actuation logic function be declared inoperable. Specific guidance is provided in this section under the heading "Actuation Relays."

b. Feedwater Isolation Low RCS Tavg Coincident with Reactor Trip Since Tavg is used as an indication of bulk RCS temperature, this Function meets redundancy requirements with one OPERABLE channel in each loop.

Thus, this function is specified as a total of four channels and not on a per loop basis. The channels are used in a two-out-of-four logic. The Low RCS Tavg signal is interlocked with P-4 to avert or reduce the continued cooldown of the RCS following a reactor trip. An excessive cooldown of the RCS following a reactor trip could cause an insertion of positive reactivity with a subsequent increase in generated power. The P-4 interlock is discussed in Function 8.a.

c. Turbine Trip and Feedwater Isolation Steam Generator Water Level - High High (P-14)

LOOP 1 LOOP 2 LOOP 3 LOOP 4 LI-0517 LI-0527 LI-0537 LI-0547 LI-0518 LI-0528 LI-0538 LI-0548 LI-0519 LI-0529 LI-0539 LI-0549 LI-0551 LI-0552 LI-0553 LI-0554 NOTE: Steam Generator Water Level channels are required OPERABLE by the Post Accident Monitoring Technical Specification.

The setpoints for this Function on Table 3.3.2-1 are in % of narrow range instrument span.

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-26 REVISION 20 BASES APPLICABLE c. Turbine Trip and Feedwater Isolation - Steam SAFETY ANALYSES, Generator Water Level - High High (P-14)

LCO, and (continued) APPLICABILITY This signal provides protection against excessive feedwater flow. The ESFAS SG water level instruments

provide input to the SG Water Level Control System.

Therefore, the actuation logic must be able to withstand both an input failure to the control system (which may then require the protection function actuation) and a single failure in the other channels providing the protection function actuation. Thus, four OPERABLE channels are

required to satisfy the requirements with a two-out-of-four

logic. The transmitters (d/p cells) are located inside containment. However, the events that this Function protects against cannot cause an adverse environment in containment.

Therefore, the NTSP Setpoint reflects only steady state instrument uncertainties.

d. Turbine Trip and Feedwater Isolation - Safety Injection Turbine Trip and Feedwater Isolation is also initiated by all Functions that initiate SI. The Feedwater Isolation Function requirements for these Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead Function 1, SI, is referenced for all initiating functions and

requirements.

Turbine Trip and Feedwater Isolation Functions must be OPERABLE in MODES 1 and 2 except when one MFIV or MFRV and associated bypass valve per feedwater line are closed and deactivated or isolated by a closed manual valve when the MFW System is in operation and the turbine generator may be in operation. In MODES 3, 4, 5, and 6, the MFW System and the turbine generator are not in service and this Function is not required to be OPERABLE.

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-27 REVISION 20 BASES APPLICABLE 6. Auxiliary Feedwater SAFETY ANALYSES, LCO, and The AFW System is designed to provide a secondary side APPLICABILITY heat sink for the reactor in the event that the MFW (continued) System is not available. The system has two motor driven pumps and a turbine driven pump, making it available during normal unit operation, during a loss of ac power, a loss of MFW, and during a Feedwater System pipe break. The normal source of water for the AFW System is the condensate storage tank (CST). The AFW System is aligned so that upon a pump start, flow is initiated to the respective SGs immediately.

a. Auxiliary Feedwater - Automatic Actuation Logic and Actuation Relays (Solid State Protection System)

Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b. Under specific conditions, a single inoperable actuation relay does not require that the affected automatic actuation logic function be declared inoperable. Specific guidance is provided in this section under the heading "Actuation Relays."

b. Auxiliary Feedwater - Steam Generator Water Low Low LOOP 1 LOOP 2 LOOP 3 LOOP 4 LI-0517 LI-0527 LI-0537 LI-0547 LI-0518 LI-0528 LI-0538 LI-0548 LI-0519 LI-0529 LI-0539 LI-0549 LI-0551 LI-0552 LI-0553 LI-0554 NOTE: Steam Generator Water Level channels are required OPERABLE by the Post Accident Monitoring Technical Specification.

The setpoints for this Function on Table 3.3.2-1 are in % of narrow range instrument span.

SG Water Level Low Low provides protection against a loss of heat sink. A feed line break, inside or outside of containment, or a loss of

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-28 REVISION 20 BASES APPLICABLE b. Auxiliary Feedwater - Steam Generator Water Level SAFETY ANALYSES, Low Low (continued) LCO, and APPLICABILITY MFW, would result in a loss of SG water level. SG Water Level -Low Low provides input to the SG Level Control System. Therefore, the actuation logic must be able to withstand both an input failure to the control system which may then require a protection function actuation and a single failure in the other channels providing the protection function actuation. Thus, four OPERABLE channels are required to satisfy the requirements with two-out-of-four logic. SG Water Level-Low Low in any operating SG will cause the motor driven AFW pumps to start. The system is aligned so that upon a start of the pump, water immediately begins to flow to the SGs. SG Water Level-Low Low in any two operating SGs will cause the turbine driven pump to start.

With the transmitters (d/p cells) located inside containment and thus possibly experiencing adverse environmental conditions (feed line break), the NTSP reflects the inclusion of both steady state and adverse environmental instrument uncertainties.

c. Auxiliary Feedwater - Safety Injection

An SI signal starts the motor driven AFW pumps. The AFW initiation functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.

Functions 6.a through 6.c must be OPERABLE in MODES 1, 2, and 3 to ensure that the SGs remain the heat sink for the reactor.

These Functions do not have to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink. In MODE 4, AFW actuation does not need to be OPERABLE because either AFW or residual heat removal (RHR) will already be in operation to

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-29 REVISION 20 BASES APPLICABLE 6. Auxiliary Feedwater (continued) SAFETY ANALYSES, LCO, and remove decay heat or sufficient time is available to manually APPLICABILITY place either system in operation.

d. Auxiliary Feedwater-Trip Of All Main Feedwater Pumps

A Trip of all MFW pumps is an indication of a loss of MFW and the subsequent need for some method of decay heat and sensible heat removal to bring the reactor back to no

load temperature and pressure. Each turbine driven MFW pump is equipped with a pressure switch on the control oil header. A low pressure signal from this pressure switch indicates a trip of that pump. A trip of all MFW pumps starts the motor driven AFW pumps to ensure that at least one SG is available with water to act as the heat sink for the reactor.

Function 6.d must be OPERABLE in MODES 1 and 2 when the MFW system is operating and supplying the SGs. This ensures that at least one SG is provided with water to serve as the heat sink to remove reactor decay heat and sensible heat in the event of an accident. In MODE 2, when the MFW system is not supplying the SGs, this function is not required as the AFW system is operating to supply the SGs and does not require the auto start from this function. In MODES 3, 4, and 5, the RCPs and MFW pumps may be normally shut down, and thus neither pump trip is indicative of a condition requiring automatic AFW initiation.

7. Semi-Automatic Switchover to Containment Sump At the end of the injection phase of a LOCA, the RWST will be nearly empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the ECCS pumps is switched to the containment recirculation sump. The low head residual heat removal (RHR) pumps and containment spray pumps draw the water from the containment recirculation sump, the RHR pumps pump the water through the RHR

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-30 REVISION 20 BASES APPLICABLE 7. Semi-Automatic Switchover to Containment Sump SAFETY ANALYSES, (continued) LCO, and APPLICABILITY heat exchanger, inject the water back into the RCS, and supply the cooled water to the other ECCS pumps. Switchover from the RWST to the containment sump must occur before the RWST empties to prevent damage to the RHR pumps and a loss of core cooling capability. For similar reasons, switchover must not occur before there is sufficient water in the containment sump to support ESF pump suction. Furthermore, early switchover must not occur to ensure that sufficient borated water is injected from the RWST. This ensures the reactor remains shut down in the recirculation mode.

a. Semi-Automatic Switchover to Containment Sump -

Automatic Actuation Logic and Actuation Relays

Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b. Under specific conditions, a single inoperable actuation relay does not require that the affected automatic actuation logic function be declared inoperable. Specific guidance is provided in this section under the heading "Actuation Relays."

b. Semi-Automatic Switchover to Containment Sump -

Refueling Water Storage Tank (RWST) Level Low Low Coincident With Safety Injection (LI-0990A&B, LI-0991A&B, LI-0992A, LI-0993A)

NOTE: RWST Level channels are also required OPERABLE by the Post Accident Monitoring Technical Specification. In addition channels LI-0990 and 0991 provide actuation signals to the RWST sludge mixing pump isolation valves required OPERABLE by LCO 3.5.4.

During the injection phase of a LOCA, the RWST is the source of water for all ECCS pumps. A low low level in the RWST coincident with an SI signal provides protection against a loss of water for the ECCS pumps and indicates the end of the injection phase of the LOCA. The containment sump to RHR pump suction valves open

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-31 REVISION 20 BASES APPLICABLE b. Automatic Switchover to Containment Sump - Refueling SAFETY ANALYSES, Water Storage Tank (RWST) Level Low Low Coincident LCO, and With Safety Injection (continued) APPLICABILITY automatically. The operator must complete the switchover by manually closing the RWST suction valves.

The RWST is equipped with four level transmitters. These transmitters provide no control functions. Therefore, a two-out-of-four logic is adequate to initiate the protection function actuation. Although only three channels would be sufficient, a fourth channel has been added for increased reliability.

The setpoints for this function on Table 3.3.2-1 are in inches from the RWST base. The NTSP is equivalent to 29.0% of instrument span, including instrument uncertainty. The Allowable Values are equivalent to 28.5% and 29.5 % of instrument span.

The transmitters are located in an area not affected by HELBs or post accident high radiation. Thus, they will not experience any adverse environmental conditions and the NTSP reflects only steady state instrument uncertainties.

Semi-Automatic switchover occurs only if the RWST low low level signal is coincident with SI. This prevents accidental switchover during normal operation. Accidental switchover could damage ECCS pumps if they are attempting to take suction from an empty sump. The automatic switchover Function requirements for the SI Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and requirements.

These Functions must be OPERABLE in MODES 1, 2, 3, and 4 when there is a potential for a LOCA to occur, to ensure a continued supply of water for

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-32 REVISION 20 BASES APPLICABLE b. Automatic Switchover to Containment Sump - Refueling SAFETY ANALYSES, Water Storage Tank (RWST) Level Low Low Coincident LCO, and With Safety Injection (continued) APPLICABILITY the ECCS pumps. In MODE 4, only one train of Automatic Actuation Logic and Actuation Relays is required OPERABLE to support the single RHR train required OPERABLE in this MODE. These Functions are not required to be OPERABLE in MODES 5 and 6 because there is adequate time for the operator to evaluate unit conditions and respond by manually starting systems, pumps, and other equipment to mitigate the consequences of an abnormal condition or accident. System pressure and temperature are very low and many ESF components are administratively locked out or otherwise prevented from actuating to prevent inadvertent overpressurization of unit systems.

8. Engineered Safety Feature Actuation System Interlocks

To allow some flexibility in unit operations, several interlocks are included as part of the ESFAS. These interlocks permit the operator to block some signals, automatically enable other signals, prevent some actions from occurring, and cause other actions to occur. The interlock Functions back up manual actions to ensure bypassable functions are in operation under the conditions assumed in the safety analyses.

a. Engineered Safety Feature Actuation System Interlocks -

Reactor Trip, P-4 The P-4 interlock is enabled when a reactor trip breaker (RTB) and its associated bypass breaker are open. Once the P-4 interlock is enabled, automatic SI initiation can be blocked after a 60 second time delay. This Function allows operators to take manual control of SI systems after the initial phase of injection is complete (all loads are started). Once SI is blocked, automatic actuation of SI cannot occur until the RTBs have been manually closed. The safety functions of the P-4 interlock are:

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-33 REVISION 20 BASES APPLICABLE a. Engineered Safety Feature Actuation System Interlocks -

SAFETY ANALYSES, Reactor Trip, P-4 (continued) LCO, and APPLICABILITY

• Trip the main turbine;

• Isolate MFW with coincident low Tavg;

• Prevent reactuation of SI after a manual reset of SI; and

• Prevent opening of the MFW isolation valves if they were closed on SI or SG Water Level High High.

Each of the above Functions is interlocked with P-4 to avert or reduce the continued cooldown of the RCS following a reactor trip. An excessive cooldown of the RCS following a reactor trip could cause an insertion of positive reactivity with a subsequent increase in generated power.

To avoid such a situation, the noted Functions have been interlocked with P-4 as part of the design of the unit control and protection system.

None of the noted Functions serves a mitigation function in the unit licensing basis safety analyses. Only the turbine trip Function is explicitly assumed since it is an immediate consequence of the reactor trip Function. Neither turbine trip, nor any of the other four Functions associated with the reactor trip signal, is required to show that the unit licensing basis safety analysis acceptance criteria are not exceeded.

The RTB position switches that provide input to the P-4 interlock only function to energize or de-energize or open or close contacts. Therefore, this Function has no adjustable trip setpoint with which to associate a NTSB and Allowable Value. The interlock is armed when the RTB (RTA or RTB) or associated bypass breaker (BYA or BYB) is closed in each Train.

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-34 REVISION 20 BASES APPLICABLE a. Engineered Safety Feature Actuation System Interlocks -

SAFETY ANALYSES, Reactor Trip, P-4 (continued) LCO, and APPLICABILITY This Function must be OPERABLE in MODES 1, 2, and 3 when the reactor may be critical, approaching criticality, or the automatic SI function is required to be OPERABLE. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because the main turbine, the MFW System, and the automatic SI function are not required to be OPERABLE. The P-4 function to trip the turbine and isolate main feedwater are only required in MODES 1 and 2 when these systems may be in service.

b. Engineered Safety Feature Actuation System Interlocks -

Pressurizer Pressure, P-11 The P-11 interlock (PT-0455, PT-0456, PT-0457) permits a normal unit cooldown and depressurization without actuation of SI or main steam line isolation. With two-out-of-three pressurizer pressure channels (discussed previously) less than the P-11 setpoint, the operator can manually block the Pressurizer Pressure Low and Steam Line Pressure Low SI signals and the Steam Line Pressure Low steam line isolation signal (previously discussed). When the Steam Line Pressure Low steam line isolation signal is manually blocked, a main steam isolation signal on Steam Line Pressure Negative Rate High is enabled. This provides protection for an SLB by closure of the MSIVs. With two-out-of-three pressurizer pressure channels above the P-11 setpoint, the Pressurizer Pressure Low and Steam Line Pressure Low SI signals and the Steam Line Pressure Low steam line isolation signal are automatically enabled. The operator can also enable these trips by use of the respective manual reset buttons. When the Steam Line Pressure Low steam line isolation signal is enabled, the main steam isolation on Steam Line Pressure Negative Rate High is disabled. The NTSP

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-35 REVISION 20 BASES APPLICABLE b. Engineered Safety Feature Actuation System Interlocks -

SAFETY ANALYSES, Pressurizer Pressure, P-11 (continued) LCO, and APPLICABILITY reflects only steady state instrument uncertainties.

This Function must be OPERABLE in MODES 1, 2, and 3 to allow an orderly cooldown and depressurization of the unit without the actuation of SI or main steam isolation. This Function does not have to be OPERABLE in MODE 4, 5, or 6

because system pressure must already be below the P-11 setpoint for the requirements of the heatup and cooldown curves to be met.

ACTUATION RELAYS If the inoperability of one or more slave relays affects only one train of an ESF system function, and if the integrated system response that accomplishes the design safety function of the applicable engineered

safety feature is maintained given the inoperability of the slave relay(s), then the TS requirements to be applied may be limited to those of the applicable system specification. If more than one ESF system function is affected, or the integrated system response is affected, then the automatic actuation logic and actuation relays TS requirements must be applied, in addition to any necessary system TS requirements.

The purpose of ESFAS actuation logic and relays is to initiate the integrated system response that accomplishes the design safety function of the applicable engineered safety feature (ESF). Slave relays actuate individual components within systems that comprise the various ESFs. The application of slave relays varies from actuation of a single component within a system to multiple components that are shared among systems, and hence, the inoperability of a slave relay could impact one or more components that perform functions in one or more ESFs.

If the relay in question functions to provide the integrated system response of an ESF, then the TS requirements applicable to the ESFAS actuation logic and relays must be applied. Also, if the relay in question impacts more than one ESF system function, then the TS requirements applicable

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-36 REVISION 20 BASES ACTUATION RELAYS to the ESFAS actuation logic and relays must be applied. In (continued) these cases, depending on the operability requirements of the applicable system specification(s), the applicable system TS requirements may also be necessary.

If the results of a slave failure on a system performing ESF functions are no more severe than a limited equipment inoperability within that system, then the failure does not conflict with the actuation logic and relays TS requirements because the ability to initiate the integrated system response for the ESF is maintained. In this case, the failure of the slave relay would result only in the loss of the ability to actuate limited aspects of a system, where the collective impact of the slave relay inoperability would be no more severe than the inoperability of the one or more affected components of the system in question. The appropriate TS requirements to be applied under these conditions are limited to those of the system specification(s). The loss of that ability due to the slave relay inoperability must be completely within the system conditions provided for by the TS, whether in the statement of the LCO or in the allowed outage configuration(s) as provided in the action statements.

For example, if a slave relay inoperability affected only the Train A containment spray pump, this condition would be no more severe than the pump being inoperable. In this case, Train A of containment spray should be declared inoperable and the TS requirements for an inoperable train of containment spray should be applied. In this case it would be unnecessarily conservative to apply the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> AOT. The application of the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> AOT could result in an unnecessary shutdown and the associated plant transient and increased risk of operating events associated with plant transients.

Therefore, if the inoperability of one or more slave relays affects only one train of an ESF system function, and if the integrated system response that accomplishes the design safety function of the applicable ESF is maintained given the inoperability of the slave relay(s), then the TS requirements to be applied may be limited to those of the appropriate system specification. If more than one ESF system function is affected, or the integrated system

ESFAS Instrumentation B 3.3.2 (continued)

Vogtle Units 1 and 2 B 3.3.2-37 REVISION 20 BASES ACTUATION RELAYS response is affected, then the actuation logic and actuation (continued) relay TS requirements should be applied, in addition to any necessary system TS requirements.

The ESFAS instrumentation satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

ACTIONS In the event a channel's NTSP is found nonconservative with respect to the Allowable Value, or the channel is not functioning as required, or the transmitter, instrument loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection Function(s) affected. When the Required Channels in Table 3.3.2-1 are specified (e.g., on a per steam line, per loop, per SG, etc., basis), then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.

A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed on Table 3.3.2-1.

When the number of inoperable channels in a trip function exceed those specified in one or other related Conditions associated with a trip function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE of operation.

A.1 Condition A applies to all ESFAS protection functions.

Condition A addresses the situation where one or more channels for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

PAM Instrumentation B 3.3.3 (continued)

Vogtle Units 1 and 2 B 3.3.3-17 Rev. 2-3/05 BASES ACTIONS I.1 (continued)

If the Required Action and associated Completion Time of Conditions H are not met and Table 3.3.3-1 directs entry into Condition I, the unit must be brought to a MODE where the requirements of this LCO do not apply. To achieve this status, the unit must be brought to at least MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

The allowed Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. Condition I is modified by a Note that excludes the Containment Radiation and RVLIS Functions. These Functions are addressed by another Condition.

J.1 Alternate means of monitoring Reactor Vessel Water Level (RVLIS) and Containment Area Radiation are available. These alternate means may be temporarily installed if the normal PAM channel cannot be restored to OPERABLE status within the allotted time. If these alternate means are used, the Required Action is not to shut down the unit but rather to follow the directions of Specification 5.6.8, in the Administrative Controls

section of the TS. The report provided to the NRC should discuss the alternate means used, describe the degree to which the alternate means are equivalent to the installed PAM channels, justify the areas

PAM Instrumentation B 3.3.3 (continued)

Vogtle Units 1 and 2 B 3.3.3-18 REVISION 14 BASES ACTIONS J.1 (continued)

in which they are not equivalent, and provide a schedule for restoring the normal PAM channels.

SURVEILLANCE A Note has been added to the SR Table to clarify that SR 3.3.3.1 REQUIREMENTS and SR 3.3.3.2 apply to each PAM instrumentation Function in Table 3.3.3-1.

SR 3.3.3.1

Performance of the CHANNEL CHECK ensures that a gross instrumentation failure has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption

that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. The high radiation instrumentation should be compared to similar unit instruments located throughout the

unit.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

PAM Instrumentation B 3.3.3 Vogtle Units 1 and 2 B 3.3.3-19 REVISION 14 BASES SURVEILLANCE SR 3.3.3.2 REQUIREMENTS (continued) CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to measured parameter with the necessary range and accuracy. This SR is modified by a Note that excludes neutron detectors. The calibration method for neutron detectors is specified in the Bases of LCO 3.3.1, "Reactor Trip System (RTS) Instrumentation." The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. Safety Evaluation Report related to the operation of the Vogtle Electric Generating Plant, Units 1 and 2, NUREG-1137, Supplement No. 2, Section 7.5, May 1986.

2. Regulatory Guide 1.97, Rev. 2.

3. NUREG-0737, Supplement 1, "TMI Action Items."

Remote Shutdown System B 3.3.4 (continued)

Vogtle Units 1 and 2 B 3.3.4-3 Rev. 1 - 6/05 BASES (continued)

APPLICABILITY The Remote Shutdown System LCO is applicable in MODES 1, 2, and 3. This is required so that the unit can be placed and maintained in MODE 3 for an extended period of time from a location other than the control room.

This LCO is not applicable in MODE 4, 5, or 6. In these MODES, the facility is already subcritical and in a condition of reduced RCS energy. Under these conditions, considerable time is available to restore necessary instrument control functions if control room instruments or controls become unavailable.

ACTIONS A Note has been added to the ACTIONS to clarify the application of Completion Time rules. Separate Condition entry is allowed for each Function listed on Table 3.3.4-1. The Completion Time(s) of the inoperable channel(s)/train(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

A.1 Condition A addresses the situation where one or more required Functions of the Remote Shutdown System are inoperable. This includes any Function listed in Table 3.3.4-1, as well as the transfer switches and control circuits. A required Function is considered to be inoperable if one or more of its required channels is inoperable.

The Required Action is to restore the required Function to OPERABLE status within 30 days. The Completion Time is based on operating experience and the low probability of an event that would require evacuation of the control room.

Remote Shutdown System B 3.3.4 (continued)

Vogtle Units 1 and 2 B 3.3.4-4 REVISION 14 BASES ACTIONS B.1 and B.2 (continued) If the Required Action and associated Completion Time of Condition A are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.3.4.1 REQUIREMENTS Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious.

CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and readability. If the channels are within the criteria, it is an indication that the channels are OPERABLE. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

As specified in the Surveillance, a CHANNEL CHECK is only required for those channels which are normally energized.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Remote Shutdown System B 3.3.4 Vogtle Units 1 and 2 B 3.3.4-7 REVISION 30 BASES TABLE B 3.3.4-1 (continued)

REMOTE SHUTDOWN SYSTEM MONITORING INSTRUMENTATION READOUT 1 CHANNELS INSTRUMENT FUNCTION LOCATION AVAILABLE

12. Auxiliary Feedwater Flow A, B 1/LOOP (LOOP 1 FI-5152B, Panel A) (LOOP 2 FI-5151B, Panel B) (LOOP 3 FI-5153B, Panel B) (LOOP 4 FI-5150B, Panel A)

13. Steam Generator Pressure A, B 1/LOOP (LOOP 1 PI-0514C, Panel A) (LOOP 2 PI-0525B, Panel B) (LOOP 3 PI-0535B, Panel B) (LOOP 4 PI-0544C, Panel A)

1 A - Remote Shutdown Panel PSDA B - Remote Shutdown Panel PSDB L - Local Indication 2 Graph will be provided to determine level from pressure reading.

3 An Operable channel is determined by an algorithm requiring a minimum of 4 B Train core exit thermocouple inputs from the respective quadrant. The algorithm dismisses the high and low, requiring a minimum of 2 Operable thermocouples to display the average quadrant temperature.

4 Also refer to Technical Specification 3.3.3 functions, 16 and 22-25 for Core Exit Thermocouples.

LOP DG Start Instrumentation B 3.3.5 Vogtle Units 1 and 2 B 3.3.5-1 Rev. 1-10/07 B 3.3 INSTRUMENTATION

B 3.3.5 4.16 kV ESF Bus Loss of Power (LOP) Instrumentation

BASES BACKGROUND Each 4.16 kV ESF bus voltage is monitored by four channels of LOP instrumentation. The LOP instrumentation channels provide four separate signals from each bus to the associated sequencer.

The LOP channel signals are generated by four potential transformers on each bus. Two transformers are connected between phases A and B and two transformers are connected between phases C and B.

The signal from each transformer is converted in the sequencer cabinets to a 4-20 mA signal, and the resulting analog signal is fed to analog input modules and subsequently to comparator modules, functionally equivalent to 12 bistables also contained in the sequencer. Four bistables are set to trip on a loss of voltage signal

( 71.5% of bus voltage after a short time delay) and four bistables are set to trip on a degraded voltage signal ( 90% bus voltage for a longer period of time). Four additional bistables provide alarm functions and are not required operable by this Technical Specification. The LOP instrument channels lose their individual channel identity at the output of the bistables. The bistable output is combined in two-out-of-four logic circuitry for each trip function on each bus. The logic and actuation relays are integral to the sequencer circuitry and are required OPERABLE as part of the sequencer OPERABILITY requirements in LCOs 3.8.1 and 3.8.2 and the ESFAS actuation relay OPERABILITY requirements in LCO 3.3.2.

The LOP channels are described in FSAR, Section 8.3 (Ref. 1).

The Loss of Voltage and Degraded Voltage instrument Functions provide signals to their respective sequencer to ensure an adequate ESF bus voltage is maintained and provide an anticipatory automatic start of the auxiliary feedwater pumps. A two-out-of-four logic combination for Loss of Voltage or Degraded Voltage on an ESF bus will initiate sequencer circuits to start the diesel generator, shed bus loads, and sequence loading of the diesel generator if required. The two-out-of-four logic on one ESF bus will also initiate sequencer circuits to start the motor-driven auxiliary feedwater pump associated with that bus. A two-out-of-four logic signal from both ESF buses will initiate sequencer circuitry to start the turbine-driven auxiliary feedwater pump.

(continued)

LOP DG Start Instrumentation B 3.3.5 Vogtle Units 1 and 2 B 3.3.5-2 Rev. 1-3/00 BASES BACKGROUND Trip Setpoints and Allowable Values (continued) The Trip Setpoints used in the bistables are based on the analytical limits presented in FSAR, Chapter 15 (Ref. 2). These analytical limits have been incorporated into SR 3.3.5.2 as the Allowable Values. The selection of the Trip Setpoints is such that adequate protection is provided when all sensor and processing time delays are taken into account.

APPLICABLE The LOP DG start instrumentation is required for the ESF SAFETY ANALYSES Systems to function in any accident with a loss of offsite power. Its design basis is that of the ESFAS.

(continued)

LOP DG Start Instrumentation B 3.3.5 Vogtle Units 1 and 2 B 3.3.5-3 Rev. 2-10/07 BASES APPLICABLE Accident analyses credit the loading of the DG based on the loss of SAFETY ANALYSES offsite power during a loss of coolant accident (LOCA). The actual DG (continued) start has historically been associated with the ESFAS actuation. The DG loading has been included in the delay time associated with each safety system component requiring DG supplied power following a loss of offsite power. The analyses assume a non-mechanistic DG loading, which does not explicitly account for each individual component of loss of power detection and subsequent actions.

The required channels of LOP instrumentation, in conjunction with the ESF systems powered from the DGs, and the turbine-driven Auxiliary Feedwater Pump provide unit protection in the event of any of the analyzed accidents discussed in Reference 2, in which a loss of offsite power is assumed.

The delay times assumed in the safety analysis for the ESF equipment include the DG start delay, and the appropriate sequencing delay, if applicable. The response times for ESFAS actuated equipment in LCO 3.3.2, "Engineered Safety Feature Actuation System (ESFAS) Instrumentation," include the appropriate DG loading and sequencing delay. The short time delays used in conjunction with the loss of voltage and degraded voltage bistables are chosen to preclude sequence initiation due to momentary voltage fluctuations. The undervoltage sensing bistable time delays are nominal values and are not included in the safety analyses.

The LOP instrumentation channels satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO The LCO for LOP instrumentation requires that four channels per bus of both the loss of voltage and degraded voltage Functions shall be OPERABLE in MODES 1, 2, 3, and 4 when the LOP instrumentation supports safety systems associated with the ESFAS. In MODES 5 and 6, the four channels must be OPERABLE whenever the associated DG is required to be OPERABLE to ensure that the automatic start of the DG is available when needed. Loss of the LOP instrumentation Function could result in the delay of safety systems initiation when required. This could lead to unacceptable consequences during accidents. During the loss of offsite power the DG powers the motor driven auxiliary feedwater pumps. Failure of these pumps to start would leave only one turbine driven pump, as well as an increased potential for a loss of decay heat removal through the secondary system.

(continued)

LOP DG Start Instrumentation B 3.3.5 (continued)

Vogtle Units 1 and 2 B 3.3.5-7 REVISION 20 BASES ACTIONS E.1 (continued) required to be entered immediately. The actions of this LCO provide for adequate compensatory actions to support unit safety.

SURVEILLANCE SR 3.3.5.1 REQUIREMENTS SR 3.3.5.1 is the performance of a COT. A COT is performed on each required channel to ensure the entire channel will perform the intended Function. There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found setting are consistent with those established by the setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.2 SR 3.3.5.2 is the performance of a CHANNEL CALIBRATION. The Nominal Trip Setpoint considers factors that may affect channel performance such as rack drift, etc. Therefore, the Nominal Trip Setpoint (within the calibration tolerance) is the expected value for the CHANNEL CALIBRATION. However, the Allowable Value is the value that was used for the loss of voltage and degraded grid studies.

Therefore, a channel with an actual Trip Setpoint value that is conservative with respect to the Allowable Value is considered OPERABLE; but the channel should be reset to the Nominal Trip Setpoint value (within the calibration tolerance) to allow for factors which may affect channel performance (such as rack drift) prior to the next surveillance.

The setpoints, as well as the response to a loss of voltage and a degraded voltage test, shall include a single point verification that the trip occurs within the required time delay.

CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy. There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found setting are consistent with those established by the setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance

Frequency Control Program.

LOP DG Start Instrumentation B 3.3.5 (continued)

Vogtle Units 1 and 2 B 3.3.5-8 REVISION 26 BASES SURVEILLANCE S.R. 3.3.5.3 REQUIREMENTS (continued) The SR ensures the individual channel ESF RESPONSE TIMES with and without offsite power for the AFW System are less than or equal to the maximum values assumed in the accident analyses. Response time testing acceptance criteria are included in the FSAR, Chapter 7 (Ref. 3). Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the Trip Setpoint value at the sensor, to the point at which the equipment in both trains reaches the required functional state (e.g., pumps at rated discharge pressure, valves in full open or closed position).

For channels that include dynamic transfer functions (e.g., lag, lead/lag, rate/lag, etc.), the Response Time test may be performed with the transfer functions set to one with the resulting measured response time compared to the appropriate FSAR response time.

Alternately, the response time test can be performed with the time constants set to their nominal values provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is

measured.

ESF RESPONSE TIME tests are conducted on an 18 month STAGGERED TEST BASIS. Testing of the final actuation devices, which make up the bulk of the response time, is included in the testing of each channel. The final actuation device in one train is tested with each channel. Therefore, staggered testing results in response time verification of these devices every 18 months. The 18 month Frequency is consistent with the typical refueling cycle and is based on unit operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

This SR is modified by a Note that clarifies that the turbine driven AFW pump is tested within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after reaching 900 psig in the

SGs.

LOP DG Start Instrumentation B 3.3.5 Vogtle Units 1 and 2 B 3.3.5-9 REVISION 26 BASES REFERENCES 1. FSAR, Section 8.3.

2. FSAR, Chapter 15.

3. FSAR, Chapter 7.

Containment Ventilation Isolation Instrumentation B 3.3.6 (continued)

Vogtle Units 1 and 2 B 3.3.6-7 REVISION 14 BASES ACTIONS C.1 and C.2 (continued)

Required Action A.1. If no radiation monitoring channels are operable or the Required Action and associated Completion Time of Condition A are not met, operation may continue as long as the Required Action to place and maintain containment purge supply and exhaust isolation valves in their closed position is met or the applicable Conditions of LCO 3.9.4, "Containment Penetrations," are met for each penetration not in the required status. The Completion Time for these Required Actions is Immediately.

A Note states that Condition C is applicable during CORE ALTERATIONS and during movement of irradiated fuel assemblies

within containment.

SURVEILLANCE A Note has been added to the SR Table to clarify that REQUIREMENTS Table 3.3.6-1 determines which SRs apply to which Containment Ventilation Isolation Functions.

SR 3.3.6.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is

Containment Ventilation Isolation Instrumentation B 3.3.6 (continued)

Vogtle Units 1 and 2 B 3.3.6-8 REVISION 14 BASES SURVEILLANCE SR 3.3.6.1 (continued)

REQUIREMENTS outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.6.2 SR 3.3.6.2 is the performance of an ACTUATION LOGIC TEST. The train being tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function. In addition, the master relay coil is pulse tested for continuity. This verifies that the logic modules are OPERABLE and there is an intact voltage signal path to the master relay coils. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.6.3 SR 3.3.6.3 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying contact operation and a low voltage continuity check of the slave relay coil. Upon master relay contact operation, a low voltage is injected to the slave relay coil. This voltage is insufficient to pick up the slave relay, but large enough to demonstrate signal path continuity. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Containment Ventilation Isolation Instrumentation B 3.3.6 (continued)

Vogtle Units 1 and 2 B 3.3.6-9 REVISION 20 BASES SURVEILLANCE SR 3.3.6.4 REQUIREMENTS (continued) A COT is performed on each required channel to ensure the entire channel will perform the intended Function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. For MODES 1, 2, 3, and 4, this test verifies the capability of the

instrumentation to provide the containment purge and exhaust system isolation. During CORE ALTERATIONS and movement of irradiated fuel in containment, this test verifies the capability of the required channels to generate the signals required for input to the control room alarm. There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found setting are consistent with those established by the setpoint methodology.

SR 3.3.6.5 SR 3.3.6.5 is the performance of a SLAVE RELAY TEST. The SLAVE RELAY TEST is the energizing of the slave relays. Contact operation is verified in one of two ways. Actuation equipment that may be operated in the design mitigation mode is either allowed to function or is placed in a condition where the relay contact operation can be verified without operation of the equipment. Actuation equipment that may not be operated in the design mitigation mode is prevented from operation by the SLAVE RELAY TEST circuit. For this latter case, contact operation is verified by a continuity check of the circuit containing the slave relay.

For slave relays and associated auxiliary relays in the CVI actuation system circuit that are Potter and Brumfield (P&B) type Motor Driven Relays (MDR), the SLAVE RELAY TEST is performed on an 18-month frequency. This test frequency is based on relay reliability assessments presented in WCAP-13878, "Reliability Assessment of Potter and Brumfield MDR Series Relays." The reliability assessments are relay specific and apply only to Potter and Brumfield MDR series relays.

Quarterly testing of the slave relays associated with non-P&B MDR auxiliary relays will be administratively controlled until an alternate method of testing the auxiliary relays is developed or until they are replaced by P&B MDR series relays.

SR 3.3.6.6 SR 3.3.6.6 is the performance of a TADOT. This test is a check of the Manual Actuation Functions. Each Manual Actuation Function is tested up to, and including, the master relay coils. In some instances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.).

Containment Ventilation Isolation Instrumentation B 3.3.6 (continued)

Vogtle Units 1 and 2 B 3.3.6-10 REVISION 20 BASES SURVEILLANCE SR 3.3.6.6 (continued) REQUIREMENTS The test also includes trip devices that provide actuation signals directly to the SSPS, bypassing the analog process control

equipment. The SR is modified by a Note that excludes verification of setpoints during the TADOT. The Functions tested have no setpoints associated with them. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.6.7 CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy. There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found setting are consistent with those established by the setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance

Frequency Control Program.

SR 3.3.6.8

This SR ensures the individual channel RESPONSE TIMES are less than or equal to the maximum values assumed in the accident analysis.

Response time testing acceptance criteria are included in the FSAR.

Individual component response times are not modeled in the analyses.

The analyses model the overall or elapsed time, from the point at which the parameter exceeds the Trip Setpoint Valve at the sensor, to the point at which the equipment in both trains reaches the required functional state.

RESPONSE TIME tests are conducted on an 18 month STAGGERED TEST BASIS. Testing of the final actuation devices, which make up the bulk of the response time, is included in the testing of each channel.

The final actuation device in one train is tested with each channel.

Therefore, staggered testing results in response time verification of these devices every 18 months. The 18 month frequency is consistent with the typical refueling cycle and is based on unit operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

Containment Ventilation Isolation Instrumentation B 3.3.6 Vogtle Units 1 and 2 B 3.3.6-11 REVISION 14 BASES REFERENCES 1. 10 CFR 100.11.

CREFS Actuation Instrumentation B 3.3.7 (continued)

Vogtle Units 1 and 2 B 3.3.7-13 REVISION 14 BASES ACTIONS O.1, O.2.1, O.2.2.1, and O.2.2.2 (continued)

The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time for actions O.1 and O.2.1 reflects the urgency with which this condition must be addressed and is reasonable based on the low probability of an event occurring during this time interval that would require CREFS operation. The

7 day Completion Time of actions O.2.2.1 and O.2.2.2 is reasonable based on the low probability of an event occurring during this time interval that would require CREFS operation and the capability of the remaining CREFS manual and automatic actuation instrumentation.

P.1 Condition P is applicable when four air intake radiogas monitor channels are inoperable. In this condition, the air flow into the control room is not monitored. Action P.1 requires that a CREFS train in each unit be placed in the emergency mode of operation within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. Action P.1 accomplishes the radiogas monitor channel function and ensures the control room is protected for all postulated accident and single failure considerations by placing the two CREFS trains in operation. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time for action P.1 reflects the urgency with which this condition must be addressed and is a reasonable time to initiate two CREFS trains considering the low probability of an event occurring during this time interval that would require CREFS operation.

SURVEILLANCE A Note has been added to the SR Table to clarify that REQUIREMENTS Table 3.3.7-1 determines which SRs apply to which CREFS Actuation Functions.

SR 3.3.7.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of

CREFS Actuation Instrumentation B 3.3.7 (continued)

Vogtle Units 1 and 2 B 3.3.7-14 REVISION 20 BASES SURVEILLANCE SR 3.3.7.1 (continued) REQUIREMENTS something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the unit staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Surveillance Frequency is controlled under the Surveillance

Frequency Control Program.

SR 3.3.7.2

A COT is performed on each required channel to ensure the entire channel will perform the intended function. This test verifies the capability of the instrumentation to provide the CREFS actuation. There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found setting are consistent with those established by the setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.7.3 SR 3.3.7.3 is the performance of an ACTUATION LOGIC TEST.

The train being tested is placed in the bypass condition, thus preventing inadvertent actuation. Through the semiautomatic tester, all possible logic combinations, with and without applicable permissives, are tested for each protection function. In addition, the master relay coil is pulse tested for continuity. This verifies that the logic modules are OPERABLE and there is an intact voltage signal path to the master relay coils.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The Frequency is justified in WCAP-10271-P-A, Supplement 2, Rev. 1 (Ref. 1).

CREFS Actuation Instrumentation B 3.3.7 (continued)

Vogtle Units 1 and 2 B 3.3.7-15 REVISION 26 BASES SURVEILLANCE SR 3.3.7.4 REQUIREMENTS (continued) SR 3.3.7.4 is the performance of a TADOT. This test is a check of the Manual Actuation Functions. Each Manual Actuation Function is tested, which in some instances includes actuation of the end device (i.e., pump starts, valve cycles, etc.).

The Surveillance Frequency is controlled under the Surveillance

Frequency Control Program.

The SR is modified by a Note that excludes verification of setpoints during the TADOT. The Functions tested have no setpoints associated with them.

SR 3.3.7.5 CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found setting are consistent with those established by the setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance

Frequency Control Program.

SR 3.3.7.6 This SR ensures the individual channel ESF RESPONSE TIME for the CREFS radiogas monitor actuation instrumentation is less than or equal to the maximum values assumed in the accident analyses. Response time testing acceptance criteria are included

in the FSAR, Chapter 7 (Ref. 3). Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the Trip Setpoint value at the sensor, to the point at which the equipment in both trains reaches the required functional state (e.g., pumps at rated discharge pressure, valves in full open or closed position).

For channels that include dynamic transfer functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may

CREFS Actuation Instrumentation B 3.3.7 Vogtle Units 1 and 2 B 3.3.7-16 REVISION 26 BASES SURVEILLANCE SR 3.3.7.6 (continued) REQUIREMENTS be performed with the transfer functions set to one with the

resulting measured response time compared to the appropriate FSAR response time. Alternately, the response time test can be performed with the constants set to their nominal values provided the required response time is analytically calculated assuming the time constants are set at their nominal values. The response time may be measured by a series of overlapping tests such that the entire response time is measured.

ESF RESPONSE TIME tests are conducted on an 18 month STAGGERED TEST BASIS. Testing of the final actuation devices, which make up the bulk of the response time, is included in the testing of each channel. The final actuation device in one train is tested with each channel. Therefore, staggered testing results in response time verification of these devices every 18 months. The 18 month Frequency is consistent with the typical refueling cycle and is based on unit operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

REFERENCES 1. Westinghouse to SCS Letter 88GP-G-0025, dated May 23, 1988. Transmittal of PMTC FSAR changes.

