Text

LLC Response to NRC Request for Additional Information No. 156 (Erai No. 9031) on the NuScale Design Certification Application
	ML17269A210
Person / Time
Site:	NuScale
Issue date:	09/26/2017
From:	Rad Z; NuScale
To:	; Document Control Desk, Office of New Reactors
References
	RAIO-0917-56153
	Download: ML17269A210 (175)
	v • d • e

RAIO-0917-56153 September 26, 2017 Docket No.52-048 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk One White Flint North 11555 Rockville Pike Rockville, MD 20852-2738

SUBJECT:

NuScale Power, LLC Response to NRC Request for Additional Information No.

156 (eRAI No. 9031) on the NuScale Design Certification Application

REFERENCE:

U.S. Nuclear Regulatory Commission, "Request for Additional Information No.

156 (eRAI No. 9031)," dated August 08, 2017 The purpose of this letter is to provide the NuScale Power, LLC (NuScale) response to the referenced NRC Request for Additional Information (RAI).

The Enclosure to this letter contains NuScale's response to the following RAI Questions from NRC eRAI No. 9031:

16-2 16-3 16-4 16-5 16-6 This letter and the enclosed response make no new regulatory commitments and no revisions to any existing regulatory commitments.

If you have any questions on this response, please contact Steven Mirsky at 240-833-3001 or at smirsky@nuscalepower.com.

Sincerely, Zackary W. Rad Director, Regulatory Affairs Director NuScale Power, LLC NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvalis, Oregon 97330, Office: 541.360.0500, Fax: 541.207.3928 www.nuscalepower.com

RAIO-0917-56153 Distribution: Gregory Cranston, NRC, OWFN-8G9A Samuel Lee, NRC, OWFN-8G9A Anthony Markley, NRC, OWFN-8G9A : NuScale Response to NRC Request for Additional Information eRAI No. 9031 NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvalis, Oregon 97330, Office: 541.360.0500, Fax: 541.207.3928 www.nuscalepower.com

RAIO-0917-56153 :

NuScale Response to NRC Request for Additional Information eRAI No. 9031 NuScale Power, LLC 1100 NE Circle Blvd., Suite 200 Corvalis, Oregon 97330, Office: 541.360.0500, Fax: 541.207.3928 www.nuscalepower.com

Response to Request for Additional Information Docket No.52-048 eRAI No.: 9031 Date of RAI Issue: 08/08/2017 NRC Question No.: 16-2 Paragraph (a)(11) of 10 CFR 52.47 and paragraph (a)(30) of 10 CFR 52.79 state that a design certification (DC) applicant and a combined license (COL) applicant, respectively, are to propose technical specifications (TS) prepared in accordance with 10 CFR 50.36 and 50.36a.

10 CFR 50.36 sets forth requirements for TS to be included as part of the operating license for a nuclear power facility. The model standard technical specifications (STS) in the following documents provide NRC guidance on format and content of TS as acceptable means to meet 10 CFR 50.36 requirements. These documents may be accessed using the Agencywide Documents Access and Management Systems (ADAMS) by their accession numbers.

NUREG-1431, STS Westinghouse Plants, Revision 4 (ADAMS Accession Nos.

ML12100A222 and ML12100A228)

NUREG-1432, STS Combustion Engineering Plants, Revision 4 (ADAMS Accession Nos.

ML12102A165 and ML12102A169)

NUREG-2194, STS Westinghouse Advanced Passive 1000 (AP1000) Plants, Revision 0 (ADAMS Accession No. ML16111A132)

The NRC staff needs to evaluate technical differences in the proposed generic TS (GTS) from applicable provisions in these documents, which are referenced by the DC applicant in Design Control Document (DCD) Tier 2, Section 16.1, and the docketed rationale for each difference because conformance to STS provisions is used in the safety review as the initial point of guidance for evaluating the adequacy of the GTS to ensure adequate protection of public health and safety, and the completeness and accuracy of the GTS Bases.

The NRC staff reviewed the technical report (TR) titled Technical Specifications Regulatory Conformance and Development (TSRCD), TR-1116-52011-NP, dated December 16, 2016 (ADAMS Accession No. ML17005A136), and concludes that it does not fully discuss the differences in presentation and content of GTS Section 1.1, Definitions, compared to equivalent definitions in Section 1.1 in Revision 4 of the STS for Westinghouse plants (NUREG-1431) and CE plants (NUREG-1432), or Revision 0 of the STS for Westinghouse AP1000 plants (NUREG-2194). In the following cases, the staff needs such discussions to complete the review of the NuScale definitions. Accordingly, the staff requests that the applicant revise the TSRCD to justify the noted defined term differences between the NuScale GTS and whichever STS is most appropriate (AP1000 STS, Westinghouse STS, CE STS, or NuScale Nonproprietary

other STS). If a proposed difference is derived from Section 1.1 of the General Electric (GE) economic simplified boiling water reactor (ESBWR) GTS (ADAMS Accession Nos.

ML14100A550 and ML14100A552), or the General Electric-Hitachi (GEH) advanced boiling water reactor (ABWR) plant-specific TS for South Texas Project, Unit 3 (STP-3) or Unit 4 (STP-4), the justification should say so.