2. VEGP Calculation No. X6CNA.09.01, Control Room HVAC Technical Specifications, 21 October 1988.

3. FSAR, Chapter 7.

HFASA Instrumentation B 3.3.8 (continued)

Vogtle Units 1 and 2 B 3.3.8-2 Rev. 3 - 6/05 BASES APPLICABILITY In MODES 1 and 2, operators are alerted to an unplanned (continued) dilution event by a reactor trip on overtemperature delta-T or power range neutron flux high, low setpoint, respectively. As a protective measure in addition to HFASA, in MODE 5 with the loops not filled, unplanned dilution events are precluded by requiring the unborated water source (reactor makeup water storage tank (RMWST)) to be isolated.

ACTIONS A.1 With one channel of HFASA inoperable, Required Action A.1 requires the inoperable channel to be restored within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />.

In this condition, one channel of HFASA remains available to provide protection. The 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> Completion Time is consistent with that required for an inoperable source range channel.

Required Action A.1 is modified by a Note stating that LCO 3.0.4c is applicable provided that Required Actions B.1 and B.2 are met.

When Condition A (and Required Action A.1) are applicable, the Note permits MODE changes provided that Required Action B.1 and B.2 are met. Required Action B.1 is a periodic verification of shutdown margin, and Required Action B.2 ensures that the unborated water source isolation valves are shut, precluding a boron dilution event. With one channel of HFASA inoperable, it is prudent to take the compensatory actions of Required Actions B.1 and B.2 if MODE changes are desired or required.

B.1 and B.2 With the Required Action A.1 and associated Completion Time not met, or with both channels of HFASA inoperable, the appropriate ACTIONS are to verify that the required SDM is present and isolate the unborated water source by performing

HFASA Instrumentation B 3.3.8 Vogtle Units 1 and 2 B 3.3.8-3 REVISION 20 BASES ACTIONS B.1 and B.2 (continued)

SR 3.9.2.1. This places the unit in a condition that precludes an unplanned dilution event. The Completion Times of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> thereafter for verifying SDM provide timely

assurance that no unintended dilution occurred while the HFASA

was inoperable and that SDM is maintained. The Completion

Times of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> and once per 14 days thereafter for verifying that

the unborated source is isolated provide timely assurance that an

unplanned dilution event cannot occur while the HFASA is

inoperable and that this protection is maintained until the HFASA is

restored.

SURVEILLANCE The HFASA channels are subject to a COT and a CHANNEL REQUIREMENTS CALIBRATION.

SR 3.3.8.1 SR 3.3.8.1 requires the performance of a COT to ensure that each

channel of the HFASA and its setpoint are OPERABLE. This test

shall include verification that the HFASA setpoint is less than or

equal to 2.3 times background. There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found setting are consistent with those established by the setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control

Program. This Surveillance Requirement is modified by a Note that

provides a 4-hour delay in the requirement to perform this

surveillance for the HFASA instrumentation upon entering MODE 3

from MODE 2. This Note allows a normal shutdown to proceed

without delay for the performance of the surveillance to meet the

applicability requirements in MODE 3.

SR 3.3.8.2 SR 3.3.8.2 requires the performance of a CHANNEL

CALIBRATION. There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found setting are consistent with those established by the setpoint methodology. This test verifies that each channel responds to a measured parameter within the necessary range and

accuracy. It encompasses the HFASA portion of the instrument

loop. The Surveillance Frequency is controlled under the

Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Subsection 15.4.6.

RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 (continued)

Vogtle Units 1 and 2 B 3.4.1-5 REVISION 14 BASES ACTIONS A.1 (continued)

The 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> Completion Time for restoration of the parameters is based on plant operating experience and provides sufficient time to adjust plant parameters, to determine the cause for the off normal condition, and to restore the readings within limits.

B.1 If degradation in RCS total flow rate is detected via the flow rate indicators, a precision calorimetric heat balance must be performed within 7 days of detection of the degradation. The precision heat balance will positively verify actual RCS total flow rate. The 7-day Completion Time is adequate to allow for the setup necessary for this measurement and is acceptable since the RCS low flow reactor trips will protect the reactor against actual low flow conditions.

C.1 If Required Actions A.1 or B.1 are not met within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 2 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. In MODE 2, the reduced power condition eliminates the potential for violation of the accident analysis bounds. The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable to reach the required plant conditions in an orderly manner.

SURVEILLANCE SR 3.4.1.1 REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 (continued)

Vogtle Units 1 and 2 B 3.4.1-6 REVISION 14 BASES SURVEILLANCE SR 3.4.1.2 REQUIREMENTS (continued) The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.1.3

The RCS flow instrumentation indicates from 0% to 120% as opposed to actual flow in gallons per minute. Therefore, the flow instrumentation is used to detect degradation in flow rather than as a comparison against the actual limit in gallons per minute.

Degradation is defined as a change in indicated percent flow which is greater than the instrument channel inaccuracies and parallax errors. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.1.4 Measurement of RCS total flow rate by performance of a precision calorimetric heat balance allows the installed RCS flow instrumentation to be correlated with the precision flow measurement and verifies the actual RCS flow rate is greater than or equal to the minimum required RCS flow rate. In addition, in order to ensure that the measurement uncertainty assumed in the limit for RCS total flow rate is maintained, the instrumentation used for the precision calorimetric heat balance will be calibrated within 30 days prior to the precision calorimetric.

RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 Vogtle Units 1 and 2 B 3.4.1-7 REVISION 14 BASES SURVEILLANCE SR 3.4.1.4 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that allows entry into MODE 1, without having performed the SR, and placement of the unit in the best condition for performing the SR. The Note states that the SR is not required to be performed until 7 days after 90% RTP. This exception is appropriate since the heat balance requires the plant to be at a minimum of 90% RTP to obtain the stated RCS flow accuracies. The Surveillance shall be performed within 7 days after reaching 90% RTP.

REFERENCES 1. FSAR, Chapter 15.

RCS Minimum Temperature for Criticality B 3.4.2 Vogtle Units 1 and 2 B 3.4.2-3 REVISION 14 BASES APPLICABILITY it is necessary to allow RCS loop average temperatures to (continued) fall below the HZP temperature, which may cause RCS loop average temperatures to fall below the temperature limit of this LCO.

ACTIONS A.1

If the parameters that are outside the limit cannot be restored, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 30 minutes. Rapid reactor shutdown can be readily and practically achieved within a 30 minute period. The allowed time is reasonable, based on operating experience, to reach MODE 3 in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.4.2.1 REQUIREMENTS RCS loop average temperature is required to be verified at or above 551°F when the Tavg - Tref deviation alarm (TI-0412, TI-0422, TI-0432, TI-0442) is not reset and any RCS loop Tavg < 561°F. When these conditions are present, RCS loop average temperatures could fall below the LCO requirement without additional warning. The frequency of 30 minutes is sufficient to prevent the inadvertent violation of the LCO. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 4.3 and Subsections 15.0.3 and 15.4.8.

RCS P/T Limits B 3.4.3 (continued)

Vogtle Units 1 and 2 B 3.4.3-1 Rev. 1-3/05 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.3 RCS Pressure and Temperature (P/T) Limits

BASES BACKGROUND All components of the RCS are designed to withstand effects of cyclic loads due to system pressure and temperature changes. These loads

are introduced by startup (heatup) and shutdown (cooldown) operations, power transients, and reactor trips. This LCO limits the pressure and temperature changes during RCS heatup and cooldown, within the design assumptions and the stress limits for cyclic

operation.

The PTLR contains P/T limit curves for heatup, cooldown, inservice leak and hydrostatic (ISLH) testing, and data for the maximum rate of change of reactor coolant temperature.

Each P/T limit curve defines an acceptable region for normal operation. The usual use of the curves is operational guidance during heatup or cooldown maneuvering, when pressure and temperature indications are monitored and compared to the applicable curve to determine that operation is within the allowable region.

The LCO establishes operating limits that provide a margin to brittle failure of the reactor vessel and piping of the reactor coolant pressure boundary (RCPB). The vessel is the component most subject to brittle failure, and the LCO limits apply mainly to the vessel. The limits do not apply to the pressurizer, which has different design characteristics and operating functions.

10 CFR 50, Appendix G (Ref. 1), requires the establishment of P/T limits for specific material fracture toughness requirements of the RCPB materials. Reference 1 requires an adequate margin to brittle failure during normal operation, anticipated operational occurrences, and system hydrostatic tests. It mandates the use of the American Society of Mechanical Engineers (ASME) Code,Section XI, Appendix G (Ref. 2).

The neutron embrittlement effect on the material toughness is reflected by increasing the nil ductility reference temperature (RT NDT) as exposure to neutron fluence increases.

RCS P/T Limits B 3.4.3 (continued)

Vogtle Units 1 and 2 B 3.4.3-7 REVISION 14 BASES ACTIONS C.1 and C.2 (continued)

Condition C is modified by a Note requiring Required Action C.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required Action C.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.

SURVEILLANCE SR 3.4.3.1 REQUIREMENTS Verification that operation is within the PTLR limits is required when RCS pressure and temperature conditions are undergoing planned changes. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Surveillance for heatup, cooldown, or ISLH testing may be discontinued when the definition given in the relevant plant procedure for ending the activity is satisfied.

This SR is modified by a Note that only requires this SR to be performed during system heatup, cooldown, and ISLH testing. No SR is given for criticality operations because LCO 3.4.2 contains a more restrictive requirement.

REFERENCES 1. 10 CFR 50, Appendix G.

2. ASME, Boiler and Pressure Vessel Code,Section XI, Appendix G.

3. ASTM E 185-82, July 1982.

4. 10 CFR 50, Appendix H.

5. Regulatory Guide 1.99, Revision 2, May 1988.

RCS P/T Limits B 3.4.3 Vogtle Units 1 and 2 B 3.4.3-8 Rev. 1-3/05 BASES REFERENCES 6. ASME, Boiler and Pressure Vessel Code,Section XI, (continued) Appendix E.

7. WCAP-14040-A, Revision 4.

RCS Loops-MODES 1 and 2 B 3.4.4 Vogtle Units 1 and 2 B 3.4.4-1 Revision No. 0 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.4 RCS Loops-MODES 1 and 2

BASES BACKGROUND The primary function of the RCS is removal of the heat generated in the fuel due to the fission process, and transfer of this heat, via the steam generators (SGs), to the secondary plant.

The secondary functions of the RCS include:

a. Moderating the neutron energy level to the thermal state, to increase the probability of fission;

b. Improving the neutron economy by acting as a reflector;

c. Carrying the soluble neutron poison, boric acid;

d. Providing a second barrier against fission product release to the environment; and

e. Removing the heat generated in the fuel due to fission product decay following a unit shutdown.

The reactor coolant is circulated through four loops connected in parallel to the reactor vessel, each containing an SG, a reactor coolant pump (RCP), and appropriate flow and temperature instrumentation for both control and protection. The reactor vessel contains the clad fuel. The SGs provide the heat sink to the isolated secondary coolant. The RCPs circulate the coolant through the reactor vessel and SGs at a sufficient rate to ensure proper heat transfer and prevent fuel damage. This forced circulation of the reactor coolant ensures mixing of the coolant for proper boration and chemistry control.

APPLICABLE Safety analyses contain various assumptions for the design SAFETY ANALYSES bases accident initial conditions including RCS pressure, RCS temperature, reactor power level, core parameters, and safety system setpoints. The important aspect for this LCO is the reactor coolant forced flow rate, which is represented by the number of RCS loops in service.

(continued)

RCS Loops-MODES 1 and 2 B 3.4.4 Vogtle Units 1 and 2 B 3.4.4-2 Rev. 2-9/06 BASES APPLICABLE All of the accident/safety analyses performed at full rated thermal SAFETY ANALYSES power assume that all four RCS loops are in operation as an initial (continued) condition. Some accident/safety analyses have been performed at zero power conditions assuming only two RCS loops are in operation to conservatively bound lower modes of operation. The events which assume only two RCPs in operation include the uncontrolled RCCA (Bank) withdrawal from subcritical and the rod ejection events. While all accident/safety analyses performed at full rate thermal power assume that all the RCS loops are in operation, selected events examine the effects resulting from a loss of RCP operation. These include the complete and partial loss of forced RCS flow, reactor coolant pump rotor seizure, and reactor coolant pump shaft break events. For each of these events, it is demonstrated that all the applicable safety criteria are satisfied. For the remaining accident/safety analyses, operation of all four RCS loops during the transient up to the time of reactor trip is assumed thereby ensuring that all the applicable acceptance criteria are satisfied. Those transients analyzed beyond the time of reactor trip were examined assuming that a loss of offsite power occurs which results in the RCPs coasting down.

By ensuring that the plant operates with all RCS loops in operation in MODES 1 and 2, adequate heat transfer is provided between the fuel cladding and the reactor coolant.

RCS Loops-MODES 1 and 2 satisfy Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO The purpose of this LCO is to require an adequate forced flow rate for core heat removal. Flow is represented by the number of RCPs in operation for removal of heat by the SGs. To meet safety analysis acceptance criteria for DNB, four pumps are required at rated power.

An OPERABLE RCS loop consists of an OPERABLE RCP in operation providing forced flow for heat transport and an OPERABLE SG.

(continued)

RCS Loops-MODES 1 and 2 B 3.4.4 (continued)

Vogtle Units 1 and 2 B 3.4.4-3 REVISION 14 BASES (continued)

APPLICABILITY In MODES 1 and 2, the reactor is critical and thus has the potential to produce maximum THERMAL POWER. Thus, to ensure that the assumptions of the accident analyses remain valid, all RCS loops are required to be OPERABLE and in operation in these MODES to prevent DNB and core damage.

The decay heat production rate is much lower than the full power heat rate. As such, the forced circulation flow and heat sink requirements are reduced for lower, noncritical MODES as indicated by the LCOs for MODES 3, 4, and 5.

Operation in other MODES is covered by:

LCO 3.4.5, "RCS Loops-MODE 3"; LCO 3.4.6, "RCS Loops-MODE 4"; LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled"; LCO 3.4.8, "RCS Loops-MODE 5, Loops Not Filled"; LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level" (MODE 6); and LCO 3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level" (MODE 6).

ACTIONS A.1 If the requirements of the LCO are not met, the Required Action is to reduce power and bring the plant to MODE 3. This lowers power level and thus reduces the core heat removal needs and minimizes the possibility of violating DNB limits.

The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging safety systems.

SURVEILLANCE SR 3.4.4.1 REQUIREMENTS This SR requires verification that each RCS loop is in operation. Verification may include flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal while maintaining the margin to DNB.

RCS Loops-MODES 1 and 2 B 3.4.4 Vogtle Units 1 and 2 B 3.4.4-4 REVISION 14 BASES SURVEILLANCE SR 3.4.4.1 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Chapter 15.

RCS Loops-MODE 3 B 3.4.5 Vogtle Units 1 and 2 B 3.4.5-1 Revision No. 0 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.5 RCS Loops-MODE 3

BASES BACKGROUND In MODE 3, the primary function of the reactor coolant is removal of decay heat and transfer of this heat, via the steam generator (SG), to the secondary plant fluid. The secondary function of the reactor coolant is to act as a carrier for soluble neutron poison, boric acid.

The reactor coolant is circulated through four RCS loops, connected in parallel to the reactor vessel, each containing an SG, a reactor coolant pump (RCP), and appropriate flow, pressure, level, and temperature instrumentation for control, protection, and indication. The reactor vessel contains the clad fuel. The SGs provide the heat sink. The RCPs circulate the water through the reactor vessel and SGs at a sufficient rate to ensure proper heat transfer and prevent fuel damage.

In MODE 3, RCPs are used to provide forced circulation for heat removal during heatup and cooldown. The MODE 3 decay heat removal requirements are low enough that a single RCS loop with one RCP running is sufficient to remove core decay heat. However, two RCS loops are required to be OPERABLE to ensure redundant capability for decay heat removal.

APPLICABLE Whenever the reactor trip breakers (RTBs) are in the closed SAFETY ANALYSES position and the control rod drive mechanisms (CRDMs) are energized, an inadvertent rod withdrawal from subcritical, resulting in a power excursion, is possible. Such a transient could be caused by a malfunction of the rod control system. In addition, the possibility of a power excursion due to the ejection of an inserted control rod is possible with the breakers closed or open. Such a transient could be caused by the mechanical failure of a CRDM.

Therefore, in MODE 3 with RTBs in the closed position and the Rod Control System capable of rod withdrawal, accidental control rod withdrawal from subcritical is postulated and requires at least two RCS loops to be OPERABLE and in operation to ensure that the accident analyses limits are

(continued)

RCS Loops-MODE 3 B 3.4.5 Vogtle Units 1 and 2 B 3.4.5-2 Rev. 1-10/01 BASES APPLICABLE met. For those conditions when the Rod Control System is SAFETY ANALYSES not capable of rod withdrawal, two RCS loops are required to (continued) be OPERABLE, but only one RCS loop is required to be in operation to be consistent with MODE 3 accident analyses.

Failure to provide decay heat removal may result in challenges to a fission product barrier. The RCS loops are part of the primary success path that functions or actuates to prevent or mitigate a Design Basis Accident or transient that either assumes the failure of, or presents a challenge to, the integrity of a fission product barrier.

RCS Loops-MODE 3 satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO The purpose of this LCO is to require that at least two RCS loops be OPERABLE. In MODE 3 with the RTBs in the closed position and Rod Control System capable of rod withdrawal, two RCS loops must be in operation. Two RCS loops are required to be in operation in MODE 3 with RTBs closed and Rod Control System capable of rod withdrawal due to the postulation of a power excursion because of an inadvertent control rod withdrawal. The required number of RCS loops in operation ensures that the Safety Limit criteria will be met for all of the postulated accidents.

With the RTBs in the open position, or the CRDMs de-energized, the Rod Control System is not capable of rod withdrawal; therefore, only one RCS loop in operation is necessary to ensure removal of decay heat from the core and homogenous boron concentration throughout the RCS. An additional RCS loop is required to be OPERABLE to ensure adequate decay heat removal capability.

The Note permits all RCPs to be de-energized for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> per 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> period. The purpose of the Note is to perform tests that are designed to validate various accident analyses values. One of these tests is validation of the pump coastdown curve used as input to a number of accident analyses including a loss of flow accident. This test is generally performed in MODE 3 during the initial startup testing program, and as such should only be performed once. If, however, changes are made to the RCS that would cause a

(continued)

RCS Loops-MODE 3 B 3.4.5 Vogtle Units 1 and 2 B 3.4.5-3 Rev. 1-9/06 BASES LCO change to the flow characteristics of the RCS, the input (continued) values of the coastdown curve must be revalidated by conducting the test again.

Utilization of the Note is permitted provided the following conditions are met, along with any other conditions imposed by initial startup test procedures:

a. No operations are permitted that would dilute the RCS boron concentration, thereby maintaining the margin to criticality.

Boron reduction is prohibited because a uniform concentration distribution throughout the RCS cannot be ensured when in natural circulation; and

b. Core outlet temperature is maintained at least 10F below saturation temperature, so that no vapor bubble may form and possibly cause a natural circulation flow obstruction.

An OPERABLE RCS loop consists of one OPERABLE RCP and one OPERABLE SG which has the minimum water level specified in SR 3.4.5.2. An RCP is OPERABLE if it is capable of being powered and is able to provide forced flow if required.

APPLICABILITY In MODE 3, this LCO ensures forced circulation of the reactor coolant to remove decay heat from the core and to provide proper boron mixing. The most stringent condition of the LCO, that is, two RCS loops OPERABLE and two RCS loops in operation, applies to MODE 3 with RTBs in the closed position. The least stringent condition, that is, two RCS loops OPERABLE and one RCS loop in operation, applies to MODE 3 with the RTBs open.

Operation in other MODES is covered by:

LCO 3.4.4, "RCS Loops-MODES 1 and 2";

LCO 3.4.6, "RCS Loops-MODE 4";

LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled"; LCO 3.4.8, "RCS Loops-MODE 5, Loops Not Filled"; LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level" (MODE 6); and LCO 3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level" (MODE 6).

(continued)

RCS Loops-MODE 3 B 3.4.5 Vogtle Units 1 and 2 B 3.4.5-4 Revision No. 0 BASES (continued)

ACTIONS A.1 If one required RCS loop is inoperable, redundancy for heat removal is lost. The Required Action is restoration of the required RCS loop to OPERABLE status within the Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. This time allowance is a justified period to be without the redundant, nonoperating loop because a single loop in operation has a heat transfer capability greater than that needed to remove the decay heat produced in the reactor core and because of the low probability of a failure in the remaining loop occurring during this period.

B.1 If restoration is not possible within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, the unit must be brought to MODE 4. In MODE 4, the unit may be placed on the Residual Heat Removal System. The additional Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is compatible with required operations to achieve cooldown and depressurization from the existing plant conditions in an orderly manner and without challenging plant systems.

C.1 and C.2

If the required RCS loop is not in operation, and the RTBs are closed and Rod Control System capable of rod withdrawal, the Required Action is either to restore the required RCS loop to operation or to de-energize all CRDMs by opening the RTBs or de-energizing the motor generator (MG) sets. When the RTBs are in the closed position and Rod Control System capable of rod withdrawal, it is postulated that a power excursion could occur in the event of an inadvertent control rod withdrawal. This mandates having the heat transfer capacity of two RCS loops in operation. If only one loop is in operation, the RTBs must be opened. The Completion Times of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to restore the required RCS loop to operation or de-energize all CRDMs is adequate to perform these operations in an orderly manner without exposing the unit to risk for an undue time period.

(continued)

RCS Loops-MODE 3 B 3.4.5 (continued)

Vogtle Units 1 and 2 B 3.4.5-5 REVISION 14 BASES ACTIONS D.1, D.2, and D.3 (continued) If two required RCS loops are inoperable or no RCS loop is in operation, except as during conditions permitted by the Note in the LCO section, all CRDMs must be de-energized by opening the RTBs or de-energizing the MG sets. All operations involving a reduction of RCS boron concentration must be suspended, and action to restore one of the RCS loops to OPERABLE status and operation must be initiated. Boron dilution requires forced circulation for proper mixing, and opening the RTBs or de-energizing the MG sets removes the

possibility of an inadvertent rod withdrawal. The immediate Completion Time reflects the importance of maintaining operation for heat removal. The action to restore must be continued until one loop is restored to OPERABLE status and operation.

SURVEILLANCE SR 3.4.5.1 REQUIREMENTS This SR requires verification that the required loops are in operation. Verification may include flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.5.2 SR 3.4.5.2 requires verification of SG OPERABILITY. SG OPERABILITY is verified by ensuring that the secondary side water level (LI-0501, LI-0502, LI-0503, LI-0504) for the required RCS loops is above the highest point of the steam generator U-tubes for each required loop. To assure that the steam generator is capable of functioning as a heat sink for the removal of decay heat, the U-tubes must be completely submerged. Plant procedures provide the minimum indicated levels for the range of the steam generator operating conditions required to satisfy this SR. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

RCS Loops-MODE 3 B 3.4.5 Vogtle Units 1 and 2 B 3.4.5-6 REVISION 14 BASES SURVEILLANCE SR 3.4.5.3 REQUIREMENTS (continued) Verification that the required RCPs are OPERABLE ensures that safety analyses limits are met. The requirement also ensures that an additional RCP can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power availability to the required RCPs. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES None.

RCS Loops-MODE 4 B 3.4.6 (continued)

Vogtle Units 1 and 2 B 3.4.6-1 Rev. 1-10/01 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.6 RCS Loops - MODE 4

BASES BACKGROUND In MODE 4, the primary function of the reactor coolant is the removal of decay heat and the transfer of this heat to either the steam generator (SG) secondary side coolant or the component cooling water via the residual heat removal (RHR) heat exchangers.

The secondary function of the reactor coolant is to act as a carrier for soluble neutron poison, boric acid.

The reactor coolant is circulated through four RCS loops connected in parallel to the reactor vessel, each loop containing an SG, a reactor coolant pump (RCP), and appropriate flow, pressure, level, and temperature instrumentation for control, protection, and indication. The RCPs circulate the coolant through the reactor vessel and SGs at a sufficient rate to ensure proper heat transfer and to prevent boric acid stratification.

In MODE 4, either RCPs or RHR loops can be used to provide forced circulation. The intent of this LCO is to provide forced flow from at least one RCP or one RHR loop for decay heat removal and transport. The flow provided by one RCP loop or RHR loop is adequate for decay heat removal. The other intent of this LCO is to require that two paths be available to provide redundancy for decay heat removal.

APPLICABLE In MODE 4, RCS circulation is considered in the determination of the SAFETY ANALYSES time available for mitigation of the accidental boron dilution event. The RCS and RHR loops provide this circulation.

RCS Loops - MODE 4 satisfies Criterion 4 of 10 CFR 50.36 (c)(2)(ii).

LCO The purpose of this LCO is to require that at least two loops be OPERABLE in MODE 4 and that one of these loops be in operation. The LCO allows the two loops that are required to be OPERABLE to consist of any combination of RCS

RCS Loops-MODE 4 B 3.4.6 (continued)

Vogtle Units 1 and 2 B 3.4.6-2 Rev. 1-3/05 BASES LCO loops and RHR loops. Any one loop in operation provides enough (continued) flow to remove the decay heat from the core with forced circulation. An additional loop is required to be OPERABLE to provide redundancy for heat removal.

Note 1 permits all RCPs or RHR pumps to be de-energized for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> per 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> period. The purpose of the Note is to permit tests that are designed to validate various accident analyses values.

These tests are initially performed during startup testing. However, if changes are made to the RCS that would cause a change to the flow characteristics of the RCS, the input values must be revalidated by conducting the test again. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> time period is adequate to perform the necessary testing, and operating experience has shown that boron stratification is not a problem during this short period with no forced flow.

Utilization of Note 1 is permitted provided the following conditions are met along with any other conditions imposed by initial startup test procedures:

a. No operations are permitted that would dilute the RCS boron concentration, therefore maintaining the margin to criticality. Boron reduction is prohibited because a uniform concentration distribution throughout the RCS cannot be ensured when in natural circulation; and

b. Core outlet temperature is maintained at least 10F below saturation temperature, so that no vapor bubble may form and possibly cause a natural circulation flow obstruction.

Note 2 requires that the secondary side water temperature of each SG be < 50F above each of the RCS cold leg temperatures before the start of an RCP any time during MODE 4 operation with any RCS cold leg temperature the Cold Overpressure Protection System (COPS) arming temperature specified in the PTLR. This restraint is to prevent a low temperature overpressure event due to a thermal transient when an RCP is started. The Note further restricts starting an RCP to a range of temperature differentials between the SGs and the RCS that is consistent with analysis assumptions used to demonstrate that the RHR design pressure is not exceeded when the RHR suction isolation valves are open.

RCS Loops-MODE 4 B 3.4.6 (continued)

Vogtle Units 1 and 2 B 3.4.6-4 REVISION 14 BASES ACTIONS B.1 (continued)

If one required RHR loop is OPERABLE and in operation and there are no RCS loops OPERABLE, an inoperable RCS or RHR loop must be restored to OPERABLE status to provide a redundant means for decay heat removal.

If the parameters that are outside the limits cannot be restored, the unit must be brought to MODE 5 within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Bringing the unit to MODE 5 is a conservative action with regard to decay heat removal. With only one RHR loop OPERABLE, redundancy for decay heat removal is lost and, in the event of a loss of the

remaining RHR loop, it would be safer to initiate that loss from MODE 5 ( 200°F) rather than MODE 4 (200 to 350

°F). The Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is a reasonable time, based on operating experience, to reach MODE 5 from MODE 4 in an orderly manner and without challenging plant systems.

C.1 and C.2

If no loop is OPERABLE or in operation, except during conditions permitted by Note 1 in the LCO section, all operations involving a reduction of RCS boron concentration must be suspended and action to restore one RCS or RHR loop to OPERABLE status and operation must be initiated. Boron dilution requires forced circulation for proper mixing, and the margin to criticality must not be reduced in this type of operation. The immediate Completion Times reflect the importance of maintaining operation for decay heat removal. The action to restore must be continued until one loop is restored to OPERABLE status and operation.

SURVEILLANCE SR 3.4.6.1 REQUIREMENTS This SR requires verification that one RCS or RHR loop is in operation. Verification may include flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

RCS Loops-MODE 5, Loops Filled B 3.4.7 Vogtle Units 1 and 2 B 3.4.7-1 Revision No. 0 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.7 RCS Loops-MODE 5, Loops Filled

BASES BACKGROUND In MODE 5 with the RCS loops filled, the primary function of the reactor coolant is the removal of decay heat and the transfer of this heat either to the steam generator (SG) secondary side coolant or component cooling water via the residual heat removal (RHR) heat exchangers. While the principal means for decay heat removal is via the RHR System, the SGs are specified as a backup means for redundancy. Even though the SGs cannot produce steam in this MODE, they are capable of being a heat sink due to their large contained volume of secondary water. As long as the SG secondary side water is at a lower temperature than the reactor coolant, heat transfer will occur. The rate of heat transfer is directly proportional to the temperature difference. The secondary function of the reactor coolant is to act as a carrier for soluble neutron poison, boric acid.

In MODE 5 with the RCS loops filled, the reactor coolant is circulated by means of two RHR loops connected to the RCS, each loop containing an RHR heat exchanger, an RHR pump, and appropriate flow and temperature instrumentation for control, protection, and indication. One RHR pump circulates the water through the RCS at a sufficient rate to prevent boric acid stratification.

The number of loops in operation can vary to suit the operational needs. The intent of this LCO is to provide forced flow from at least one RHR loop for decay heat removal and transport. The flow provided by one RHR loop is adequate for decay heat removal. The other intent of this LCO is to require that a second path be available to provide redundancy for heat removal.

The LCO provides for redundant paths of decay heat removal capability. The first path can be an RHR loop that must be OPERABLE and in operation. The second path can be another OPERABLE RHR loop or maintaining two SGs with secondary side water levels above the highest point of the SG U-tubes to provide an alternate method for decay heat removal. To assure that the SG is capable of functioning as a heat sink (continued)

RCS Loops-MODE 5, Loops Filled B 3.4.7 Vogtle Units 1 and 2 B 3.4.7-2 Rev. 1-10/01 BASES BACKGROUND for the removal of decay heat, the U-tubes must be completely (continued) submerged, which is achieved if the SG level criteria are satisfied.

APPLICABLE In MODE 5, RCS circulation is considered in the determination of the SAFETY ANALYSES time available for mitigation of the accidental boron dilution event. The RHR loops provide this circulation.

RCS loops-MODE 5 (Loops Filled) satisfies Criterion 4 of 10 CFR 50.36 (c)(2)(ii).

LCO The purpose of this LCO is to require that at least one of the RHR loops be OPERABLE and in operation with an additional RHR loop OPERABLE or two SGs with secondary side water level above the highest point of the SG U-tubes. One RHR loop provides sufficient forced circulation to perform the safety functions of the reactor coolant under these conditions. An additional RHR loop is required to be OPERABLE to meet single failure considerations. However, if the standby RHR loop is not OPERABLE, an acceptable alternate method is two SGs with their secondary side water levels above the highest point of the SG U-tubes. Should the operating RHR loop fail, the SGs could be used to remove the decay heat. SG wide (LI 501-504) and SG narrow (LI 517-519, LI 527-529, LI 537-539, LI 547-549, and LI 551-554) range instrumentation are available for determining SG water level.

Note 1 permits all RHR pumps to be de-energized 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> per 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> period. The purpose of the Note is to permit tests designed to validate various accident analyses values. These tests are initially performed during startup testing. However, if changes are made to the RCS that would cause a change to the flow characteristics of the RCS, the input values must be revalidated by conducting the test again. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> time period is adequate to perform the necessary testing, and operating experience has shown that boron stratification is not likely during this short period with no forced flow.

(continued)

RCS Loops-MODE 5, Loops Filled B 3.4.7 Vogtle Units 1 and 2 B 3.4.7-4 Rev. 1-9/99 BASES LCO b. RCS pressure maintained > 100 psig since the most (continued) recent filling and venting.

The loops are not considered to be filled if these requirements are not satisfied.

APPLICABILITY In MODE 5 with RCS loops filled, this LCO requires forced circulation of the reactor coolant to remove decay heat from the core and to provide proper boron mixing. One loop of RHR provides sufficient circulation for these purposes. However, one additional RHR loop is required to be OPERABLE, or the secondary side water level of at least two SGs is required to be above the highest point of the SG U-tubes. Operation in other MODES is covered by:

LCO 3.4.4, "RCS Loops-MODES 1 and 2"; LCO 3.4.5, "RCS Loops-MODE 3"; LCO 3.4.6, "RCS Loops-MODE 4"; LCO 3.4.8, "RCS Loops-MODE 5, Loops Not Filled"; LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level" (MODE 6); and LCO 3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level" (MODE 6).

ACTIONS A.1 and A.2

If one RHR loop is inoperable and the required SGs have secondary side water levels below the highest point of the SG U-tubes, redundancy for heat removal is lost. Action must be initiated immediately to restore a second RHR loop to OPERABLE status or to restore the required SG secondary side water levels. Either Required Action A.1 or Required Action A.2 will restore redundant heat removal paths. The immediate Completion Time reflects the importance of maintaining the availability of two paths for heat removal.

B.1 and B.2

If no RHR loop is in operation, except during conditions permitted by Note 1, or if no loop is OPERABLE, all operations involving a reduction of RCS boron concentration must be suspended and action to restore one RHR loop to (continued)

RCS Loops-MODE 5, Loops Filled B 3.4.7 (continued)

Vogtle Units 1 and 2 B 3.4.7-5 REVISION 14 BASES ACTIONS B.1 and B. 2 (continued)

OPERABLE status and operation must be initiated. To prevent boron dilution, forced circulation is required to provide proper mixing and preserve the margin to criticality in this type of operation. The immediate Completion Times reflect the importance of maintaining operation for heat removal.

SURVEILLANCE SR 3.4.7.1 REQUIREMENTS This SR requires verification that the required loop is in operation. Verification may include flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.7.2

Verifying that at least two SGs are OPERABLE by ensuring their secondary side narrow range water levels are above the highest point of the SG U-tubes ensures an alternate decay heat removal method in the event that the second RHR loop is not OPERABLE. To assure that the SG is capable of functioning as a heat sink for the removal of decay heat, the U-tubes must be completely submerged, which is achieved if the SG level criteria are satisfied. Plant procedures provide the minimum indicated levels for the range of the SG operating conditions required to satisfy this SR. If both RHR loops are OPERABLE, this Surveillance is not needed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.7.3

Verification that a second RHR pump is OPERABLE ensures that an additional pump can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation.

>

RCS Loops-MODE 5, Loops Not Filled B 3.4.8 (continued)

Vogtle Units 1 and 2 B 3.4.8-4 REVISION 14 BASES ACTIONS B.1 and B.2 (continued)

If no required RHR loops are OPERABLE or in operation, except during conditions permitted by Note 1, all operations involving a reduction of RCS boron concentration must be suspended and action must be initiated immediately to restore an RHR loop to OPERABLE status and operation. The immediate Completion Time reflects the importance of maintaining operation for heat removal. The action to restore must continue until one loop is restored to OPERABLE status and operation.

C.1 If the valve(s) required to be closed are discovered to be open (except as provided by Note 3 to the LCO), action must be initiated immediately to secure the open valve(s) in the closed position in order to preclude an uncontrolled boron dilution transient.

SURVEILLANCE SR 3.4.8.1 REQUIREMENTS This SR requires verification that one loop is in operation. Verification may include flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.8.2

Verification that the required number of pumps are OPERABLE ensures that additional pumps can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation.

Verification is performed by verifying proper breaker alignment and power available to the required pumps. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Pressurizer B 3.4.9 (continued)

Vogtle Units 1 and 2 B 3.4.9-3 Rev. 1-11/98 BASES LCO groups of pressurizer heaters onto the non-Class 1E emergency buses. (continued) These non-Class 1E emergency buses are in turn fed from the Class 1E 4160-V buses which can in turn be supplied from the emergency diesel generators or offsite power sources. The minimum heater capacity required is sufficient to maintain the RCS near normal operating pressure when accounting for heat losses through the pressurizer insulation. By maintaining the pressure near the operating conditions, a wide margin to subcooling can be obtained in the loops.

APPLICABILITY The need for pressure control is most pertinent when core heat can cause the greatest effect on RCS temperature, resulting in the greatest effect on pressurizer level and RCS pressure control. Thus, applicability has been designated for MODES 1 and 2. The applicability is also provided for MODE 3. The purpose is to prevent solid water RCS operation during heatup and cooldown to avoid rapid pressure rises caused by normal operational perturbation, such as reactor coolant pump startup.

In MODES 1, 2, and 3, there is the need to maintain the availability of pressurizer heaters, capable of being powered from an emergency power supply. In the event of a loss of offsite power, the initial conditions of these MODES give the greatest demand for maintaining the RCS in a hot pressurized condition with loop subcooling for an extended period. For MODE 4, 5, or 6, it is not necessary to control pressure (by heaters) to ensure loop subcooling for heat transfer when the Residual Heat Removal (RHR) System is in service, and therefore, the LCO is not applicable.

ACTIONS A.1 and A.2

Pressurizer water level control malfunctions or other plant evolutions may result in a pressurizer water level above the nominal upper limit, even with the plant at steady state conditions. Normally the plant will trip in this event since the upper limit of this LCO is the same as the Pressurizer Water Level-High Trip.

If the pressurizer water level is not within the limit, action must be taken to restore the plant to operation within the bounds of the safety analyses. To achieve this status, the unit must be brought to MODE 3, with the reactor trip breakers open, within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. This takes the unit out of the applicable MODES

Pressurizer B 3.4.9 (continued)

Vogtle Units 1 and 2 B 3.4.9-4 REVISION 14 BASES ACTIONS A.1 and A.2 (continued) and restores the unit to operation within the bounds of the safety analyses.

The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

B.1 If one required group of pressurizer heaters is inoperable, restoration is required within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is reasonable considering the anticipation that a demand caused by loss of offsite power would be unlikely in this period. Pressure control may be maintained during this time using normal station powered heaters.

C.1 and C.2 If one group of pressurizer heaters are inoperable and cannot be restored in the allowed Completion Time of Required Action B.1, the plant must be brought to a MODE in which the LCO does not apply.

To achieve this status, the plant must be brought to MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.4.9.1 REQUIREMENTS This SR requires that during steady state operation, pressurizer level is maintained below the nominal upper limit to provide a minimum space for a steam bubble. The Surveillance is performed by observing the indicated level. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Pressurizer B 3.4.9 Vogtle Units 1 and 2 B 3.4.9-5 REVISION 14 BASES SURVEILLANCE SR 3.4.9.2 REQUIREMENTS (continued) The SR is satisfied when the power supplies are demonstrated to be capable of producing the minimum power and the associated pressurizer heaters are verified to be at their design rating. This may be done by testing the power supply output and by performing an electrical check on heater element continuity and resistance. At VEGP, the pressurizer heaters are in use during normal power operation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Chapter 15.

2. NUREG-0737, November 1980.

Pressurizer Safety Valves B 3.4.10 (continued)

Vogtle Units 1 and 2 B 3.4.10-1 Rev. 2-3/05 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.10 Pressurizer Safety Valves

BASES BACKGROUND The pressurizer safety valves provide, in conjunction with the Reactor Protection System, overpressure protection for the RCS. The pressurizer safety valves are of the pop type. The valves are spring loaded and self actuated by direct fluid pressure with backpressure compensation. The safety valves are designed to prevent the system pressure from exceeding the system Safety Limit (SL), 2735 psig, which is 110% of the design pressure.

Because the safety valves are self actuating, they are considered independent components. The relief capacity for each valve, 420,000 lb/hr at a pressurizer pressure of 2560 psig, is based on postulated overpressure transient conditions resulting from a complete loss of steam flow to the turbine with the reactor operating at 102 percent of engineered safeguards design power. The relief rate is stated at a pressure of 2560 psig which is equivalent to the former set pressure of 2485 psig plus 3% for set pressure tolerance and valve accumulation. This event results in the maximum surge rate into the pressurizer, which specifies the minimum relief capacity for the safety valves. The decrease in set pressure to 2460 psig and increase in tolerance does not significantly affect the relief capacity of

the safety valves.

The discharge flow from the pressurizer safety valves is directed to the pressurizer relief tank. This discharge flow is indicated by an increase in temperature downstream of the pressurizer safety valves or increase in the pressurizer relief tank temperature or level.

Overpressure protection is required in MODES 1, 2, 3, 4, 5, and MODE 6 with the reactor vessel head on; however, in MODE 4 with

any RCS cold leg temperature the COPS arming temperature specified in the PTLR, MODE 5, and MODE 6 with the reactor vessel head on, overpressure protection is provided by operating procedures and by meeting the requirements of LCO 3.4.12, "Cold Temperature Overpressure Protection System (COPS)." The upper and lower pressure limits are based on the 2% tolerance requirement assumed in the safety analyses. The lift setting is for the ambient conditions associated with

Pressurizer Safety Valves B 3.4.10 (continued)

Vogtle Units 1 and 2 B 3.4.10-2 Rev. 2-3/05 BASES BACKGROUND MODES 1, 2, 3, and MODE 4 with all RCS cold leg temperatures > (continued) the COPS arming temperature specified in the PTLR. This requires either that the valves be set hot or that a correlation between hot and cold settings be established.

The pressurizer safety valves are part of the primary success path and mitigate the effects of postulated accidents. OPERABILITY of the safety valves ensures that the RCS pressure will be limited to 110% of

design pressure.

The consequences of exceeding the American Society of Mechanical Engineers (ASME) pressure limit (Ref. 1) could include damage to RCS components, increased leakage, or a requirement to perform additional stress analyses prior to resumption of reactor operation.