The STP-4 plant-specific TS may be found in Revision 12 of the combined license (COL) application (COLA), dated April 21, 2015 (ADAMS Accession No. ML15124A421), and in Appendix A of the STP-4 COL (License No. NPF-098; Docket No.52-013) made effective on February 12, 2016 (ADAMS Accession Nos. ML16033A047 and ML16032A420). Also, see COLA Part 2, FSAR (ADAMS Accession Nos. ML15124A321 - ML15124A325)

COLA Part 4, Technical Specifications (ADAMS Accession No ML15316A454)

Design Certification Application (DCA) Revision 4, Part 4, Technical Specifications, dated May 12, 1997 (ADAMS Accesssion No. ML11126A173)

a. ACTUATION LOGIC TEST Paragraphs (a) and (b) are new and need to be discussed. In particular paragraph (a) states that a purpose of this test is to test digital computer hardware. Why is this test limited to hardware? Why not include testing of software?

b. CHANNEL CHECK Differences are neither identified nor discussed. Also request clarification of Channel Check surveillance description in FSAR Tier 2, Section 7.2.10, pages 7.2-47 & 7.2-48.

c. CHANNEL OPERATIONAL TEST (COT)

Paragraphs (a) and (b) are new and need to be discussed. In particular, paragraph (a) states that a purpose of this test is to test digital computer hardware. Why is the COT limited to hardware? Why not include testing of software? Also, the NuScale definition omits the STS definitions phrase injection of a simulated or actual signal into the channel as close to the sensor practicable; explain why this test performance condition is omitted. Finally, explain why only GTS Subsection 3.4.7 specifies a COT surveillance requirement (for the RCS LEAKAGE detection instrumentation gaseous radioactivity monitor on the containment evacuation system gas discharge line). In the May 17-18, 2017, meeting with the staff, NuScale said that self-testing and diagnostics, which is designed into the Highly Integrated Protection System (HIPS) platform, negates a need for manually checking the functioning of the instrument loop between CHANNEL CALIBRATION surveillances. NuScale suggested its position is consistent with digital instrumentation upgrades at Oconee, Wolf Creek, and Diablo Canyon. Hence no COT for reactor trip and SFAS instrument function channels.

However, DCA Part 2, FSAR Tier 2, Section 7.2.15.2, I&C system testing, states:

Periodic surveillance testing also verifies the continual self-testing functions. Performance of periodic surveillance testing does not involve disconnecting wires or installation of jumpers for at-power testing. The self-test features maintain separation group and division independence by being performed at within the separation group or within the division.

NuScale Nonproprietary

The applicant is requested to specify a COT for RTS and ESFAS instrumentation Function channels that is consistent with the above statement and with a Frequency consistent with the COT for RTS and ESFAS instrumentation Functions in the W-AP1000-STS (92 days).

d. DOSE EQUIVALENT XE-133 There is a mistake in the definition - the dose quantity should be effective dose equivalent (EDE), not committed effective dose equivalent (CEDE). The referenced Federal Guidance Report table is correct, but there is no such thing as CEDE for the external dose:

DOSE EQUIVALENT XE-133 shall be that concentration of Xe-133 (microcuries per gram) that alone would produce the same committed effective dose equivalent as the quantity and isotopic mixture of noble gases (Kr-85m, Kr-85, Kr-87, Kr-88, Xe-131m, Xe-133m, Xe-133, Xe-135m, Xe-135, and Xe-138) actually present. The dose conversion factors used for this calculation shall be those listed in Table III.1 of EPA Federal Guidance Report No. 12, External Exposure to Radionuclides in Air, Water, and Soil, EPA 402-R- 93-081, September 1993.

The applicant is requested to correct this error.

e. LEAKAGE Paragraph (a) regarding Identified LEAKAGE does not address LEAKAGE, such as that from seals or valve packing, that is captured and conducted to collection systems or a sump or collecting tank. Explain why these leakage pathways, which are included in the STS definition as stated, are omitted. Also, change Identified Leakage to Identified LEAKAGE in the title of paragraph (a).

f. LEAKAGE The definition of LEAKAGE in Section 1.1 of the NuScale generic technical specifications (GTS), paragraph (c) regarding Pressure Boundary LEAKAGE includes a statement, which is not found in the Westinghouse standard TS (W-STS): A fault in an RCS component body, pipe wall, or vessel wall is isolated if LEAKAGE through the isolation device is 0.5 gpm per nominal inch of valve size up to a maximum limit of 5 gpm.

The staff questions the need and appropriateness of this deviation from the W-STS LEAKAGE definition because no Pressure Boundary LEAKAGE should be allowed. The staff notes that the above deviation was included in withdrawn traveler TSTF-534, Clarify Application of Pressure Boundary Leakage Definition, Revision 0. In its response letter, dated September 4, 2012 (MLxxxcccvvv), to a staff request for supplemental information on TSTF-534, the industry (the Owners Groups TSTF) provided the requested supplemental information but also chose to withdraw the traveler.

The applicant is requested to withdraw from the GTS and Bases all corresponding changes to W-STS Section 1.1 and W-STS Bases Subsection B 3.4.13, proposed in TSTF-534.

Alternatively, the applicant may seek approval of the changes in this traveler, as applied to the NuScale Nonproprietary

NuScale design, taking into consideration the supplemental information in the industrys response letter, by providing justification for the changes that is acceptable to the Mechanical Engineering Branch staff in the Office of New Reactors.

f. OPERABLE-OPERABILITY The definition for OPERABLE-OPERABILITY includes a reference to seal water. Explain how this feature is applicable to the NuScale design. Also, should the phrase separation group be considered for inclusion in the definition? Lastly, since NuScale includes no Class 1E emergency electrical power source or distribution system, discuss how the control room operator should interpret the phrase when all necessary attendant ... normal or emergency electrical power that [is] required for the system, subsystem, train, component, or device to perform its specified safety function(s) are also capable of performing their related support function(s); especially if the preferred (normal) electrical power source or distribution is unavailable.

g. STAGGERED TEST BASIS Response time testing in the STS usually has a Frequency on a STAGGERED TEST BASIS.

Even though all such surveillance frequencies are specified by referencing the Surveillance Frequency Control Program (SFCP), this omitted definition is still necessary. See related question about including a value for the base surveillance frequency in all of the surveillance requirements (other than frequencies based on another program, such as In accordance with the INSERVICE TEST PROGRAM).

In addition, as indicated in the markup of Section 1.1 of the Westinghouse STS (NUREG-1431, Revision 3.1) in TSTF-425, Revision 3, the definition of STAGGERED TEST BASIS should be bracketed, as follows:

[STAGGERED A STAGGERED TEST BASIS shall consist of the testing of one of the TEST BASIS systems, subsystems, channels, or other designated components during the interval specified by the Surveillance Frequency, so that all systems, subsystems, channels, or other designated components are tested during n Surveillance Frequency intervals, where n is the total number of systems, subsystems, channels, or other designated components in the associated function.]

h. TRIP ACTUATING DEVICE OPERATIONAL TEST (TADOT)

The applicant is requested to explain why the TADOT definition is not included in the GTS.

Note that the AP1000 STS specifies a TADOT for the reactor trip on passive residual heat removal actuation function, manual reactor trip function, the reactor trip breakers (RTBs), all of the ESFAS manual initiation functions, the ESFAS initiation on reactor trip (P-4) function, and the remote shutdown workstation RTB open/closed indication. The staff observes that SR 3.3.4.1, Perform actuation device operational test, is the only specified surveillance that appears equivalent to the TADOT of the AP1000 STS. Also, the Bases for SR 3.3.4.1 does not include the statement found in the AP1000 STS Bases for SR 3.3.7.1, This test shall verify OPERABILITY by actuation of the end devices. for the reactor trip breakers. The applicant is requested to clarify the SR 3.3.4.1 Bases by indicating how the end device is actuated to NuScale Nonproprietary

demonstrate OPERABILTY of each of the Manual Actuation Functions (1 through 8) listed in Table 3.3.4-1.

i. MODE The applicant is requested to correct the words behind the acronym CVCS from Chemical Volume and Control System to Chemical and Volume Control System in accordance with Table 1-1, Acronyms, in Section 1.3, Abbreviations, of TR-1116-52011-NP, Technical Specifications Regulatory Conformance and Development, Revision 0.

j. MODULE The applicant is requested to consider clarifying the definitions first sentence by replacing a single modular unit with a single nuclear steam supply system to avoid using the word modular because it is similar to the defined term MODULE. The applicant is also requested to consider making the following editorial changes in the Specifications and Bases:

(1) Replace all occurrences of the words unit and units with the defined terms MODULE and MODULES, respectfully, throughout the Specifications and Bases. This request does not apply in cases where the term unit(s) appears in quotations, document titles, or when the term refers to a structure, system, or component other than a reactor and its associated containment vessel.

(2) Replace all occurrences of the words plant and plants with the defined terms MODULE and MODULES, respectfully, throughout the Specifications and Bases. This request does not apply in cases where the term plant(s) appears in quotations, document titles, or in relation to title of GTS Section 3.7. This request does not apply in cases where plant does not mean a single MODULE, but refers to the entire set of MODULES and associated SSCs within a NuScale facility; however, the intended meaning of plant in such cases must be clear.

In Part 7 of the DCA, the applicant proposed the following exemption to 10 CFR 50.54(m) by replacing these minimum licensed operator staffing requirements with NuScale-specific requirements. In the following quoted material, the terms facility, unit, site, module, and plant, are highlighted in blue colored font.

...NuScale proposes the following provisions be included in Section V, Applicable Regulations, of the NuScale Power Plant design certification rule.

V. Applicable Regulations C. A licensee referencing this appendix is exempt from portions of the following regulations:

1. Paragraph (m) of 10 CFR 50.54Conditions of licensescodified as of [date of NuScale Power Plant design certification]. In place, NuScale Nonproprietary

the following requirements shall be conditions of such licenses:

a. A senior operator licensed pursuant to part 55 of this chapter shall be present at the facility or readily available on call at all times during its operation, and shall be present at the facility during initial start-up and approach to power, recovery from an unplanned or unscheduled shutdown or significant reduction in power, and refueling, or as otherwise prescribed in the facility license.

b. Licensees shall meet the following requirements:

1. Each licensee shall meet the minimum licensed operator staffing requirements in the following table:

Minimum Requirements1 Per Shift for On-Site Staffing of NuScale Power Plants by Operators and Senior Operators Licensed Under 10 CFR Part 55 Number of nuclear power One to twelve units 2 Position units operating One control room Senior Operator 1 None Operator 2 Senior Operator 2 One to twelve Operator 3 1

Temporary deviations from the numbers required by this table shall be in accordance with criteria established in the unit's technical specifications.