APPLICABLE All accident and safety analyses in the FSAR (Ref. 2) that require SAFETY ANALYSES safety valve actuation assume operation of three pressurizer safety valves to limit increases in RCS pressure. The overpressure protection analysis (Ref. 3) is also based on operation of three safety valves. Accidents that could result in overpressurization if not

properly terminated include:

a. Uncontrolled rod withdrawal from full power;

b. Loss of reactor coolant flow;

c. Loss of external electrical load;

d. Loss of normal feedwater;

e. Loss of all AC power to station auxiliaries;

f. Locked rotor; and

g. Feedwater line break.

Detailed analyses of the above transients are contained in Reference 2. Safety valve actuation is required in events c, e, and f (above) to limit the pressure increase. Compliance with this LCO is consistent with the design bases and accident analyses assumptions.

Pressurizer Safety Valves B 3.4.10 (continued)

Vogtle Units 1 and 2 B 3.4.10-3 Rev. 3-3/05 BASES (continued)

LCO Pressurizer safety valves satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

The three pressurizer safety valves are set to open at an RCS pressure of 2460 psig, and within the specified tolerance, to avoid exceeding the maximum design pressure SL, and to maintain accident analyses assumptions. The upper and lower pressure tolerance limits are based on the 2% tolerance requirements assumed in the safety analyses.

The limit protected by this Specification is the reactor coolant pressure boundary (RCPB) SL of 110% of design pressure.

APPLICABILITY In MODES 1, 2, 3, and MODE 4 with all RCS cold leg temperatures > the COPS arming temperature specified in the PTLR, OPERABILITY of three valves is required because the combined capacity is required to keep reactor coolant pressure below 110% of its design value during certain accidents. MODE 3 is conservatively included, although the listed accidents may not require the safety valves for protection.

The LCO is not applicable in MODE 4 with any RCS cold leg temperature the COPS arming temperature specified in the PTLR, MODE 5, or MODE 6 (with the reactor vessel head on) because the cold overpressure protection system is in service. Overpressure protection is not required in MODE 6 with reactor vessel head removed. The Note allows entry into MODE 3 and MODE 4 with all RCS cold leg temperatures > the COPS arming temperature specified in the PTLR with the lift settings outside the LCO limits. This permits testing and examination of the safety valves at high pressure and temperature near their normal operating range, but only after the valves have had a preliminary cold setting. The cold setting gives assurance that the valves are OPERABLE near their design condition.

Only one valve at a time will be removed from service for testing. The 54 hour6.25e-4 days <br />0.015 hours <br />8.928571e-5 weeks <br />2.0547e-5 months <br /> exception is based on 18 hour2.083333e-4 days <br />0.005 hours <br />2.97619e-5 weeks <br />6.849e-6 months <br /> outage time for each of the three valves. The 18 hour2.083333e-4 days <br />0.005 hours <br />2.97619e-5 weeks <br />6.849e-6 months <br /> period is derived from operating experience that hot testing can be performed in this timeframe.

Pressurizer PORVs B 3.4.11 Vogtle Units 1 and 2 B 3.4.11-4 Rev. 2 - 6/05 BASES APPLICABILITY requirements in MODES 4, 5, and 6 with the reactor vessel head in place. (continued)

ACTIONS A Note has been added to clarify that all pressurizer PORVs are treated as separate entities, each with separate Completion Times (i.e., the Completion Time is on a component basis).

A.1 PORVs may be inoperable and capable of being manually cycled (e.g., excessive seat leakage, instrumentation problems, or other causes that do not create a possibility for a small break LOCA). In this condition, either the PORVs must be restored or the flow path isolated within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. The associated block valve is required to be closed, but power must be maintained to the associated block valve, since removal of power would render the block valve inoperable. The PORVs may be considered OPERABLE in either the manual or automatic mode. This permits operation of the plant until the next refueling outage (MODE 6) so that maintenance can be performed on the PORVs to eliminate the problem condition.

Quick access to the PORV for pressure control can be made when power remains on the closed block valve. The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is based on plant operating experience that has shown that minor problems can be corrected or closure accomplished in this time period.

B.1, B.2, and B.3

If one PORV is inoperable and not capable of being manually cycled, it must be either restored or isolated by closing the associated block valve and removing the power to the associated block valve. The Completion Times of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> are reasonable, based on challenges to the PORVs during this time period, and provide the operator adequate time to correct the situation. If the inoperable valve cannot be restored to OPERABLE status, it must be isolated within the specified time. Because there is at least one PORV that remains OPERABLE, an additional 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is provided to restore the inoperable PORV to

(continued)

Pressurizer PORVs B 3.4.11 Vogtle Units 1 and 2 B 3.4.11-7 REVISION 14 BASES ACTIONS G.1 and G.2 (continued)

conditions from full power conditions in an orderly manner and without challenging plant systems. In MODES 4, 5, and 6, maintaining PORV OPERABILITY may be required. See LCO 3.4.12.

SURVEILLANCE SR 3.4.11.1 REQUIREMENTS Block valve cycling verifies that the valve(s) can be closed if needed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The Note modifies this SR by stating that it is not required to be performed with the block valve closed, in accordance with the Required Actions of Conditions A, B, or E.

SR 3.4.11.2

SR 3.4.11.2 requires a complete cycle of each PORV. Operating a PORV through one complete cycle ensures that the PORV can be manually actuated for mitigation of an SGTR. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. Regulatory Guide 1.32, February 1977.

COPS B 3.4.12 (continued)

Vogtle Units 1 and 2 B 3.4.12-1 Rev. 1-3/05 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.12 Cold Overpressure Protection Systems (COPS)

BASES BACKGROUND The COPS controls RCS pressure at low temperatures so the integrity of the reactor coolant pressure boundary (RCPB) is not compromised by violating the pressure and temperature (P/T) limits of 10 CFR 50, Appendix G (Ref. 1). The reactor vessel is the limiting RCPB component for demonstrating such protection. The PTLR provides the maximum allowable actuation logic setpoints for the power operated relief valves (PORVs) and the maximum RCS pressure for the existing RCS cold leg temperature during cooldown, shutdown, and heatup to meet the Reference 1 requirements during the COPS MODES or other specified condition in the COPS Applicability.

The reactor vessel material is less tough at low temperatures than at normal operating temperature. As the vessel neutron exposure accumulates, the material toughness decreases and becomes less resistant to pressure stress at low temperatures (Ref. 2). RCS pressure, therefore, is maintained low at low temperatures and is increased only as temperature is increased.

The potential for vessel overpressurization is most acute when the RCS is water solid, occurring only while shutdown; a pressure fluctuation can occur more quickly than an operator can react to relieve the condition. Exceeding the RCS P/T limits by a significant amount could cause brittle cracking of the reactor vessel. LCO 3.4.3, "RCS Pressure and Temperature (P/T) Limits," requires administrative control of RCS pressure and temperature during heatup and cooldown to prevent exceeding the PTLR limits.

This LCO provides RCS overpressure protection by having a minimum coolant input capability and having adequate pressure relief capacity. Limiting coolant input capability requires both safety injection pumps to be incapable of injection into the RCS and the accumulators to be isolated. The pressure relief capacity requires either two redundant RCS relief valves or a depressurized RCS and an RCS vent of sufficient size. One RCS relief valve or the open RCS vent is the overpressure protection device that acts to terminate an increasing pressure event.

COPS B 3.4.12 (continued)

Vogtle Units 1 and 2 B 3.4.12-2 Revision No. 0 BASES BACKGROUND With minimum coolant input capability, the ability to provide core (continued) coolant addition is restricted. The LCO does not require the makeup control system deactivated or the safety injection (SI) actuation circuits blocked. Due to the lower pressures in the COPS MODES and the expected core decay heat levels, the makeup system can provide adequate flow via the makeup control valve. If conditions require the use of the safety injection pumps for makeup in the event of loss of inventory, then pumps can be made available through

manual actions.

The COPS for pressure relief consists of two PORVs with reduced lift settings, or two residual heat removal (RHR) suction relief valves, or one PORV and one RHR suction relief valve, or a depressurized RCS and an RCS vent of sufficient size. Two RCS relief valves are required for redundancy. One RCS relief valve has adequate relieving capability to prevent overpressurization for the required coolant input capability.

PORV Requirements

As designed for the COPS, each PORV is signaled to open if the RCS pressure approaches a limit determined by the COPS actuation logic.

The COPS actuation logic monitors both RCS temperature and RCS pressure and determines when a condition not acceptable with respect to the PTLR limits is approached. The wide range RCS temperature indications are auctioneered to select the lowest

temperature signal.

The lowest temperature signal is processed through a function generator that calculates a pressure limit for that temperature. The calculated pressure limit is then compared with the indicated RCS pressure from a wide range pressure channel. If the indicated

pressure meets or exceeds the calculated value, a PORV is signaled

to open. The PTLR presents the PORV setpoints for the COPS. The setpoints are normally staggered so only one valve opens during a low temperature overpressure transient. Having the setpoints of both valves within the limits in the PTLR ensures that the Reference 1 limits will not be exceeded in any analyzed event.

COPS B 3.4.12 (continued)

Vogtle Units 1 and 2 B 3.4.12-3 Rev. 1-3/05 BASES BACKGROUND PORV Requirements (continued)

When a PORV is opened in an increasing pressure transient, the release of coolant will cause the pressure increase to slow and reverse. As the PORV releases coolant, the RCS pressure decreases until a reset pressure is reached and the valve is signaled to close.

The pressure continues to decrease below the reset pressure as the

valve closes.

RHR Suction Relief Valve Requirements

During the COPS MODES or other specified condition in the COPS Applicability, the RHR System is operated for decay heat removal and low pressure letdown control. Therefore, the RHR suction isolation valves are open in the piping from the RCS hot legs to the inlets of the RHR pumps. While these valves are open and the RHR suction

valves are open, the RHR suction relief valves are exposed to the RCS and are able to relieve pressure transients in the RCS.

The RHR suction isolation valves and the RHR suction valves must be open to make the RHR suction relief valves OPERABLE for RCS overpressure mitigation. The RHR suction relief valves are self-actuated water relief valves with pressure tolerances and accumulation limits established by Section III of the American Society of Mechanical Engineers (ASME) Code (Ref. 3) for Class 2 relief valves.

RCS Vent Requirements Once the RCS is depressurized, a vent exposed to the containment atmosphere will maintain the RCS at containment ambient pressure in an RCS overpressure transient, if the relieving requirements of the transient do not exceed the capabilities of the vent. Thus, the vent path must be capable of relieving the flow resulting from the limiting COPS mass or heat input transient, and maintaining pressure below the P/T limits. The required vent capacity may be provided by one or more vent paths.

COPS B 3.4.12 (continued)

Vogtle Units 1 and 2 B 3.4.12-4 Rev. 1-3/05 BASES (continued)

APPLICABLE Safety analyses (Ref. 4) demonstrate that the reactor vessel SAFETY ANALYSES is adequately protected against exceeding the Reference 1 P/T limits. In MODES 1, 2, 3, and MODE 4 with all RCS cold leg temperatures >

the COPS arming temperature specified in the PTLR, the pressurizer safety valves will prevent RCS pressure from exceeding the Reference 1 limits. In MODE 4 with any RCS cold leg temperature the COPS arming temperature specified in the PTLR and below, overpressure prevention falls to two OPERABLE RCS relief valves or to a depressurized RCS and a sufficient sized RCS vent. Each of these means has a limited overpressure relief capability.

The actual temperature at which the pressure in the P/T limit curve falls below the pressurizer safety valve setpoint increases as the reactor vessel material toughness decreases due to neutron embrittlement. Each time the PTLR curves are revised, the COPS must be re-evaluated to ensure its functional requirements can still be met using the RCS relief valve method or the depressurized and

vented RCS condition.

The PTLR contains the acceptance limits that define the COPS requirements. Any change to the RCS must be evaluated against the Reference 4 analyses to determine the impact of the change on the

COPS acceptance limits.

Transients that are capable of overpressurizing the RCS are categorized as either mass or heat input transients, as discussed

below.

Mass Input Type Transients

a. Inadvertent safety injection; or

b. Charging/letdown flow mismatch.

Heat Input Type Transients

a. Reactor coolant pump (RCP) startup with temperature asymmetry between the RCS and steam generators.

COPS B 3.4.12 (continued)

Vogtle Units 1 and 2 B 3.4.12-5 Rev. 1-3/05 BASES APPLICABLE SAFETY ANALYSES (continued) The following are required during the COPS MODES or other specified condition in the COPS Applicability to ensure that mass and heat input transients do not occur, which either of the COPS overpressure protection means cannot handle:

a. Rendering both safety injection pumps incapable of injection;

b. Deactivating the accumulator discharge isolation valves in their closed positions; and

c. Disallowing the start of an RCP if the secondary temperature is more than 50F above the RCS cold leg temperature in any one loop. With the RHR suction isolation valves open, this value is reduced to 25F at an RCS temperature of 350 F and varies linearly to 50F at an RCS temperature of 200F for RHR design pressure considerations. LCO 3.4.6, "RCS Loops-MODE 4," and LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled," contain notes on this limitation that provide this protection.

The Reference 4 analyses demonstrate that either one RCS relief valve or the depressurized RCS and RCS vent can maintain RCS pressure below limits when both centrifugal charging pumps are actuated. Thus, the LCO requires both safety injection pumps to be incapable of injecting into the RCS during the COPS MODES or other specified condition in the COPS Applicability.

Since neither one RCS relief valve nor the RCS vent can handle the pressure transient caused by accumulator injection when RCS temperature is low, the LCO also requires accumulator isolation when accumulator pressure is greater than or equal to the maximum RCS pressure for the existing RCS cold leg temperature allowed in the PTLR. The isolated accumulators must have their discharge valves closed and the valve power supply breakers fixed in their open

positions.

PORV Performance

The fracture mechanics analyses show that the vessel is protected when the PORVs are set to open at or below the limits shown in the PTLR.

The setpoints are derived by analyses that model the performance of the COPS, assuming

COPS B 3.4.12 (continued)

Vogtle Units 1 and 2 B 3.4.12-6 Rev. 2-3/05 BASES APPLICABLE PORV Performance (continued) SAFETY ANALYSES the mass injection transient of two centrifugal charging pumps and the positive displacement pump injecting into the RCS, and the heat injection transient of starting an RCP with the RCS 50 F colder than the secondary coolant. These analyses consider pressure overshoot and undershoot beyond the PORV opening and closing, resulting from signal processing and valve stroke times. The PORV setpoints at or below the derived limit ensure the Reference 1 P/T limits will be met.

---

NOTE----------------------------------------

Although the positive displacement pump (PDP) was replaced with the normal charging pump (NCP), the current mass injection transient analysis assumes two centrifugal charging pumps and the positive displacement pump. Westinghouse performed an evaluation of the effect of replacing the PDP with the NCP and obtained acceptable results without reanalysis of the mass injection transient. Reference Westinghouse letter, GP-16838 from J. L. Tain to J. B. Beasley, Jr.,

dated August 13, 1998, COPS PORV Setpoint for New Charging Pump. ---------------------------------------------------------------------------------------------

The PORV setpoints in the PTLR will be updated when the revised P/T limits conflict with the COPS analysis limits. The P/T limits are periodically modified as the reactor vessel material toughness decreases due to neutron embrittlement caused by neutron irradiation. Revised limits are determined using neutron fluence projections and the results of examinations of the reactor vessel material irradiation surveillance specimens. The Bases for LCO 3.4.3, "RCS Pressure and Temperature (P/T) Limits," discuss these examinations.

The PORVs are considered active components. Thus, the failure of one PORV is assumed to represent the worst case, single active

failure.

RHR Suction Relief Valve Performance

The RHR suction relief valves do not have variable pressure and temperature lift setpoints like the PORVs. Analyses show that one

RHR suction relief valve with a setpoint at or between 440 psig and 460 psig (Ref. 9) will pass flow greater than that required for the limiting COPS transient while maintaining RCS pressure less than the

P/T limit curve.

COPS B 3.4.12 (continued)

Vogtle Units 1 and 2 B 3.4.12-7 Rev. 3-3/05 BASES APPLICABLE RHR Suction Relief Valve Performance (continued) SAFETY ANALYSES As the RCS P/T limits are decreased to reflect the loss of toughness in the reactor vessel materials due to neutron embrittlement, the RHR suction relief valves must be analyzed to still accommodate the design basis transients for COPS.

The RHR suction relief valves are considered active components. Thus, the failure of one valve is assumed to represent the worst case single active failure.

RCS Vent Performance With the RCS depressurized, analyses show a vent size of 1.5 square inches (based on an equivalent length of 10 feet of pipe, i.e., a vent capable of relieving 685 gpm waterflow at 722 psig) is capable of mitigating the allowed COPS overpressure transient. The capacity of a vent this size is greater than the flow of the limiting transient for the COPS configuration, with both safety injection pumps incapable of injecting into the RCS, maintaining RCS pressure less than the maximum pressure on the P/T limit curve.

The RCS vent size will be re-evaluated for compliance each time the P/T limit curves are revised based on the results of the vessel material surveillance.

The RCS vent is passive and is not subject to active failure.

The COPS satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO This LCO requires that the COPS is OPERABLE. The COPS is OPERABLE when the minimum coolant input and pressure relief capabilities are OPERABLE. Violation of this LCO could lead to the loss of low temperature overpressure mitigation and violation of the Reference 1 limits as a result of an operational transient.

To limit the coolant input capability, the LCO requires both safety injection pumps to be incapable of injecting into the RCS and all accumulator discharge isolation valves closed and immobilized when accumulator pressure is greater than or equal to the maximum RCS pressure for the existing RCS cold leg temperature allowed in the PTLR.

COPS B 3.4.12 (continued)

Vogtle Units 1 and 2 B 3.4.12-8 Rev. 2-3/05 BASES LCO The elements of the LCO that provide low temperature (continued) overpressure mitigation through pressure relief are:

a. Two RCS relief valves, as follows:

1. Two OPERABLE PORVs; or A PORV is OPERABLE for the COPS when its block valve is open, its lift setpoint is set to the limit required by the PTLR and testing proves its ability to open at this setpoint, and motive power is available to the two valves and their control circuits. The PORVs (PV-455A and PV-456A) are powered from 125 V MCCs 1/2AD1M and 1/2BD1M, respectively. The PORVs are to be considered OPERABLE whenever these MCCs are available to supply

power. 2. Two OPERABLE RHR suction relief valves; or An RHR suction relief valve is OPERABLE for the COPS when its RHR suction isolation valve and its RHR suction valve are open, its setpoint is at or between 440 psig and 460 psig, and testing has proven its ability to open at this setpoint.

3. One OPERABLE PORV and one OPERABLE RHR suction relief valve; or

b. A depressurized RCS and an RCS vent.

An RCS vent is OPERABLE when open with an area of 1.5 square inches (based on an equivalent length of 10 feet of pipe, i.e., capable of relieving 685 gpm at 722 psig).

Each of these methods of overpressure prevention is capable of mitigating the limiting COPS transient.

APPLICABILITY This LCO is applicable in MODE 4 with any RCS cold leg temperature the COPS arming temperature specified in the PTLR, in MODE 5, and in MODE 6 when the reactor vessel head is on. The pressurizer safety valves provide overpressure protection that meets the Reference 1 P/T limits in MODES 1, 2, 3, and MODE 4 with all RCS cold leg temperatures > the COPS arming temperature specified in the PTLR. When the reactor vessel head is off, overpressurization cannot occur.

LCO 3.4.3 provides the operational P/T limits for all MODES. LCO 3.4.10, "Pressurizer Safety Valves," requires the COPS B 3.4.12 (continued)

Vogtle Units 1 and 2 B 3.4.12-9 Rev. 3-6/05 BASES APPLICABILITY OPERABILITY of the pressurizer safety valves that provide (continued) overpressure protection during MODES 1, 2, 3, and MODE 4 with all RCS cold leg temperatures > the COPS arming temperature specified in the PTLR.

Low temperature overpressure prevention is most critical during shutdown when the RCS is water solid, and a mass or heat input transient can cause a very rapid increase in RCS pressure when little or no time allows operator action to mitigate the event.

The Applicability is modified by a Note stating that accumulator isolation is only required when the accumulator pressure is more than or at the maximum RCS pressure for the existing temperature, as allowed by the P/T limit curves. This Note permits the accumulator discharge isolation valve Surveillance to be performed only under these pressure and temperature conditions.

ACTIONS A Note modifies the ACTIONS table. The Note prohibits the application of LCO 3.0.4b for entry into MODE 4 as well as entry into MODE 6 with the vessel head on from MODE 6 and MODE 5 from MODE 6 with the vessel head on. There is an increased risk associated with entering MODE 4 from MODE 5, MODE 6 with the reactor vessel head on from MODE 6, and MODE 5 from MODE 6 with the reactor vessel head on with COPS inoperable. The provisions of LCO 3.0.4b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in these circumstances.

COPS B 3.4.12 (continued)

Vogtle Units 1 and 2 B 3.4.12-10 Rev. 2-3/05 BASES ACTIONS A.1 (continued)

With one or more safety injection pumps capable of injecting into the RCS, RCS overpressurization is possible.

Rendering the safety injection pumps incapable of injecting into the RCS within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> to restore restricted coolant input capability to the RCS reflects the urgency of removing the RCS from this condition.

B.1, C.1, and C.2

An unisolated accumulator requires isolation within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. This is only required when the accumulator pressure is at or more than the maximum RCS pressure for the existing temperature allowed by the P/T limit curves.

If isolation is needed and cannot be accomplished in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, Required Action C.1 and Required Action C.2 provide two options, either of which must be performed in the next 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. By increasing the RCS temperature to > the COPS arming temperature specified in the PTLR, an accumulator pressure of 678 psig cannot exceed the COPS limits if the accumulators are fully injected. Depressurizing the accumulators below the COPS limit from the PTLR also gives this

protection.

The Completion Times are based on operating experience that these activities can be accomplished in these time periods and that the likelihood that an event requiring COPS during this time is small.

D.1 In MODE 4 with any RCS cold leg temperature the COPS arming temperature specified in the PTLR, with one required RCS relief valve inoperable, the RCS relief valve must be restored to OPERABLE status within a Completion Time of 7 days. Two RCS relief valves in any combination of the PORVS and the RHR suction relief valves are required to provide low temperature overpressure mitigation while withstanding a single failure of an active component.

The Completion Time considers the facts that only one of the RCS relief valves is required to mitigate an overpressure transient and that the likelihood of an active failure of the remaining valve path during this time period is very low.

COPS B 3.4.12 (continued)

Vogtle Units 1 and 2 B 3.4.12-12 REVISION 14 BASES (continued)

SURVEILLANCE SR 3.4.12.1 and SR 3.4.12.2 REQUIREMENTS To minimize the potential for a low temperature overpressure event by limiting the mass input capability, both safety injection pumps are verified incapable of injecting into the RCS, and the accumulator discharge isolation valves are verified closed and locked out.

The safety injection pumps are rendered incapable of injecting into the RCS through at least two independent means such that a single failure or single action will not result in an injection into the RCS.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.12.3 Each required RHR suction relief valve shall be demonstrated OPERABLE by verifying its RHR suction isolation valves are open and by testing it in accordance with the Inservice Testing Program.

This Surveillance is only required to be performed if the RHR suction relief valve is being used to meet this LCO. For Train A, the RHR suction relief valve is PSV-8708A and the suction isolation valves are HV-8701A and B. For Train B, the RHR suction relief valve is PSV-8708B and the suction isolation valves are HV-8702A and B.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The RHR suction valves are verified to be opened.

The ASME Code,Section XI (Ref. 8), test per Inservice Testing Program verifies OPERABILITY by proving proper relief valve mechanical motion and by measuring and, if required, adjusting the lift setpoint.

SR 3.4.12.4 The RCS vent of 1.5 square inches (based on an equivalent length of 10 feet of pipe) is proven OPERABLE by verifying its open condition.

COPS B 3.4.12 (continued)

Vogtle Units 1 and 2 B 3.4.12-13 REVISION 14 BASES SURVEILLANCE SR 3.4.12.4 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The passive vent arrangement must only be open to be OPERABLE. This Surveillance is required to be pe rformed if the vent is being used to satisfy the pressure relief requirements of the LCO 3.4.12 b.

SR 3.4.12.5

The PORV block valve must be verified open to provide the flow path for each required PORV to perform its function when actuated. The valve must be remotely verified open in the main control room. This Surveillance is performed if the PORV satisfies the LCO.

The block valve is a remotely controlled, motor operated valve. The power to the valve operator is not required to be removed, and the manual operator is not required to be locked in the inactive position.

Thus, the block valve can be closed in the event the PORV develops excessive leakage or does not close (sticks open) after relieving an overpressure situation.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.12.6 Performance of a COT is required within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after decreasing RCS temperature to the COPS arming temperature specified in the PTLR on each required PORV to verify and, as necessary, adjust its lift setpoint. The COT will verify the setpoint is within the allowed maximum limits in the PTLR. PORV actuation could depressurize the RCS and is not required.

A Note has been added indicating that this SR is required to be performed 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after decreasing RCS cold leg temperature to the COPS arming temperature specified in the PTLR. The 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> considers the unlikelihood of a low temperature overpressure event during this time. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

RCS Operational LEAKAGE B 3.4.13 (continued)

Vogtle Units 1 and 2 B 3.4.13-1 Revision No. 0 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.13 RCS Operational LEAKAGE

BASES BACKGROUND Components that contain or transport the coolant to or from the reactor core make up the RCS. Component joints are made by welding, bolting, rolling, or pressure loading, and valves isolate connecting systems from the RCS.

During plant life, the joint and valve interfaces can allow varying amounts of reactor coolant LEAKAGE, through either normal operational wear or mechanical deterioration. The purpose of the RCS Operational LEAKAGE LCO is to limit system operation in the presence of LEAKAGE from these sources to amounts that do not compromise safety. This LCO specifies the types and amounts of LEAKAGE.

10 CFR 50, Appendix A, GDC 30 (Ref. 1), requires means for detecting and, to the extent practical, identifying the source of reactor coolant LEAKAGE. Regulatory Guide 1.45 (Ref. 2) describes acceptable methods for selecting leakage detection systems.

The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring reactor coolant LEAKAGE into the containment area is necessary.

Quickly separating the identified LEAKAGE from the unidentified LEAKAGE is necessary to provide quantitative information to the operators, allowing them to take corrective action should a leak occur that is detrimental to the safety of the facility and the public.

A limited amount of leakage inside containment is expected from auxiliary systems that cannot be made 100% leaktight. Leakage from these systems should be detected, located, and isolated from the containment atmosphere, if possible, to not interfere with RCS leakage detection.

This LCO deals with protection of the reactor coolant pressure boundary (RCPB) from degradation and the core from inadequate cooling, in addition to preventing the accident analyses radiation release assumptions from being exceeded. The consequences of violating this LCO include the possibility of a loss of coolant accident (LOCA).

RCS Operational LEAKAGE B 3.4.13 (continued)

Vogtle Units 1 and 2 B 3.4.13-2 Rev. 2-9/06 BASES (continued)

APPLICABLE Except for primary to secondary LEAKAGE, the safety analyses SAFETY ANALYSES do not address operational LEAKAGE. However, other operational LEAKAGE is related to the safety analyses for LOCA; the amount of leakage can affect the probability of such an event. The safety analyses for an event resulting in steam discharge to the atmosphere assumes that primary to secondary LEAKAGE from all steam generators (SGs) is one gallon per minute or increases to one gallon per minute as a result of accident induced conditions. The LCO requirement to limit primary to secondary LEAKAGE through any one SG to less than or equal to 150 gallons per day is significantly less than the conditions assumed in the safety analysis.

The RCS operational LEAKAGE satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO RCS operational LEAKAGE shall be limited to:

a. Pressure Boundary LEAKAGE

No pressure boundary LEAKAGE is allowed, being indicative of an off-normal condition. LEAKAGE of this type is unacceptable as the leak itself could cause further deterioration, resulting in higher LEAKAGE. Violation of this LCO could result in continued degradation of the RCPB. LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE.

b. Unidentified LEAKAGE

One gallon per minute (gpm) of unidentified LEAKAGE is allowed as a reasonable minimum detectable amount that the containment air monitoring and containment sump level monitoring equipment can detect within a reasonable time period. Violation of this LCO could result in continued degradation of the RCPB, if the LEAKAGE is from the pressure boundary.

c. Identified LEAKAGE

Up to 10 gpm of identified LEAKAGE is considered allowable because LEAKAGE is from known sources that do not interfere with detection of unidentified LEAKAGE and is well within the capability of the RCS Makeup System. Identified LEAKAGE includes LEAKAGE to the containment from specifically known and located sources, but does not include pressure boundary

RCS Operational LEAKAGE B 3.4.13 (continued)

Vogtle Units 1 and 2 B 3.4.13-3 Rev. 1-9/06 BASES LCO c. Identified LEAKAGE (continued)

LEAKAGE or controlled reactor coolant pump (RCP) seal leakoff (a normal function not considered LEAKAGE). Violation of this LCO could result in continued degradation of a component or system. d. Primary to Secondary LEAKAGE through Any One SG The limit of 150 gallons per day per SG is based on the operational LEAKAGE performance criterion in NEI 97-06, Steam Generator Program Guidelines (Ref. 4). The Steam Generator Program operational LEAKAGE performance criterion in NEI 97-06 states, "The RCS operational primary to secondary leakage through any one SG shall be limited to 150 gallons per day." The limit is based on operating experience with SG tube degradation mechanisms that result in tube leakage. The operational leakage rate criterion in conjunction with the implementation of the Steam Generator Program is an effective measure for minimizing the frequency of steam generator tube ruptures.

APPLICABILITY In MODES 1, 2, 3, and 4, the potential for RCPB LEAKAGE is greatest when the RCS is pressurized.

In MODES 5 and 6, LEAKAGE limits are not required because the reactor coolant pressure is far lower, resulting in lower stresses and reduced potentials for LEAKAGE.

LCO 3.4.14, "RCS Pressure Isolation Valve (PIV) Leakage," measures leakage through each individual PIV and can impact this LCO. Of the two PIVs in series in each isolated line, leakage measured through one PIV does not result in RCS LEAKAGE when the other is leak tight. If both valves leak and result in a loss of mass from the RCS, the loss must be included in the allowable identified LEAKAGE.

RCS PIV Leakage B 3.4.14 (continued)

Vogtle Units 1 and 2 B 3.4.14-2 REVISION 26 BASES BACKGROUND PIVs are provided to isolate the RCS from the following (continued) typically connected systems:

a. Residual Heat Removal (RHR) System;

b. Safety Injection System; and

c. Chemical and Volume Control System.

The PIVs are listed in the FSAR, Section 5.4 (Ref. 6).

Violation of this LCO could result in continued degradation of a PIV, which could lead to overpressurization of a low pressure system and the loss of the integrity of a fission product barrier.

APPLICABLE Reference 4 identified potential intersystem LOCAs as a SAFETY ANALYSES significant contributor to the risk of core melt. The dominant accident sequence in the intersystem LOCA category is the failure of the low pressure portion of the RHR System outside of containment. The accident is the result of a postulated failure of the PIVs, which are part of the RCPB, and the subsequent pressurization of the RHR System downstream of the PIVs from the RCS. Because the low pressure portion of the RHR System is typically designed for 600 psig, overpressurization failure of the RHR low pressure line would result in a LOCA outside containment and subsequent risk of core melt.

Reference 5 evaluated various PIV configurations, leakage testing of the valves, and operational changes to determine the effect on the probability of intersystem LOCAs. This study concluded that periodic leakage testing of the PIVs can substantially reduce the probability of an intersystem LOCA.

RCS PIV leakage satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO RCS PIV leakage is identified LEAKAGE into closed systems connected to the RCS. Isolation valve leakage is usually on

RCS PIV Leakage B 3.4.14 Vogtle Units 1 and 2 B 3.4.14-8 Revision No. 0 BASES REFERENCES 8. 10 CFR 50.55a(g).

(continued)

9. WCAP-11269, Rev. 1, Westinghouse Setpoint Methodology for Protection Systems.

RCS Leakage Detection Instrumentation B 3.4.15 (continued)

Vogtle Units 1 and 2 B 3.4.15-1 REVISION 19 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.15 RCS Leakage Detection Instrumentation

BASES BACKGROUND GDC 30 of Appendix A to 10 CFR 50 (Ref. 1) requires means for detecting and, to the extent practical, identifying the location of the source of RCS LEAKAGE. Regulatory Guide 1.45, Revision 0 (Ref. 2) describes acceptable methods for selecting leakage detection systems. Leakage detection systems must have the capability to detect significant reactor coolant pressure boundary (RCPB) degradation as soon after occurrence as practical to minimize the potential for propagation to a gross failure. Thus, an early indication or warning signal is necessary to permit proper evaluation of all unidentified LEAKAGE. In addition to meeting the OPERABILITY requirements, the monitors are typically set to provide the most sensitive response without causing an excessive number of spurious alarms.

Systems employed for detecting leakage to the containment from unidentified sources are:

• Containment atmosphere airborne particulate radioactivity monitor;

• Containment atmosphere gaseous radioactivity monitor;

• Containment air cooler condensate flow monitor; and

• Containment sump level monitor.

The containment airborne particulate radioactivity monitor draws an air sample from containment via a sample pump. The sample is then passed through a particulate filter with detectors. Particulate activity can be correlated with the coolant fission and corrosion product activities.

RCS Leakage Detection Instrumentation B 3.4.15 (continued)

Vogtle Units 1 and 2 B 3.4.15-2 REVISION 19 BASES BACKGROUND The containment atmosphere gaseous radioactivity monitor draws air (continued) continuously from the containment atmosphere through a gas monitor. This sample stream flows continuously through a fix shielded volume where its activity is monitored. Gaseous radioactivity can be correlated with the gaseous activity of the reactor coolant.

The containment air cooler condensate monitoring system permits measurement of the liquid runoff from the containment cooler units. It consists of a drain collection header, a vertical standpipe, valving, and standpipe level instrumentation for the coolers. The condensation from the containment coolers flows via the collection header to the vertical standpipe, and a differential pressure transmitter provides standpipe level signals. The system provides measurements of low leakages by monitoring standpipe level increase versus time. Drainage flow rate from the cooling units due to normal condensation is calculated for the ambient (background) atmospheric conditions present within the containment. With the initiation of an additional or abnormal leak, the containment atmosphere humidity and condensation runoff rate both begin to increase, the water level rises in the vertical pipe, and the high condensate flow alarm is actuated. The condensate flow rate is a function of containment humidity, nuclear service cooling water (NSCW) temperature, and containment purge rate.

The containment normal or reactor cavity sumps can also be used to detect RCS leakage. Since a leak in the RCS would result in reactor coolant flowing into the containment normal or reactor cavity sumps, leakage would be indicated by a level increase in the sump. The actual reactor coolant leakage rate can be established from the increase above the normal rate of change of sump level. Indication of an increasing sump level is transmitted from the sump to the control room level indicator by means of a sump level transmitter. The system provides measurements of low leakages by monitoring level increase versus time. A check of other instrumentation would be required to eliminate possible leakage from nonradioactive systems as a cause of an increase in sump level.

The above-mentioned LEAKAGE detection systems differ in sensitivity and response time. Some of these systems could serve as early alarm systems signaling the operators that closer examination of other detection systems is necessary to determine the extent of any corrective action that may be required.

RCS Leakage Detection Instrumentation B 3.4.15 (continued)

Vogtle Units 1 and 2 B 3.4.15-3 REVISION 19 BASES APPLICABLE The need to evaluate the severity of an alarm or an indication is SAFETY ANALYSES important to the operators, and the ability to compare and verify with indications from other systems is necessary.

The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring RCS LEAKAGE into the containment area is necessary. Quickly separating the identified LEAKAGE from the unidentified LEAKAGE provides quantitative information to the operators, allowing them to take corrective action should a leak occur detrimental to the safety of the unit and the public.

RCS leakage detection instrumentation satisfies Criterion 1 of 10 CFR 50.36 (c)(2)(ii).

LCO This LCO requires instruments of diverse monitoring principles to be OPERABLE to provide confidence th at small amounts of unidentified LEAKAGE are detected in time to allow actions to place the plant in a safe condition, when RCS LEAKAGE indicates possible RCPB degradation.

The LCO requires three instruments to be OPERABLE.

The containment normal or reactor cavity sumps are used to collect unidentified LEAKAGE. The LCO requirements apply to the total amount of unidentified LEAKAGE colle cted in the containment normal and reactor cavity sumps. Since a leak in the primary system would result in reactor coolant flowing into the containment normal or reactor cavity sumps, leakage would be indicated by a level increase in the sumps. Indication of an increasing sump level is transmitted from the sump to the control room level indicator by means of a sump level transmitter. The system provides measurements of low leakages by monitoring level increase versus time. The leakage rate can also be determined from the frequency of sump pump operation. Under normal conditions, the containment normal and reactor cavity sump pumps operate very infrequently. Gross leakage can be surmised from more frequent pump operation. Sump level and pump running indications are provided in the control room to alert the operators.

The detection capabilities of the containment normal sump and reactor cavity sump are described in Reference 3. The identification of an increase in unidentified LEAKAGE will be delayed by the time required for the unidentified LEAKAGE to travel to the containment normal and reactor cavity sumps and it may take longer than 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to RCS Leakage Detection Instrumentation B 3.4.15 (continued)

Vogtle Units 1 and 2 B 3.4.15-4 REVISION 19 BASES LCO detect a 1 gpm increase in unidentified LEAKAGE, depending on the (continued) origin and magnitude of the LEAKAGE. This sensitivity is acceptable for containment sump monitor OPERABILITY.

The reactor coolant contains radioactivity that, when released to the containment, may be detected by the gaseous or particulate containment atmosphere radioactivity monitor. Only one of the two detectors is required to be OPER ABLE. Radioactivity detection systems are included for monitoring both particulate and gaseous activities because of their sensitivities and rapid responses to RCS LEAKAGE, but have recognized limitations. Reactor coolant radioactivity levels will be low during initial reactor startup, following a refueling outage, and for a few weeks thereafter, until activated corrosion products have been formed and fission products appear from fuel assembly cladding contamination or cladding defects. If there are few fuel assembly cladding defects and low levels of activation products, it may not be possible for the gaseous or particulate containment atmosphere radioactivity monitors to detect a 1 gpm increase within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> during normal operation. However, the gaseous or particulate containment atmosphere radioactivity monitor is OPERABLE when it is capable of detecting a 1 gpm increase in unidentified LEAKAGE within approximately 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> given an RCS activity equivalent to that assumed in the design calculations for the monitors, as described in Reference 3.

An increase in humidity of the containment atmosphere could indicate the release of water vapor to the containment. The containment air cooler condensate flow rate system provides measurements of low leakages by monitoring a standpipe level increase versus time. Condensate flow from the containment air coolers is instrumented to detect when there is an increase above the normal value by 1 gpm. The time required to detect a 1 gpm increase above the normal value varies based on environmental and system conditions and may take longer than 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. This sensitivity is acceptable for containment air cooler condensate flow rate monitor OPERABILITY.

The LCO is satisfied when monitors of diverse measurement means are available. Thus, the containment sump monitors, in combination with a gaseous or particulate radioactivity monitor and/or a containment air cooler condensate flow rate monitor, provides an acceptable minimum.

RCS Leakage Detection Instrumentation B 3.4.15 (continued)

Vogtle Units 1 and 2 B 3.4.15-5 REVISION 19 BASES (continued)

APPLICABILITY Because of elevated RCS temperature and pressure in MODES 1, 2, 3, and 4, RCS leakage detection instrumentation is required to be OPERABLE.

In MODE 5 or 6, the temperature is to be 200°F and pressure is maintained low or at atmospheric pressure. Since the temperatures and pressures are far lower than those for MODES 1, 2, 3, and 4, the likelihood of leakage and crack propagation are much smaller.

Therefore, the requirements of this LCO are not applicable in MODES 5 and 6.

ACTIONS A.1 With one containment sump monitor inoperable, the remaining containment sump monitors, the containment atmosphere radioactivity monitor, and/or the containment air cooler condensate flow rate monitor will provide indications of changes in leakage. Together with these monitors, the periodic surveillance for RCS water inventory balance, SR 3.4.13.1, must be performed at an increased frequency of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to provide information that is adequate to detect leakage.

B.1 and B.2 With two or more containment sump monitors inoperable, no other form of sampling or monitors can provide the equivalent information; however, the containment atmosphere radioactivity and/or containment air cooler condensate flow rate monitors will provide indications of changes in leakage. Together with these remaining monitors, the periodic surveillance for RCS water inventory balance, SR 3.4.13.1, must be performed at an increased frequency of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to provide information that is adequate to detect leakage.

Restoration of at least two sump monitors to OPERABLE status within a Completion Time of 30 days is required to regain most of this function and allow operation to continue under the provisions of Condition A. This Completion Time is acceptable, considering the remaining OPERABLE atmosphere radioactivity and/or condensate flow rate monitors and the Frequency and adequacy of the RCS water inventory balance required by Action B.1.

RCS Leakage Detection Instrumentation B 3.4.15 (continued)

Vogtle Units 1 and 2 B 3.4.15-6 REVISION 19 BASES ACTIONS C.1.1, C.1.2, C.2.1, and C.2.2 (continued) With both gaseous and particulate containment atmosphere radioactivity monitoring instrumentation channels inoperable, alternative action is required. Either grab samples of the containment atmosphere must be taken and analyzed or water inventory balances, in accordance with SR 3.4.13.1, must be performed to provide alternate periodic information.