2 For the purpose of this table, a nuclear power unit is considered to be operating when it is fueled, in an operating bay, and has the ability to communicate with a support system as defined by the unit's technical specifications.

2. Each licensee shall have at its site a person holding a senior operator license for all fueled units at the site who is assigned responsibility for overall plant operation at all times there is fuel in any unit.

3. When a nuclear power unit is fueled, in an operating bay, and has the ability to communicate with a support system, as defined by the unit's technical specifications, each licensee shall have a person holding a senior operator license for the nuclear power unit in the control room at all times. In addition to this senior operator a licensed operator or senior operator shall be present at the controls at all times. In addition to the senior operator and licensed operator or senior operator present at the controls, a licensed operator or senior licensed operator shall be in the control room envelope at all times.

4. Each licensee shall have present, during alteration or movement of the core of a nuclear power unit (including fuel loading, fuel transfer, or NuScale Nonproprietary

movement of a module that contains fuel), a person holding a senior operator license or a senior operator license limited to fuel handling to directly supervise the activity and, during this time, the licensee shall not assign other duties to this person.

The staff notes that GTS Subsection 5.2.2 is consistent with this exemption request. The applicant is requested to reconcile the need for the definition of MODULE in light of the contextual meanings of the highlighted terms. Also, it seems that including the word envelope in item (3) is unnecessary; the applicant is requested to consider removing it.

NuScale Response:

a. ACTUATION LOGIC TEST The ACTUATION LOGIC TEST definition is used in specifications 3.3.2, Reactor Trip System Logic and Actuation, and 3.3.3, ESFAS Logic and Actuation. The definition is consistent with the Module Protection System (MPS) design and establishes the means for verifying the OPERABILITY of the respective functions consistent with the NuScale design.

The definition specifies testing of digital hardware only because there is no operating software in the installed system which performs a safety related function. A software development process is used to develop the logic which is implemented in the digital hardware (FPGAs). The requirements for software development quality assurance are described in FSAR Tier 2, Section 7.2.1.

b. CHANNEL CHECK The NuScale definition of a CHANNEL CHECK is consistent with the NuScale MPS design as described in the approved NuScale Topical Report TR-1015-18653-P, Design of the Highly Integrated Protection System Platform. The definition leverages the highly automated nature of the control room, protective systems, and control systems. It incorporates continuous monitoring of parameters to assure the OPERABILITY of the associated channel. Details are provided in the FSAR Chapter 7 and the topical report.

The "checks" discussed in FSAR Tier 2, Section 7.2.10, are related only to the quality and validation checks performed by the MCS for median signal selection among the nonsafety related inputs being provided to the MCS from the MPS. The checks discussed in FSAR Tier 2, Section 7.2.10 are not the Channel Checks discussed in NuScale Technical Specifications.

c. CHANNEL OPERATIONAL TEST (COT)

The COT definition is being modified to align with that in NUREG-1431, Revision 4, with modifications described in TSTF traveler 563 appended.

NuScale Nonproprietary

The concept of a COT is only meaningful for certain NuScale RCS leakage detection systems and that is the only location it is used in the TS. Therefore a COT is not included for the RTS and ESFAS instrumentation and only Subsection 3.4.7 specifies a COT surveillance requirement.

Additionally, the first sentence of the paragraph from FSAR Section 7.2.15.2 is deleted to clarify the testing being performed.

As described in the approved NuScale Topical Report TR-1015-18653-P, Design of the Highly Integrated Protection System Platform, and the FSAR the MPS is continuously self-tested. The self-testing feature injects a signal at the front end of the input sub-module on the safety function module to simulate a sensor input from the reactor module. The self-testing feature verifies all of the logic functions once the signal is converted to digital. If a failure is detected, it is alarmed and the module is placed into a safe state. Therefore a COT would provide no additional assurance of OPERABILITY for the NuScale MPS design.

d. DOSE EQUIVALENT XE-133 The word committed has been removed from the definition of DOSE EQUIVALENT XE-133.

e. LEAKAGE The NuScale design does not include any seals or valve packing whose leakage is captured and conducted to collection systems or a sump or collecting tank.

The word LEAKAGE in the title of paragraph a. will be modified to be consistent with the usage as a defined term.

f. LEAKAGE The NuScale design is significantly different from that addressed in the Westinghouse STS.

NuScale is not a member of the Owners Groups Technical Specification Task Force (TSTF).

NuScale reviewed and considered TSTF travelers consistent with the Design Specific Review Standard for the NuScale FSAR during development of the Technical Specifications.

NuScale is not requesting approval of a change based upon a TSTF traveler - the NuScale Technical Specifications are submitted for review and approval based on the NuScale design.

Significant differences that support adoption of this specification include Relatively small RCS and associated pressure boundary Reduced RCS operating pressure Few connections to the RCS pressure boundary Emergency core cooling for loss of coolant accidents that opens the RCS to the containment volume NuScale Nonproprietary

Small containment vessel that supports emergency core cooling through heat transfer by its shell to the surrounding UHS pool Unique leak detection and monitoring design due to the above factors and the low pressure in the containment during operations.

Based on these factors, the Technical Specifications were written as submitted.

NuScale has reviewed and considered the September 4, 2012 letter Response to NRC Request for Supplemental Information and Withdrawal Regarding TSTF-534, Revision 0, Clarify Application of Pressure Boundary Leakage Definition. The discussion and responses provided in the attachment to that letter are generally consistent with and clarify the NuScale Technical Specifications. NuScale FSAR Chapter 5 provides details of the design to which the LEAKAGE specification will apply.

f. OPERABLE-OPERABILITY (miss-numbered as the second f. in draft questions)

The term seal water will be removed from the definition of OPERABLE-OPERABILITY.

The term separation group will be added to the definition of OPERABLE-OPERABILITY.

The terms normal or emergency will be removed in reference to availability of electrical power in the definition of OPERABLE-OPERABILITY.

g. STAGGERED TEST BASIS STAGGERED TEST BASIS is not used in the NuScale Technical Specifications or the base frequencies for performance of Surveillance Requirements, and therefore was omitted.

If a Surveillance Frequency is adopted in accordance with the SFCP that is similar to the legacy plant usage of STAGGERED TEST BASIS, then it would be evaluated in accordance with that program as a new frequency.

The revised frequency would be developed and adopted consistent with the technical basis for the specific surveillance test and incorporated into the applicable procedures.

Providing a definition for a term that is not used in the Technical Specification is contrary to the Writer's Guide and provides no value to the document.

See the future response to eRAI 9034 for additional information regarding the submission of SFCP initial surveillance frequencies.

h. TRIP ACTUATING DEVICE OPERATIONAL TEST (TADOT)

The NuScale design is significantly different from that of the AP1000 and other large PWR NuScale Nonproprietary

plants. Testing is not performed on the basis of it being equivalent to the testing of those designs. Therefore, the TADOT definition is not included in the GTS.

The NuScale reactor trip function includes actuation of the reactor trip breakers. NuScale ESFAS actuations consist of de-energizing contacts which cause valves to move to their fail-safe positions or for the case of the pressurizer heaters to cause the associated power supply breakers to open.

As described in Chapter 7 of the DCA, and further in the Bases, actuating device testing is performed in the surveillance testing described in LCOs 3.3.2 and 3.3.3. Trip and actuation devices are shared by the manual and automatic actuation functions in 3.3.2, 3.3.3, and 3.3.4.

Verification of manual actuation is performed by demonstrating test overlap with the surveillance testing performed in accordance with the requirements in 3.3.2 and 3.3.3.

i. MODE The correction to Chemical and Volume Control System will be incorporated into the definition.

j. MODULE The formerly defined term MODULE has been removed from section 1.1 of the NuScale Technical Specifications. A review of its use determined that it reduced clarity and resulted in more inconsistency with operator and staff expectations. The terms unit and plant were substituted throughout the Technical Specifications and Bases to indicate the equipment associated with a single reactor or the collection of reactors in a NuScale facility. The change includes the organization and staff requirements in Chapter 5. This change is consistent with the plain meaning of the terms unit and plant eliminating the need for a unique definition, and is in common with industry usage at other multi-reactor facilities.

The term module continues to be used in the Technical Specifications and Bases where it is appropriate, such as in reference to the Module Protection System.

The term envelope was retained as it is used in the facility description of the control room area as provided in FSAR 6.4.2.1, Definition of Control Room Envelope.

Impact on DCA:

The Technical Specifications have been revised as described in the response above and as shown in the markup provided in this response.

NuScale Nonproprietary

Definitions 1.1 1.1 Definitions (continued)

CHANNEL OPERATIONAL A COT shall be:

TEST (COT)

a. The use of diagnostic programs, or application of simulated or actual input combinations, to test digital computer hardware; and

b. The injection of simulated process data into the channel.

The COT shall verify channel OPERABILITY of all devices in the channel required for channel OPERABILITY and shall include adjustments, as necessary, of the required alarm, interlock, and trip setpoints such that the setpoints are within the necessary range and accuracy. The COT may be performed by means of any series of sequential, overlapping, or total channel steps,A COT shall be the injection of a simulated or actual signal into the channel as close to the sensor as practicable to verify OPERABILITY of all devices in the channel required for channel OPERABILITY. The COT shall include adjustments, as necessary, of the required alarm, interlock, and trip setpoints required for channel OPERABILITY such that the setpoints are within the necessary range and accuracy.

The COT may be performed by means of any series of sequential, overlapping, or total channel steps, and each step must be performed within the Frequency in the Surveillance Frequency Control Program for the devices included in the step.

CORE OPERATING LIMITS The COLR is the unit-specificMODULE specific document REPORT (COLR) that provides cycle specific parameter limits for the current reload cycle. These cycle specific parameter limits shall be determined for each reload cycle in accordance with Specification 5.6.3. MODULE operation within these parameter limits is addressed in individual Specifications.

NuScale 1.1-3 Draft Revision 1.0

Definitions 1.1 1.1 Definitions (continued)

DOSE EQUIVALENT I-131 DOSE EQUIVALENT I-131 shall be that concentration of I-131 (microcuries per gram) that alone would produce the same committed effective dose equivalent as the quantity and isotopic mixture of I-131, I-132, I-133, I-134, and I-135 actually present. The dose conversion factors used for this calculation shall be those listed in Table 2.1 of EPA Federal Guidance Report No. 11, Limiting Values of Radionuclide Intake and Air Concentration and Dose Conversion Factors for Inhalation, Submersion, and Ingestion, EPA-520/1-88-020, September 1988.