With a sample obtained and analyzed or water inventory balance performed every 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, the reactor may be operated for up to 30 days to allow restoration of the required containment atmosphere radioactivity monitors. Alternatively, continued operation is allowed if the air cooler condensate flow rate monitoring system is OPERABLE, provided grab samples are taken every 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> interval provides periodic information that is adequate to detect leakage. The 30 day Completion Time recognizes at least one other form of leakage detection is available.

D.1 and D.2

With the required containment air cooler condensate flow rate monitor inoperable, alternative action is again required. Either SR 3.4.15.2 must be performed or water inventory balances, in accordance with

SR 3.4.13.1, must be performed to provide alternate periodic information. Provided a CHANNEL CHECK is performed every 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> or a water inventory balance is performed every 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, reactor operation may continue while awaiting restoration of the containment air cooler condensate flow rate monitor to OPERABLE status.

The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> interval provides periodic information that is adequate to detect RCS LEAKAGE.

E.1 and E.2

With both required containment atmosphere gaseous and particulate radioactivity monitors and the required containment air cooler condensate flow rate monitor inoperable, the only means of detecting leakage is the containment sump monitor. This Condition does not provide the required diverse means of leakage detection. The Required Action is to restore either of the inoperable required

µ

µ

µ

µ

µ

µ

RCS Specific Activity B 3.4.16 Vogtle Units 1 and 2 B 3.4.16-4 Rev. 1 - 6/05 BASES (continued)

ACTIONS A Note permits the use of the provisions of LCO 3.0.4c. This allowance permits entry into the applicable MODE(S) while relying on the ACTIONS.

This allowance is acceptable due to the significant conservatism incorporated into the specific activity limit, the low probability of an event which is limiting due to exceeding this limit, and the ability to restore transient specific activity excursions while the unit remains at or proceeds to power operation.

A.1 and A.2

With the DOSE EQUIVALENT I-131 greater than the LCO limit, samples at intervals of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> must be taken to demonstrate that the limits of Figure 3.4.16-1 are not exceeded. The Completion Time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is required to obtain and analyze a sample. Sampling is done to continue to provide a trend.

The DOSE EQUIVALENT I-131 must be restored to within limits within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />. The Completion Time of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is acceptable because of the low probability of an SGTR acci dent occurring duri ng this period.

B.1 and B.2

With the gross specific activity in excess of the allowed limit, an analysis must be performed within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> to determine DOSE EQUIVALENT I-131. The Completion Time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is required to obtain and analyze a sample.

The change within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> to MODE 3 and RCS average temperature < 500F lowers the saturation pressure of the reactor coolant below the setpoints of the main steam safety valves and prevents venting the SG to the environment in an SGTR event. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 below 500F from full power conditions in an orderly manner and without challenging plant systems.

(continued)

RCS Specific Activity B 3.4.16 (continued)

Vogtle Units 1 and 2 B 3.4.16-5 REVISION 14 BASES ACTIONS C.1 (continued) If a Required Action and the associated Completion Time of Condition A is not met or if the DOSE EQUIVALENT I-131 is in the unacceptable region of Figure 3.4.16-1, the reactor must be brought

to MODE 3 with RCS average temperature < 500

°F within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating

experience, to reach MODE 3 below 500

°F from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.4.16.1 REQUIREMENTS SR 3.4.16.1 requires performing gross specific activity of the reactor coolant. Gross specific activity is basically a quantitative measure of radionuclides with half lives longer than 14 minutes, excluding all

radioiodines. It is the sum of concentrations of individually identified

nuclides, liquid and gaseous, counted within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> after the sample

is taken and extrapolated back to when the sample was taken.

Determination of the contributors to the gross specific activity shall be

based upon those gamma energy peaks identifiable with a 95%

confidence level. The latest available data may be used for pure

beta-emitting radionuclides. This Surveillance provides an indication

of any increase in gross specific activity.

Trending the results of this Surveillance allows proper remedial action to be taken before reaching the LCO limit under normal operating conditions. The Surveillance is applicable in MODES 1 and 2, and in

MODE 3 with Tavg at least 500

°F. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.16.2

This Surveillance is performed in MODE 1 only to ensure iodine remains within limit during normal operation and

following fast power changes when fuel failure is more apt to

occur. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

RCS Specific Activity B 3.4.16 Vogtle Units 1 and 2 B 3.4.16-6 REVISION 14 BASES SURVEILLANCE SR 3.4.16.2 (continued)

REQUIREMENTS The Frequency, between 2 and 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> after a power change 15% RTP within a 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> period, is established because the iodine levels peak during this time following fuel failure; samples at other times would provide inaccurate results.

SR 3.4.16.3

A radiochemical analysis for determination is required with the plant operating in MODE 1 equilibrium conditions. The determination directly relates to the LCO and is required to verify plant operation

within the specified gross activity LCO limit. The analysis for is a measurement of the specific activity for each radionuclide identified in

the reactor coolant with half lives longer than 14 minutes, excluding all

radioiodines. The specific activities for these individual radionuclides

shall be used in the determination of for the reactor coolant sample.

Determination of the contributors to shall be based upon those energy peaks identifiable with a 95% confidence level. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR has been modified by a Note that indicates sampling is required to be performed within 31 days after a minimum of 2 effective

full power days and 20 days of MODE 1 operation have elapsed since

the reactor was last subcritical for at least 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />, if the surveillance

requirement had not been performed within the last 184 days, such as

during a refueling outage. This ensures that the radioactive materials

are at equilibrium so the analysis for is representative and not skewed by a crud burst or other similar abnormal event.

REFERENCES 1. 10 CFR 100.11, 1973.

2. FSAR, Subsection 15.6.3.

SG Tube Integrity B 3.4.17 (continued)

Vogtle Units 1 and 2 B 3.4.17-1 Rev. 0-9/06 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.17 Steam Generator (SG) Tube Integrity

BASES BACKGROUND Steam generator (SG) tubes are small diameter, thin walled tubes that carry primary coolant through the primary to secondary heat exchangers. The SG tubes have a number of important safety functions. Steam generator tubes are an integral part of the reactor coolant pressure boundary (RCPB) and, as such, are relied on to maintain the primary system's pressure and inventory. The SG tubes isolate the radioactive fission products in the primary coolant from the secondary system. In addition, as part of the RCPB, the SG tubes are unique in that they act as the heat transfer surface between the primary and secondary systems to remove heat from the primary system. This Specification addresses only the RCPB integrity function of the SG.

The SG heat removal function is addressed by LCO 3.4.4, "RCS Loops - MODES 1 and 2," LCO 3.4.5, "RCS Loops - MODE 3," LCO 3.4.6, "RCS Loops - MODE 4," and LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled."

SG tube integrity means that the tubes are capable of performing their intended RCPB safety function consistent with the licensing basis, including applicable regulatory requirements.

Steam generator tubing is subject to a variety of degradation mechanisms. Steam generator tubes may experience tube degradation related to corrosion phenomena, such as wastage, pitting, intergranular attack, and stress corrosion cracking, along with other mechanically induced phenomena such as denting and wear. These degradation mechanisms can impair tube integrity if they are not managed effectively. The SG performance criteria are used to manage SG tube degradation.

Specification 5.5.9, "Steam Generator (SG) Program," requires that a program be established and implemented to ensure that SG tube integrity is maintained. Pursuant to Specification 5.5.9, tube integrity is maintained when the SG performance criteria are met. There are three SG performance criteria: structural integrity, accident induced leakage, and operational LEAKAGE. The SG performance criteria are described in Specification 5.5.9. Meeting the SG performance criteria provides reasonable assurance of maintaining tube integrity at normal and accident conditions.

The processes used to meet the SG performance criteria are defined by the Steam Generator Program Guidelines (Ref. 1).

SG Tube Integrity B 3.4.17 (continued)

Vogtle Units 1 and 2 B 3.4.17-2 REVISION 28 BASES (continued)

APPLICABLE The steam generator tube rupture (SGTR) accident is the limiting SAFETY ANALYSES design basis event for SG t ubes and avoiding an SGTR is the basis for this Specification. The analysis of a SGTR event assumes a bounding primary to secondary LEAKAGE rate equal to the operational LEAKAGE rate limits in LCO 3.4.13, "RCS Operational LEAKAGE," plus the leakage rate associated with a double-ended rupture of a single tube. The accident analysis for a SGTR assumes the contaminated secondary fluid is only briefly released to the atmosphere via safety valves and the majority is discharged to the main condenser.

The analysis for design basis accidents and transients other than a SGTR assume the SG tubes retain their structural integrity (i.e., they are assumed not to rupture.) In these analyses, the steam discharge to the atmosphere is based on the total primary to secondary LEAKAGE from all SGs of 1 gallon per minute or is assumed to increase to 1 gallon per minute as a result of accident induced conditions. For accidents that do not involve fuel damage, the primary coolant activity level of DOSE EQUIVALENT I-131 is assumed to be equal to the LCO 3.4.16, "RCS Specific Activity," limits. For accidents that assume fuel damage, the primary coolant activity is a function of the amount of activity released from the damaged fuel. The dose consequences of these events are within the limits of GDC 19 (Ref. 2), 10 CFR 100 (Ref.

3) or the NRC approved licensing basis (e.g., a small fraction of these

limits).

Steam generator tube integrity satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO The LCO requires that SG tube integrity be maintained. The LCO also requires that all SG tubes that satisfy the plugging criteria be plugged in accordance with the Steam Generator Program.

During an SG inspection, any inspected tube that satisfies the Steam

Generator Program plugging criteria is removed from service by plugging. If a tube was determined to satisfy the plugging criteria but was not plugged, the tube may still have tube integrity.

In the context of this Specification, a SG tube is defined as the entire length of the tube, including the tube wall, between the tube-to-tubesheet weld at the tube inlet and the tube-to-tubesheet weld at the tube outlet. Portions of the tube below 15.2 inches below the top of the

SG Tube Integrity B 3.4.17 (continued)

Vogtle Units 1 and 2 B 3.4.17-5 REVISION 28 BASES ACTIONS A.1 and A.2 (continued) Condition A applies if it is discovered that one or more SG tubes examined in an inservice inspection satisfy the tube plugging criteria but were not plugged in accordance with the Steam Generator Program as required by SR 3.4.17.2. An evaluation of SG tube integrity of the affected tube(s) must be made. Steam generator tube integrity is based on meeting the SG performance criteria described in the Steam Generator Program. The SG plugging criteria define limits on SG tube degradation that allow for flaw growth between inspections while still providing assurance that the SG performance criteria will continue to be met. In order to determine if a SG tube that should have been plugged has tube integrity, an evaluation must be completed that demonstrates that the SG performance criteria will continue to be met until the next refueling outage or SG tube inspection. The tube integrity determination is based on the estimated condition of the tube at the time the situation is discovered and the estimated growth of the degradation prior to the next SG tube inspection. If it is determined that tube integrity is not being maintained, Condition B applies.

A Completion Time of 7 days is sufficient to complete the evaluation while minimizing the risk of plant operation with a SG tube that may not

have tube integrity.

If the evaluation determines that the affected tube(s) have tube integrity, Required Action A.2 allows plant operation to continue until the next refueling outage or SG inspection provided the inspection interval continues to be supported by an operational assessment that reflects the affected tubes. However, the affected tube(s) must be plugged prior to entering MODE 4 following the next refueling outage or SG inspection. This Completion Time is acceptable since operation until the next inspection is supported by the operational assessment.

B.1 and B.2 If the Required Actions and associated Completion Times of Condition A are not met or if SG tube integrity is not being maintained, the reactor must be brought to MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 5 within 36

hours.

The allowed Completion Times are reasonable, based on operating experience, to reach the desired plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SG Tube Integrity B 3.4.17 (continued)

Vogtle Units 1 and 2 B 3.4.17-6 REVISION 28 BASES (continued)

SURVEILLANCE SR 3.4.17.1 REQUIREMENTS During shutdown periods the SGs are inspected as required by this SR and the Steam Generator Program. NEI 97-06, Steam Generator Program Guidelines (Ref. 1), and its referenced EPRI Guidelines, establish the content of the Steam Generator Program. Use of the Steam Generator Program ensures that the inspection is appropriate and consistent with accepted industry practices.

During SG inspections a condition monitoring assessment of the SG tubes is performed. The condition monitoring assessment determines the "as found" condition of the SG tubes. The purpose of the condition monitoring assessment is to ensure that the SG performance criteria have been met for the previous operating period.

The Steam Generator Program determines the scope of the inspection and the methods used to determine whether the tubes contain flaws satisfying the tube plugging criteria. Inspection scope (i.e., which tubes or areas of tubing within the SG are to be inspected) is a function of existing and potential degradation locations. The Steam Generator Program also specifies the inspection methods to be used to find potential degradation. Inspection methods are a function of degradation morphology, nondestructive examination (NDE) technique capabilities, and inspection locations.

The Steam Generator Program defines the Frequency of SR 3.4.17.1. The Frequency is determined by the operational assessment and other limits in the SG examination guidelines (Ref. 6). The Steam Generator Program uses information on existing degradations and growth rates to determine an inspection Frequency that provides reasonable assurance that the tubing will meet the SG performance criteria at the next scheduled inspection. In addition, Specification 5.5.9 contains prescriptive requirements concerning inspection intervals to provide added assurance that the SG performance criteria will be met between scheduled inspections. If crack indications are found in any SG tube, the maximum inspection interval for all affected and potentially affected SGs is restricted by Specification 5.5.9 until subsequent inspections support extending the inspection interval.

SR 3.4.17.2

During an SG inspection, any inspected tube that satisfies the Steam Generator Program plugging criteria is removed from service by plugging. The tube plugging criteria delineated in Specification 5.5.9 are intended to ensure that tubes accepted for continued service satisfy the SG performance criteria with allowance for error in the flaw size measurement and for future flaw growth. In addition, the tube plugging

SG Tube Integrity B 3.4.17 Vogtle Units 1 and 2 B 3.4.17-7 REVISION 28 BASES SURVEILLANCE SR 3.4.17.2 (continued) REQUIREMENTS criteria, in conjunction with other elements of the Steam Generator Program, ensure that the SG performance criteria will continue to be met until the next inspection of the subject tube(s). Reference 1 provides guidance for performing operational assessments to verify that the tubes remaining in service will continue to meet the SG performance criteria.

The Frequency of prior to entering MODE 4 following a SG inspection ensures that the Surveillance has been completed and all tubes meeting the plugging criteria are plugged prior to subjecting the SG tubes to significant primary to secondary pressure differential.

REFERENCES 1. NEI 97-06, "Steam Generator Program Guidelines."

2. 10 CFR 50 Appendix A, GDC 19.

3. 10 CFR 100.

4. ASME Boiler and Pressure Vessel Code,Section III, Subsection NB.

5. Draft Regulatory Guide 1.121, "Basis for Plugging Degraded Steam Generator Tubes," August 1976.

6. EPRI, "Pressurized Water Reactor Steam Generator Examination Guidelines."

7. License Amendment Nos. 167 and 149, "Vogtle Electric Generating Plant, Units 1 and 2, Issuance of Amendments Regarding Revision to Technical Specifications 5.5.9, "Steam Generator (SG) Program," and 5.6.10, "Steam Generator Tube Inspection Report," (TAC Nos. ME8313 and ME8314),"

September 10, 2012.

Accumulators B 3.5.1 (continued)

Vogtle Units 1 and 2 B 3.5.1-7 REVISION 14 BASES ACTIONS C.1 and C.2 (continued) 1000 psig within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

D.1 If more than one accumulator is inoperable, the plant is in a condition outside the accident analyses; therefore, LCO 3.0.3 must be entered

immediately.

SURVEILLANCE SR 3.5.1.1 REQUIREMENTS

Each accumulator valve (HV-8808A, B, C, D) should be verified to be fully open. This verification ensures that the accumulators are available for injection and ensures timely discovery if a valve should be less than fully open. If an isolation valve is not fully open, the rate of injection to the RCS would be reduced. Although a motor operated valve position should not change with power removed, a closed valve could result in not meeting accident analyses assumptions. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.1.2 and SR 3.5.1.3

The borated water volume (LI-0950, 0951, 0952, 0953, 0954, 0955, 0956, 0957) and nitrogen cover pressure (PI-0960A&B, 0961A&B, 0962A&B, 0963A&B, 0964A&B, 0965A&B, 0966A&B, 0967A&B) are verified for each accumulator. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Accumulators B 3.5.1 (continued)

Vogtle Units 1 and 2 B 3.5.1-8 REVISION 14 BASES SURVEILLANCE SR 3.5.1.4 REQUIREMENTS (continued) The boron concentration should be verified to be within required limits for each accumulator since the static design of the accumulators limits the ways in which the concentration can be changed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Sampling the affected accumulator within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> after a 1% volume increase (7% of indicated level) will identify whether inleakage has caused a reduction in boron concentration to below the required limit. It is not necessary to verify boron concentration if the added water inventory is from the refueling water storage tank (RWST), because the water contained in the RWST is within the accumulator boron concentration requirements.

This is consistent with the recommendation of NUREG-1366 (Ref. 6).

SR 3.5.1.5

Verification that power is removed from each accumulator isolation valve operator when the pressurizer pressure is > 1000 psig ensures that an active failure could not result in the undetected closure of an accumulator motor operated isolation valve. If this were to occur, only two accumulators would be available for injection given a single failure coincident with a LOCA. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR allows power to be supplied to the motor operated isolation valves when pressurizer pressure is 1000 psig, thus allowing operational flexibility by avoiding unnecessary delays to manipulate the breakers during plant startups or shutdowns.

ECCS-Operating B 3.5.2 (continued)

Vogtle Units 1 and 2 B 3.5.2-7 Revision No. 0 BASES (continued)

ACTIONS A.1

With one or more trains inoperable and at least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train available, the inoperable components must be returned to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is based on an NRC reliability evaluation (Ref. 5) and is a reasonable time for repair of many ECCS components.

An ECCS train is inoperable if it is not capable of delivering design flow to the RCS. Individual components are inoperable if they are not capable of performing their design function or supporting systems are

not available.

The LCO requires the OPERABILITY of a number of independent subsystems. Due to the redundancy of trains and the diversity of subsystems, the inoperability of one component in a train does not render the ECCS incapable of performing its function. Neither does the inoperability of two different components, each in a different train, necessarily result in a loss of function for the ECCS. The intent of this Condition is to maintain a combination of equipment such that 100% of the ECCS flow equivalent to a single OPERABLE ECCS train remains available. This allows increased flexibility in plant operations under circumstances when components in opposite trains are inoperable.

An event accompanied by a loss of offsite power and the failure of an EDG can disable one ECCS train until power is restored. A reliability analysis (Ref. 5) has shown that the impact of having one full ECCS train inoperable is sufficiently small to justify continued operation for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

Reference 6 describes situations in which one component, such as an RHR crossover valve, can disable both ECCS trains. With one or more component(s) inoperable such that 100% of the flow equivalent to a single OPERABLE ECCS train is not available, the facility is in a condition outside the accident analysis. Therefore, LCO 3.0.3 must be immediately entered.

ECCS-Operating B 3.5.2 (continued)

Vogtle Units 1 and 2 B 3.5.2-8 REVISION 14 BASES ACTIONS B.1 and B.2 (continued)

If the inoperable trains cannot be returned to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.5.2.1 REQUIREMENTS Verification of proper valve position ensures that the flow path from the ECCS pumps to the RCS is maintained. Misalignment of these valves could render both ECCS trains inoperable. Securing these

valves in the correct position by placing the power lockout switches in the correct position ensures that they cannot change position as a result of an active failure or be inadvertently misaligned. These valves are of the type, described in Reference 6, that can disable the function of both ECCS trains and invalidate the accident analyses.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.2

Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provides assurance that the proper flow paths will exist for ECCS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an actuation signal is allowed to be in a nonaccident position provided the valve will automatically reposition within the proper stroke time. This Surveillance does not require any testing or valve manipulation. Rather, it involves verification that those valves capable of being

ECCS-Shutdown B 3.5.3 Vogtle Units 1 and 2 B 3.5.3-3 Rev. 1 - 6/05 BASES ACTIONS A.1 (continued) With no ECCS RHR subsystem OPERABLE, the plant is not prepared to respond to a loss of coolant accident or to continue a cooldown using the RHR pumps and heat exchangers. The Completion Time of im-mediately to initiate actions that would restore at least one ECCS RHR subsystem to OPERABLE status ensures that prompt action is taken to restore the required cooling capacity. Normally, in MODE 4, reactor decay heat is removed from the RCS by an RHR loop. If no RHR loop is OPERABLE for this function, reactor decay heat must be removed by some alternate method, such as use of the steam generators. The alternate means of heat removal must continue until the inoperable RHR loop components can be restored to operation so that decay heat removal is continuous.

With both RHR pumps and heat exchangers inoperable, it would be unwise to require the plant to go to MODE 5, where the only available heat removal system is the RHR. Therefore, the appropriate action is to initiate measures to restore one ECCS RHR subsystem and to continue the actions until the subsystem is restored to OPERABLE status.

B.1 With the required ECCS centrifugal charging subsystem inoperable, and at least 100% of the ECCS flow equivalent to a singe OPERABLE ECCS train available, the inoperable components must be returned to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Since the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is acceptable when the unit is in MODES 1, 2, and 3 (Ref. 5) and MODE 4 represents less severe conditions for the initiation of a LOCA, the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is also acceptable for MODE 4. This allows increased flexibility in plant operations under circumstances when components in the required train may be inoperable, but ECCS remains capable of delivering 100% of the required flow.

C.1 With no ECCS centrifugal charging subsystem OPERABLE, due to the inoperability of the centrifugal charging pump or flow path from the RWST, the plant is not prepared to provide high pressure response to Design Basis Events requiring SI. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time to

(continued)

ECCS-Shutdown B 3.5.3 Vogtle Units 1 and 2 B 3.5.3-4 Rev. 1 - 6/05 BASES ACTIONS C.1 (continued)

restore at least one ECCS centrifugal charging subsystem to OPERABLE status ensures that prompt action is taken to provide the required cooling capacity or to initiate actions to place the plant in MODE 5, where an ECCS train is not required.

D.1 When the Required Actions of Conditions B or C cannot be completed within the required Completion Time, a controlled shutdown should be initiated. Twenty-four hours is a reasonable time, based on operating experience, to reach MODE 5 in an orderly manner and without challenging plant systems or operators.

SURVEILLANCE SR 3.5.3.1 REQUIREMENTS The applicable Surveillance descriptions from Bases 3.5.2 for SRs 3.5.2.3, 3.5.2.4 and 3.5.2.7 apply. Note that these Surveillance descriptions were written for a specification that is applicable in MODEs 1, 2, and 3, and SR 3.5.3.1 is applicable for MODE 4. However, the descriptions provided for SRs 3.5.2.3, 3.5.2.4, and 3.5.2.7 are applicable to MODE 4 as well. SR 3.5.3.1 is modified by a Note that allows an RHR train to be considered OPERABLE during alignment and operation for decay heat removal, if capable of being manually realigned (remote or local) to the ECCS mode of operation and not otherwise inoperable. This allows operation in the RHR mode during MODE 4, if necessary.

REFERENCES The applicable references from Bases 3.5.2 apply.

Seal Injection Flow B 3.5.5 (continued)

Vogtle Units 1 and 2 B 3.5.5-3 REVISION 14 BASES (continued)

ACTIONS A.1

With the seal injection flow exceeding its limit, the amount of charging flow available to the RCS may be reduced. Under this Condition, action must be taken to restore the flow to below its limit. The operator has 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> from the time the flow is known to be above the limit to perform SR 3.5.5.1 and correctly position the manual valves and thus be in compliance with the accident analysis. The Completion Time minimizes the potential exposure of the plant to a LOCA with insufficient injection flow and provides a reasonable time to restore seal injection flow to within the limit. This time is conservative with respect to the Completion Times of other ECCS LCOs; it is based on operating experience and is sufficient for taking corrective actions by operations personnel.

B.1 and B.2

When the Required Actions cannot be completed within the required Completion Time, a controlled shutdown must be initiated. The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> for reaching MODE 3 from MODE 1 is a reasonable time for a controlled shutdown, based on operating experience and normal cooldown rates, and does not challenge plant safety systems or operators. Continuing the plant shutdown begun in Required Action B.1, an additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is a reasonable time, based on operating experience and normal cooldown rates, to reach MODE 4, where this LCO is no longer applicable.

SURVEILLANCE SR 3.5.5.1 REQUIREMENTS Verification that the manual seal injection throttle valves are adjusted to give a flow within the limit ensures that proper manual seal injection throttle valve position, and hence, proper seal injection flow, is maintained. A differential pressure that is above the reference minimum value is established between the charging header (PT-120, charging header pressure) and the RCS, and the total seal injection flow is verified to be within the limits determined in accordance with the ECCS safety analysis (Ref. 3). The seal water injection flow limits are as shown in figure B 3.5.5-1. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Seal Injection Flow B 3.5.5 Vogtle Units 1 and 2 B 3.5.5-4 REVISION 14 BASES SURVEILLANCE SR 3.5.5.1 (continued) REQUIREMENTS The requirements for charging flow vary widely according to plant status and configuration. When charging flow is adjusted, the positions of the air-operated valves which control charging flow are adjusted to balance the flows through the charging header and through the seal injection header to ensure that the seal injection flow to the reactor coolant pumps is maintained between 8 and 13 gpm per pump. The reference minimum differential pressure across the seal injection needle valves ensures that regardless of the varied settings of the charging flow control valves that are required to support optimum charging flow, a reference test condition can be established to ensure that flows across the needle valves are within the safety analysis. The values in the safety analysis for this reference set of conditions are calculated based on conditions during power operation and they are correlated to the minimum ECCS flow to be maintained under the most limiting accident conditions.

As noted, the Surveillance is not required to be performed until 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> after the RCS pressure has stabilized within a

+/- 20 psig range of normal operating pressure. The RCS pressure requirement is specified since this configuration will produce the required pressure conditions necessary to assure that the manual valves are set correctly. The exception is limited to 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> to ensure that the

Surveillance is timely.

REFERENCES 1. FSAR, Chapter 6 and Chapter 15.

2. 10 CFR 50.46.

3. Westinghouse Calculation FRSS/SS-GAE-952.

Containment Air Locks B 3.6.2 (continued)

Vogtle Units 1 and 2 B 3.6.2-7 Revision No. 0 BASES ACTIONS C.1, C.2, and C.3 (continued) inoperable if both doors in an air lock have failed a seal test or if the

overall air lock leakage is not within limits. In many instances (e.g.,

only one seal per door has failed), containment remains OPERABLE, yet only 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (per LCO 3.6.1) would be provided to restore the air

lock door to OPERABLE status prior to requiring a plant shutdown. In

addition, even with both doors failing the seal test, the overall

containment leakage rate can still be within limits.

Required Action C.2 requires that one door in the affected

containment air lock must be verified to be closed within the 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />

Completion Time. This specified time period is consistent with the

ACTIONS of LCO 3.6.1, which require that containment be restored to

OPERABLE status within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.

Additionally, the affected air lock(s) must be restored to OPERABLE

status within the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time. The specified time period

is considered reasonable for restoring an inoperable air lock to

OPERABLE status, assuming that at least one door is maintained

closed in each affected air lock.

D.1 and D.2 If the inoperable containment air lock cannot be restored to

OPERABLE status within the required Completion Time, the plant

must be brought to a MODE in which the LCO does not apply. To

achieve this status, the plant must be brought to at least MODE 3

within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed

Completion Times are reasonable, based on operating experience, to

reach the required plant conditions from full power conditions in an

orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.6.2.1 REQUIREMENTS Maintaining containment air locks OPERABLE requires

compliance with the leakage rate test requirements of the

Containment Leakage Rate Testing Program. This SR reflects

the leakage rate testing requirements with regard to air

Containment Air Locks B 3.6.2 (continued)

Vogtle Units 1 and 2 B 3.6.2-8 REVISION 14 BASES SURVEILLANCE SR 3.6.2.1 (continued)

REQUIREMENTS lock leakage (Type B leakage tests). The acceptance criteria were

established during initial air lock and containment OPERABILITY

testing. The periodic testing requirements verify that the air lock

leakage does not exceed the allowed fraction of the overall

containment leakage rate. The Frequency is required by the

Containment Leakage Rate Testing Program.

The SR has been modified by two Notes. Note 1 states that an

inoperable air lock door does not invalidate the previous successful

performance of the overall air lock leakage test. This is considered

reasonable since either air lock door is capable of providing a fission

product barrier in the event of a DBA. Note 2 has been added to this

SR requiring the results to be evaluated against the acceptance criteria

applicable to SR 3.6.1.1. This ensures that air lock leakage is properly

accounted for in determining the overall containment leakage rate.

SR 3.6.2.2 The air lock interlock is designed to prevent simultaneous opening of

both doors in a single air lock. Since both the inner and outer doors of

an air lock are designed to withstand the maximum expected post

accident containment pressure, closure of either door will support

containment OPERABILITY. Thus, the door interlock feature supports

containment OPERABILITY while the air lock is being used for

personnel transit in and out of the containment. Periodic testing of this

interlock demonstrates that the interlock will function as designed and

that simultaneous opening of the inner and outer doors will not

inadvertently occur. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Containment Isolation Valves B 3.6.3 (continued)

Vogtle Units 1 and 2 B 3.6.3-1 REVISION 26 B 3.6 CONTAINMENT SYSTEMS

B 3.6.3 Containment Isolation Valves

BASES BACKGROUND The containment isolation va lves form part of the containment pressure boundary and provide a means for fluid penetrations not serving accident consequence limitin g systems to be provided with two isolation barriers that are closed on a containment isolation signal. These isolation devices are either passive or active (automatic). Manual valves, de-activated automatic valves secured in their closed position (including check valves with flow through the valve secured),

blind flanges, and closed systems are considered passive devices.

Check valves, or other automatic valves designed to close without operator action following an accident, are considered active devices. Two barriers in series are provided for each penetration so that no single credible failure or malfunction of an active component can result in a loss of isolation or leakage that exceeds limits assumed in the safety analyses. One of these barriers may be a closed system.

These barriers (typically containment isolation valves) make up the Containment Isolation System. A list of containment isolation valves is provided in FSAR table 6.2.4-2.

Automatic isolation signals are produced during accident conditions. Containment Phase "A" isolation occurs upon receipt of a safety injection signal. The Phase "A" isolation signal isolates nonessential process lines in order to minimize leakage of fission product radioactivity. In addition to the Phase A isolation signal above, the purge and exhaust valves receive a Containment Ventilation isolation signal on a containment high radiation condition. As a result, the containment isolation valves (and blind flanges) help ensure that the containment atmosphere will be isolated from the environment in the event of a release of fission product radioactivity to the containment atmosphere as a result of a Design Basis Accident (DBA). Manual actuations of the Phase A isolation signal are accomplished via either of the two control board handswitches. Manual actuations of the containment ventilation isolation signal are accomplished as a direct result of the manual Phase A isolation actuation or the manual

containment spray actuation.

Containment Isolation Valves B 3.6.3 (continued)

Vogtle Units 1 and 2 B 3.6.3-4 REVISION 26 BASES APPLICABLE compromising the containment boundary as long as the system SAFETY ANALYSES is operated in accordance with the subject LCO.

(continued) The containment isolation valves satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO Containment isolation valves form a part of the containment boundary. The containment isolation valves' safety function is related to minimizing the loss of reactor coolant inventory and establishing the containment boundary during a DBA.

The automatic power operated isolation valves are required to have isolation times within limits and to actuate on an automatic isolation signal. The 24 inch purge valves must be maintained sealed closed. The valves covered by this LCO are listed along with their associated

stroke times in the FSAR (Ref. 2).

The normally closed containment isolation valves are considered OPERABLE when manual valves are closed, automatic valves are de-activated and secured in their closed position, blind flanges are in place, and closed systems are intact.

Purge valves with resilient seals must meet additional leakage rate requirements. The other containment isolation valve leakage rates are addressed by LCO 3.6.1, "Containment," as Type C testing.

This LCO provides assurance that the containment isolation valves and purge valves will perform their designed safety functions to minimize the loss of reactor coolant inventory and establish the containment boundary during accidents. This LCO is applicable to those containment isolation valves listed in FSAR table 6.3.4-2 unless otherwise noted.

APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES.

Containment Isolation Valves B 3.6.3 (continued)

Vogtle Units 1 and 2 B 3.6.3-7 Revision No. 0 BASES ACTIONS A.1 and A.2 (continued)

Required Action A.2 is modified by a Note that applies to isolation devices located in high radiation areas and allows these valves to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment, once they have been verified to be in the proper position, is small.

B.1 With two containment isolation valves in one or more penetration flow paths inoperable, the affected penetration flow path must be isolated within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed

and de-activated automatic valve, a closed manual valve, and a blind flange. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is consistent with the ACTIONS of LCO 3.6.1. In the event the affected penetration is isolated in accordance with Required Action B.1, the affected penetration must be verified to be isolated on a periodic basis per Required Action A.2, which remains in effect. This periodic verification is necessary to assure that penetrations requiring isolation following an accident are isolated. The Completion Time of once per 31 days for verifying each affected penetration flow path is isolated is appropriate considering the fact that the valves are operated under administrative control and

the probability of their misalignment is low.

C.1, C.2, and C.3 In the event one or more containment purge valves in one or more penetration flow paths are not within the purge valve leakage limits, purge valve leakage must be restored to within limits, or the affected penetration flow path must be isolated. The method of isolation must be by the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated

Containment Isolation Valves B 3.6.3 (continued)

Vogtle Units 1 and 2 B 3.6.3-8 REVISION 14 BASES ACTIONS C.1, C.2, and C.3 (continued)

automatic valve, closed manual valve, or blind flange. The specified Completion Time is reasonable, considering that one containment purge valve remains closed so that a gross breach of containment does not exist.

In accordance with Required Action C.2, this penetration flow path must be verified to be isolated on a periodic basis. The periodic verification is necessary to ensure that containment penetrations required to be isolated following an accident, which are no longer capable of being automatically isolated, will be in the isolation position should an event occur. This Required Action does not require any testing or valve manipulation. Rather, it involves verification, through a system walkdown, that those isolation devices outside containment capable of being mispositioned are in the correct position. For the isolation devices inside containment, the time period specified as "prior to entering MODE 4 from MODE 5 if not performed within the previous 92 days" is based on engineering judgment and is considered reasonable in view of the inaccessibility of the isolation devices and other administrative controls that will ensure that isolation device misalignment is an unlikely possibility.

D.1 and D.2

If the Required Actions and associated Completion Times are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.6.3.1 REQUIREMENTS (HV-2626A, HV-2627A, HV-2628A, HV-2629A)

Each 24 inch containment purge valve is required to be verified sealed closed. This Surveillance is designed to ensure

Containment Isolation Valves B 3.6.3 (continued)

Vogtle Units 1 and 2 B 3.6.3-9 REVISION 14 BASES SURVEILLANCE SR 3.6.3.1 (continued) REQUIREMENTS that a gross breach of containment is not caused by an inadvertent or spurious opening of a containment purge valve. Detailed analysis of the purge valves failed to conclusively demonstrate their ability to close during a LOCA in time to limit offsite doses. Therefore, these valves are required to be in the sealed closed position during MODES 1, 2, 3, and 4. A containment purge valve that is sealed closed must have motive power to the valve operator removed. This can be accomplished by de-energizing the source of electric power. In this application, the term "sealed" has no connotation of leak tightness. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.3.2 (HV-2626B, HV-2627B, HV-2628B, HV-2629B)

This SR ensures that the minipurge valves are closed as required or, if open, open for an allowable reason. If a purge valve is open in violation of this SR, the valve is considered inoperable. If the inoperable valve is not otherwise known to have excessive leakage when closed, it is not considered to have leakage outside of limits. The SR is not required to be met when the minipurge valves are open under administrative control. The 14 inch containment purge supply and exhaust isolation valves may be opened under conditions delineated in administrative procedures. These procedures specify those circumstances under which it is acceptable to open the valves; for example, pressure control, establishment of respirable air quality prior to containment entry, maintenance, or surveillance testing. The procedures specify that: (1) the valves must be capable of closing under accident conditions, (2) that the instrumentation for causing isolation of the valves is functioning, and (3) the effluent release will be monitored and that it will be within regulatory limits. The minipurge

valves are capable of closing in the environment following a LOCA. Therefore, these valves are allowed to be open for limited periods of time. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Containment Isolation Valves B 3.6.3 (continued)

Vogtle Units 1 and 2 B 3.6.3-10 REVISION 14 BASES SURVEILLANCE SR 3.6.3.3 REQUIREMENTS (continued) This SR requires verification that each containment isolation manual valve and blind flange located outside containment and required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside of the containment boundary is within design limits. This SR does not require any testing or valve manipulation. Rather, it involves verification, through a system walkdown, that those Containment Isolation valves outside containment and capable of being mispositioned are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The SR specifies that Containment Isolation valves that are open under administrative controls are not required to meet the SR during the time the valves are open.

The Note applies to valves and blind flanges located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted during MODES 1, 2, 3 and 4 for ALARA reasons. Therefore, the probability of misalignment of these Containment Isolation valves, once they have been verified to be in the proper position, is small.

SR 3.6.3.4

This SR requires verification that each containment isolation manual valve and blind flange located inside containment and required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside of the containment boundary is within design limits. For Containment

Isolation valves inside containment, the Frequency of "prior to entering MODE 4 from MODE 5 if not performed within the previous 92 days" is appropriate since these Containment Isolation valves are operated under administrative controls and the probability of their

Containment Pressure B 3.6.4 (continued)

Vogtle Units 1 and 2 B 3.6.4-3 REVISION 14 BASES APPLICABILITY limitations of these MODES. Therefore, maintaining containment (continued) pressure within the limits of the LCO is not required in MODE 5 or 6.

ACTIONS A.1 When containment pressure is not within the limits of the LCO, it must be restored to within these limits within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. The Required Action is necessary to return operation to within the bounds of the containment analysis. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is consistent with the ACTIONS of LCO 3.6.1, "Containment," which requires that containment be restored to OPERABLE status within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.

B.1 and B.2 If containment pressure cannot be restored to within limits within the

required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.6.4.1 REQUIREMENTS (PI-0934, PI-0935, PI-0936, PI-0937, P-9871, PI-10945)

Verifying that containment pressure is within limits ensures that unit operation remains within the limits assumed in the containment analysis. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Containment Pressure B 3.6.4 Vogtle Units 1 and 2 B 3.6.4-4 Revision No. 0 BASES (continued)

REFERENCES 1. FSAR, Section 6.2.

2. 10 CFR 50, Appendix K.

Containment Air Temperature B 3.6.5 (continued)

Vogtle Units 1 and 2 B 3.6.5-3 Revision No. 0 BASES (continued)

LCO During a DBA, with an initial containment average air temperature less than or equal to the LCO temperature limit, the resultant peak accident temperature is maintained below the containment design temperature. As a result, the ability of containment to perform its design function is ensured.

APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, maintaining containment average air temperature within the limit is not required in MODE 5 or 6.

ACTIONS A.1 When containment average air temperature is not within the limit of the LCO, it must be restored to within limit within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. This Required Action is necessary to return operation to within the bounds of the containment analysis. The 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> Completion Time is acceptable considering the sensitivity of the analysis to variations in this parameter and provides sufficient time to correct minor problems.

B.1 and B.2 If the containment average air temperature cannot be restored to within its limit within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

Containment Air Temperature B 3.6.5 Vogtle Units 1 and 2 B 3.6.5-4 REVISION 14 BASES (continued)

SURVEILLANCE SR 3.6.5.1 REQUIREMENTS Location Tag Number

a. Level 2 TE-2563

b. Level B TE-2613

c. Level C TE-2612 NOTE: A local sample may be taken at a corresponding location in lieu of using one of the instruments designated above.

Verifying that containment average air temperature is within the LCO limit ensures that containment operation remains within the limit assumed for the containment analyses. In order to determine the containment average air temperature, an arithmetic average is calculated using measurements taken at locations within the containment selected to provide a representative sample of the overall containment atmosphere. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 6.2.

2. 10 CFR 50.49.

Containment Spray and Cooling Systems B 3.6.6 Vogtle Units 1 and 2 B 3.6.6-2 Rev. 2 - 7/08 BASES BACKGROUND Containment Spray System (continued)

The Containment Spray System provides a spray of cold borated water into the upper regions of containment to reduce the containment pressure and temperature and to reduce fission products from the containment atmosphere during a DBA. The RWST solution temperature is an important factor in determining the heat removal capability of the Containment Spray System during the injection phase. In the recirculation mode of operation, heat is removed from the containment sump water by the residual heat removal coolers. Each train of the Containment Spray System provides adequate spray coverage to meet the system design requirements for containment heat removal.

The Containment Spray System is actuated either automatically by a containment High-3 pressure signal or manually. An automatic actuation opens the containment spray pump discharge valves, starts the two containment spray pumps, and begins the injection phase. A manual actuation of the Containment Spray System requires the operator to actuate two separate switches on the main control board to begin the same sequence. The injection phase continues until an RWST empty tank level alarm is received (8% level). When the RWST level reaches the empty tank level, the operator manually aligns the system to the recirculation mode. The Containment Spray System in the recirculation mode maintains an equilibrium temperature between the containment atmosphere and the recirculated sump water. Operation of the Containment Spray System in the recirculation mode is controlled by the operator in accordance with the emergency operating procedures.

Containment Cooling System

Two trains of containment cooling, each of sufficient capacity to supply 100% of the design cooling requirement, are provided. Each train of four fan units is supplied with cooling water from a separate train of nuclear service cooling water (NSCW). Air is drawn into the coolers through the fan and discharged to the steam generator compartments, pressurizer compartment, and instrument tunnel, and outside the secondary shield in the lower areas of containment.

(continued)

Containment Spray and Cooling Systems B 3.6.6 (continued)

Vogtle Units 1 and 2 B 3.6.6-6 REVISION 24 BASES APPLICABILITY In MODES 5 and 6, the probability and consequences of these (continued) events are reduced due to the pressure and temperature limitations of these MODES. Thus, the Containment Spray System and the Containment Cooling System are not required to be OPERABLE in MODES 5 and 6.

ACTIONS A.1 With one containment spray train inoperable, the inoperable containment spray train must be restored to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. In this Condition, the remaining OPERABLE spray and cooling trains are adequate to perform the iodine removal and containment cooling functions. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time takes into account the redundant heat removal capability afforded by the Containment Spray System, reasonable time for repairs, and low probability of a DBA occurring during this period.

B.1 With one of the required containment cooling trains inoperable, the inoperable required containment cooling train must be restored to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The components in this degraded condition provide iodine removal capabilities and are capable of providing at least 100% of the heat removal needs. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time was developed taking into account the redundant heat removal capabilities afforded by combinations of the Containment Spray System and Containment Cooling System, and the low probability of a DBA occurring during this period.

MSSVs B 3.7.1 (continued)

Vogtle Units 1 and 2 B 3.7.1-1 Rev. 1-2/08 B 3.7 PLANT SYSTEMS

B 3.7.1 Main Steam Safety Valves (MSSVs)

BASES BACKGROUND The primary purpose of the MSSVs is to provide overpressure protection for the secondary system. The MSSVs also provide protection against overpressurizing the reactor coolant pressure boundary (RCPB) by providing a heat sink for the removal of energy from the Reactor Coolant System (RCS) if the preferred heat sink, provided by the Condenser and Circulating Water System, is not

available.

Five MSSVs are located on each main steam header, outside containment, upstream of the main steam isolation valves, as described in the FSAR, Section 10.3 (Ref. 1). The actual MSSV capacity is 114% of rated steam flow at 110% of the steam generator design pressure. This meets the requirements of the ASME Code,Section III (Ref. 2). The MSSV design includes staggered setpoints, according to Table 3.7.1-2 in the accompanying LCO, so that only the needed valves will actuate. Staggered setpoints reduce the potential for valve chattering that is due to steam pressure insufficient to fully open all valves following a turbine reactor trip.

APPLICABLE The design basis requirement is that secondary system pressure is SAFETY ANALYSES limited to 110% of design pressure which is specified in Reference 2. The actual design basis applied for the MSSVs comes from Reference 6 and its purpose is to limit the secondary system pressure

to 110% of design pressure when passing 105% of design steam flow. This design basis is sufficient to cope with any anticipated operational occurrence (AOO) or accident considered in the Design Basis Accident (DBA) and transient analysis.

The events that challenge the relieving capacity of the MSSVs, and thus RCS pressure, are those characterized as decreased heat removal events, which are presented in the FSAR, Section 15.2 (Ref. 3). Of these, the full power turbine trip without steam dump is the limiting AOO. This event also terminates normal feedwater flow to

the steam generators.

ARVs B 3.7.4 Vogtle Units 1 and 2 B 3.7.4-4 Rev. 1 - 6/05 BASES APPLICABILITY to provide the decay heat removal function in MODE 4.

(continued) Therefore, the ARVs are not required OPERABLE in MODE 4 to satisfy the safety analysis assumptions of the DBA. However, the capability to remove decay heat from an SG required OPERABLE in MODE 4 by LCO 3.4.6, "RCS Loops - MODE 4" is implicit in the requirement for an OPERABLE SG and may require the associated ARV be capable of removing that heat if the normal decay heat removal system (steam dump) is not available.

In MODE 5 or 6, an SGTR is not a credible event.

ACTIONS A.1 With one required ARV line inoperable, action must be taken to restore OPERABLE status within 30 days. The 30 day Completion Time is reasonable considering the low probability of an SGTR event coincident with a loss of offsite power requiring the use of the ARVs and the redundant capability afforded by the remaining OPERABLE ARV lines, a nonsafety grade backup in the Steam Dump System, and MSSVs.

B.1 With two or more required ARV lines inoperable, action must be taken to restore all but one required ARV line to OPERABLE status. Since the block valve can be closed to isolate an ARV, some repairs may be possible with the unit at power. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is reasonable to repair inoperable ARV lines, based on the availability of the Steam Dump System and MSSVs, and the low probability of an event occurring during this period that would require the ARV lines.

C.1 and C.2 If the ARV lines cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To

(continued)

ARVs B 3.7.4 Vogtle Units 1 and 2 B 3.7.4-5 REVISION 14 BASES ACTIONS C.1 and C.2 (continued) achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, and in MODE 4 within 18 hours2.083333e-4 days <br />0.005 hours <br />2.97619e-5 weeks <br />6.849e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. SURVEILLANCE SR 3.7.4.1 REQUIREMENTS To perform a controlled cooldown of the RCS, the ARVs must be able to be opened either remotely or locally and throttled through their full range. This SR ensures that the ARVs are tested through a full control cycle at least once per fuel cycle.

Performance of inservice testing or use of an ARV during a unit cooldown may satisfy this requirement.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 10.3.

2. FSAR, Subsection 15.6.3.

3. WCAP-11731, LOFTTR2 Analysis for a Steam Generator Tube Rupture Event for the Vogtle Electric Generating Plant Units 1 and 2, January 1988, and Westinghouse letter GP-16886, J. L. Tain to J.B. Beasley, Jr., SGTR Analysis

With Revised Operator Action Times and SECL 98-124, Revision 0, dated December 4, 1998.

AFW System B 3.7.5 (continued)

Vogtle Units 1 and 2 B 3.7.5-3 Rev. 2-10/01 BASES APPLICABLE In addition, the minimum available AFW flow and system SAFETY ANALYSES characteristics are serious considerations in the analysis (continued) of a small break loss of coolant accident (LOCA).

The AFW System design is such that it can perform its function following an FWLB between the MFW isolation valves and containment, combined with a loss of offsite power following turbine trip, and a single active failure of the steam turbine driven AFW pump. In such a case, the ESFAS logic may not detect the affected steam generator if the backflow check valve to the affected MFW header worked properly. One motor driven AFW pump would deliver to the broken MFW header (limited by flow restrictor installed in the AFW line) until the problem was detected, and flow terminated by the operator. Sufficient flow would be delivered to the intact steam generators by the other AFW line and the redundant AFW pump.

The ESFAS automatically actuates the AFW turbine driven pump and associated power operated valves and controls when required to ensure an adequate feedwater supply to the steam generators during loss of power. DC power operated valves are provided for each AFW line to control the AFW flow to each steam

generator.

The AFW System satisfies the requirements of Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO This LCO provides assurance that the AFW System will perform its design safety function to mitigate the consequences of accidents that could result in overpressurization of the reactor coolant pressure boundary. Three independent AFW pumps in three diverse trains are required to be OPERABLE to ensure the availability of RHR capability for all events accompanied by a loss of offsite power and a single failure. This is accomplished by powering two of the pumps from independent emergency buses.

The third AFW pump is powered by a different means, a steam driven turbine supplied with steam from a source that is not isolated by closure of the MSIVs. The steam supply valves (1/2HV-3019 and 1/2HV-3009) for the turbine driven AFW pump are powered from 125 V MCCs 1/2AD1M and 1/2BD1M, respectively. Suction

header valve 1/2HV-5113, pump block valve 1/2HV-5106, and discharge header valves 1/2HV-5120, 5122, 5125, and 5127 are powered from 125 V MCC 1/2CD1M. If 125 V MCC 1/2AD1M or 1/2BD1M becomes inoperable, the affected steam supply valve is to be considered inoperable. If both 1/2AD1M and 1/2BD1M become AFW System B 3.7.5 (continued)

Vogtle Units 1 and 2 B 3.7.5-4 REVISION 18 BASES LCO inoperable, the turbine driven AFW train is to be considered (continued) inoperable. If 125 V MCC 1/2CD1M becomes inoperable, the turbine driven AFW train is to be considered inoperable.

The AFW System is configured into three trains. The AFW System is considered OPERABLE when the components and flow paths required to provide redundant AFW flow to the steam generators are OPERABLE. This requires that the two motor driven AFW pumps be OPERABLE in two diverse paths, each supplying AFW to separate steam generators. The turbine driven AFW pump is required to be OPERABLE with redundant steam supplies from each of two main steam lines upstream of the MSIVs, and shall be capable of supplying AFW to any of the steam generators. The piping, valves, instrumentation, and controls in the required flow paths also are required to be OPERABLE. The AFW pumphouse ESF supply fans and associated dampers must be OPERABLE to support operation of the motor driven pumps, and the ESF outside air intake and exhaust dampers must be OPERABLE to support operation of the

turbine driven pump.

On Unit 1, at least one SG sample automatic isolation valves is required for the turbine driven AFW system to be OPERABLE.

The failure of all four SG sample automatic isolation valves to automatically close on an actuation signal will prevent the turbine driven AFW system from meeting its safety function. However, manual isolation of at least one of the SG sample flow paths will allow the turbine driven AFW system to meet its intended safety function in the event of INOPERABLE SG sample automatic

isolation valves.

On Unit 2, the failure of all four SG sample automatic isolation valves will not prevent the turbine driven AF W system from m eeting its safety function. The margins of the turbine driven AFW system are sufficient to meet accident analyses when up to four SG sample automatic isolation valves are not ORERABLE.

The SG sample automatic isolation valves are not required for the motor driven AFW system to meet its intended safety function on either unit. The margins of the motor driven AFW system are sufficient to meet accident analyses when up to four SG sample automatic isolation valves are not OPERABLE.

Although the AFW System can be used in MODE 4 to add to SG inventory when the SG is being used to support RCS operability requirements in accordance with LCO 3.4.6, the LCO does not require the AFW System to be OPERABLE in MODE 4.

AFW System B 3.7.5 (continued)

Vogtle Units 1 and 2 B 3.7.5-5 REVISION 24 BASES (continued)

APPLICABILITY In MODES 1, 2, and 3, the AFW System is required to be OPERABLE in the event that it is called upon to function when the MFW is lost.

In MODE 4 the AFW System may be used for heat removal via the steam generators, but is not required since the RHR System is available in this MODE.

In MODE 5 or 6, the steam generators are not normally used for heat removal, and the AFW System is not required.

ACTIONS A Note prohibits the application of LCO 3.0.4b to an inoperable AFW train. There is an increased risk associated with an AFW train inoperable and the provisions of LCO 3.0.4b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

A.1 If one of the two steam supplies to the turbine driven AFW train is inoperable, action must be taken to restore OPERABLE status within 7 days. The 7 day Completion Time is reasonable, based on the following reasons:

a. The redundant OPERABLE steam supply to the turbine driven AFW pump;

b. The availability of redundant OPERABLE motor driven AFW pumps; and

c. The low probability of an event occurring that requires the inoperable steam supply to the turbine driven AFW pump.

B.1 With one of the required AFW trains (pump or flow path) inoperable for reasons other than Condition A, action must be taken to restore OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. This Condition includes the loss of two steam supply lines to the

turbine driven AFW pump. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is reasonable, based on redundant capabilities afforded by the

AFW System B 3.7.5 (continued)

Vogtle Units 1 and 2 B 3.7.5-6 REVISION 24 BASES ACTIONS B.1 (continued)

AFW System, time needed for repairs, and the low probability of a DBA occurring during this time period.

C.1 and C.2 When Required Action A.1 or B.1 cannot be completed within the required Completion Time, or if two AFW trains are inoperable, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, and in MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

In MODE 4, AFW is not required since RHR is available.

D.1 If all three AFW trains are inoperable, the unit is in a seriously degraded condition with no safety related means for conducting a cooldown, and only limited means for conducting a cooldown with

nonsafety related equipment. In such a condition, the unit should not be perturbed by any action, including a power change, that might result in a trip. The seriousness of this condition requires that action be started immediately to restore one AFW train to OPERABLE status.

Required Action D.1 is modified by a Note indicating that all required MODE changes or power reductions are suspended until one AFW train is restored to OPERABLE status. In this case, LCO 3.0.3 is not applicable because it could force the unit into a less safe condition.

CST B 3.7.6 Vogtle Units 1 and 2 B 3.7.6-1 Revision No. 0 B 3.7 PLANT SYSTEMS

B 3.7.6 Condensate Storage Tank (CST)

BASES BACKGROUND The two CSTs (V4001 and V4002) provide redundant safety grade sources of water to the steam generators for removing decay and sensible heat from the Reactor Coolant System (RCS). The CSTs provide a passive flow of water, by gravity, to the Auxiliary Feedwater (AFW) System (LCO 3.7.5). The steam produced is released to the atmosphere by the main steam safety valves or the atmospheric dump valves.

When the main steam isolation valves are open, the preferred means of heat removal is to discharge steam to the condenser by the nonsafety grade path of the steam dump valves. The condensed steam is returned to the CST. This has the advantage of conserving condensate while minimizing releases to the environment.

Because the CST is a principal component in removing residual heat from the RCS, it is designed to withstand earthquakes and other natural phenomena, including missiles that might be generated by natural phenomena. The CST is designed to Seismic Category I to ensure availability of the feedwater supply.

A description of the CST is found in the FSAR, Subsection 9.2.6 (Ref. 1).

APPLICABLE The CST provides cooling water to remove decay heat and to SAFETY ANALYSES cool down the unit following all events in the accident analysis as discussed in the FSAR, Chapters 6 and 15 (Refs. 2 and 3, respectively). For anticipated operational occurrences and accidents that do not affect the OPERABILITY of the steam generators, the analysis assumption is generally 60 minutes at MODE 3, steaming through the MSSVs, followed by a cooldown to residual heat removal (RHR) entry conditions.

The limiting event for the condensate volume is the large feedwater line break coincident with a loss of offsite

(continued)

CST B 3.7.6 Vogtle Units 1 and 2 B 3.7.6-2 Rev. 1-10/01 BASES APPLICABLE power. Single failures that also affect this event include SAFETY ANALYSES the following:

(continued) a. Failure of the diesel generator powering the motor driven AFW pump to the unaffected steam generator (requiring additional steam to drive the remaining AFW pump turbine);

and

b. Failure of the steam driven AFW pump (requiring a longer time for cooldown using only one motor driven AFW pump).

These are not usually the limiting failures in terms of consequences for these events.

A nonlimiting event considered in CST inventory determinations is a break in either the main feedwater or AFW line near where the two join. This break has the potential for dumping condensate until terminated by operator action, since the Auxiliary Feedwater Actuation System would not detect a difference in pressure between the steam generators for this break location. This loss of condensate inventory is partially compensated for by the retention of steam generator inventory.

The CST satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO To satisfy accident analysis assumptions, the CST must contain sufficient cooling water to remove decay heat for 60 minutes following a reactor trip from 102% RTP, and then to cool down the RCS to RHR entry conditions, assuming a coincident loss of offsite power and the most adverse single failure. In doing this, it must retain sufficient water to ensure adequate net positive suction head for the AFW pumps during cooldown, as well as account for any losses from the steam driven AFW pump turbine, or before isolating AFW to a broken line.

The CST level required is equivalent to a usable volume of 340,000 gallons (66% instrument span) which is based on holding the unit in MODE 3 for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, followed by a 5 hour5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> cooldown to RHR entry conditions at 50°F/hour with one Reactor Coolant Pump in operation. This basis is

(continued)

CST B 3.7.6 (continued)

Vogtle Units 1 and 2 B 3.7.6-3 Rev. 1-3/99 THIS PAGE APPLICABLE TO UNIT 1 ONLY BASES LCO established in Reference 4 and exceeds the volume required (continued) by the accident analysis.

The OPERABILITY of the CST is determined by maintaining the tank level at or above the minimum required level. Either CST V4001 or CST V4002 may be used to satisfy the LCO

requirement.

APPLICABILITY In MODES 1, 2, and 3, the CST is required to be OPERABLE.

Due to the reduced heat removal requirements and short period of time in MODE 4 and the availability of RHR in MODE 4, the LCO does not require a CST to be OPERABLE in this MODE.

In MODE 5 or 6, the CST is not required because the AFW System is not required.

CST B 3.7.6 (continued)

Vogtle Units 1 and 2 B 3.7.6-4 REVISION 14 THIS PAGE APPLICABLE TO UNIT 2 ONLY BASES LCO established in Reference 4 and exceeds the volume required (continued) by the accident analysis.

The OPERABILITY of the CST is determined by maintaining the tank level at or above the minimum required level. Either CST V4001 or CST V4002 may be used to satisfy the LCO

requirement.

For Unit 2 only, two CSTs are required to be OPERABLE with a

combined safety-related volume of 378,000 gallons, and the CST aligned to supply the auxiliary feedwater pumps shall have a safety-related volume 340,000 gallons. The basis for requiring an additional 38,000 gallons of safety-related usable CST inventory is to support the elimination of the bypass line and associated valve bonnet depressurization line for the 2HV-8701B RHR suction isolation valve.

The elimination of the bypass line and valve bonnet depressurization line requires an additional 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> for a total of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> prior to placing RHR Train A in service. The additional time ensures that the 2HV-8701B valve bonnet and the space between the 2HV-8701B and 2HV-8701A RHR suction isolation valves have depressurized sufficiently to allow the suction isolation valves to be opened.

APPLICABILITY In MODES 1, 2, and 3, the CST is required to be OPERABLE.

Due to the reduced heat removal requirements and short period of time in MODE 4 and the availability of RHR in MODE 4, the LCO does not require a CST to be OPERABLE in this MODE.

In MODE 5 or 6, the CST is not required because the AFW System is not required.

CST B 3.7.6 (continued)

Vogtle Units 1 and 2 B 3.7.6-5 REVISION 14 THIS PAGE APPLICABLE TO UNIT 1 ONLY BASES (continued)

ACTIONS A.1 and A.2 If the required CST volume is not within limit, the Completion Time of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> provides sufficient time for the three AFW pumps to be aligned to the OPERABLE CST. This Completion Time is acceptable based on: 1) Operating experience to perform the required valve operations; 2) The ACTIONS being entered as soon as the CST level decreased below the limit, which would most probably leave sufficient capacity in the inoperable CST to support AFW pump operation for at least the 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> Completion Time; and 3) The low probability of an event occurring during this interval that would require the CST to be fully OPERABLE.

B.1 and B.2 If the AFW pumps cannot be aligned to an OPERABLE CST within the required Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, and in MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.7.6.1 REQUIREMENTS CST V4001 (LI-5101 and LI-5111A)

CST V4002 (LI-5104 and LI-5116A)

This SR verifies that the CST contains the required volume of cooling water. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

CST B 3.7.6 (continued)

Vogtle Units 1 and 2 B 3.7.6-6 REVISION 14 THIS PAGE APPLICABLE TO UNIT 2 ONLY BASES (continued)

ACTIONS A.1 and A.2 If one or both of the CST volumes are not within limits, the volume(s) must be restored to within limits within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. This Completion Time is acceptable based on : 1) The ACTIONS being entered as soon as the CST level(s) decreased below limit(s), which would provide reasonable assurance of at least sufficient capacity to support AFW operation for at least the 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> Completion Time; and 2) The low probability of an event occurring during this interval that would require the CSTs to be fully OPERABLE.

B.1 and B.2 If the AFW pumps cannot be aligned to an OPERABLE CST within the required Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, and in MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.7.6.1 REQUIREMENTS CST V4001 (LI-5101 and LI-5111A)

CST V4002 (LI-5104 and LI-5116A)

This SR verifies that the CSTs contain the required volumes of cooling water. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

CST B 3.7.6 Vogtle Units 1 and 2 B 3.7.6-7 REVISION 14 BASES (continued)

REFERENCES 1. FSAR, Subsection 9.2.6.

2. FSAR, Chapter 6.

3. FSAR, Chapter 15.

4. Branch Technical Position RSB 5-1, Rev. 2, July 1981, "Design Requirements of the Residual Heat Removal System."

CCW System B 3.7.7 (continued)

Vogtle Units 1 and 2 B 3.7.7-3 Rev. 1-8/05 BASES LCO A CCW train is considered OPERABLE when: (continued) a. Two pumps and associated surge tank are OPERABLE; and

b. The associated piping, valves, heat exchanger, and instrumentation and controls required to perform the safety related function are OPERABLE.

The isolation of CCW from other components or systems not required for safety may render those components or systems inoperable but does not necessarily make the CCW System inoperable. Consideration should be given to the size of the load isolated and the impact it will have on the rest of the CCW system

before determining OPERABILITY.

APPLICABILITY In MODES 1, 2, 3, and 4, the CCW System is a normally operating system, which must be prepared to perform its post accident safety functions, primarily RCS heat removal, which is achieved by cooling the RHR heat exchanger.

In Modes 5 or 6, there are no TS OPERABILITY requirements for the CCW System. However, the functional requirements of the CCW System are determined by the systems it supports.

ACTIONS A.1 Required Action A.1 is modified by a Note indicating that the applicable Conditions and Required Actions of LCO 3.4.6, "RCS Loops - MODE 4," be entered if an inoperable CCW train results in an inoperable RHR loop. This is an exception to LCO 3.0.6 and ensures the proper actions are taken for these components.

If one CCW train is inoperable, action must be taken to restore OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. In this Condition, the remaining OPERABLE CCW train is adequate to perform the heat removal function. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is reasonable, based on the redundant capabilities afforded by the OPERABLE train, and the low probability of a DBA occurring during this

period.

NSCW B 3.7.8 (continued)

Vogtle Units 1 and 2 B 3.7.8-1 Revision No. 33 B 3.7 PLANT SYSTEMS

B 3.7.8 Nuclear Service Cooling Water (NSCW) System

BASES BACKGROUND The NSCW System provides a heat sink for the removal of process and operating heat from safety related components during a Design Basis Accident (DBA) or transient. During normal operation, and a normal shutdown, the NSCW System also provides this function for various safety related and nonsafety related components. The safety related function is covered by

this LCO.

The NSCW System consists of two separate, 100% capacity, safety related, cooling water trains. Each train consists of three 50% capacity pumps, various safety and nonsafety related component heat exchangers, piping, valving, and instrumentation.

The pumps and valves are remote and manually aligned, except in the unlikely event of a loss of coolant accident (LOCA). The pumps are automatically started upon receipt of a safety injection signal, and all essential valves are aligned to their post accident positions.

Additional information about the design and operation of the NSCW System, along with a list of the components served, is presented in the FSAR, Subsection 3.5.3 (Ref. 4) and Subsection 9.2.1 (Ref. 1). The principal safety related function of the NSCW System is the removal of decay heat from the reactor via the CCW System.

APPLICABLE The design basis of the NSCW System is for one NSCW System SAFETY ANALYSES train, in conjunction with the CCW System and a 100% capacity containment cooling system, to remove core decay heat following a design basis LOCA as discussed in the FSAR, Section 6.2 (Ref. 2). This prevents the containment sump fluid from increasing in temperature during the recirculation phase following a LOCA and provides for a gradual reduction in the temperature of this fluid as it is supplied to the Reactor Coolant System by the ECCS pumps. The NSCW System is designed to perform its function with a single failure of any active component, assuming the loss of offsite power.

NSCW B 3.7.8 Vogtle Units 1 and 2 B 3.7.8-2 Rev. 2-8/05 BASES APPLICABLE The NSCW System, in conjunction with the CCW System, also SAFETY ANALYSES cools the unit from residual heat removal (RHR), as (continued) discussed in the FSAR, Subsection 5.4.7, (Ref. 3) entry conditions to MODE 5 during normal and post accident operations. The time required for this evolution is a function of the number of CCW and RHR System trains that are operating.

One NSCW System train is sufficient to remove decay heat during subsequent operations in MODES 5 and 6. This assumes a maximum NSCW System temperature of 95F occurring simultaneously with maximum heat loads on the system.

The NSCW System satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO Two NSCW System trains are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove post accident heat loads, assuming that the worst case single active failure occurs coincident with the loss of offsite power.

An NSCW System train is considered OPERABLE during MODES 1, 2, 3, and 4 when:

a. Two pumps are OPERABLE; and

b. The associated piping, valves, and instrumentation and controls required to perform the safety related function are OPERABLE.

APPLICABILITY In MODES 1, 2, 3, and 4, the NSCW System is a normally operating system that is required to support the OPERABILITY of the equipment serviced by the NSCW System and required to be OPERABLE in these MODES.

In MODES 5 or 6, there are no TS OPERABILITY requirements for the NSCW System. However, the functional requirements of the NSCW System are determined by the systems it supports.

(continued)

UHS B 3.7.9 (continued)

Vogtle Units 1 and 2 B 3.7.9-1 REVISION 7 B 3.7 PLANT SYSTEMS

B 3.7.9 Ultimate Heat Sink (UHS)

BASES BACKGROUND The UHS provides a heat sink for processing and operating heat from safety related components during a transient or accident, as well as during normal operation. This is done by utilizing the

Nuclear Service Cooling Water (NSCW) System and the Component Cooling Water (CCW) System.

The UHS consists of the NSCW System mechanical draft towers.

Two 100% capacity redundant NSCW towers are provided for each unit. One tower is associated with each train of the NSCW System. Each NSCW tower consists of a basin that contains the ultimate heat sink water supply and an upper structure that contains four individual fan spray cells where the heat loads are transferred to the atmosphere. Each spray cell contains one safety-related temperature controlled fan. Instrumentation is provided for monitoring basin level and water temperature. The tower basins each contain a safety-related transfer pump to permit the use of the combined storage capacity of the basins.

The combined storage capacity of two tower basins provides greater than a 30 day cooling water supply assuming the worst combination of meteorological conditions and accident heat loads which maximize the tower heat load, basin temperature, and evaporative losses.

Additional information on the design and operation of the system, along with a list of components served, can be found in FSAR, Subsection 9.2.5 (Ref. 1).

APPLICABLE The UHS is the sink for heat removed from the reactor core SAFETY ANALYSES following all accidents and anticipated operational occurrences in which the unit is cooled down and placed on residual heat removal (RHR) operation. Its maximum post accident heat load occurs 20 minutes after a design basis loss of coolant accident (LOCA). Near this time, the unit switches from injection to recirculation and the containment cooling systems and RHR are required to remove the core decay heat.

UHS B 3.7.9 (continued)

Vogtle Units 1 and 2 B 3.7.9-2 REVISION 27 BASES APPLICABLE The operating limits are based on conservative heat transfer SAFETY ANALYSES analyses for the worst case LOCA. Reference 1 provides the (continued) details of the assumptions used in the analysis, which include worst expected meteorological conditions, conservative uncertainties when calculating decay heat, and worst case single active failure (e.g., single failure of a manmade structure). The UHS is designed in accordance with Regulatory Guide 1.27 (Ref. 2), which requires a 30 day supply of cooling water in the UHS. The UHS satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO The UHS is required to be OPERABLE and is considered OPERABLE if it contains a sufficient volume of water at or below the maximum temperature that would allow the NSCW to operate for at least 30 days following the design basis LOCA without the loss of net positive suction head (NPSH), and without exceeding the maximum design temperature of the equipment served by the NSCW. In order to meet these requirements, two NSCW tower basins are required OPERABLE with the following:

1. Basin water level must be 80.25 feet as measured from the bottom of the basin (73% of instrument span),

2. Basin water temperature must be 90°F,

3. Two OPERABLE trains of NSCW tower fans/spray cells, each train with the required number of fans/spray cells as specified in Figure 3.7.9-1, and

4. Two OPERABLE NSCW basin transfer pumps.

APPLICABILITY In MODES 1, 2, 3, and 4, the UHS is required to support the OPERABILITY of the equipment serviced by the UHS and required to be OPERABLE in these MODES.

In MODES 5 or 6, there are no TS OPERABILITY requirements for the UHS. However, the functional requirements of the UHS are determined by the systems it supports.

UHS B 3.7.9 (continued)

Vogtle Units 1 and 2 B 3.7.9-3 REVISION 27 BASES (continued)

ACTIONS A.1 If one or more NSCW basins have a water temperature and/or water level not within the limits, action must be taken to restore

the water temperature and level to within the limits within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is reasonable based on the low probability of an accident occurring during the 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, the considerable cooling capacity still available in the basin(s), and the time required to reasonably complete the Required Action.

B.1 If one NSCW cooling tower has one required fan/spray cell inoperable when operating in the four fan/spray cell required region of Figure 3.7.9-1, action must be taken to restore the inoperable fan/spray cell to OPERABLE status within 7 days.

The 7-day Completion Time provides an acceptable time for evaluating and repairing problems with a fan/spray cell without allowing the plant to remain in an unacceptable condition for an extended period of time, and is reasonable due to the availability of the redundant OPERABLE NSCW cooling tower, and due to the low probability of an event requiring all four NSCW cooling tower fans/spray cells.

C.1 If one NSCW cooling tower has one or more required fan(s)/spray cell(s) inoperable for reasons other than Condition B, action must be taken to restore the inoperable fan(s)/spray cell(s) to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is reasonable based on the low probability of an accident occurring during the 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, the number of available fans/spray cells, and the time required to reasonably complete the Required Action.

D.1, D.2.1, and D.2.2 If one NSCW basin transfer pump is inoperable, action must be taken to restore the pump to OPERABLE status or implement an alternate method of transferring the water from the affected basin within 8 days. If an alternate method is utilized, action still must be taken to restore the transfer pump to OPERABLE status within

31 days.

CREFS Both Units Operating B 3.7.10 (continued)

Vogtle Units 1 and 2 B 3.7.10-1 Rev. 1 - 11/08 B 3.7 PLANT SYSTEMS

B 3.7.10 Control Room Emergency Filtration System (CREFS) - Both Units Operating

BASES BACKGROUND The CREFS provides a protected environment from which occupants can control the unit following an uncontrolled release of radioactivity, hazardous chemicals, or smoke.

The CREFS has a total of four redundant, completely independent, full capacity air filtration trains that recirculate and filter the air in the common Unit 1 and 2 control room envelope (CRE) and a CRE boundary that limits the inleakage of unfiltered air. Each CREFS train consists of carbon filter moisture eliminators, high efficiency particulate air (HEPA) filters, electric heaters, cooling coil, and supply and return fans. Ductwork, valves or dampers, doors, barriers, and instrumentation also form part of the system. The filter trains for Unit 1 are powered from the Unit 1 safety feature buses A and B and the filter trains for Unit 2 are powered from the Unit 2 safety feature buses A and B.

The CRE is the area within the confines of the CRE boundary that contains the spaces that control room occupants inhabit to control the unit during normal and accident conditions. This area encompasses the control room, and may encompass other non-critical areas to which frequent personnel access or continuous occupancy is not necessary in the event of an accident. The CRE is protected during normal operation, natural events, and accident conditions. The CRE boundary is the combination of walls, floor, roof, ducting, doors, penetrations and equipment that physically form the CRE. The OPERABILITY of the CRE boundary must be maintained to ensure that the inleakage of unfiltered air into the CRE will not exceed the inleakage assumed in the licensing basis analysis of design basis accident (DBA) consequences to CRE occupants. The CRE and its boundary are defined in the Control Room Envelope Habitability Program.

The CREFS is actuated manually or upon receipt of a Control Room Isolation (CRI) signal. The CRI signal results from a safety injection signal or high radiation in the outside air intake. The CRI actuation instrumentation is addressed in LCO 3.3.7, "CREFS Actuation Instrumentation." A CRI signal also isolates the normal HVAC system. Normal open isolation dampers are arranged in series, so that the failure of one damper to close will not prevent

CREFS Both Units Operating B 3.7.10 BASES (continued)

Vogtle Units 1 and 2 B 3.7.10-2 Rev. 1 - 11/08 BACKGROUND isolation. The CREFS in each unit is equipped with a lead/lag (continued) logic control circuit designed to control the operation of the CREFS in such a manner so as to preclude extended automatic start. In each unit, train B is the lead train and will start immediately upon receipt of a CRI signal. If train B fails to start, train A will start.

During the emergency mode of operation, air within the CRE is recirculated continuously through the emergency air conditioning units which contain upstream HEPA filters, charcoal absorbers, downstream HEPA filters, cooling coil, and fan. Cooling water is supplied by the Essential Chilled Water System. The outside air required for pressurization is mixed with the return air before it enters the filtration unit. Each unit has one outside air intake duct located such that it is protected from high energy line breaks, the introduction of airborne radioactive material from release points, and diesel generator exhaust fumes.

The CREFS is designed to maintain a habitable environment in the CRE environment for 30 days of continuous occupancy after a Design Basis Accident (DBA) without exceeding a 5 rem whole body dose or equivalent to any part of the body. This is accomplished by the following CREFS functions:

1. Pressurizing the CRE to 0.125-inch water gage pressure relative to external areas adjacent to the CRE boundary to minimize any unfiltered inleakage into the CRE through the CRE boundary during a radiological accident, and

2. Removal of airborne radioactivity by circulating air through carbon adsorbers.

In addition, the CREFS is designed to ensure that the CRE temperature will not exceed equipment operational requirements following a CRI actuation. This is accomplished by the cooling coils supplied by the Essential Chilled Water System, LCO 3.7.14, "Engineered Safety Features (ESF) Room Cooler and Safety-Related Chiller System" that are part of each CREFS train. At the normal system air flow rate of 19,000 cfm, each CREFS train is capable of maintaining the CRE temperature 85°F. The CREFS operation in maintaining the CRE temperature and habitability is discussed in the FSAR, Section 6.4 (Ref. 1).

The CREFS contains heaters that are controlled by the relative humidity of the air flowing through the system. The heaters automatically turn on at 70% relative humidity to limit the moisture

CREFS Both Units Operating B 3.7.10 BASES (continued)

Vogtle Units 1 and 2 B 3.7.10-3 Rev. 2 - 11/08 BACKGROUND content of the carbon adsorbers. Periodic operation of each (continued) CREFs train with the heater control circuit energized ensures the moisture content of the adsorbers is maintained 70% relative humidity.

The CREFS is also designed to remain functional during the safe shutdown earthquake, design basis tornado, loss of coolant accident, main steam line or feedwater line break, and single failure of any component in the system.

APPLICABLE The CREFS components are arr anged in redundant, safety related SAFETY ANALYSES ventilation trains. The location of components and ducting within the CRE ensures an adequate supply of filtered air to all areas requiring access. The CREFS provides airborne radiological protection for the CRE occupants, as demonstrated by the CRE occupant dose analyses for the most limiting design basis accident fission product release presented in the FSAR, Chapter 15 (Ref. 2).

The CREFS provides protection from smoke and hazardous chemicals to the CRE occupants. The analysis of hazardous chemical releases demonstrates that the 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> toxicity limit is not exceeded in the CRE and there is sufficient time between detection and reaching the short term toxicity limit, such that the operators have time to put on breathing apparatus following a toxic chemical release, as presented in Reference 1. CREFS is not required for toxic gas.

The evaluation of a smoke challenge demonstrates that it will not result in the inability of the CRE occupants to control the reactor either from the control room or from the remote shutdown panels (Ref. 1).

The worst case single active failure of a component of the CREFS, assuming a loss of offsite power, does not impair the ability of the system to perform its design function.

The CREFS satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO Two independent and redundant CREFS trains per unit are required to be OPERABLE to ensure that at least one is available if a single active failure disables the other train. Total system failure, such as from a loss of all ventilation trains or from an inoperable CRE boundary, could result in exceeding a dose of 5 rem whole body or its equivalent to any part of the body to the CRE occupants in the event of a large radioactive release.

CREFS Both Units Operating B 3.7.10 BASES (continued)

Vogtle Units 1 and 2 B 3.7.10-4 REVISION 11 LCO Each CREFS train is considered OPERABLE when the individual (continued) components necessary to limit CRE occupant exposure and ensure a CRE temperature of 85°F are OPERABLE. A CREFS train is OPERABLE when the associated:

a. Fan is OPERABLE;

b. HEPA filters and charcoal adsorbers are not excessively restricting flow, and are capable of performing their filtration functions;

c. Heater, demister, ductwork, valves, and dampers are OPERABLE, and air circulation can be maintained; and

d. Cooling coils and associated temperature control equipment are capable of performing their function.

In order for the CREFS trains to be considered OPERABLE, the CRE boundary must be maintained such that the CRE occupant dose from a large radioactive release does not exceed the calculated dose in the licensing basis consequence analyses for DBAs, and that CRE occupants are protected from hazardous chemicals and smoke.

The LCO is modified by a Note allowing the CRE boundary to be opened intermittently under administrative controls. This Note only applies to openings in the CRE boundary that can be rapidly restored to the design condition, such as doors, hatches, floor plugs, and access panels. For entry and exit through doors, the administrative control of the opening is performed by the person(s) entering or exiting the area. For other openings, these controls should be proceduralized and consist of stationing a dedicated individual at the opening who is in continuous communication with the operators in the CRE. This individual will have a method to rapidly close the opening and to restore the CRE boundary to a condition equivalent to the design condition when a need for CRE isolation is indicated.

APPLICABILITY In MODES 1, 2, 3, and 4, the CREFS must be OPERABLE to ensure that the CRE will remain habitable during and following a DBA.

CREFS Both Units Operating B 3.7.10 BASES (continued)

(continued)

Vogtle Units 1 and 2 B 3.7.10-5 Rev. 2 - 11/08 ACTIONS The following ACTIONS have been developed to take credit for the redundancy and inherent flexibility designed into the four 100% capacity CREFS trains. These ACTIONS were reviewed to ensure that the system function would be maintained under accident conditions coupled with a postulated single failure. The results of this review are documented in Reference 3.

A.1 With a single CREFS train inoperable for reasons other than Condition D, action must be taken to restore the CREFS train to OPERABLE status, or one train of CREFS in the unaffected unit must be placed in the emergency mode of operation within 7 days. In this condition, the remaining OPERABLE CREFS train is adequate to perform the CRE occupant protection function. However, the overall reliability is reduced because a failure in the OPERABLE CREFS train could result in a loss of the CREFS function for the affected unit. Placing one CREFS train in the unaffected unit in the emergency mode of operation ensures the CRE protected for all postulated accident and single failure conditions. In addition, the capability of the CREFS to pressurize the CRE, limit the radiation dose, and provide adequate cooling remains undiminished. The 7 day Completion Time is based on the low probability of an event occurring during this time interval that would require CREFS operation and the capability of the remaining OPERABLE CREFS train to provide protection for the CRE occupants.

B.1 With one CREFS train inoperable in each unit for reasons other than Condition D, action must be taken to restore the CREFS trains to OPERABLE status or the two remaining OPERABLE CREFS trains must be placed in the emergency mode of operation within 7 days. In this condition, the remaining OPERABLE CREFS trains are adequate to perform the CRE occupant protection function for each unit. However, the overall reliability is reduced because a failure in one of the OPERABLE CREFS trains could result in a loss of the CREFS function for the affected unit. Placing one CREFS train in the emergency mode of operation in each unit ensures the CRE occupants remain protected for all postulated accident and single failure conditions. In addition, the capability of the CREFS to pressurize the CRE,

CREFS Both Units Operating B 3.7.10 BASES (continued)

Vogtle Units 1 and 2 B 3.7.10-6 Rev. 3 - 11/08 ACTIONS B.1 (continued) limit the radiation dose, and provide adequate cooling remains undiminished. The 7 day Completion Time is based on the low probability of an event occurring during this time interval that would require CREFS operation and the capability of the remaining OPERABLE CREFS trains to provide protection for the

CRE occupants.

C.1 With two CREFS trains inoperable in one unit for reasons other than Condition D, action must be taken to protect the CRE occupants for the affected unit immediately. In this condition, there is no CREFS function for one unit. The two CREFS trains in the unaffected unit must be placed in the emergency mode of operation immediately. Placing two CREFS trains in the emergency mode of operation in the unaffected unit ensures the CRE occupants remain protected for all postulated accident and single failure conditions. In addition, the capability of the CREFS to pressurize the CRE, limit the radiation dose, and provide adequate cooling remains undiminished. Due to the loss of the CREFS function for one unit, the completion time of immediately is specified.

D.1 If the unfiltered inleakage of potentially contaminated air past the CRE boundary and into the CRE can result in CRE occupant radiological dose greater than the calculated dose of the licensing basis analyses of DBA consequences (allowed to be up to 5 rem whole body or its equivalent to any part of the body), or inadequate protection of CRE occupants from hazardous chemicals or smoke, the CRE boundary is inoperable. Actions must be taken to restore an OPERABLE CRE boundary within 90 days.

During the period that the CRE boundary is considered inoperable, action must be initiated to implement mitigating actions to lessen the effect on CRE occupants from the potential hazards of a radiological or chemical event or a challenge from smoke. Actions must be taken within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to verify that in the event of a DBA, the mitigating actions will ensure that CRE occupant radiological exposures will not exceed the calculated dose of the licensing basis analyses of DBA consequences, and

CREFS One Unit Operating B 3.7.11 (continued)

Vogtle Units 1 and 2 B 3.7.11-1 Rev. 2 - 11/08 B 3.7 PLANT SYSTEMS

B 3.7.11 Control Room Emergency Filtration System (CREFS One Unit Operating)

BASES BACKGROUND A description of the CREFS is provided in the Bases for LCO 3.7.10, "CREFS Both Units Operating." APPLICABLE The Applicable Safety Analyses section of the Bases for SAFETY ANALYSES LCO 3.7.10 also applies to this Bases section.

The CREFS provides airborne radiological protection for the control room envelope (CRE) occupants in the event of the most limiting design basis accident (DBA) in the operating unit as well as for a design basis fuel handling accident in the shutdown unit. The CREFS also provides protection from smoke and hazardous chemicals to the CRE occupants.