DOSE EQUIVALENT XE-133 DOSE EQUIVALENT XE-133 shall be that concentration of Xe-133 (microcuries per gram) that alone would produce the same committed effective dose equivalent as the quantity and isotopic mixture of noble gases (Kr-85m, Kr-85, Kr-87, Kr-88, Xe-131m, Xe-133m, Xe-133, Xe-135m, Xe-135, and Xe-138) actually present. The dose conversion factors used for this calculation shall be those listed in Table III.1 of EPA Federal Guidance Report No. 12, External Exposure to Radionuclides in Air, Water, and Soil, EPA 402-R-93-081, September 1993.

ENGINEERED SAFETY The ESF RESPONSE TIME shall be that time interval FEATURE (ESF) RESPONSE from when the monitored parameter exceeds its actuation TIME setpoint at the channel sensor until the ESF equipment is capable of performing its safety function (i.e., the valves travel to their required positions). The response time may be measured by means of any series of sequential, overlapping, or total steps so that the entire response time is measured. In lieu of measurement, response time may be verified for selected components provided that the components and methodology for verification have been previously reviewed and approved by the NRC.

INSERVICE TESTING The INSERVICE TESTING PROGRAM is the licensee PROGRAM program that fulfills the requirements of 10 CFR 50.55a(f).

NuScale 1.1-4 Draft Revision 1.0

Definitions 1.1 1.1 Definitions (continued)

LEAKAGE LEAKAGE shall be:

a. Identified LEAKAGELeakage

1. LEAKAGE from sources that are both specifically located and known either not to interfere with the operation of leakage detection systems or not to be pressure boundary LEAKAGE, or

2. Reactor Coolant System (RCS) LEAKAGE through a steam generator (SG) to the Secondary System (primary to secondary LEAKAGE),

b. Unidentified LEAKAGE All LEAKAGE that is not identified LEAKAGE, and

c. Pressure Boundary LEAKAGE LEAKAGE (except SG LEAKAGE) through a nonisolable fault in a RCS component body, pipe wall, or vessel wall. A fault in an RCS component body, pipe wall, or vessel wall is isolated if LEAKAGE through the isolation device is 0.5 gpm per nominal inch of valve size up to a maximum limit of 5 gpm.

MODE A MODE shall correspond to any one inclusive combination of Reactivity Condition, Reactor Coolant Temperature, control rod assembly (CRA) capability, Chemical and Volume and Control System (CVCS) and Containment Flood and Drain System (CFDS) configuration, and reactor vessel flange bolt tensioning specified in Table 1.1-1 with fuel in the reactor vessel.

MODULE A MODULE consists of structures, systems, and components that form a single modular unit designed to be disconnected from the power generation and support systems. A MODULE does not include installed jumpers or temporary equipment utilized to:

a. Place the MODULE in the operating position;

b. Support or monitor the MODULE during MODULE movement; or

c. Place the MODULE in the refueling location.

NuScale 1.1-5 Draft Revision 1.0

Definitions 1.1 1.1 Definitions (continued)

OPERABLE-OPERABILITY A system, subsystem, separation group, train, component, or device shall be OPERABLE or have OPERABILITY when it is capable of performing its specified safety function(s) and when all necessary attendant instrumentation, controls, normal or emergency electrical power, cooling and seal water, lubrication, and other auxiliary equipment that are required for the system, subsystem, train, component, or device to perform its specified safety function(s) are also capable of performing their related support function(s).

PASSIVELY COOLED - A moduleMODULE is in PASSIVE COOLING or is being PASSIVE COOLING PASSIVELY COOLED when:

a. Two or more reactor vent valves are open and one or more reactor recirculation valves is open, or

b. One or more trains of DHRS is in operation, or

c. Water level in the containment vessel is > 45 ft.

PHYSICS TESTS PHYSICS TESTS shall be those tests performed to measure the fundamental nuclear characteristics of the reactor core and related instrumentation. These tests are:

a. Described in Chapter 14, Initial Test Program and Inspections, Tests, Analyses, and Acceptance CriteriaInitial Test Program, of the FSAR;

b. Authorized under the provisions of 10 CFR 50.59; or

c. Otherwise approved by the Nuclear Regulatory Commission.

PRESSURE AND The PTLR is the unit-specificMODULE specific document TEMPERATURE LIMITS that provides the reactor vessel pressure and temperature REPORT (PTLR) limits, including heatup and cooldown rates, for the current reactor vessel fluence period. These pressure and temperature limits shall be determined for each fluence period in accordance with Specification 5.6.4.

RATED THERMAL POWER RTP shall be a total reactor core heat transfer rate to the (RTP) reactor coolant of 160 MWt.

NuScale 1.1-6 Draft Revision 1.0

Definitions 1.1 Table 1.1-1 (page 1 of 1)

MODES INDICATED REACTOR REACTIVITY COOLANT MODE TITLE CONDITION (keff) TEMPERATURES (°F) 1 Operations 0.99 All 420 2 Hot Shutdown < 0.99 Any 420 3 Safe Shutdown (a) < 0.99 All < 420 4 Transition (b)(c) < 0.95 N/A 5 Refueling (d) N/A N/A (a) Any CRA capable of withdrawal, any CVCS or CFDS connection to the moduleMODULE not isolated.