LCO As this LCO requires all four CREFS trains OPERABLE, the LCO section of the Bases for LCO 3.7.10 also applies to this Bases

section. The LCO is modified by a Note allowing the CRE boundary to be opened intermittently under administrative controls. This Note only applies to openings in the CRE boundary that can be rapidly restored to the design condition, such as doors, hatches, floor plugs, and access panels. For entry and exit through doors, the administrative control of the opening is performed by the person(s) entering or exiting the area. For other openings, these controls should be proceduralized and consist of stationing a dedicated individual at the opening who is in continuous communication with the operators in the CRE. This individual will have a method to rapidly close the opening and to restore the CRE boundary to a condition equivalent to the design condition when a need for CRE isolation is indicated.

APPLICABILITY In MODES 1, 2, 3, and 4 the CREFS must be OPERABLE to ensure that the CRE will remain habitable and maintain the CRE temperature during and following a DBA in the operating unit.

The LCO requirements and ACTIONS of this LCO bound the movement of irradiated fuel or CORE ALTERATIONS in the shutdown unit as well. During movement of irradiated fuel or CORE ALTERATIONS, the CREFS must be OPERABLE to

CREFS One Unit Operating B 3.7.11 BASES (continued)

Vogtle Units 1 and 2 B 3.7.11-2 Rev. 2 - 11/08 APPLICABILITY ensure that the CRE will remain habitable and maintain the CRE (continued) temperature during and following a DBA.

ACTIONS The following ACTIONS have been developed to take credit for the redundancy and inherent flexibility designed into the four 100% capacity CREFS trains.

These ACTIONS were reviewed to ensure that the system function would be maintained under accident conditions coupled with a postulated single failure. The results of this review are

documented in Reference 1.

A.1 With a single CREFS train inoperable in the operating unit for reasons other than Condition F, action must be taken to restore the CREFS train to OPERABLE status or one CREFS train in the shutdown unit must be placed in the emergency mode of operation within 7 days. In this condition the remaining OPERABLE CREFS train is adequate to perform the CRE occupant protection function. However, the overall reliability is reduced because a failure in the OPERABLE CREFS train could result in a loss of the CREFS function for the operating unit.

Placing one CREFS train in the shutdown unit in the emergency

mode of operation ensures the CRE occupants remain protected for all postulated accident and single failure conditions. In addition, the capability of the CREFS to pressurize the CRE, limit the radiation dose, and provide adequate cooling remains undiminished. The 7 day Completion Time is based on the low probability of an event occurring during this time interval that would require CREFS operation and the capability of the remaining OPERABLE CREFS train to provide protection for the

CRE occupants.

B.1 and B.2

With a single CREFS train inoperable in the shutdown unit for reasons other than Condition F, action must be taken to restore the CREFS train to OPERABLE status or lock closed the outside air (OSA) dampers in the shutdown unit and lock open the OSA dampers in the operating unit or one train of CREFS in the operating unit must be placed in the emergency mode of

operation within 7 days.

In this condition the remaining OPERABLE CREFS train is adequate to perform the CRE occupant protection function.

CREFS One Unit Operating B 3.7.11 BASES (continued)

Vogtle Units 1 and 2 B 3.7.11-3 Rev. 2 - 11/08 ACTIONS B.1 and B.2 (continued)

However, the overall reliability is reduced because a failure in the OPERABLE CREFS train could result in a loss of the CREFS function for the shutdown unit. Locking closed the OSA dampers in the shutdown unit and locking open the OSA dampers in the operating unit ensure that all CRE air intake is monitored by redundant radiogas monitors that actuate OPERABLE CREFS trains. Placing one CREFS train in the operating unit in the emergency mode of operation ensures the CRE occupants remain protected for all postulated accident and single failure conditions.

In addition, the capability of the CREFS to pressurize the CRE, limit the radiation dose, and provide adequate cooling remains undiminished. The 7 day Completion Time is based on the low probability of an event occurring during this time interval that would require CREFS operation and the capability of the remaining OPERABLE CREFS train to provide protection for the

CRE occupants.

C.1 and C.2 With one CREFS train inoperable in each unit for reasons other than Condition F, action must be taken to restore the CREFS trains to OPERABLE status or lock close the OSA dampers in the shutdown unit and lock open the OSA dampers in the operating unit and place the OPERABLE CREFS train in the shutdown unit in the emergency mode within 7 days. Locking closed the OSA dampers in the shutdown unit and locking open the OSA dampers in the operating unit ensure that all CRE air intake is monitored by redundant radiogas monitors that actuate an OPERABLE CREFS train. Placing the OPERABLE CREFS train of the shutdown unit in the emergency mode of operation ensures the CRE occupants remain protected for all postulated accident and single failure conditions.

In addition, the capability of the CREFS to pressurize the CRE, limit the radiation dose, and provide adequate cooling remains undiminished. The 7 day Completion Time is based on the low probability of an event occurring during this time interval that would require CREFS operation and the capability of the remaining OPERABLE CREFS train to provide protection for the

CRE occupants.

CREFS One Unit Operating B 3.7.11 BASES (continued)

Vogtle Units 1 and 2 B 3.7.11-4 Rev. 2 - 11/08 ACTIONS D.1 (continued) With two CREFS trains inoperable in the operating unit for reasons other than Condition F, action must be taken to place other CREFS trains in the shutdown unit in the emergency mode immediately. In this condition, there is no CREFS function for the operating unit. The two CREFS trains in the shutdown unit must be placed in the emergency mode of operation immediately. Placing two CREFS trains in the emergency mode of operation in the shutdown unit ensures the CRE occupants remain protected for all postulated accident and single failure conditions. In addition, the capability of the CREFS to pressurize the CRE, limit the radiation dose, and provide adequate cooling remains undiminished. Due to the loss of the CREFS function for one unit, the completion time of immediately is specified.

E.1 and E.2 With two trains inoperable in the shutdown unit for reasons other than Condition F, action must be taken to lock close the OSA dampers in the shutdown unit and lock open the OSA dampers in the operating unit or place both the operating unit CREFS trains in the emergency mode immediately. In this condition, there is no CREFS function for the shutdown unit. Locking closed the OSA dampers in the shutdown unit and locking open the OSA dampers in the operating unit ensure that all CRE air intake is monitored by redundant radiogas monitors that actuate OPERABLE CREFS trains. Placing two CREFS trains in the emergency mode of operation in the operating unit ensures the CRE occupants remain protected for all postulated accident and single failure conditions. In addition, the capability of the CREFS to pressurize the CRE, limit the radiation dose, and provide adequate cooling remains undiminished. Due to the loss of the CREFS function for one unit, the completion time of immediately is specified.

F.1 If the unfiltered inleakage of potentially contaminated air past the CRE boundary and into the CRE can result in CRE occupant radiological dose greater than the calculated dose of the licensing basis analyses of DBA consequences (allowed to be up to 5 rem whole body or its equivalent to any part of the body), or inadequate protection of CRE occupants from hazardous chemicals or smoke, the CRE boundary is inoperable. Actions must be taken to restore an OPERABLE CRE boundary within 90 days.

CREFS Both Units Shutdown B 3.7.12 (continued)

Vogtle Units 1 and 2 B 3.7.12-1 Rev. 1 - 11/08 B 3.7 PLANT SYSTEMS

B 3.7.12 Control Room Emergency Filtration System (CREFS) Both Units Shut Down

BASES BACKGROUND A description of the CREFS is provided in the Bases for LCO 3.7.10, "CREFS Both Units Operating." APPLICABLE The Applicable portions of the Safety Analyses section of SAFETY ANALYSES the Bases for LCO 3.7.10 also apply to this Bases section.

During movement of irradiated fuel or CORE ALTERATIONS, the CREFS ensures that the control room envelope (CRE) will remain habitable for the CRE occupants in the event of the most limiting design basis fuel handling accident in either shutdown unit. The CREFS provides protection from smoke and hazardous chemicals to the CRE occupants. The CREFS also functions to maintain the CRE temperature after a Control Room Isolation (CRI).

LCO As this LCO requires all four CREFS trains OPERABLE, the LCO section of the Bases for LCO 3.7.10 also applies to this Bases

section. The LCO is modified by a Note allowing the CRE boundary to be opened intermittently under administrative controls. This Note only applies to openings in the CRE boundary that can be rapidly restored to the design condition, such as doors, hatches, floor plugs, and access panels. For entry and exit through doors, the administrative control of the opening is performed by the person(s) entering or exiting the area. For other openings, these controls should be proceduralized and consist of stationing a dedicated individual at the opening who is in continuous communication with the operators in the CRE. This individual will have a method to rapidly close the opening and to restore the CRE boundary to a condition equivalent to the design condition when a need for CRE isolation is indicated.

APPLICABILITY The Applicability specifies when both units have an average RCS temperature of 200°F during movement of irradiated fuel or CORE ALTERATIONS. The temperature related Applicability requires CREFS OPERABLE even in a defueled state where no MODE is applicable and fuel may still be moved or in movement.

CREFS Both Units Shutdown B 3.7.12 BASES (continued)

Vogtle Units 1 and 2 B 3.7.12-2 Rev. 1 - 11/08 APPLICABITLITY During the movement of irradiated fuel or CORE ALTERATIONS (continued) in either unit, the CREFS must be OPERABLE to provide a habitable environment for the CRE occupants and maintain the CRE temperature during and following a design basis radiological release.

ACTIONS The following ACTIONS have been developed to take credit for the redundancy and inherent flexibility designed into the four 100% capacity CREFS trains. These ACTIONS were reviewed to ensure that the system function would be maintained for the design basis accident. The results of this review are documented

in Reference 1.

A.1 and A.2

With a single CREFS train inoperable in one of the shutdown units, action must be taken to restore the CREFS train to OPERABLE status or lock closed the outside air (OSA) dampers in the affected unit and lock open the OSA dampers in the unaffected unit or one CREFS train in the unaffected unit must be placed in the emergency mode of operation within 7 days. In this condition, the remaining OPERABLE CREFS train is adequate to perform the CRE occupant protection function. However, the overall reliability is reduced because a failure in the OPERABLE CREFS train could result in a loss of the CREFS function for the affected unit. Locking closed the OSA dampers in the affected unit and locking open the OSA dampers in the unaffected unit ensure that all CRE air intake is monitored by redundant radiogas monitors that actuate OPERABLE CREFS trains. Placing one CREFS train in the unaffected unit in the emergency mode of operation ensures the CRE occupants remain protected for all postulated accident and single failure conditions. In addition, the capability of the CREFS to pressurize the CRE, limit the radiation dose, and provide adequate cooling remains undiminished. The 7 day Completion Time is based on the low probability of an event occurring during this time interval that would require CREFS operation and the capability of the remaining OPERABLE CREFS train to provide protection for the CRE occupants.

B.1 With a CREFS train inoperable in each shutdown unit, action must be taken to restore the CREFS train to OPERABLE status or place one train of CREFS in the emergency mode of operation within 7 days. In this condition, the remaining OPERABLE

CREFS Both Units Shutdown B 3.7.12 BASES (continued)

Vogtle Units 1 and 2 B 3.7.12-3 Rev. 1 - 11/08 ACTIONS B.1 (continued)

CREFS trains are adequate to perform the CRE occupant protection function.

However, the overall reliability is reduced. Placing one CREFS train in the emergency mode of operation ensures the CRE occupants remain protected for all postulated accident conditions. In addition, the capability of the CREFS to pressurize the CRE, limit the radiation dose, and provide adequate cooling remains undiminished. The 7 day Completion Time is based on the low probability of an event occurring during this time interval that would require CREFS operation and the capability of the remaining OPERABLE CREFS trains to provide protection for the

CRE occupants.

C.1 and C.2

With two CREFS trains inoperable in one unit, action must be taken to lock closed the OSA dampers in the affected unit and lock open the OSA dampers in the unaffected unit or place one train of CREFS in the unaffected unit in the emergency mode of operation immediately. In this condition, the affected unit has no CREFS function. Locking closed the OSA dampers in the affected unit and locking open the OSA dampers in the unaffected unit ensures that all CRE air intake is monitored by redundant radiogas monitors that actuate OPERABLE redundant CREFS trains. Placing a CREFS train in the unaffected unit in the emergency mode of operation ensures the CRE occupants remain protected for all postulated accident conditions. In addition, the capability of the CREFS to pressurize the CRE, limit the radiation dose, and provide adequate cooling remains undiminished. Since in this condition one unit has no CREFS function, an immediate Completion Time is specified.

D.1, D.2.1, D.2.2.1, and D.2.2.2

With three CREFS trains inoperable, action must be taken to place the remaining CREFS train in the emergency mode of operation or lock closed the OSA dampers in the unit with two inoperable systems and lock open the OSA dampers in the unit with one inoperable system immediately.

If the OSA dampers are positioned according to Required Action D.2.1, one train of CREFS must then be restored to

CREFS Both Units Shutdown B 3.7.12 BASES (continued)

Vogtle Units 1 and 2 B 3.7.12-4 Rev. 1 - 11/08 ACTIONS D.1, D.2.1, D.2.2.1, and D.2.2.2 (continued)

OPERABLE status or the remaining CREFS train must be placed in the emergency mode of operation within the following 7 days.

Placing the remaining CREFS train in the emergency mode of operation ensures the CRE occupants remain protected for all postulated accident conditions. In addition, the capability of the CREFS to pressurize the CRE, limit the radiation dose, and provide adequate cooling remains undiminished. Alternatively, locking closed the OSA dampers in the unit with two inoperable CREFS trains and locking open the OSA dampers in the unit with one OPERABLE CREFS train ensures that all CRE air intake is monitored by redundant radiogas monitors that actuate an OPERABLE CREFS train. Once the dampers have been positioned, 7 days are allowed before the remaining CREFS train must be placed in the emergency mode of operation. The 7 day Completion Time is based on the low probability of an event occurring during this time interval that would require CREFS operation and the capability of the remaining OPERABLE CREFS train to provide protection for the CRE occupants.

E.1 and E.2

With four trains of CREFS inoperable, or if the CREFS train required to be in the emergency mode of operation by the other Required Actions of this LCO is not capable of being powered by an OPERABLE emergency power source, or with one or more CREFS trains inoperable due to an inoperable CRE boundary, action must be taken to suspend movement of irradiated fuel assemblies and CORE ALTERATIONS immediately. In this condition, the CRE occupants cannot be fully protected from accidents resulting in significant releases of radioactivity.

Suspending the movement of irradiated fuel and CORE ALTERATIONS removes the potential for accidents that may release significant amounts of airborne radioactivity.

F.1 With the CRE air temperature outside its limit, action must be taken to restore the air temperature to within the limit within 7 days. If the CRE air temperature exceeds its limit, the ability of a single train of CREFS to maintain CRE temperature after a CRI may be affected. The completion time of 7 days is reasonable considering the number of CREFS trains available to perform the required temperature control function and the low probability of an event occurring that would require the CREFS operation during

that time.

CREFS Both Units Shutdown B 3.7.12 BASES (continued)

Vogtle Units 1 and 2 B 3.7.12-5 Rev. 2 - 11/08 SURVEILLANCE SR 3.7.12.1 REQUIREMENTS SR 3.7.12.1 requires that the SRs specified in LCO 3.7.10 be applicable for this LCO as well. The description and Frequencies of those required SRs are included in the Bases for LCO 3.7.10.

REFERENCES 1. VEGP Calculation No. X6CNA.09.01, Control Room HVAC Technical Specifications, October 21, 1988.

ESF Room Cooler and Safety-Related Chiller System B 3.7.14 (continued)

Vogtle Units 1 and 2 B 3.7.14-3 Rev. 2-8/05 BASES LCO b. The associated chilled water system, including the chiller, (continued) water pump, piping, valves, and instrumentation required to perform the safety-related function is OPERABLE.

The LCO is modified by a Note that allows one safety-related chiller train to be removed from service for up to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> under administrative controls for surveillance testing of the other chiller train. This note is required to allow surveillance testing to be performed separately on each safety-related chiller train. Such testing may include individual automatic starts of each chiller train. Administrative controls must be in place to ensure the train removed from service can be rapidly returned to service if the need arises. When this note is utilized, the train removed from service is not required OPERABLE during the testing of the other

train. APPLICABILITY In MODES 1, 2, 3, and 4, the ESF room cooler and safety-related chiller system must be OPERABLE to provide a safety-related cooling function consistent with the OPERABILITY requirements of the ESF equipment it supports. In MODES 5 or 6, there are no TS OPERABILITY requirements for the ESF room cooler and safety-related chiller system. However, the functional requirements of the ESF room cooler and safety-related chiller

system to provide supplemental cooling for normal HVAC are determined by the systems it supports. In these MODES, any supplemental cooling provided by the ESF room cooler and safety-related chiller system is not a required safety function of

the system.

ACTIONS A.1 If one ESF room cooler and safety-related chiller system train is inoperable, action must be taken to restore the train to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. In this Condition, the remaining OPERABLE ESF room cooler and safety-related chiller system train is adequate to perform the heat removal function for its associated ESF equipment.

However, the overall reliability is reduced because a single failure in the OPERABLE ESF room cooler and safety-related chiller system train could result in loss of the ESF room cooler and safety-related chiller system function. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is based on the redundant capabilities afforded by the OPERABLE train, and the low probability of a DBA occurring during this time.

ESF Room Cooler and Safety-Related Chiller System B 3.7.14 (continued)

Vogtle Units 1 and 2 B 3.7.14-4 REVISION 14 BASES ACTIONS B.1 and B.2 (continued)

If the ESF room cooler and safety-related chiller system train cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.7.14.1 REQUIREMENTS Verifying the correct alignment for manual, power operated, and

automatic valves servicing safety-related equipment provides assurance that the proper flow paths exist for ESF room cooler and safety-related chiller system operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since they are verified to be in the correct position prior to being locked, sealed, or secured. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.14.2 This SR verifies proper automatic operation of the ESF room cooler

and safety-related chiller system valves servicing safety-related equipment on an actual or simulated actuation signal. The safety-related chiller trains are also required to operate on a CRI signal.

This surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative

ESF Room Cooler and Safety-Related Chiller System B 3.7.14 Vogtle Units 1 and 2 B 3.7.14-5 REVISION 14 BASES SURVEILLANCE SR 3.7.14.2 (continued) REQUIREMENTS controls. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.14.3

This SR verifies proper operation of the ESF room cooler and safety-related chiller system fans and pumps on an actual or simulated actuation signal. The safety-related chiller system is also required to automatically start on a CRI signal.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 7.3.

2. FSAR, Section 9.4.

Fuel Storage Pool Water Level B 3.7.15 (continued)

Vogtle Units 1 and 2 B 3.7.15-1 REVISION 31 B 3.7 PLANT SYSTEMS

B 3.7.15 Fuel Storage Pool Water Level

BASES BACKGROUND The minimum water level in the fuel storage pool meets the assumptions of iodine decontamination factors following a fuel handling accident. The specified water level shields and minimizes the general area dose when the storage racks are filled to their maximum capacity. The water also provides shielding during the movement of spent fuel.

A general description of the fuel storage pool design is given in the FSAR, Subsection 9.1.2 (Ref. 1). A description of the Spent Fuel Pool Cooling and Cleanup System is given in the FSAR, Subsection 9.1.3 (Ref. 2). The assumptions of the fuel handling accident are given in the FSAR, Subsection 15.7.4 (Ref. 3).

APPLICABLE The minimum water level in the fuel storage pool meets SAFETY ANALYSES the assumptions of the fuel handling accident described in Regulatory Guide 1.195 (Ref. 4). The resultant 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> thyroid dose per person at the exclusion area boundary is a small fraction of the 10 CFR 100 (Ref. 5) limits.

According to Reference 4, there is 23 ft of water between the top of the damaged fuel bundle and the fuel pool surface during a fuel handling accident. With 23 ft of water, the assumptions of Reference 4 can be used directly. In practice, this LCO preserves this assumption for the bulk of the fuel in the storage racks. In the case of a single bundle dropped and lying horizontally on top of the spent fuel racks, however, there may be < 23 ft of water above the top of the fuel bundle and the surface, indicated by the width of the bundle. To offset this small nonconservatism, the analysis assumes that all fuel rods fail, although analysis shows that only the first few rows fail from a hypothetical maximum drop.

The analyses also assume a limited number of fuel rods are damaged in a second fuel bundle.

The fuel storage pool water level satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

Fuel Storage Pool Water Level B 3.7.15 (continued)

Vogtle Units 1 and 2 B 3.7.15-2 Revision No. 0 BASES (continued)

LCO The fuel storage pool water level is required to be 23 ft over the top of irradiated fuel assemblies seated in the storage racks. The specified water level preserves the assumptions of the fuel handling accident analysis (Ref. 3). As such, it is the minimum required for fuel storage and movement within the fuel storage

pool. APPLICABILITY This LCO applies during movement of irradiated fuel assemblies in the fuel storage pool, since the potential for a release of fission products exists.

ACTIONS A.1 Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply.

When the initial conditions for prevention of an accident cannot be met, steps should be taken to preclude the accident from occurring. When the fuel storage pool water level is lower than the required level, the movement of irradiated fuel assemblies in the fuel storage pool is immediately suspended to a safe position.

This action effectively precludes the occurrence of a fuel handling accident. This does not preclude movement of a fuel assembly to a safe position.

If moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODES 1, 2, 3, and 4, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require a reactor shutdown.

SURVEILLANCE SR 3.7.15.1 REQUIREMENTS This SR verifies sufficient fuel storage pool water is available in the event of a fuel handling accident. The

Fuel Storage Pool Water Level B 3.7.15 Vogtle Units 1 and 2 B 3.7.15-3 REVISION 31 BASES SURVEILLANCE SR 3.7.15.1 (continued) REQUIREMENTS water level in the fuel storage pool must be checked periodically.

The Surveillance Frequency is controlled under the Surveillance

Frequency Control Program.

During refueling operations, the level in the fuel storage pool is in equilibrium with the refueling canal, and the level in the refueling canal is checked daily in accordance with SR 3.9.7.1.

REFERENCES 1. FSAR, Subsection 9.1.2.

2. FSAR, Subsection 9.1.3.

3. FSAR, Subsection 15.7.4.

4. Regulatory Guide 1.195, May 2003.

5. 10 CFR 100.11.

µ

µ

Secondary Specific Activity B 3.7.16 (continued)

Vogtle Units 1 and 2 B 3.7.16-3 REVISION 14 BASES LCO to place the unit in an operational MODE that would minimize (continued) the radiological consequences of a DBA.

APPLICABILITY In MODES 1, 2, 3, and 4, the limits on secondary specific activity apply due to the potential for secondary steam releases to the

atmosphere.

In MODES 5 and 6, the steam generators are not being used for heat removal. Both the RCS and steam generators are depressurized, and primary to secondary LEAKAGE is minimal.

Therefore, monitoring of secondary specific activity is not

required.

ACTIONS A.1 and A.2 DOSE EQUIVALENT I-131, exceeding the allowable value in the secondary coolant, is an indication of a problem in the RCS and contributes to increased post accident doses. If the secondary specific activity cannot be restored to within limits within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, and in MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.7.16.1 REQUIREMENTS This SR verifies that the secondary specific activity is within the limits of the accident analysis. A gamma isotopic analysis of the secondary coolant, which determines DOSE EQUIVALENT I-131, confirms the validity of the safety analysis assumptions as to the source terms in post accident releases. It also serves to identify and trend any unusual isotopic concentrations that might indicate changes in reactor coolant activity or LEAKAGE.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Secondary Specific Activity B 3.7.16 Vogtle Units 1 and 2 B 3.7.16-4 Revision No. 0 BASES (continued)

REFERENCES 1. 10 CFR 100.11.

2. FSAR, Chapter 15.

Fuel Storage Pool Boron Concentration B 3.7.17 (continued)

Vogtle Units 1 and 2 B 3.7.17-1 Rev. 3-9/05 B 3.7 PLANT SYSTEMS

B 3.7.17 Fuel Storage Pool Boron Concentration

BASES BACKGROUND Fuel assemblies are stored in high density racks. The Unit 1 spent fuel storage racks contain storage locations for 1476 fuel assemblies, and the Unit 2 spent fuel storage racks contain storage locations for 2098 fuel assemblies. The Unit 1 racks use boral as a neutron absorber in a flux trap design. The Unit 2 racks contain Boraflex, however, no credit is taken for Boraflex.

Westinghouse 17x17 fuel assemblies with initial enrichments of up to and including 5.0 weight percent U-235 can be stored in any location in the Unit 1 or Unit 2 fuel storage pool provided the fuel burnup-enrichment combinations are within the limits that are specified in Figures 3.7.18-1 (Unit 1) or 3.7.18-2 (Unit 2) of the Technical Specifications. Fuel assemblies that do not meet the burnup-enrichment combination of Figures 3.7.18-1 or 3.7.18-2 may be stored in the storage pools of Units 1 or 2 in accordance with checkerboard storage configurations described in Figures 4.3.1-1 through 4.3.1-10. The acceptable fuel assembly storage configurations are based on NRC-approved acceptance criteria for crediting soluble boron as described in the NRC's safety evaluation report in WCAP-14416-P-A (Reference 4).

The Westinghouse Spent Fuel Rack Criticality Methodology ensures that the multiplication factor, K eff, of the fuel and spent fuel storage racks is less than or equal to 0.95 as recommended by ANSI 57.2-1983 (Reference 3) and NRC guidance (References 1, 2 and 6). The codes, methods, and techniques contained in the methodology are used to satisfy this criterion on K eff. The analysis methodology employs: (1) SCALE-PC, a personal computer version of the SCALE-4.3 code system, with the updated SCALE-4.3 version of the 44 group ENDF/B-V neutron cross section library, and (2) the two-dimensional integral transport code DIT with an ENDF/B-VI neutron cross section library.

SCALE-PC was used for calculations involving infinite arrays for the "2-out-of-4", "3-out-of-4", "All-Cell", and "3x3" fuel assembly storage configurations. In addition, it was employed in a full pool representation of the storage racks to evaluate soluble boron worth and postulated accidents.

SCALE-PC, used in both the benchmarking and the fuel assembly storage configurations, includes the control module CSAS25 and the following functional modules: BONAMI, NITAWL-II, and KENO V.a.

Fuel Storage Pool Boron Concentration B 3.7.17 (continued)

Vogtle Units 1 and 2 B 3.7.17-2 Rev. 3-9/05 BASES BACKGROUND The DIT code is used for simulation of in-reactor fuel assembly (continued) depletion. KENO V.a was used in the calculation of biases and uncertainties.

Reference 4 describes how credit for fuel storage pool soluble boron is used under normal storage configuration conditions. The storage configuration is defined using K eff calculations to ensure that the K eff will be less than 1.0 with no soluble boron under normal storage conditions including tolerances and uncertainties. Soluble boron credit is then used to maintain K eff less than or equal to 0.95. The analyses assumed 19.9% of the boron atoms have atomic weight 10 (B-10). However, to account for the effects of variations in the natural abundance of B-10, the calculated boron concentrations, as well as the concentrations for accidents, were adjusted to correspond to a B-10 fraction of 19.7%.

The Unit 1 pool requires 511 ppm and the Unit 2 pool requires 394 ppm to maintain K eff less than or equal to 0.95 for all allowed combinations of storage configurations, enrichments, and burnups.

This methodology was used to evaluate the storage of fuel with initial enrichments up to and including 5.0 weight percent U-235 in the Vogtle fuel storage pools. The resulting enrichment, and burnup limits for the Unit 1 and Unit 2 pools, respectively, are shown in Figures 3.7.18-1 and 3.7.18-2. Checkerboard storage configurations are defined to allow storage of fuel that is not within the acceptable burnup domain of Figures 3.7.18-1 and 3.7.18-2.

These storage requirements are shown in Figures 4.3.1-1 through 4.3.1-10. A boron concentration of 2000 ppm assures that no credible dilution event will result in a Keff of > 0.95.

APPLICABLE The soluble boron concentration, in units of ppm, required to maintain SAFETY ANALYSES K eff less than or equal to 0.95 under accident conditions is determined by first surveying all possible events which increase the K eff value of the spent fuel pool. The accident event which produced the largest increase in spent fuel pool K eff value is employed to determine the required soluble boron concentration necessary to mitigate this and all less severe accident events. The list of accident cases considered includes:

Dropped fresh fuel assembly on top of the storage racks, Misloaded fresh fuel assembly into an incorrect storage rack location, Misloaded fresh fuel assembly outside of the storage racks, Fuel Storage Pool Boron Concentration B 3.7.17 (continued)

Vogtle Units 1 and 2 B 3.7.17-3 Rev. 3-9/05 BASES Reduction in rack module-to-module water gap due to seismic event, Spent fuel pool temperature outside the normal range of 50 F to 185 F. From a criticality standpoint, a dropped assembly accident occurs when a fuel assembly in its most reactive condition is dropped onto the storage racks. The rack structure from a criticality standpoint is not excessively deformed. Previous accident analysis with unborated water showed that the dropped assembly which comes to rest horizontally on top of the rack has sufficient water separating it from the active fuel height of stored assemblies to preclude neutronic interaction. For the borated water condition, the interaction is even less since the water contains boron, an additional thermal neutron absorber.

Several fuel mishandling events were simulated with KENO V.a to assess the possible increase in the K eff value of the spent fuel pools. The fuel mishandling events all assumed that a fresh Westinghouse OFA fuel assembly enriched to 5.0 w/o 235U (and no burnable poisons) was misloaded into the described area of the spent fuel pool. These cases were simulated with the KENO V.a model for the entire spent fuel pool.

For Unit 1, the fuel mishandling event which produced the largest increase in spent fuel pool K eff value is the misloading of a fresh fuel assembly between a "3-out-of-4" fuel assembly storage configuration and the pool wall. The additional soluble boron concentration necessary to mitigate this and all less severe accident events is 340 ppm.

For Unit 2, the fuel mishandling event which produced the largest increase in spent fuel pool K eff value is the misloading of a fresh fuel assembly in an incorrect storage rack location for the "2-out-of-4" configuration. The additional soluble boron concentration necessary to mitigate this and all less severe accident events is 704 ppm.

For the accident due to a seismic event, the gap between rack modules was reduced to zero. For both Units 1 and 2, the reactivity increase is an order of magnitude less than that for the fuel mishandling events.

An increase in the temperature of the water passing through the stored fuel assemblies causes a decrease in water density which results in an addition of negative reactivity for flux trap design racks such as the

APPLICABLE SAFETY ANALYSES (continued)

Fuel Storage Pool Boron Concentration B 3.7.17 (continued)

Vogtle Units 1 and 2 B 3.7.17-4 Rev. 3-9/05 BASES APPLICABLE Unit 1 racks. However, since Boraflex is not considered to be present SAFETY ANALYSES for the Unit 2 racks and the fuel storage pool water has a high (continued) concentration of boron, a density decrease causes a positive reactivity addition. The reactivity effects of a temperature range from 32 F to 240 F were evaluated. This bounds the temperature range assumed in the criticality analyses (50 F to 185 F). The increase in reactivity due to the decrease in temperature below 50 F is bounded by the misplacement of a fuel assembly between the rack and pool walls for the Unit 1 racks. The increase in reactivity due to the increase in temperature is bounded by the misload accident, for the Unit 2 racks.

Including the effects of accidents, the maximum required boron concentration to maintain Keff 0.95 is 851 ppm for Unit 1 and 1098 ppm for Unit 2 which is well below the limit of 2000 ppm.

The concentration of dissolved boron in the fuel storage pool satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO The fuel storage pool boron concentration is required to be

> 2000 ppm. The specified concentration of dissolved boron in the fuel storage pool preserves the assumptions used in the analyses of the potential criticality accident scenarios as described in reference 5. The amount of soluble boron required to offset each of the above postulated accidents was evaluated for all of the proposed storage configurations. That evaluation established the amount of soluble boron necessary to ensure that Keff will be maintained less than or equal to 0.95 should pool temperature exceed the assumed range or a fuel assembly misload occur. The amount of soluble boron necessary to mitigate these events was determined to be 851 ppm for Unit 1 and 1098 ppm for Unit 2. The specified minimum boron concentration of 2000 ppm assures that the concentration will remain above these values. In addition, the boron concentration is consistent with the boron dilution evaluation that demonstrated that any credible dilution event could be terminated prior to reaching the boron concentration for a Keff of > 0.95. These values are 511 ppm for Unit 1 and 394 ppm for Unit 2.

APPLICABILITY This LCO applies whenever fuel assemblies are stored in the spent fuel storage pool.

Fuel Storage Pool Boron Concentration B 3.7.17 (continued)

Vogtle Units 1 and 2 B 3.7.17-5 REVISION 14 BASES (continued)

ACTIONS A.1, A.2.1, and A.2.2 The Required Actions are modified by a Note indicating that LCO 3.0.3 does not apply.

When the concentration of boron in the fuel storage pool is less than required, immediate action must be taken to preclude the occurrence of an accident or to mitigate the consequences of an accident in progress. This is most efficiently achieved by immediately suspending the movement of fuel assemblies. Immediate action to restore the concentration of boron is also

required simultaneously with suspending movement of fuel assemblies. This does not preclude movement of a fuel assembly to a safe position If the LCO is not met while moving irradiated fuel assemblies in MODE 5 or 6, LCO 3.0.3 would not be applicable. If moving irradiated fuel assemblies while in MODE 1, 2, 3, or 4, the fuel movement is independent of reactor operation. Therefore, inability to suspend movement of fuel assemblies is not sufficient reason to require a reactor shutdown.

SURVEILLANCE SR 3.7.17.1 REQUIREMENTS This SR verifies that the concentration of boron in the fuel storage pool is within the required limit. As long as this SR is met, the analyzed accidents are fully addressed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The gate between the Unit 1 and Unit 2 fuel storage pool is normally open. When the gate is open the pools are considered to be connected for the purpose of conducting the surveillance.

REFERENCES 1. USNRC Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants, LWR Edition.

NUREG-0800, June 1987.

2. USNRC Spent Fuel Storage Facility Design Bases (for Comment) Proposed Revision 2, 1981. Regulatory Guide 1.13.

3. ANS, "Design Requirements for Light Water Reactor Spent Fuel Storage Facilities at Nuclear Power Stations," ANSI/ANS-57.2-1983.

Fuel Storage Pool Boron Concentration B 3.7.17 Vogtle Units 1 and 2 B 3.7.17-6 Rev. 3-9/05 BASES REFERENCES 4. WCAP-14416 NP-A, Rev. 1, "Westinghouse Spent Fuel Rack (continued) Criticality Analysis Methodology," November 1996.

5. Vogtle FSAR, Section 4.3.2.

6. Nuclear Regulatory Commission, Letter to All Power Reactor Licensees from B. K. Grimes, "OT Position for Review and Acceptance of Spent Fuel Storage and Handling Applications,"

April 14, 1978.

Fuel Assembly Storage in the Fuel Storage Pool B 3.7.18 Vogtle Units 1 and 2 B 3.7.18-1 Rev. 3-9/05 B 3.7 PLANT SYSTEMS

B 3.7.18 Fuel Assembly Storage in the Fuel Storage Pool

BASES BACKGROUND The Unit 1 spent fuel storage racks contain storage locations for 1476 fuel assemblies, and the Unit 2 spent fuel storage racks contain storage locations for 2098 fuel assemblies.

Westinghouse 17X17 fuel assemblies with an enrichment of up to and including 5.0 weight percent U-235 can be stored in the acceptable storage configurations that are specified in Figures 3.7.18-1 (Unit 1), 3.7.18-2 (Unit 2), and 4.3.1-1 through 4.3.1-10. The acceptable fuel assembly storage configurations are based on NRC-approved acceptance criteria for crediting soluble boron as described in the NRC's safety evaluation report in WCAP-14416-P-A (Reference 1). Additional background discussion can be found in B 3.7.17.

Westinghouse 17x17 fuel assemblies with nominal enrichments no greater than 3.556 w/o 235U may be stored in all storage cell locations of the Unit 1 pool. Fuel assemblies with initial nominal enrichment greater than 3.556 w/o 235U must satisfy a minimum burnup requirement as shown in Figure 3.7.18-1 or a minimum Integral Fuel Burnable Absorber (IFBA) requirement as shown in Figure 4.3.1-7.

Westinghouse 17x17 fuel assemblies with nominal enrichments no greater than 5.0 w/o 235U may be stored in a 3-out-of-4 checkerboard arrangement with empty cells in the Unit 1 pool.

There are no minimum burnup requirements for this configuration.

Westinghouse 17x17 fuel assemblies with nominal enrichments no greater than 1.73 w/o 235U may be stored in all storage cell locations of the Unit 2 pool. Fuel assemblies with initial nominal enrichment greater than 1.73 w/o 235U must satisfy a minimum burnup requirement as shown in Figure 3.7.18-2.

Westinghouse 17x17 fuel assemblies with nominal enrichments no greater than 2.40 w/o 235U may be stored in a 3-out-of-4 checkerboard arrangement with empty cells in the Unit 2 pool.

Fuel assemblies with initial nominal enrichment greater than 2.40 w/o 235U must satisfy a minimum burnup requirement as shown in Figure 4.3.1-8.

(continued)

Fuel Assembly Storage in the Fuel Storage Pool B 3.7.18 Vogtle Units 1 and 2 B 3.7.18-2 Rev. 3-9/05 BASES BACKGROUND Westinghouse 17x17 fuel assemblies with nominal enrichments no (continued) greater that 5.0 w/o 235U may be stored in a 2-out-of-4 checkerboard arrangement with empty cells in the Unit 2 pool. There are no minimum burnup requirements for this configuration.

Westinghouse 17x17 fuel assemblies may be stored in the Unit 2 pool in a 3x3 array. The center assembly must have an initial enrichment no greater than 3.20 w/o 235U or satisfy a minimum IFBA requirement for higher initial enrichments as shown in Figure 4.3.1-9. The surrounding fuel assemblies must have an initial nominal enrichment no greater than 1.39 w/o 235U or satisfy a minimum burnup and decay time requirement for higher initial enrichments as shown in Figure 4.3.1-10.

APPLICABLE Most fuel st orage pool accident conditions will not result SAFETY ANALYSIS in an increase in K eff. However, accidents can be postulated for each storage configuration which could increase reactivity beyond the analyzed condition. A discussion of these accidents is contained in B 3.7.17.

The configuration of fuel assemblies in the fuel storage pool satisfies Criterion 2 of 10 CFR 50.36 (c)(2)(ii).

LCO The restrictions on the placement of fuel assemblies within the fuel storage pool ensure the K eff of the fuel storage pool will always remain < 0.95, assuming the pool to be flooded with borated water.

The combination of initial enrichment and burnup are specified in Figures 3.7.18-1 and 3.7.18-2 for all cell storage in the Unit 1 and Unit 2 pools, respectively. Other acceptable enrichment-burnup, enrichment-IFBA, and checkerboard combinations are described in Figures 4.3.1-1 through 4.3.1-10.

APPLICABILITY This LCO applies whenever any fuel assembly is stored in the fuel storage pool.

(continued)

Fuel Assembly Storage in the Fuel Storage Pool B 3.7.18 Vogtle Units 1 and 2 B 3.7.18-3 Rev. 4-9/05 BASES (continued)

ACTIONS A.1 Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply.

When the configuration of fuel assemblies stored in the fuel storage pool is not in accordance with the acceptable combination of initial enrichment, burnup, and storage configurations, the immediate action is to initiate action to make the necessary fuel assembly movement(s) to bring the configuration into compliance with Figures 3.7.18-1 (Unit 1),

3.7.18-2 (Unit 2), or Specification 4.3.1.1 (Unit 1) or 4.3.1.2 (Unit 2).

If unable to move irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not be applicable. If unable to move irradiated fuel assemblies while in MODE 1, 2, 3, or 4, the action

is independent of reactor operation. Therefore inability to move fuel assemblies is not sufficient reason to require a reactor shutdown.

SURVEILLANCE SR 3.7.18.1 REQUIREMENTS This SR verifies by administrative means that the initial enrichment and burnup of the fuel assembly is within the acceptable burnup domain of Figures 3.7.18-1 (Unit 1) or 3.7.18-2 (Unit 2). For fuel assemblies in the unacceptable range of Figures 3.7.18-1 and 3.7.18-2, performance of this SR will also ensure compliance with Specification 4.3.1.1 (Unit 1) or 4.3.1.2 (Unit 2).

Fuel assembly movement will be in accordance with preapproved plans that are consistent with the specified fuel enrichment, burnup, and storage configurations. These plans are administratively verified prior to fuel movement. Each assembly is verified by visual inspection to be in accordance with the preapproved plan prior to storage in the fuel storage pool.

Storage commences following unlatching of the fuel assembly in the fuel storage pool.

REFERENCES 1. WCAP-14416-NP-A, Revision 1, "Westinghouse Spent Fuel Rack Criticality Analysis Methodology," November 1996.

AC Sources - Operating B 3.8.1 (continued)

Vogtle Units 1 and 2 B 3.8.1-5 Rev. 2 - 6/05 BASES LCO train. For the DGs, separation and independence are complete. (continued)

For the offsite AC sources, separation and independence are to the extent practical. A circuit may be connected to more than one ESF bus while the bus is being transferred to the other circuit.

APPLICABILITY The AC sources and sequencers are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and

b. Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

The AC power requirements for MODES 5 and 6 are covered in LCO 3.8.2, "AC Sources - Shutdown."

ACTIONS A Note prohibits the application of LCO 3.0.4b to an inoperable DG. There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable DG, and the provisions of LCO 3.0.4b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

A.1 To ensure a highly reliable power source remains with one offsite circuit inoperable, it is necessary to verify the OPERABILITY of the remaining required offsite circuit on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met. However, if a second required circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition D, for two offsite circuits inoperable, is entered.

AC Sources - Operating B 3.8.1 (continued)

Vogtle Units 1 and 2 B 3.8.1-6 Rev. 2 - 6/05 BASES ACTIONS A.2 (continued) Required Action A.2, which only applies if the train cannot be powered from an offsite source, is intended to provide assurance that an event coincident with a single failure of the associated DG will not result in a complete loss of safety function of critical redundant required features.