(b) All CRAs incapable of withdrawal, CVCS and CFDS connections to the moduleMODULE isolated, and one or more reactor vent valves de-energized.

(c) All reactor vessel flange bolts fully tensioned.

(d) One or more reactor vessel flange bolts less than fully tensioned.

NuScale 1.1-8 Draft Revision 1.0

LCO Applicability 3.0 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY LCO 3.0.1 LCOs shall be met during the MODES or other specified conditions in the Applicability, except as provided in LCO 3.0.2, LCO 3.0.7, and LCO 3.0.8.

LCO 3.0.2 Upon discovery of a failure to meet an LCO, the Required Actions of the associated Conditions shall be met, except as provided in LCO 3.0.5 and 3.0.6.

If the LCO is met or is no longer applicable prior to expiration of the specified Completion Time(s), completion of the Required Action(s) is not required, unless otherwise stated.

LCO 3.0.3 When an LCO is not met and the associated ACTIONS are not met, an associated ACTION is not provided, or if directed by the associated ACTIONS, the unitMODULE shall be placed in a MODE or other specified condition in which the LCO is not applicable. Action shall be initiated within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to place the unitMODULE, as applicable, in:

a. MODE 2 within 7 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months ; and

b. MODE 3 and PASSIVELY COOLED within 37 hours4.282407e-4 days 0.0103 hours 6.117725e-5 weeks 1.40785e-5 months .

Exceptions to this Specification are stated in the individual Specifications.

Where corrective measures are completed that permit operation in accordance with the LCO or ACTIONS, completion of the actions required by LCO 3.0.3 is not required.

LCO 3.0.3 is only applicable in MODES 1 and 2, and in MODE 3 when not PASSIVELY COOLED.

LCO 3.0.4 When an LCO is not met, entry into a MODE or other specified condition in the Applicability shall only be made:

a. When the associated ACTIONS to be entered permit continued operation in the MODE or other specified condition in the Applicability for an unlimited period of time; NuScale 3.0-1 Draft Revision 1.0

LCO Applicability 3.0 3.0 LCO APPLICABILITY LCO 3.0.4 (continued)

b. After performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering the MODE or other specified condition in the Applicability, and establishment of risk management actions, if appropriate (exceptions to this Specification are stated in the individual Specifications); or

c. When an allowance is stated in the individual value, parameter, or other Specification.

This Specification shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS or that are part of a shutdown of the unitMODULE.

LCO 3.0.5 Equipment removed from service or declared inoperable to comply with ACTIONS may be returned to service under administrative control solely to perform testing required to demonstrate its OPERABILITY or the OPERABILITY of other equipment. This is an exception to LCO 3.0.2 for the system returned to service under administrative control to perform the testing required to demonstrate OPERABILITY.

LCO 3.0.6 When a supported system LCO is not met solely due to a support system LCO not being met, the Conditions and Required Actions associated with this supported system are not required to be entered.

Only the support system LCO ACTIONS are required to be entered.

This is an exception to LCO 3.0.2 for the supported system. In this event, an evaluation shall be performed in accordance with Specification 5.5.8, Safety Function Determination Program (SFDP). If a loss of safety function is determined to exist by this program, the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists are required to be entered.

When a support systems Required Action directs a supported system to be declared inoperable or directs entry into Conditions and Required Actions for a supported system, the applicable Conditions and Required Actions shall be entered in accordance with LCO 3.0.2.

NuScale 3.0-2 Draft Revision 1.0

MPS Instrumentation 3.3.1 3.3 INSTRUMENTATION 3.3.1 ModuleMODULE Protection System (MPS) Instrumentation LCO 3.3.1 MPS instrumentation for each Function in Table 3.3.1-1 shall be OPERABLE.

APPLICABILITY: According to Table 3.3.1-1.

ACTIONS

NOTE--------------------------------------------------------------

Separate Condition entry is allowed for each Function.

CONDITION REQUIRED ACTION COMPLETION TIME A. One or more Functions A.1 Place inoperable channel in 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months with one channel bypass or trip.

inoperable.

B. One or more Functions B.1 Place one inoperable 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months with two automatic channel in bypass.

channels inoperable.

AND B.2 Place one inoperable 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months channel in trip.

C. Required Action and C.1 Enter Condition referenced Immediately associated Completion in Table 3.3.1-1 for the Time of Condition A or B channel(s).

not met.

OR One or more Functions with three or more channels inoperable.

NuScale 3.3.1-1 Draft Revision 1.0

MPS Instrumentation 3.3.1 Table 3.3.1-1 (page 1 of 7)

ModuleMODULE Protection System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED REQUIRED FUNCTION CONDITIONS CHANNELS CONDITIONS

1. High Power Range Linear Power

a. RTS 1, 2(a), 3(a) 4 D

b. DWSI 1, 2(a), 3(a) 4 H

2. High Power Range Positive and Negative Rate

a. RTS 1(b) 4 E

b. DWSI 1(b) 4 H

3. High Intermediate Range Log Power Rate

a. RTS 1(c), 2(a), 3(a) 4 D

b. DWSI 1(c), 2(a), 3(a) 4 H

4. High Source Range Count Rate

a. RTS 1(d), 2(a), 3(a) 4 D

b. DWSI 1(d), 2(a), 3(a) 4 H

5. High Source Range Log Power Rate

a. RTS 1(d), 2(a), 3(a) 4 D

b. DWSI 1(d), 2(a), 3(a) 4 H

6. High Subcritical Multiplication

a. DWSI 1(d), 2(a), 3(a) 4 H (a) When capable of CRA withdrawal.