These features are powered from the redundant AC electrical power train. This includes motor driven auxiliary feedwater pumps. Single train systems, such as turbine driven auxiliary feedwater pumps, may not be included.

The Completion Time for Required Action A.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. The train has no offsite power supplying its loads; and

b. A required feature on the other train is inoperable.

If at any time during the existence of Condition A (one offsite circuit inoperable) a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked.

Discovering no offsite power to one train of the onsite Class 1E Electrical Power Distribution System coincident with one or more inoperable required support or supported features, or both, that are associated with the other train that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

The remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to Train A and Train B of the onsite Class 1E Distribution System. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

AC Sources - Operating B 3.8.1 (continued)

Vogtle Units 1 and 2 B 3.8.1-7 REVISION 24 BASES ACTIONS A.3 (continued)

According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition A for a period that should not exceed 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. With one required offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the unit safety systems. In this Condition, however, the remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class 1E Distribution System.

The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

AC Sources - Operating B 3.8.1 (continued)

Vogtle Units 1 and 2 B 3.8.1-8 REVISION 24 BASES ACTIONS (continued) B.1 To ensure a highly reliable power source remains with an inoperable DG, it is necessary to verify the availability of the offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and Required Actions must then be entered.

B.2 The 13.8/4.16 kV Standby Auxiliary Transformer (SAT) is a qualified offsite circuit that may be connected to the onsite Class 1E distribution system independently of the RATs and may be utilized to meet the LCO 3.8.1 requirements for an offsite circuit. Its availability permits an extension of the allowable out-of-service time for a DG to 14 days from the discovery of failure to meet LCO 3.8.1. The SAT is available when it is:

• Operable in accordance with plant procedures;

• Not already being applied to any of the four 4.16 kV ESF buses for Units 1 and 2 in accordance with Specification 3.8.1 as either an offsite source or to meet the requirements of an LCO 3.8.1 Condition; and,

• Not providing power to the other unit when that unit is in MODE 5 or 6 or defueled.

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 (continued)

Vogtle Units 1 and 2 B 3.8.3-1 Revision No. 0 B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air

BASES BACKGROUND The diesel generators (DG) are provided with storage tanks having a total combined fuel oil capacity sufficient to operate a diesel for a period 7 days while the DG is supplying maximum post loss of coolant accident load demand discussed in the FSAR, Paragraph 9.5.4.2 (Ref. 1). The maximum load demand is calculated

using the assumption that a minimum of any two DGs is available.

This onsite fuel oil capacity is sufficient to operate the DGs for longer

than the time to replenish the onsite supply from outside sources.

Fuel oil is transferred from storage tank to day tank by either of two transfer pumps associated with each storage tank. Redundancy of

pumps and piping precludes the failure of one pump, or the rupture of

any pipe, valve or tank to result in the loss of more than one DG. All

outside tanks, pumps, and piping are located underground.

For proper operation of the standby DGs, it is necessary to ensure the proper quality of the fuel oil. Regulatory Guide 1.137 (Ref. 2)

addresses the recommended fuel oil practices as supplemented by

ANSI N195 (Ref. 3). The fuel oil properties governed by these SRs

are the water and sediment content, the kinematic viscosity, specific

gravity (or API gravity), and impurity level.

The DG lubrication system is designed to provide sufficient lubrication to permit proper operation of its associated DG under all loading

conditions. The system is required to circulate the lube oil to the

diesel engine working surfaces and to remove excess heat generated

by friction during operation. The onsite storage in addition to the

engine oil sump is sufficient to ensure 7 days of continuous operation.

This supply is sufficient to allow the operator to replenish lube oil from

outside sources.

Each DG has two redundant 100% capacity air start systems with adequate capacity for five successive start attempts each on the DG

without recharging the air start receiver(s).

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 (continued)

Vogtle Units 1 and 2 B 3.8.3-2 REVISION 29 BASES BACKGROUND Each DG building contains two ventilation supply fans and associated (continued) dampers. The ventilation supply fans are required to limit the DG building air temperature to 120° F to support the operation of the associated DG. The fans in each DG building and associated

dampers start and actuate on different signals. Fans

1/2-1566-B7-001 (train A) and 1/2-1566-B7-002 (train B) start

automatically and the necessary intake and discharge dampers

actuate to the correct position on a train associated DG running signal

and fans 1/2-1566-B7-003 and 1/2-1566-B7-004 start automatically

and the necessary intake and discharge dampers actuate to the

correct position on high DG building temperature signal coincident

with a DG running signal.

APPLICABLE The initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in the FSAR, Chapter 6 (Ref. 4), and in the FSAR, Chapter 15 (Ref. 5), assume Engineered Safety Feature (ESF)

systems are OPERABLE. The DGs are designed to provide sufficient

capacity, capability, redundancy, and reliability to ensure the

availability of necessary power to ESF systems so that fuel, Reactor

Coolant System and containment design limits are not exceeded.

These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

Since diesel fuel oil, lube oil, air start, and ventilation subsystems support the operation of the standby AC power sources, they satisfy

Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO Combined stored diesel fuel oil per unit is required to have sufficient supply for 7 days of full load operation of at least one diesel generator. In MODES 1, 2, 3, and 4, a capacity equivalent to 86,932 gallons (Ref. 8) is required to provide for 7 days of operation supplying the maximum post loss of coolant accident load demand.

However, in MODES 5 and 6, the highest DG loading identified for

either train is significantly less than the maximum post loss of coolant

accident loading for MODES 1 through 4, and the capacity of one storage tank is sufficient to provide for 7 days of DG operation. It is also required to meet specific standards for quality. Additionally, sufficient lubricating

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 (continued)

Vogtle Units 1 and 2 B 3.8.3-3 Rev. 1-9/97 BASES LCO oil supply must be available to ensure the capability to operate at full (continued) load for 7 days. This requirement, in conjunction with an ability to obtain replacement supplies within 7 days, supports the availability of

DGs required to shut down the reactor and to maintain it in a safe

condition for an anticipated operational occurrence (AOO) or a

postulated DBA with loss of offsite power. DG day tank fuel

requirements, as well as

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 (continued)

Vogtle Units 1 and 2 B 3.8.3-4 REVISION 8 BASES LCO transfer capability from the storage tank to the day tank, are addressed (continued) in LCO 3.8.1, "AC Sources - Operating," and LCO 3.8.2, "AC Sources

- Shutdown."

The starting air system is required to have a minimum capacity for five successive DG start cycles without recharging the air start receivers.

Two DG ventilation supply fans are required OPERABLE for each DG to limit the DG building air temperature to 120° F.

APPLICABILITY The AC sources (LCO 3.8.1 and LCO 3.8.2) are required to ensure the availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an AOO or a postulated

DBA. Since stored diesel fuel oil, lube oil, and starting air and

ventilation subsystems support LCO 3.8.1 and LCO 3.8.2, stored

diesel fuel oil, lube oil, and starting air are required to be within limits

and ventilation supply fans OPERABLE when the associated DG is

required to be OPERABLE.

ACTIONS The Actions Table is modified by a Note indicating that separate Condition entry is allowed for each DG. This is acceptable since the

Required Actions for each Condition provide appropriate compensatory

actions for each inoperable DG subsystem. Complying with the

Required Actions for one inoperable DG subsystem may allow for continued operation, and subsequent inoperable DG subsystem(s) are governed by separate Condition entry and

application of associated Required Actions.

A.1 In this Condition, the 5.2 day fuel oil supply in a single storage tank for a DG is not available. However, the Condition is restricted to fuel oil

level reductions that maintain at least a 3.9 day supply in that tank.

The 3.9 day supply still allows ample time to transfer fuel from the other storage tank. These values are based on Reference 8.

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 (continued)

Vogtle Units 1 and 2 B 3.8.3-5 REVISION 8 BASES ACTIONS A.1 (continued)

These circumstances may be caused by events, such as full load operation required after an inadvertent start while at minimum

required level, or feed and bleed operations, which may be

necessitated by increasing particulate levels or any number of other

oil quality degradations. This restriction allows sufficient time for

obtaining the requisite replacement volume and performing the

analyses required prior to addition of fuel oil to the tank. A period of

48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is considered sufficient to complete restoration of the

required level prior to declaring the DG inoperable. This period is

acceptable based on the remaining capacity (> 3.9 days), the fact that procedures will be initiated to obtain replenishment, and the low

probability of an event during this brief period.

Note that the above discussion is applicable to MODES 1, 2, 3, and 4.

In MODES 5 and 6, the highest load demand identified for the DGs is sufficiently small that a single storage tank will provide for 7 days of DG operation (Ref. 8). However, if the stored fuel oil in the required storage tank is found to be < 68,000 gallons and > 52,000 gallons during MODES 5 and 6, Condition A and Required Action A.1

continue to apply.

B.1 With lube oil inventory < 336 gal, sufficient lubricating oil to support 7 days of continuous DG operation at full load conditions may not be

available. However, the Condition is restricted to lube oil volume

reductions that maintain at least a 6 day supply. These values are

based on Reference 9. This restriction allows sufficient time to obtain the requisite replacement volume. A period of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is considered

sufficient to complete restoration of the required volume prior to

declaring the DG inoperable. This period is acceptable based on the

remaining capacity (> 6 days), the low rate of usage, the fact that

procedures will be initiated to obtain replenishment, and the low

probability of an event during this brief period.

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 (continued)

Vogtle Units 1 and 2 B 3.8.3-6 Rev. 1-9/97 BASES ACTIONS C.1 (continued)

This Condition is entered as a result of a failure to meet the acceptance criterion of the particulate component for stored fuel oil of

SR 3.8.3.3. Normally, trending of particulate levels allows sufficient

time to correct high particulate levels prior to reaching the limit of

acceptability. Poor sample technique (e.g., bottom sampling),

contaminated sampling equipment, and errors in laboratory analysis

can produce failures that do not follow

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 (continued)

Vogtle Units 1 and 2 B 3.8.3-7 REVISION 8 BASES ACTIONS C.1 (continued)

a trend. Since the presence of particulates does not mean failure of the fuel oil to burn properly in the diesel engine, and particulate

concentration is unlikely to change significantly between Surveillance

Frequency intervals, and proper engine performance has been recently

demonstrated (within 31 days), it is prudent to allow a brief period prior

to declaring the associated DG inoperable. The 7 day Completion

Time allows for further evaluation, resampling and re-analysis of the

DG fuel oil.

D.1 With the new fuel oil properties defined in the Bases for SR 3.8.3.3 not within the required limits, a period of 30 days is allowed for restoring the stored fuel oil properties. This period provides sufficient

time to test the stored fuel oil to determine that the new fuel oil, when

mixed with previously stored fuel oil, remains acceptable, or to restore

the stored fuel oil properties. This restoration may involve feed and

bleed procedures, filtering, or combinations of these procedures. Even if a DG start and load was required during this time interval and the fuel oil properties were outside limits, there is a high likelihood that

the DG would still be capable of performing its intended function.

E.1 With both starting air receiver pressures < 210 psig, sufficient capacity for five successive DG start cycles does not exist. However, as long

as one receiver pressure is > 175 psig, there is adequate capacity for

at least one start attempt, and the DG can be considered OPERABLE

while one air receiver pressure is restored to the required limit. These

values are based on Reference 10. A period of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is considered sufficient to complete restoration to the required pressure

prior to declaring the DG inoperable. This period is acceptable based

on the remaining air start capacity, the fact that most DG starts are

accomplished on the first attempt, and the low probability of an event

during this brief period.

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 (continued)

Vogtle Units 1 and 2 B 3.8.3-8 Rev. 1-10/01 BASES ACTIONS F.1 (continued)

With one DG ventilation supply fan inoperable, the capability to maintain the DG building air temperature below the required limit is

degraded. In most cases, except for extreme ambient temperatures, one DG ventilation supply fan is sufficient to maintain the DG building

temperature below the limit. However, the remaining system capacity

is degraded and action must be taken to restore the inoperable fan to

operable status within 14 days. The Completion Time allowed is

reasonable considering the redundant DG, the remaining fan capacity

available for the affected DG, and the fact that an event requiring the

DG to operate would have to occur combined with ambient temperatures in excess of 93

°F that would require both fans to operate in the affected DG building. Furthermore, DG operation with a single ventilation supply fan combined with ambient temperatures in excess of 93

°F would result in temperatures in excess of the limit by a few degrees only (commensurate with the extent to which the ambient

temperature exceeds 93

°F). G.1 With a Required Action and associated Completion Time not met, or one or more DG's fuel oil, lube oil, or starting air subsystem not within

limits for reasons other than addressed by Conditions A through E, or

one or more DGs with both required ventilation fans inoperable, the

associated DG may be incapable of performing its intended function

and must be immediately declared inoperable.

SURVEILLANCE SR 3.8.3.1 REQUIREMENTS This SR provides verification that there is an adequate inventory of fuel oil in the storage tanks to support one DG's operation for at least 7 days at full load. The 7 day period is sufficient time to place the unit

in a safe shutdown condition and to bring in replenishment fuel from an

offsite location.

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 (continued)

Vogtle Units 1 and 2 B 3.8.3-9 REVISION 8 BASES SURVEILLANCE SR 3.8.3.1 (continued)

REQUIREMENTS Note that in MODES 1, 2, 3, and 4, a capacity equivalent to 86,932 gallons (Ref. 8) is required to provide for 7 days operation at full load. In MODES 5 and 6 only one storage tank is required to provide for 7 days DG operation.

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 (continued)

Vogtle Units 1 and 2 B 3.8.3-10 REVISION 14 BASES SURVEILLANCE SR 3.8.3.1 (continued)

REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.3.2

This Surveillance ensures that sufficient lube oil inventory is available on the plant site to support at least 7 days of full load operation for each

DG. The 336 gal requirement is based on the worst case DG

consumption rate for full load operation (Reference 9). The 336 gallons

is the volume required in excess of the recommended minimum volume

required by the manufacturer. The 336 gallons may be contained in the

lube oil sump tanks and the engine sump, in onsite storage, or a

combination of the two. Implicit in this SR is the requirement to have the

ability to transfer the lube oil from its storage location to the DG, when

the DG lube oil sump does not hold adequate inventory for 7 days of full

load operation without the level reaching the manufacturer

recommended minimum level.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.3.3

The tests listed below are a means of determining whether new fuel oil is of the appropriate grade and has not been contaminated with

substances that would have an immediate, detrimental impact on diesel

engine combustion. If results from these tests are within acceptable

limits, the fuel oil may be added to the storage tanks without concern for

contaminating the entire volume of fuel oil in the storage tanks. The

following tests are to be performed prior to adding new fuel oil to storage

tanks:

a. Sample the new fuel oil in accordance with ASTM D4057 (Ref. 6);

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 (continued)

Vogtle Units 1 and 2 B 3.8.3-11 REVISION 32 BASES SURVEILLANCE SR 3.8.3.3 (continued)

REQUIREMENTS b. Verify in accordance with the tests specified in ASTM D975 (Ref. 7) that the sample has an API Gravity of within 0.3 degrees at 60

°F, or a specific gravity of within 0.0016 at 60/60

°F, when compared to the supplier's certificate or an absolute specific gravity at 60/60

°F of 0.82 and 0.89 or an API gravity at 60

°F of 27 degrees and 42 degrees when tested in accordance with ASTM D1298 (Ref. 6), a kinematic viscosity at 40

°C of 1.9 centistokes and 4.1 centistokes, if gravity was not determined by comparison with supplier's certification, and a

flash point of 125°F; and c. Verify that the new fuel oil has a clear and bright appearance with proper color when tested in accordance with ASTM D4176.

Failure to meet any of the above limits is cause for rejecting the new fuel oil, but does not represent a failure to meet the LCO concern since the fuel

oil is not added to the storage tanks.

Within 31 days following the initial new fuel oil sample, the fuel oil is analyzed to establish that the other properties specified in Table 1 of

ASTM D975 (Ref. 7) are met for new fuel oil when tested in accordance

with ASTM D975, except that the analysis for sulfur may be performed in

accordance with ASTM D1552, ASTM D2622, or ASTM D4294 (Ref. 6).

The 31 day period is acceptable because the fuel oil properties of interest, even if they were not within stated limits, would not have an immediate

effect on DG operation. This Surveillance ensures the availability of high

quality fuel oil for the DGs.

Fuel oil degradation during long term storage shows up as an increase in particulates, due mostly to oxidation. The presence of particulates does

not mean the fuel oil will not burn properly in a diesel engine. The

particulates can cause fouling of filters and fuel oil injection equipment, however, which can cause engine failure.

Particulate concentrations should be determined in accordance with ASTM D5452 (Ref. 6) which provides for obtaining a field sample and

subsequent laboratory testing.

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 (continued)

Vogtle Units 1 and 2 B 3.8.3-12 REVISION 14 BASES SURVEILLANCE SR 3.8.3.3 (continued)

REQUIREMENTS The particulate concentration limit is 10 mg/l. Each tank must be considered and tested separately.

The Frequency of this test takes into consideration fuel oil degradation trends that indicate that particulate concentration is unlikely to change

significantly between Frequency intervals.

SR 3.8.3.4

This Surveillance ensures that, without the aid of the refill compressor, sufficient air start capacity for each DG is available. The system design

requirements provide for a minimum of five engine start cycles without

recharging. The duration of each start cycle is about 3 seconds or two

to three engine revolutions. The pressure specified in this SR is

intended to reflect the lowest value at which the five starts can be

accomplished. (PI-9060, PI-9061, PI-9064, PI-9065)

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.3.5

Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive.

Removal of water from the fuel storage tanks eliminates the necessary environment for bacterial survival. Thi s is the most effective means of controlling microbiological fouling. In addition, it eliminates the

potential for water entrainment in the fuel oil during DG operation.

Water may come from any of several sources, including condensation, ground water, rain water, and contaminated fuel oil, and from

breakdown of the fuel oil by bacteria. Frequent checking for and

removal of accumulated water minimizes fouling and provides data

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 (continued)

Vogtle Units 1 and 2 B 3.8.3-13 REVISION 14 BASES SURVEILLANCE SR 3.8.3.5 (continued)

REQUIREMENTS regarding the watertight integrity of the fuel oil system. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.3.6

This surveillance demonstrates that each DG ventilation supply fan starts automatically and the necessary dampers actuate to the correct

position on a simulated or actual actuation signal. The two fans in

each DG building and associated dampers start and actuate on

different signals. Fans 1/2-1566-B7-001 (train A) and 1/2-1566-B7-002 (train B) start automatically and the necessary intake and discharge

dampers actuate to the correct position on a train associated DG

running signal and fans 1/2-1566-B7-003 and 1/2-1566-B7-004 start

automatically and the necessary intake and discharge dampers

actuate to the correct position on high DG building temperature signal

coincident with a DG running signal.

SR 3.8.3.7

Draining of the fuel oil stored in the supply tanks, removal of accumulated sediment, and tank cleaning are required by Regulatory Guide 1.137 (Ref. 2), paragraph 2.f. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. To preclude the introduction of surfactants in the fuel oil system, the

cleaning should be accomplished using sodium hypochlorite solutions, or their equivalent, rather than soap or detergents. This SR is for

preventive maintenance. The presence of sediment does not

necessarily represent a failure of this SR, provided that accumulated

sediment is removed during performance of the Surveillance.

While this SR is being performed, the requirement for sufficient fuel oil to support 7 days of operation may be met by alternate means as discussed in FSAR section 9.5.4.2.2.

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 Vogtle Units 1 and 2 B 3.8.3-14 REVISION 32 BASES SURVEILLANCE SR 3.8.3.7 (continued)

REQUIREMENTS The SR is modified by a Note that excepts the performance of this SR when the associated DG is required OPERABLE by LCO 3.8.2. This

exception is consistent with the SR performance exceptions in

LCO 3.8.2 for SRs that might impact the OPERABILITY of the DGs.

REFERENCES 1. FSAR, Paragraph 9.5.4.2.

2. Regulatory Guide 1.137.

3. ANSI N195-1976, Appendix B.

4. FSAR, Chapter 6.

5. FSAR, Chapter 15.

6. ASTM Standards: D4057-06; D1298-06; D4176-04; D1552-07; D2622-07; D4294-08a; D5452-08.

7. ASTM Standards, D975-07.

8. Southern Company Services Calculation number X4C2403V08, Standby Diesel Generator Fuel Oil Consumption and Storage

Tank Capacity.

9. Southern Company Services Calculation numbers X4C2403V11 and X4C2403V12, Emergency Diesel Generator Lube Oil

Inventory Technical Specification Values.

10. Southern Company Services Calculation number X4C2403V09, Emergency Diesel Generator Starting Air Pressure Technical

Specification Value.

°

DC Sources-Operating B 3.8.4 (continued)

Vogtle Units 1 and 2 B 3.8.4-4 Rev. 2-5/05 BASES (continued)

LCO The DC electrical power sources, each source consisting of one battery, battery charger, and the corresponding control equipment and interconnecting cabling supplying power to the associated bus within the train are required to be OPERABLE to ensure the availability of the required power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA. Loss of any train DC electrical power source does not prevent the minimum safety function from being performed (Ref. 4).

An OPERABLE DC electrical power source requires the battery and one charger per battery to be operating and connected to the associated DC bus.

APPLICABILITY The DC electrical power sources are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure safe unit operation and to ensure that: a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and

b. Adequate core cooling is provided, and containment integrity and other vital functions are maintained in the event of a postulated DBA.

The DC electrical power requirements for MODES 5 and 6 are addressed in the Bases for LCO 3.8.5, "DC Sources-Shutdown."

ACTIONS A.1 Condition A represents one DC electrical source inoperable due to an inoperable battery A or B. This Condition contains a Completion Time that is risk-informed. The Configuration Risk Management Program (CRMP) is used to assess changes in core damage frequency resulting from applicable plant configurations. The CRMP uses the equipment out of service risk monitor, a computer-based tool that may be used to aid in the risk assessment of online maintenance and to evaluate the change in risk from a component failure. The equipment out of service risk monitor uses the plant probabilistic risk assessment model to evaluate the risk of removing equipment from service based DC Sources-Operating B 3.8.4 (continued)

Vogtle Units 1 and 2 B 3.8.4-5 Rev. 2-5/05 BASES ACTIONS A.1 (continued) on current plant configuration and equipment condition. Because battery A is necessary for emergency diesel generator (EDG) A to start and for generator field flashing, and similarly battery B for EDG B, Required Action A.1 is modified by a Note directing that the applicable Conditions and Required Actions of LCO 3.8.1 be entered for the EDG made inoperable by the inoperable battery. In addition, with either battery A or B inoperable, the associated DC bus is being supplied by the OPERABLE battery charger. Any event that results in a loss of the AC bus supporting the battery charger will also result in loss of DC to the associated 120 V vital AC bus. Recovery of the AC bus supporting the charger, especially if it is due to a loss of offsite power, will be hampered by the fact that many of the components necessary for the recovery (e.g., diesel generator control and field flash, AC load shed and diesel generator output circuit breakers, etc.) likely rely upon the battery. In addition, the energization transients of any DC loads that are beyond the capability of the battery charger and normally require the assistance of the battery will not be able to be brought online. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> limit allows sufficient time to effect restoration of an inoperable battery given that the majority of the conditions that lead to battery inoperability (e.g., loss of battery charger, battery cell voltage less than 2.07 V, etc.) are identified in Specifications 3.8.4, 3.8.5, and 3.8.6 together with additional specific completion times.

Compensatory measures are implemented to minimize the impact of the completion time for an inoperable battery. There should be no scheduled work or surveillance testing that could result in a reactor or turbine-generator trip hazard, cause a plant transient, or impact safety-related systems during the completion time for the LCO. This includes testing the solid-state protection system (SSPS) and the sequencer. Also, if the inoperable battery affects one of the Emergency Diesel Generators (EDG), the EDG would be declared inoperable, but would be available in the slow start mode. Finally, the completion time is not intended to provide for online preventive maintenance, but it is only to provide for more orderly corrective maintenance for a battery.

B.1 and B.2 Condition B represents one DC electrical source inoperable due to an inoperable battery C or D. This Condition contains a Completion Time that is risk-informed. The Configuration Risk Management Program DC Sources-Operating B 3.8.4 (continued)

Vogtle Units 1 and 2 B 3.8.4-6 Rev. 2-5/05 BASES ACTIONS B.1 and B.2 (continued)

(CRMP) is used to assess changes in core damage frequency resulting from applicable plant configurations. The CRMP uses the equipment out of service risk monitor, a computer-based tool that may be used to aid in the risk assessment of online maintenance and to evaluate the change in risk from a component failure. The equipment out of service risk monitor uses the plant probabilistic risk assessment model to evaluate the risk of removing equipment from service based on current plant configuration and equipment condition. Neither batteries C nor D are necessary for the EDGs to start and for generator field flashing. However, they are required for breaker control power, instrumentation, RHR suction isolation valve inverters, etc. Therefore, it is prudent to verify the availability of the standby auxiliary transformer (SAT), and Required Action B.1 does that within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> thereafter. With either battery C or D inoperable, the associated DC bus is being supplied by the OPERABLE battery charger. Any event that results in a loss of the AC bus supporting the battery charger will also result in loss of DC to the associated 120 V vital AC bus. Recovery of the AC bus supporting the charger, especially if it is due to a loss of offsite power, may be hampered by the fact that components necessary for the recovery likely rely upon the battery. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> limit allows sufficient time to effect restoration of an inoperable battery given that the majority of the conditions that lead to battery inoperability (e.g., loss of battery charger, battery cell voltage less than 2.07 V, etc.) are identified in Specifications 3.8.4, 3.8.5, and 3.8.6 together with additional specific completion times.

Compensatory measures are implemented to minimize the impact of the completion time for an inoperable battery. There should be no scheduled work or surveillance testing that could result in a reactor or turbine-generator trip hazard, cause a plant transient, or impact safety-related systems during the completion time for the LCO. This includes testing the solid-state protection system (SSPS) and the sequencer. Also, if the inoperable battery affects one of the Emergency Diesel Generators (EDG), the EDG would be declared inoperable, but would be available in the slow start mode. Finally, the completion time is not intended to provide for online preventive maintenance, but it is only to provide for more orderly corrective maintenance for a battery.

DC Sources-Operating B 3.8.4 Vogtle Units 1 and 2 B 3.8.4-11 Rev. 0-5/05 Table B 3.8.4-1 DC Sources TYPE VOLTAGE TRAIN A TRAIN B DC sources 125 V

125 V System A Battery 1/2AD1B One charger 1/2AD1CA or 1/2AD1CB

• Bus powered by system A 1/2AD1 System C Battery 1/2CD1B One charger 1/2CD1CA or 1/2CD1CB

• Bus powered by system C 1/2CD1 System B Battery 1/2BD1B One charger 1/2BD1CA or 1/2BD1CB

• Bus powered by system B 1/2BD1 System D Battery 1/2DD1B One charger 1/2DD1CA or 1/2DD1CB

• Bus powered by system D 1/2DD1

• Operability requirements for the buses are addressed in Specifications 3.8.9, Distribution Systems-Operating, or 3.8.10, Distribution Systems-Shutdown.

DC Sources-Shutdown B 3.8.5 Vogtle Units 1 and 2 B 3.8.5-2 Rev. 2-4/09 BASES LCO power distribution subsystems required by LCO 3.8.10, (continued) "Distribution Systems-Shutdown," shall be OPERABLE. At a minimum, at least one train of DC electrical power sources with each DC source within the train (Systems A and C OR Systems B and D) consisting of one battery, and one required battery charger per battery, and the corresponding control equipment and interconnecting cabling within the train, are required to be OPERABLE. The equipment associated with each train of DC Sources is shown in

Table B 3.8.4-1.

In the case where the requirements of LCO 3.8.10 call for portions of a second train of the distribution subsystems to be OPERABLE (e.g.,

to support two trains of RHR, two trains of CREFS, or instrumentation such as High Flux at Shutdown Alarm (HFASA), containment ventilation isolation actuation, and/or CREFS actuation), the associated required DC bus(es) are OPERABLE if energized to the

proper voltage from either:

• an OPERABLE DC Source, in accordance with LCO 3.8.5, or

• the associated charger(s) using the corresponding control equipment and interconnecting cabling within the train, in accordance with LCO 3.8.10.

(continued)

Battery Parameters B 3.8.6 (continued)

Vogtle Units 1 and 2 B 3.8.6-1 Rev. 2-3/05 B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.6 Battery Parameters BASES BACKGROUND This LCO delineates the limits on battery float current as well as electrolyte temperature, level, and float voltage for the DC power source batteries. A discussion of these batteries and their OPERABILITY requirements is provided in the Bases for LCO 3.8.4, "DC Sources-Operating," and LCO 3.8.5, "DC Sources-Shutdown." In addition to the limitations of this Specification, the Battery Monitoring and Maintenance Program also implements a program specified in Specification 5.5.19 for monitoring various battery parameters that is based on the recommendations of IEEE Standard 450-1995, "IEEE Recommended Practice For Maintenance, Testing, And Replacement of Vented Lead-Acid Batteries For Stationary Applications" (Ref. 1).

The battery cells are of flooded lead acid construction with a nominal specific gravity of 1.215. This specific gravity corresponds to an open circuit battery voltage of approximately 121.8 V for a 59 cell battery (i.e., cell voltage of 2.065 volts per cell (Vpc)). The open circuit voltage is the voltage maintained when there is no charging or discharging. Once fully charged with its open circuit voltage 2.065 Vpc, the battery cell will maintain its capacity for 30 days without further charging per manufacturer's instructions. Optimal long term performance however, is obtained by maintaining a float voltage 2.20 to 2.25 Vpc. This provides adequate over-potential which limits the formation of lead sulfate and self discharge. The nominal float voltage of 2.23 Vpc corresponds to a total float voltage output of 131.6 V for a 59 cell battery as discussed in the FSAR, Chapter 8 (Ref. 2).

APPLICABLE The initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in the FSAR, Chapter 6 (Ref. 3) and Chapter 15 (Ref. 4), assume Engineered Safety Feature systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the diesel generators, emergency auxiliaries, and control and switching during all MODES of operation.

The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining at least one train of DC sources OPERABLE during accident conditions, in the event of:

Battery Parameters B 3.8.6 (continued)

Vogtle Units 1 and 2 B 3.8.6-2 Rev. 1-3/05 BASES APPLICABLE a. An assumed loss of all offsite AC power or all onsite AC power; SAFETY ANALYSES and (continued)

b. A worst case single failure.

Battery parameters satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO Battery parameters must remain within acceptable limits to ensure availability of the required DC power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence or a postulated DBA. Battery parameter limits are conservatively established, allowing continued DC electrical system function even with limits not met.

Additional preventative maintenance, testing, and monitoring performed in accordance with the Battery Monitoring and Maintenance Program are conducted as specified in Specification 5.5.19.

APPLICABILITY The battery parameters are required solely for the support of the associated DC electrical power sources. Therefore, battery parameter limits are only required when the DC power source is required to be OPERABLE. Refer to the Applicability discussion in Bases for LCO 3.8.4 and LCO 3.8.5.

ACTIONS A.1, A.2, and A.3

With one or more cells in one battery < 2.07 V, battery capacity may be reduced. Within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> verification of the required battery charger OPERABILITY is made by monitoring the battery terminal voltage (SR 3.8.4.1) and of the overall battery state of charge by monitoring the battery float charge current (SR 3.8.6.1). This assures that there is still sufficient battery capacity to perform the intended function.

Therefore, the affected battery is not required to be considered inoperable solely as a result of one or more cells < 2.07 V, and continued operation is permitted for a limited period up to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

Since the Required Actions only specify "perform," a failure of SR 3.8.4.1 or SR 3.8.6.1 acceptance criteria does not result in this Required Action not met. However, if one of the SRs is failed the appropriate Condition(s), depending on the cause of the failures, is entered.

Battery Parameters B 3.8.6 (continued)

Vogtle Units 1 and 2 B 3.8.6-3 Rev. 1-3/05 BASES ACTIONS B.1 and B.2 (continued)

Condition B addresses the case where battery A or B has float current

> 2 amps; or battery C or D has float current > 1 amp. This indicates that a partial discharge of the battery capacity has occurred. This may be due to a temporary loss of a battery charger or possibly due to one or more battery cells in a low voltage condition reflecting some loss of capacity. Within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> verification of the required battery charger OPERABILITY is made by monitoring the battery terminal voltage. If the terminal voltage is found to be less than the minimum established float voltage there are two possibilities, the battery charger is inoperable or is operating in the current limit mode.

Condition A addressed charger inoperability. If the charger is operating in the current limit mode after 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> that is an indication that the battery has been substantially discharged and likely cannot perform its required design functions. The time to return the battery to its fully charged condition in this case is a function of the battery charger capacity, the amount of loads on the associated DC system, the amount of the previous discharge, and the recharge characteristic of the battery. The charge time can be extensive, and there is not adequate assurance that it can be recharged within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> (Required Action B.2). The battery must therefore be declared inoperable.

If the float voltage is found to be satisfactory but there are one or more battery cells with float voltage less than 2.07 V, the associated "OR" statement in Condition F is applicable and the battery must be declared inoperable immediately. If float voltage is satisfactory and there are no cells less than 2.07 V there is good assurance that, within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, the battery will be restored to its fully charged condition (Required Action B.2) from any discharge that might have occurred due to a temporary loss of the battery charger. A discharged battery with float voltage (the charger setpoint) across its terminals indicates that the battery is on the exponential charging current portion (the second part) of its recharge cycle. The time to return a battery to its fully charged state under this condition is simply a function of the amount of the previous discharge and the recharge characteristic of the battery. Thus there is good assurance of fully recharging the battery within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, avoiding a premature shutdown with its own attendant risk.

If the condition is due to one or more cells in a low voltage condition but still greater than 2.07 V and float voltage is found to be satisfactory, this is not indication of a substantially discharged battery and 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is a reasonable time prior to declaring the battery inoperable.

Battery Parameters B 3.8.6 (continued)

Vogtle Units 1 and 2 B 3.8.6-4 Rev. 1-3/05 BASES ACTIONS B.1 and B.2 (continued)

Since Required Action B.1 only specifies "perform," a failure of SR 3.8.4.1 acceptance criteria does not result in the Required Action not met. However, if SR 3.8.4.1 is failed, the appropriate Condition(s), depending on the cause of the failure, is entered.

C.1, C.2, and C.3

With one battery with one or more cells electrolyte level above the top of the plates, but below the minimum established design limits, the battery still retains sufficient capacity to perform the intended function. Therefore, the affected battery is not required to be considered inoperable solely as a result of electrolyte level not met. Within 31 days the minimum established design limits for electrolyte level must be re-established.

With electrolyte level below the top of the plates there is a potential for dryout and plate degradation. Required Actions C.1 and C.2 address this potential (as well as provisions in Specification 5.5.19, Battery Monitoring and Maintenance Program). They are modified by a note that indicates they are only applicable if electrolyte level is below the top of the plates. Within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> level is required to be restored to above the top of the plates. The Required Action C.2 requirement to verify that there is no leakage by visual inspection and the Specification 5.5.19.b item to initiate action to equalize and test in accordance with manufacturer's recommendation are taken from Annex D of IEEE Standard 450-1995. They are performed following the restoration of the electrolyte level to above the top of the plates.

Based on the results of the manufacturer's recommended testing the battery may have to be declared inoperable and the affected cell(s) replaced.

D.1 With one battery with pilot cell temperature less than the minimum established design limits, 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is allowed to restore the temperature to within limits. A low electrolyte temperature limits the current and power available. Since the battery is sized with margin, while battery capacity is degraded, sufficient capacity exists to perform the intended function and the affected battery is not required to be considered inoperable solely as a result of the pilot cell temperature not met.

Battery Parameters B 3.8.6 (continued)

Vogtle Units 1 and 2 B 3.8.6-5 REVISION 14 BASES ACTIONS E.1 (continued)

With two or more batteries with battery parameters not within limits there is not sufficient assurance that battery capacity has not been affected to the degree that the batteries can still perform their required function, given that more than one battery is involved. With more than one battery involved, this potential could result in a total loss of function on multiple systems that rely upon the batteries. The longer completion times specified for battery parameters on a single battery not within limits are therefore not appropriate, and the parameters must be restored to within limits on at least three batteries within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.

F.1 With one or more batteries with any battery parameter outside the allowances of the Required Actions for Condition A, B, C, D, or E, sufficient capacity to supply the maximum expected load requirement is not assured and the corresponding DC battery must be declared inoperable. Additionally, discovering a battery with one or more battery cells float voltage less than 2.07 V and float current greater than 2 amps for batteries A and B, or 1 amp for batteries C and D indicates that the battery capacity may not be sufficient to perform the intended functions. The battery must therefore be declared inoperable immediately. This condition is intended to apply when the battery is in the float mode. For example, if an individual cell is discovered below the 2.07 V limit, a possible corrective action would be to place the battery in the equalize mode. In this condition, the charger amperage is elevated and a measurement of 'float' current may be above the stated limits with an individual cell below the 2.07 V criteria. This is an expected condition; therefore, in this case, it is not appropriate to enter Condition F.

SURVEILLANCE SR 3.8.6.1 REQUIREMENTS Verifying battery float current while on float charge is used to determine the state of charge of the battery. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery and maintain the battery in a charged state. The float current requirements are based on the float current indicative of a charged battery. Use of float current to determine the state of charge of the battery is consistent with IEEE-450 (Ref. 1). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Battery Parameters B 3.8.6 (continued)

Vogtle Units 1 and 2 B 3.8.6-6 REVISION 14 BASES SURVEILLANCE SR 3.8.6.1 (continued) REQUIREMENTS This SR is modified by a Note that states the float current requirement is not required to be met when battery terminal voltage is less than the minimum established float voltage of SR 3.8.4.1. When this float voltage is not maintained the Required Actions of LCO 3.8.4 ACTION A.1 are being taken, which provide the necessary and appropriate verifications of the battery condition. Furthermore, the float current limits of 2 amps for batteries A and B, and 1 amp for batteries C and D are established based on the nominal float voltage value and are not directly applicable when this voltage is not maintained.

SR 3.8.6.2 and SR 3.8.6.5 Optimal long term battery performance is obtained by maintaining a float voltage greater than or equal to the minimum established design limits provided by the battery manufacturer, which corresponds to 129.8 V at the battery terminals, or 2.20 Vpc. This provides adequate over-potential, which limits the formation of lead sulfate and self discharge, which could eventually render the battery inoperable. Float voltage in this range or less, but greater than 2.07 Vpc, is addressed in Specification 5.5.19. SRs 3.8.6.2 and 3.8.6.5 require verification that the cell float voltages are equal to or greater than the short term absolute minimum voltage of 2.07 V. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.6.3

The limit specified for electrolyte level ensures that the plates suffer no physical damage and maintains adequate electron transfer capability. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.6.4

This Surveillance verifies that the pilot cell temperature is greater than or equal to the minimum established design limit (i.e., 70 °F). Pilot Battery Parameters B 3.8.6 (continued)

Vogtle Units 1 and 2 B 3.8.6-7 REVISION 14 BASES SURVEILLANCE SR 3.8.6.4 (continued) REQUIREMENTS cell electrolyte temperature is maintained above this temperature to assure the battery can provide the required current and voltage to meet the design requirements. Temperatures lower than assumed in battery sizing calculations act to inhibit or reduce battery capacity. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.6.6

A battery performance discharge test is a test of constant current capacity of a battery, normally done in the as found condition, after having been in service, to detect any change in the capacity. The test is intended to determine overall battery degradation due to age and usage.

Either the battery performance discharge test or the modified performance discharge test is acceptable for satisfying SR 3.8.6.6; however, only the modified performance discharge test may be used to satisfy the battery service test requirements of SR 3.8.4.3.

A modified discharge test is a test of the battery capacity and its ability to provide a high rate, short, duration load (usually the highest rate of the duty cycle). This will often confirm the battery's ability to meet the critical period of the load duty cycle, in addition to determining its percentage of rated capacity. Initial conditions for the modified performance discharge test should be identical to those specified for a service test.

The modified discharge test may consist of just two rates; for instance, the one minute rate published for the battery or the largest current load of the duty cycle, followed by the test rate employed for the performance test, both of which envelop the duty cycle of the service test. Since the ampere-hours removed by a one minute discharge represents a very small portion of the battery capacity, the test rate can be changed to that for the performance test without compromising the results of the performance discharge test. The battery terminal voltage for the modified performance discharge test must remain above the minimum battery terminal voltage specified in the battery service test for the duration of time equal to that of the service test.

The acceptance criteria for this Surveillance are consistent with IEEE-450 (Ref. 1) and IEEE-485 (Ref. 5). These references Battery Parameters B 3.8.6 (continued)

Vogtle Units 1 and 2 B 3.8.6-8 REVISION 14 BASES SURVEILLANCE SR 3.8.6.6 (continued) REQUIREMENTS recommend that the battery be replaced if its capacity is below 80% of the manufacturer rating. A capacity of 80% shows that the battery rate of deterioration is increasing, even if there is ample capacity to meet the load requirements. Furthermore, the battery is sized to meet the assumed cycle loads when the battery design capacity reaches this 80% limit.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. If the battery shows degradation, or if the battery has reached 85% of its expected life and capacity is < 100% of the manufacturer's ratings, the Surveillance Frequency is reduced to 12 months. However, if the battery shows no degradation but has reached 85% of its expected life, the Surveillance Frequency is reduced to only 24 months for batteries that retain capacity 100% of the manufacturer's ratings.

Degradation is indicated, according to IEEE-450 (Ref. 1), when the battery capacity drops by more than 10% relative to its capacity on the previous performance test or when it is 10% below the manufacturer rating. These Frequencies are similar to those recommended by IEEE-450 (Ref. 1) and require that testing be performed in a

conservative manner relative to the battery life and degradation which in turn will ensure that battery capacity is adequately monitored and that the battery remains capable of performing its intended function.

This SR is modified by a Note. The reason for the Note is that performing the Surveillance would perturb the electrical distribution system and challenge safety systems.

Credit may be taken for unplanned events that satisfy this SR. Examples of unplanned events may include:

1. Unexpected operational events which cause the equipment to perform the function specified by this Surveillance, for which adequate documentation of the required performance is available; and

2. Post Corrective maintenance testing that requires performance of this Surveillance in order to restore the component to OPERABLE, provided the maintenance was required, or performed in conjunction with maintenance required to maintain OPERABILITY or reliability.

Battery Parameters B 3.8.6 Vogtle Units 1 and 2 B 3.8.6-9 REVISION 14 BASES (continued)

REFERENCES 1. IEEE-450-1995.

2. FSAR, Chapter 8.

3. FSAR, Chapter 6.

4. FSAR, Chapter 15.

5. IEEE-485-1983, June 1983.

Inverters-Operating B 3.8.7 (continued)

Vogtle Units 1 and 2 B 3.8.7-1 REVISION 29 B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.7 Inverters-Operating

BASES BACKGROUND There are six Class 1E inverters that supply the six vital AC distribution panels that are specified in Table B 3.8.9-1. Each inverter is connected independently to one distribution panel. Each inverter/distribution panel is associated with one of four instrumentation and control power supply channels. Channels I and II have two inverters/distribution panels each; channels III and IV have only one inverter/distribution panel each. Channels I and III are associated with train A and channels II and IV are associated with train B. The six Class 1E inverters provide the preferred source of 120 V, 60 Hz power for the reactor protection system (RPS), the engineered safety feature actuation system (ESFAS), the nuclear steam supply system control and in strumentation, the post accident monitoring system, and the safety related radiation monitoring system. The power for the channel I, II, III, and IV inverters is from the Class 1E 125 VDC Train A, B, C, and D station batteries, respectively, or their associated chargers when the batteries are on float. The station batteries ensure continued operation of instrumentation systems in the event of a station blackout.

Each distribution panel may be connected to a backup source of Class 1E 120 VAC power in accordance with the ACTIONS provided for an inoperable inverter. The tie is through a local, manually operated breaker, which is mechanically interlocked with the breaker connecting the inverter to the distribution panel such that the distribution panel cannot be connected to both sources simultaneously. The backup 120 VAC power is derived from the train A and B vital 480 VAC distributing system via 480-120 V Class 1E regulating transformers that are qualified as isolation devices.

Since the inverters for each of the four channels are connected to independent battery systems, a loss of a single DC bus can only affect the DC power supply to one of the

Inverters-Shutdown B 3.8.8 Vogtle Units 1 and 2 B 3.8.8-2 Rev. 2-4/09 BASES (continued)

LCO The inverters ensure the availability of electrical power for the instrumentation for systems required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence or a postulated DBA. Per LCO 3.8.10, "Distribution Systems-Shutdown," the necessary portions of the necessary AC vital bus electrical power distribution subsystems shall be OPERABLE to support equipment required to be OPERABLE. At a minimum, at least one train of AC vital bus electrical power subsystems energized from the associated inverters connected to the respective DC bus is required to be OPERABLE.

In the case where the requirements of LCO 3.8.10 call for portions of a second train of the distribution subsystems to be OPERABLE (e.g.,

to support two trains of RHR, two trains of CREFS, or instrumentation such as High Flux at Shutdown Alarm (HFASA), containment ventilation isolation actuation, and/or CREFS actuation), the required AC vital bus electrical power distribution subsystems may be energized from the associated inverters with the inverters connected to the respective bus, in accordance with LCO 3.8.8, or the Class 1E regulated transformer, in accordance with LCO 3.8.10. This ensures the availability of sufficient inverter power sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents).

APPLICABILITY The inverters required to be OPERABLE in MODES 5 and 6 provide assurance that:

a. Systems needed to mitigate a fuel handling accident are available;

b. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and

c. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.

Inverter requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.7.

(continued)

Inverters-Shutdown B 3.8.8 (continued)

Vogtle Units 1 and 2 B 3.8.8-3 Rev. 1-9/97 BASES (continued)

ACTIONS A.1, A.2.1, A.2.2, A.2.3, and A.2.4

If two trains are required by LCO 3.8.10, "Distribution Systems-Shutdown," the remaining OPERABLE Inverters may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, fuel movement, and operations with a potential for positive reactivity additions. By the allowance of the option to declare required features inoperable with the associated inverter(s) inoperable, appropriate restrictions will be implemented in accordance with the affected required features LCOs'

Inverters-Shutdown B 3.8.8 Vogtle Units 1 and 2 B 3.8.8-4 REVISION 14 BASES ACTIONS A.1, A.2.1, A.2.2, A.2.3, and A.2.4 (continued)

Required Actions. In many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies, and operations involving positive reactivity additions). The Required Action to suspend positive reactivity additions does not preclude actions to maintain or increase reactor vessel inventory, provided the required SDM is maintained.

Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required inverters and to continue this action until restoration is accomplished in order to provide the necessary inverter power to the unit safety systems.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required inverters should be completed as quickly as possible in order to minimize the time the unit safety systems may be without power or powered from a regulating transformer.

SURVEILLANCE SR 3.8.8.1 REQUIREMENTS This Surveillance verifies that the inverters are functioning properly with all required circuit breakers closed and AC vital buses energized from the inverter. The verification of proper voltage output ensures that the required power is readily available for the instrumentation connected to the AC vital buses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Chapter 6.

2. FSAR, Chapter 15.

Distribution Systems-Operating B 3.8.9 (continued)

Vogtle Units 1 and 2 B 3.8.9-5 REVISION 24 BASES (continued)

ACTIONS A.1

With one or more required AC buses, load centers, motor control centers, or distribution panels, except AC vital buses, inoperable, and the remaining AC electrical power distribution subsystems capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure, the overall system reliability is reduced. A single failure in the remaining power distribution subsystems could result in the minimum required ESF functions not being supported. Therefore, the required AC buses, load centers, motor control centers, and distribution panels must be restored to OPERABLE status within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. Condition A worst scenario is one train without AC power (i.e., no offsite power to the train and the associated DG inoperable). In this Condition, the unit is more vulnerable to a complete loss of AC power.

The 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> time limit before requiring a unit shutdown in this Condition is acceptable because of:

a. The potential for decreased safety if the unit operator's attention is diverted from the evaluations and actions necessary to restore power to the affected train, to the actions associated with taking the unit to shutdown within this time limit; and

b. The potential for an event in conjunction with a single failure of a redundant component in the train with AC power.

Distribution Systems-Operating B 3.8.9 (continued)

Vogtle Units 1 and 2 B 3.8.9-6 REVISION 24 BASES ACTIONS B.1 With one or more AC vital buses inoperable and the remaining OPERABLE AC vital buses capable of supporting the minimum safety functions necessary to shut down the unit and maintain it in the safe shutdown condition, overall reliability is reduced. An additional single failure could result in the minimum required ESF functions not being supported. Therefore, the required AC vital buses must be restored to

OPERABLE status within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> by powering the bus from the associated inverter with DC power available to the inverter or the Class 1E regulating transformer.

Condition B represents one or more AC vital buses without power; potentially both the DC source and the associated AC source are nonfunctioning. In this situation, the unit is significantly more vulnerable to a complete loss of all noninterruptable power.

This 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> limit is more conservative than Completion Times allowed for the vast majority of components that are without adequate vital AC power. Taking exception to LCO 3.0.2 for components without adequate vital AC power, that would have the Required Action Completion Times shorter than 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> if declared inoperable, is acceptable because of:

a. The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) and not allowing stable operations to continue;

b. The potential for decreased safety by requiring entry into numerous Applicable Conditions and Required Actions for

components without adequate vital AC power and not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected train;

and c. The potential for an event in conjunction with a single failure of a redundant component.

Distribution Systems-Operating B 3.8.9 (continued)

Vogtle Units 1 and 2 B 3.8.9-7 REVISION 24 BASES ACTIONS B.1 (continued)

The 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> Completion Time takes into account the importance to safety of restoring the AC vital buses to OPERABLE status, the redundant capability afforded by the other OPERABLE vital buses, and the low probability of a DBA occurring during this period.

C.1 With one or more DC buses inoperable and the remaining DC electrical power distribution subsystems capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure, the overall system reliability is reduced. A single failure in the remaining DC electrical power distribution subsystem could result in the minimum required ESF functions not being supported. Therefore, the required DC buses must be restored to OPERABLE status within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> by powering the bus from the associated battery or charger.

Condition C represents one or more DC subsystems without adequate DC power; potentially both with the battery significantly degraded and the associated charger nonfunctioning. In this situation, the unit is significantly more vulnerable to a complete loss of all DC power.

This 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> limit is more conservative than Completion Times allowed

for the vast majority of components that would be without power.

Taking exception to LCO 3.0.2 for components without adequate DC power, which would have Required Action Completion Times shorter than 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, is acceptable because of:

a. The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) while allowing stable operations to continue;

b. The potential for decreased safety by requiring entry into numerous applicable Conditions and Required Actions for components without DC power and not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected train; and

c. The potential for an event in conjunction with a single failure of a redundant component.

Distribution Systems-Operating B 3.8.9 Vogtle Units 1 and 2 B 3.8.9-10 REVISION 24 Table B 3.8.9-1 (page 1 of 1) AC and DC Electrical Power Distribution Systems TYPE VOLTAGE TRAIN A* TRAIN B* AC safety buses 4160 V 480 V

480 V Switchgear ESF Bus 1/2AA02 Switchgear 1/2AB04 1/2AB05 1/2AB15 Motor Control Centers 1/2ABE, 1/2ABA, 1/2ABC, 1/2ABF, 1/2ABB, 1/2ABD Switchgear ESF Bus 1/2BA03 Switchgear 1/2BB06 1/2BB07 1/2BB16 Motor Control Centers 1/2BBE, 1/2BBA, 1/2BBC, 1/2BBF, 1/2BBB, 1/2BBD DC buses***

125 V

125 V Switchgear 1/2AD1 1/2CD1

Distribution Panels 1/2AD11, 1/2AD12, 1/2CD11 Switchgear 1/2BD1 1/2DD1

Distribution Panels 1/2BD11, 1/2BD12, 1/2DD11 AC vital buses 120 V Distribution Panels Channel I 1/2AY1A, 1/2AY2A Channel III 1/2CY1A Associated Regulating Transformers**

Distribution Panels Channel II 1/2BY1B, 1/2BY2B Channel IV 1/2DY1B Associated Regulating Transformers**

• Each train of the AC and DC electrical power distribution systems is a subsystem. ** A regulating transformer is a component of the Electrical Power Distribution Systems only when it is in service providing power to a 120 VAC vital bus. ***Operability of 125 V Motor Control Centers 1/2AD1M and 1/2BD1M is addressed by LCOs 3.4.11, 3.4.12, and 3.7.5. Operability of Motor Control Center 1/2CD1M is addressed by LCO

3.7.5.

Distribution Systems-Shutdown B 3.8.10 Vogtle Units 1 and 2 B 3.8.10-2 Rev. 2-4/09 BASES LCO Various combinations of subsystems, equipment, and components are required OPERABLE by other LCOs, depending on the specific

plant condition. Implicit in those requirements is the required

OPERABILITY of necessary support required features. This LCO

explicitly requires energization of the portions of the electrical

distribution system necessary to support OPERABILITY of required systems, equipment, and components-a ll specifically addressed in each LCO.

The necessary portions of the AC electrical power distribution subsystems are considered OPERABLE if they are energized to their

proper voltages.

The necessary portions of the DC electrical power subsystems are considered OPERABLE if the following criteria are satisfied:

• At least one train of the necessary portions of DC electrical subsystems is energized to the proper voltage by an OPERABLE

train of DC sources in accordance with LCO 3.8.5, "DC Sources,"

and

• In the case where portions of a second train of the DC electrical subsystems are required OPERABLE (to support two trains of RHR, two trains of CREFS, or instrumentation such as High Flux at Shutdown Alarm (HFASA), containment ventilation isolation actuation, and/or CREFS actuation), the required portions of DC

electrical subsystems are OPERABLE when energized to the

proper voltage from either:

• an OPERABLE DC source in accordance with LCO 3.8.5, or

• the associated charger using the corresponding control equipment and interconnecting cabling within the train. In some

cases where there is an increased potential for the addition or

removal of loads larger than breaker control power ("larger

loads"), as provided in plant administrative controls, both the

associated battery and associated charger are required to

(continued)

Distribution Systems-Shutdown B 3.8.10 (continued)

Vogtle Units 1 and 2 B 3.8.10-5 Revision No. 0 BASES ACTIONS A.1, A.2.1, A.2.2, A.2.3, A.2.4, and A.2.5 (continued)

capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS and fuel movement. By allowing the option

to declare required features associated with an inoperable distribution

subsystem inoperable, appropriate restrictions are implemented in

accordance with the affected distribution subsystem LCO's Required

Actions. In many instances, this option may involve undesired

administrative efforts. Therefore, the allowance for sufficiently

conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies, and operations involving

positive reactivity additions).

Suspension of these activities does not preclude completion of actions to establish a safe conservative condition. These actions

minimize the probability of the occurrence of postulated events. It is

further required to immediately initiate action to restore the required

AC and DC electrical power distribution subsystems and to continue

this action until restoration is accomplished in order to provide the necessary power to the unit safety systems.

Notwithstanding performance of the above conservative Required Actions, a required residual heat removal (RHR) subsystem may be

inoperable. In this case, Required Actions A.2.1 through A.2.5 do not

adequately address the concerns relating to coolant circulation and

heat removal. Pursuant to LCO 3.0.6, the RHR ACTIONS would not

be entered. Therefore, Required Action A.2.5 is provided to direct

declaring RHR inoperable, which results in taking the appropriate RHR actions.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the

required distribution subsystems should be completed as quickly as

possible in order to minimize the time the unit safety systems may be

without power.

SURVEILLANCE SR 3.8.10.1 REQUIREMENTS This Surveillance verifies that the AC, DC, and AC vital bus electrical power distribution subsystems are functioning properly, with all the

buses energized. The verification of

Distribution Systems-Shutdown B 3.8.10 Vogtle Units 1 and 2 B 3.8.10-6 REVISION 14 BASES SURVEILLANCE SR 3.8.10.1 (continued)

REQUIREMENTS

proper voltage availability on the buses ensures that the required power is readily available for motive as well as control functions for

critical system loads connected to these buses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Chapter 6.

2. FSAR, Chapter 15.

Boron Concentration B 3.9.1 (continued)

Vogtle Units 1 and 2 B 3.9.1-3 Rev. 3 - 6/05 BASES APPLICABLE The RCS boron concentration satisfies Criterion 2 of 10 CFR 50.36 SAFETY ANALYSES (c)(2)(ii).

(continued)

LCO The LCO requires that a minimum boron concentration be maintained in all filled portions of the RCS, the refueling canal, and the refueling cavity while in MODE 6. The boron concentration limit specified in the COLR ensures that a core k eff of 0.95 is maintained during fuel handling operations. Violation of the LCO could lead to an inadvertent criticality during MODE 6.

APPLICABILITY This LCO is applicable in MODE 6 to ensure that the fuel in the reactor vessel will remain subcritical. The required boron concentration ensures a k eff 0.95. In MODES 1 and 2, LCO 3.1.4, "Rod Group Alignment Limits," LCO 3.1.5, "Shutdown Bank Insertion Limits," and LCO 3.1.6, "Control Bank Insertion Limits," ensure an adequate amount of negative reactivity is available to shut down the reactor. In MODES 3, 4, and 5, LCO 3.1.1, "SHUTDOWN MARGIN" ensures an adequate amount of negative reactivity is available to shut down the reactor.

ACTIONS A.1 and A.2 Continuation of CORE ALTERATIONS or positive reactivity additions (including actions to reduce boron concentration) is contingent upon maintaining the unit in compliance with the LCO. If the boron concentration of any coolant volume in the filled portions of the RCS, the refueling canal, or the refueling cavity is less than its limit, all operations involving CORE ALTERATIONS or positive reactivity additions must be suspended immediately.

Suspension of CORE ALTERATIONS and positive reactivity additions shall not preclude moving a component to a safe position or normal cooldown of the coolant volume for the purpose of system temperature control.

Boron Concentration B 3.9.1 Vogtle Units 1 and 2 B 3.9.1-4 REVISION 14 BASES ACTIONS A.3 (continued)

In addition to immediately suspending CORE ALTERATIONS or positive reactivity additions, boration to restore the concentration must be initiated immediately.

There are no safety analysis assumptions of boration flow rate and concentration that must be satisfied. The only requirement is to restore the boron concentration to its required value as soon as possible. In order to raise the boron concentration as soon as possible, the operator should begin boration with the best source available for unit conditions.

Once actions have been initiated, they must be continued until the boron concentration is restored. The restoration time depends on the amount of boron that must be injected to reach the required concentration.

SURVEILLANCE SR 3.9.1.1 REQUIREMENTS This SR ensures that the coolant boron concentration in all filled portions of the RCS, the refueling canal, and the refueling cavity is within the COLR limits. The boron concentration of the coolant in

each volume is determined periodically by chemical analysis.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 26.

2. FSAR, Subsection 15.4.6.

Unborated Water Source Isolation Valves B 3.9.2 (continued)

Vogtle Units 1 and 2 B 3.9.2-3 Revision No. 0 BASES LCO administrative control provided the reactor coolant system boron (continued) concentration is within the limit specified in the COLR and the high flux at shutdown alarm is OPERABLE. The high flux at shutdown alarm is not normally required OPERABLE in MODE 6, however for the purpose of meeting the requirement stated in this Note, the high flux at shutdown alarm is considered OPERABLE if the applicable surveillance requirements of LCO 3.3.8, High Flux at Shutdown Alarm and LCO 3.9.3, Nuclear Instrumentation are met.

APPLICABILITY In MODE 6, this LCO is applicable to prevent an inadvertent boron dilution event by ensuring isolation of all sources of unborated water to the RCS.

For all other MODES, the boron dilution accident was analyzed and was found to be capable of being mitigated.

ACTIONS The ACTIONS do not apply to valves in the flow path from the RMWST, through the chemical mixing tank, to the suction of the charging pumps, when opened under administrative control in accordance with the Note in the LCO. The ACTIONS table has been modified by a Note that allows separate Condition entry for each

unborated water source isolation valve.

A.1 Continuation of CORE ALTERATIONS is contingent upon maintaining the unit in compliance with this LCO. With any valve used to isolate unborated water sources not secured in the closed position, all operations involving CORE ALTERATIONS must be suspended immediately. The Completion Time of "immediately" for performance of Required Action A.1 shall not preclude completion of movement of a component to a safe position.

Condition A has been modified by a Note to require that Required Action A.3 be completed whenever Condition A is entered.

Unborated Water Source Isolation Valves B 3.9.2 Vogtle Units 1 and 2 B 3.9.2-4 REVISION 14 BASES ACTIONS A.2 (continued)

Preventing inadvertent dilution of the reactor coolant boron concentration is dependent on maintaining the unborated water isolation valve(s) secured closed. Securing the valve(s) in the closed position ensures that the valve(s) cannot be inadvertently opened.

The Completion Time of "immediately" requires an operator to initiate actions to close an open valve and secure the isolation valve in the closed position immediately. Once actions are initiated, they must be continued until the valves are secured in the closed position.

A.3 Due to the potential of having diluted the boron concentration of the reactor coolant, SR 3.9.1.1 (verification of boron concentration) must be performed whenever Condition A is entered to demonstrate that the required boron concentration exists. The Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is sufficient to obtain and analyze a reactor coolant sample for boron concentration.

SURVEILLANCE SR 3.9.2.1 REQUIREMENTS These valve(s) are to be secured closed to isolate possible dilution paths. The likelihood of a significant reduction in the boron concentration during MODE 6 operations is remote due to the large mass of borated water in the refueling cavity and the fact that all unborated water sources are isolated, precluding a dilution. The boron concentration is checked every 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> during MODE 6 under SR 3.9.1.1. This Surveillance demonstrates that the valves are closed through a system walkdown. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Subsection 15.4.6.

2. NUREG-0800, Section 15.4.6.

Nuclear Instrumentation B 3.9.3 Vogtle Units 1 and 2 B 3.9.3-1 Rev. 3-4/09 B 3.9 REFUELING OPERATIONS

B 3.9.3 Nuclear Instrumentation

BASES BACKGROUND The source range neutron flux monitors are used during refueling operations to monitor the core reactivity condition. The installed source range neutron flux monitors (NI-0031 and NI-0032) are part of the Nuclear Instrumentation System (NIS). These detectors are located external to the reactor vessel and detect neutrons leaking from the core. Temporary neutron flux detectors which provide equivalent indication may be utilized in place of installed

instrumentation.

The installed source range neutron flux monitors are fission chamber detectors. The detectors monitor the neutron flux in counts per second. The instrument range covers seven decades of neutron flux (1E-1 cps to 1E +6 cps) with a 2% instrument accuracy. The

detectors also provide continuous visual indication in the control room.

The NIS is designed in accordance with the criteria presented in Reference 1.

APPLICABLE Two OPERABLE source range neutron flux monitors are required SAFETY ANALYSES to provide a signal to alert the operator to unexpected changes in core reactivity such as an improperly loaded fuel assembly. The need for a safety analysis for an uncontrolled boron dilution accident is minimized by isolating all unborated water sources except as provided for by LCO 3.9.2, "Unborated Water Source Isolation Valves."

The source range neutron flux monitors satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).

LCO This LCO requires that two source range neutron flux monitors be OPERABLE to ensure that redundant monitoring capability is available to detect changes in core reactivity. To be OPERABLE each monitor must provide visual indication.

When any of the safety-related busses supplying power to one of the detectors (NI-0031 or NI-0032) associated with the source range neutron flux monitors are taken out of service, the corresponding source range neutron flux monitor may be considered OPERABLE when its detector is powered from a temporary nonsafety-related (continued)

Nuclear Instrumentation B 3.9.3 Vogtle Units 1 and 2 B 3.9.3-2 Rev. 1-4/09 BASES LCO source of power, provided the detector for the opposite source range (continued) neutron flux monitor is powered from its normal source.

APPLICABILITY In MODE 6, the source range neutron flux monitors must be OPERABLE to determine changes in core reactivity. There are no other direct means available to check core reactivity levels. In MODES 2, 3, 4, and 5, the operability requirements for the installed source range detectors and circuitry are specified in LCO 3.3.1, "Reactor Trip System (RTS) Instrumentation." ACTIONS A.1 and A.2 With only one source range neutron flux monitor OPERABLE, redundancy has been lost. Since these instruments are the only direct means of monitoring core reactivity conditions, CORE ALTERATIONS and positive reactivity additions must be suspended immediately. Performance of Required Action A.1 shall not preclude completion of movement of a component to a safe position or normal cooldown of the coolant volume for the purpose of system temperature control.

B.1 Condition B is modified by a Note to clarify the requirement that entry into or continued operation in accordance with Condition A is required

for any entry into Condition B. The Note reinforces conventions of LCO applicability as stated in LCO 3.0.2 and as reflected in examples in 1.3, Completion Times.

With no source range neutron flux monitor OPERABLE, action to restore a monitor to OPERABLE status shall be initiated immediately.

Once initiated, actions shall be continued until a source range neutron flux monitor is restored to OPERABLE status.

B.2 With no source range neutron flux monitor OPERABLE, there are no direct means of detecting changes in core reactivity. However, since CORE ALTERATIONS and positive reactivity additions are not to be (continued)

Nuclear Instrumentation B 3.9.3 (continued)

Vogtle Units 1 and 2 B 3.9.3-3 REVISION 14 BASES ACTIONS B.2 (continued)

made, the core reactivity condition is stabilized until the source range neutron flux monitors are OPERABLE. This stabilized condition is determined by performing SR 3.9.1.1 to ensure that the required boron concentration exists.

The Completion Time of once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is sufficient to obtain and analyze a reactor coolant sample for boron concentration and to ensure that unplanned changes in boron concentration would be identified. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Completion Time is reasonable, considering the low probability of a change in core reactivity during this time

period.

SURVEILLANCE SR 3.9.3.1 REQUIREMENTS SR 3.9.3.1 is the performance of a CHANNEL CHECK, which is a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that the two indication channels should be consistent with core conditions. Changes in fuel loading and core geometry can result in significant differences between source range channels, but each channel should be consistent with its local conditions.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.9.3.2 SR 3.9.3.2 is the performance of a CHANNEL CALIBRATION. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION. The CHANNEL CALIBRATION for the source range neutron flux monitors includes obtaining the detector preamp discriminator curves and evaluating those curves. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Nuclear Instrumentation B 3.9.3 Vogtle Units 1 and 2 B 3.9.3-4 Revision No. 0 BASES (continued)

REFERENCES 1. 10 CFR 50, Appendix A, GDC 13, GDC 26, GDC 28, and GDC 29.

Containment Penetrations B 3.9.4 (continued)

Vogtle Units 1 and 2 B 3.9.4-3 REVISION 31 BASES BACKGROUND In MODE 6, the 24 inch main or shutdown purge and exhaust (continued) valves are used to exchange large volumes of containment air to support refueling operations or other maintenance activities. During CORE ALTERATIONS or movement of irradiated fuel assemblies within containment any open 24 inch valves are capable of being closed (LCO 3.3.6). The 14 inch mini-purge and exhaust valves, though typically not opened during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment, if opened are also capable of being closed (LCO 3.3.6).

The other containment penetrations that provide direct access from containment atmosphere to outside atmosphere must be isolated on at least one side. Isolation may be achieved by a closed automatic isolation valve, a manual isolation valve, blind flange, or equivalent. Equivalent isolation methods allowed under the provisions of 10 CFR 50.59 may include use of a material that can provide a temporary, atmospheric pressure, ventilation barrier for the other containment penetrations during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment (Ref. 1).

APPLICABLE During CORE ALTERATIONS or movement of irradiated fuel SAFETY ANALYSES assemblies within containment, the most severe radiological consequences result from a fuel handling accident. The fuel handling accident is a postulated event that involves damage to irradiated fuel (Ref. 2). Fuel handling accidents, analyzed in Reference 2, include dropping a single irradiated fuel assembly onto another irradiated fuel assembly.

To support the plant configuration of both air lock doors open (personnel and/or emergency air locks), and to further minimize an unmonitored, untreated release, the designated individual for closure of the air lock will have the air lock closed within 15 minutes of the fuel handling accident. The 15 minute duration was chosen as the limit for the response capability for the person who is designated for closing the air lock door. The NRC

Containment Penetrations B 3.9.4 (continued)

Vogtle Units 1 and 2 B 3.9.4-4 REVISION 31 BASES APPLICABLE acceptance of this specification was based on doses for a 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> SAFETY ANALYSES release as well as a licensee commitment for a person (continued) designated to close the door quickly.

The requirements of LCO 3.9.7, "Refueling Cavity Water Level," and the minimum decay time of 90 hours0.00104 days <br />0.025 hours <br />1.488095e-4 weeks <br />3.4245e-5 months <br /> prior to CORE ALTERATIONS ensure that the release of fission product radioactivity, subsequent to a fuel handling accident, results in doses that are well within the guideline values specified in 10 CFR 100. The acceptance limits for offsite radiation exposure will be 25% of 10 CFR 100 values as specified in Regulatory Guide 1.195 (Ref. 3). The radiological consequences of a fuel handling accident in containment have been evaluated assuming that the containment is open to the outside atmosphere. All airborne activity reaching the containment atmosphere is assumed to be exhausted to the environment within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of the accident. The calculated offsite and control room operator doses are within the acceptance criteria of Regulatory Guide 1.195 and GDC 19. Therefore, although the containment penetrations do not satisfy any of the 10 CFR 50.36 (c)(2)(ii) criteria, LCO 3.9.4 provides containment closure capability to minimize potential offsite doses.

LCO This LCO limits the consequences of a fuel handling accident in containment by limiting the potential escape paths for fission product radioactivity released within containment. The LCO requires the equipment hatch, the air locks, and any penetration providing direct access to the outside atmosphere to be closed or capable of being closed. Personnel air lock closure capability is provided by the availability of at least one door and a designated individual to close it.

Emergency air lock closure capability is provided by the availability of at least one door and a designated individual to close it. Equipment hatch closure capability is provided by a designated trained hatch closure crew and the necessary equipment. For the OPERABLE containment ventilation penetrations, this LCO ensures that each penetration is isolable by the Containment Ventilation Isolation valves.

The OPERABILITY requirements for LCO 3.3.6, Containment Ventilation Isolation Instrumentation ensure that radiation monitor inputs to the control room alarm exist so that operators can take

timely

Containment Penetrations B 3.9.4 (continued)

Vogtle Units 1 and 2 B 3.9.4-5 Rev. 10 BASES LCO action to close containment penetrations to minimize potential offsite (continued) doses. The LCO requirements for penetration closure may also be met by the automatic isolation capability of the CVI system. Temporary non-1E power may be supplied to the air operated and/or solenoid operated CVI valves. The temporary non-1E power must be connected in such a way that it cannot affect the capability of the valves to close either automatically or manually from the control room handswitch.

Item b of this LCO includes requirements for both the emergency air lock and the personnel air lock. The personnel and emergency air locks are required by Item b of this LCO to be isolable by at least one air lock door in each air lock. Both containment personnel and emergency air lock doors may be open during movement of irradiated fuel in the containment and during CORE ALTERATIONS provided at least one air lock door is isolable in each air lock. An air lock is isolable when the following criteria are satisfied:

1. one air lock door is OPERABLE, 2. at least 23 feet of water shall be maintained over the top of the reactor vessel flange in accordance with Specification 3.9.7, 3. a designated individual is available to close the door.

OPERABILITY of a containment air lock door requires that the door seal protectors are easily removed, that no cables or hoses are being run through the air lock, and that the air lock door is capable of being quickly closed.

The equipment hatch is considered isolable when the following criteria are satisfied:

1. the necessary equipment required to close the hatch is available.

2. at least 23 feet of water is maintained over the top of the reactor vessel flange in accordance with Specification 3.9.7, 3. a designated trained hatch closure crew is available.

Similar to the air locks, the equipment hatch opening must be capable of being cleared of any obstruction so that closure can be achieved as soon as possible.

Containment Penetrations B 3.9.4 (continued)

Vogtle Units 1 and 2 B 3.9.4-6 REVISION 14 BASES (continued)

APPLICABILITY The containment penetration requirements are applicable during CORE ALTERATIONS or movement of irradiated fuel assemblies within containment because this is when there is a potential for a fuel handling accident. In MODES 1, 2, 3, and 4, containment penetration requirements are addressed by LCO 3.6.1, "Containment." In MODES 5 and 6, when CORE ALTERATIONS or movement of irradiated fuel assemblies within containment are not being conducted, the potential for a fuel handling accident does not exist.

Therefore, under these conditions no requirements are placed on containment penetration status.

ACTIONS A.1 and A.2 If the containment equipment hatch, air locks, or any containment penetration that provides direct access from the containment atmosphere to the outside atmosphere is not in the required status, the unit must be placed in a condition where the isolation function is not needed. This is accomplished by immediately suspending CORE ALTERATIONS and movement of irradiated fuel assemblies within containment. Performance of these actions shall not preclude completion of movement of a component to a safe position.

SURVEILLANCE SR 3.9.4.1 REQUIREMENTS This Surveillance demonstrates that each of the containment penetrations required to be in its closed position is in that position.

The Surveillance on the required open containment ventilation isolation valves will demonstrate that the valves are not blocked from closing. Also the Surveillance will demonstrate that each required valve operator has motive power, which will ensure that each valve is capable of being closed.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Containment Penetrations B 3.9.4 Vogtle Units 1 and 2 B 3.9.4-7 REVISION 31 BASES SURVEILLANCE SR 3.9.4.2 REQUIREMENTS (continued) This Surveillance demonstrates that each containment ventilation isolation valve in each open containment ventilation penetration actuates to its isolation position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.9.4.3

The equipment hatch is provided with a set of hardware, tools, and equipment for moving the hatch from its storage location and installing it in the opening. The required set of hardware, tools, and equipment shall be inspected to ensure that they can perform the required functions.

The 7 day frequency is adequate considering that the hardware, tools, and equipment are dedicated to the equipment hatch and not used for any other functions.

The SR is modified by a Note which only requires that the surveillance be met for an open equipment hatch. If the equipment hatch is installed in its opening, the availability of the means to install the hatch is not required.

REFERENCES 1. GPU Nuclear Safety Evaluation SE-0002000-001, Rev. 0, May 20, 1988.

2. FSAR, Subsection 15.7.4.

3. Regulatory Guide 1.195, May 2003.

RHR and Coolant Circulation - High Water Level B 3.9.5 (continued)

Vogtle Units 1 and 2 B 3.9.5-3 Revision No. 0 BASES APPLICABILITY because it corresponds to the 23 ft requirement established (continued) for fuel movement in LCO 3.9.7, "Refueling Cavity Water Level." Requirements for the RHR System in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS), and Section 3.5, Emergency Core Cooling Systems (ECCS). RHR loop requirements in MODE 6 with the water level < 23 ft are located in LCO 3.9.6, "Residual Heat Removal (RHR) and Coolant Circulation -

Low Water Level."

ACTIONS RHR loop requirements are met by having one RHR loop OPERABLE and in operation, except as permitted in the Note to the LCO.

A.1 If RHR loop requirements are not met, there will be no forced circulation to provide mixing to establish uniform boron concentrations. Reduced boron concentrations cannot occur by the addition of water with a lower boron concentration than that contained in the RCS because all of unborated water sources are isolated.

A.2 If RHR loop requirements are not met, actions shall be taken immediately to suspend loading of irradiated fuel assemblies in the core. With no forced circulation cooling, decay heat removal from the core occurs by natural convection to the heat sink provided by the water above the core. A minimum refueling water level of 23 ft above the reactor vessel flange provides an adequate available heat sink. Suspending any operation that would increase decay heat load, such as loading a fuel assembly, is a prudent action under this condition.

A.3 If RHR loop requirements are not met, actions shall be initiated and continued in order to satisfy RHR loop requirements. With the unit in MODE 6 and the refueling

RHR and Coolant Circulation - Low Water Level B 3.9.6 Vogtle Units 1 and 2 B 3.9.6-1 Rev. 1-10/01 B 3.9 REFUELING OPERATIONS

B 3.9.6 Residual Heat Removal (RHR) and Coolant Circulation - Low Water Level

BASES BACKGROUND The purpose of the RHR System in MODE 6 is to remove decay heat and sensible heat from the Reactor Coolant System (RCS), as required by GDC 34, to provide mixing of borated coolant, and to prevent boron stratification. Heat is removed from the RCS by circulating reactor coolant through the RHR heat exchangers where the heat is transferred to the Component Cooling Water System. The coolant is then returned to the RCS via the RCS cold leg(s).

Operation of the RHR System for normal cooldown decay heat removal is manually accomplished from the control room. The heat removal rate is adjusted by controlling the flow of reactor coolant through the RHR heat exchanger(s) and the bypass lines. Mixing of the reactor coolant is maintained by this continuous circulation of reactor coolant through the RHR System.

APPLICABLE While there is no explicit analysis assumption for the decay SAFETY ANALYSES heat removal function of the RHR system in MODE 6, if the reactor coolant temperature is not maintained below 200

°F, boiling of the reactor coolant could result. This could lead to a loss of refueling cavity water level. In addition, boiling of the reactor coolant could lead to a reduction in boron concentration in the coolant due to the boron plating out on components near the areas of the boiling activity. The loss of reactor coolant and the reduction of boron concentration in the reactor coolant will eventually challenge the integrity of the fuel cladding, which is a fission product barrier. Two trains of the RHR System are required to be OPERABLE, and one train in operation, in order to prevent this challenge.

RHR and coolant circulation - Low Water Level satisfies Criterion 4 of 10 CFR 50.36 (c)(2)(ii).

LCO In MODE 6, with the water level < 23 ft above the top of the reactor vessel flange, both RHR loops must be OPERABLE.

(continued)

RHR and Coolant Circulation - Low Water Level B 3.9.6 (continued)

Vogtle Units 1 and 2 B 3.9.6-3 REVISION 19 BASES ACTIONS A.1 and A.2 (continued) restored to OPERABLE status and to operation or until 23 ft of water level is established above the reactor vessel flange. When the water

level is 23 ft above the reactor vessel flange, the Applicability changes to that of LCO 3.9.5, and only one RHR loop is required to be OPERABLE and in operation. An immediate Completion Time is necessary for an operator to initiate corrective actions.

B.1 If no RHR loop is in operation, there will be no forced circulation to provide mixing to establish uniform boron concentrations. Reduced boron concentrations cannot occur by the addition of water with a lower boron concentration than that contained in the RCS, because all of the unborated water sources are isolated.

B.2 If no RHR loop is in operation, actions shall be initiated immediately, and continued, to restore one RHR loop to operation. Since the unit is in Conditions A and B concurrently, the restoration of two OPERABLE RHR loops and one operating RHR loop should be accomplished expeditiously.

B.3 If no RHR loop is in operation, all containment penetrations providing direct access from the containment atmosphere to the outside atmosphere must be closed within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. With the RHR loop requirements not met, the potential exists for the coolant to boil and release radioactive gas to the containment atmosphere. Closing containment penetrations that are open to the outside atmosphere ensures that dose limits are not exceeded.

The Completion Time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is reasonable, based on the low probability of the coolant boiling in that time.

Refueling Cavity Water Level B 3.9.7 (continued)

Vogtle Units 1 and 2 B 3.9.7-1 REVISION 31 B 3.9 REFUELING OPERATIONS

B 3.9.7 Refueling Cavity Water Level

BASES BACKGROUND The movement of irradiated fuel assemblies or performance of CORE ALTERATIONS, except during latching and unlatching of control rod

drive shafts, within containment requires a minimum water level of

23 ft above the top of the reactor vessel flange. During refueling, this

maintains sufficient water level in the containment, refueling canal, fuel transfer canal, refueling cavity, and spent fuel pool. Sufficient water

is necessary to retain iodine fission product activity in the water in the

event of a fuel handling accident (Refs. 1 and 2). Sufficient iodine

activity would be retained to limit offsite doses from the accident to < 25% of 10 CFR 100 limits, as provided by the guidance of Reference 3.

APPLICABLE During CORE ALTERATIONS and movement of irradiated fuel SAFETY ANALYSES assemblies, the water level in the refueling canal and the refueling cavity is an initial condition design parameter in the analysis of a fuel

handling accident in containment, as postulated by Regulatory

Guide 1.195 (Ref. 1). A minimum water level of 23 ft allows a decontamination factor of 200 to be used in the accident analysis for iodine. This relates to the assumption that 99.5% of the total iodine released from the pellet to cladding gap of all the dropped fuel

assembly rods is retained by the refueling cavity water.

The fuel handling accident analysis inside containment is described in Reference 2. With a minimum water level of 23 ft and a minimum

decay time of 90 hours0.00104 days <br />0.025 hours <br />1.488095e-4 weeks <br />3.4245e-5 months <br /> prior to fuel handling, the analysis and test programs demonstrate that the iodine release due to a postulated fuel

handling accident is adequately captured by the water and offsite

doses are maintained within allowable limits (Refs. 3 and 4).

Refueling Cavity Water Level B 3.9.7 (continued)

Vogtle Units 1 and 2 B 3.9.7-2 Rev. 1-10/01 BASES APPLICABLE Refueling cavity water level satisfies Criterion 2 of 10 CFR 50.36 SAFETY ANALYSES (c)(2)(ii).

(continued)

LCO A minimum refueling cavity water level of 23 ft above the reactor vessel flange is required to ensure that the radiological consequences

of a postulated fuel handling accident inside containment are within

acceptable limits, as provided by the guidance of Reference 3.

APPLICABILITY LCO 3.9.7 is applicable during CORE ALTERATIONS, except during latching and unlatching of control rod drive shafts, and when moving

irradiated fuel assemblies within containment. Unlatching and latching

of control rod drive shafts includes drag testing of the associated rod

cluster control assembly. The LCO ensures a sufficient level of water

is present in the reactor cavity to minimize the radiological

consequences of a fuel handling accident in containment. If irradiated

fuel assemblies are not present in containment, there can be no

significant radioactivity release as a result of a postulated fuel handling accident. Requirements for fuel handling accidents in the spent fuel pool are covered by LCO 3.7.15, "Fuel Storage Pool Water

Level."

ACTIONS A.1 and A.2

With a water level of < 23 ft above the top of the reactor vessel flange, all operations involving CORE ALTERATIONS or movement of

irradiated fuel assemblies within the containment shall be suspended

immediately to ensure that a fuel handling accident cannot occur.

The suspension of CORE ALTERATIONS and fuel movement shall not preclude completion of movement of a component to a safe position.

Refueling Cavity Water Level B 3.9.7 Vogtle Units 1 and 2 B 3.9.7-3 REVISION 31 BASES (continued)

SURVEILLANCE SR 3.9.7.1 REQUIREMENTS Verification of a minimum water level of 23 ft above the top of the reactor vessel flange ensures that the design basis for the analysis of

the postulated fuel handling accident during refueling operations is

met. Water at the required level above the top of the reactor vessel

flange limits the consequences of damaged fuel rods that are

postulated to result from a fuel handling accident inside containment (Ref. 2).

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. Regulatory Guide 1.195, May 2003.

2. FSAR, Subsection 15.7.4.

3. 10 CFR 100.11

4. Malinowski, D. D., Bell, M. J., Duhn, E., and Locante, J., WCAP-7828, Radiological Consequences of a Fuel Handling

Accident, December 1971.