(b) < 15% RTP (N-2H Interlock).

(c) 15% RTP (N-2L Interlock)

(d) When Intermediate Range Log Power less than N-1 interlock.

NuScale 3.3.1-7 Draft Revision 1.0

MPS Instrumentation 3.3.1 Table 3.3.1-1 (page 2 of 7)

ModuleMODULE Protection System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED REQUIRED FUNCTION CONDITIONS CHANNELS CONDITIONS

7. High Pressurizer Pressure

a. RTS 1, 2(a), 3(a) 4 D

b. DHRS 1, 2, 3(e) 4 I

c. Pressurizer Heater Trip 1, 2(f), 3(f) 4 G

d. DWSI 1, 2(a), 3(a) 4 H

8. Low Pressurizer Pressure

a. RTS 1(g) 4 D

b. DHRS 1(g) 4 D

c. CVCSI 1(g) 4 F

d. Pressurizer Heater Trip 1(g) 4 G

e. DWSI 1(g) 4 H

9. Low Low Pressurizer Pressure

a. RTS 1, 2(a) 4 D

b. DHRS 1, 2 4 I

c. CVCSI 1, 2 4 F

d. Pressurizer Heater Trip 1, 2 4 G

e. DWSI 1, 2(a) 4 H (a) When capable of CRA withdrawal.

(e) When not PASSIVELY COOLED.

(f) With pressurizer heater trip breakers closed.

(g) With narrow range RCS hot temperature hot 600 F, (T-4 interlock).

NuScale 3.3.1-8 Draft Revision 1.0

MPS Instrumentation 3.3.1 Table 3.3.1-1 (page 3 of 7)

ModuleMODULE Protection System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED REQUIRED FUNCTION CONDITIONS CHANNELS CONDITIONS

10. High Pressurizer Level

a. RTS 1, 2(a), 3(a) 4 D

b. CVCSI 1, 2, 3 4 F

c. DWSI 1, 2(a), 3(a) 4 H

11. Low Pressurizer Level

a. RTS 1, 2(a), 3(a) 4 D

b. Pressurizer Heater Trip 1, 2(f), 3(f) 4 G

c. DWSI 1, 2(a), 3(a) 4 H

12. Low Low Pressurizer Level

a. DHRS 1, 2, 3(h) 4 D

b. CIS 1, 2, 3(h) 4 L

c. CVCSI 1, 2, 3(h) 4 F

d. Pressurizer Heater Trip 1, 2(f), 3(f) 4 G

13. High Narrow Range RCS Hot Temperature

a. RTS 1 4 D

b. DHRS 1, 2, 3(e) 4 I

c. Pressurizer Heater Trip 1, 2(f), 3(f) 4 G

d. DWSI 1 4 H

14. Low RCS Flow

a. DWSI 1, 2, 3 4 H (a) When capable of CRA withdrawal.

(e) When not PASSIVELY COOLED.

(f) With pressurizer heater trip breakers closed.

(h) With wide range RCS hot temperature hot 200° F, (T-2 interlock) and containment water level 45 ft (L-1 interlock).

NuScale 3.3.1-9 Draft Revision 1.0

MPS Instrumentation 3.3.1 Table 3.3.1-1 (page 4 of 7)

ModuleMODULE Protection System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED REQUIRED FUNCTION CONDITIONS CHANNELS CONDITIONS

15. Low Low RCS Flow

a. RTS 1, 2(a), 3(a) 4 D

b. CVCSI 1, 2, 3 4 F

c. DWSI 1, 2(a), 3(a) 4 H

16. Low RPV Riser Level

a. ECCS 1, 2, 3 4 I

17. High Main Steam Pressure

a. RTS 1, 2(a) 4 per SG D

b. DHRS 1, 2, 3(e) 4 per SG I

c. Pressurizer Heater Trip 1, 2(f), 3(f) 4 per SG G

d. DWSI 1, 2(a) 4 per SG H

18. Low Main Steam Pressure

a. RTS 1(b) 4 per SG E

b. DHRS 1(b) 4 per SG E

c. Pressurizer Heater Trip 1(b) 4 per SG E

d. DWSI 1(b) 4 per SG H (a) When capable of CRA withdrawal.

(b) 15% RTP (N-2 Interlock).

(e) When not PASSIVELY COOLED.

(f) With pressurizer heater trip breakers closed.

NuScale 3.3.1-10 Draft Revision 1.0

MPS Instrumentation 3.3.1 Table 3.3.1-1 (page 5 of 7)

ModuleMODULE Protection System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED REQUIRED FUNCTION CONDITIONS CHANNELS CONDITIONS

19. Low Low Main Steam Pressure

a. RTS 1, 2(a) 4 per SG D

b. DHRS 1, 2 4 per SG K

c. Pressurizer Heater Trip 1, 2(f) 4 per SG G

d. DWSI 1, 2(a) 4 per SG H

20. High Steam Superheat

a. RTS 1 4 per SG D

b. DHRS 1 4 per SG D

c. Pressurizer Heater Trip 1 4 per SG G

d. DWSI 1 4 per SG H

21. Low Steam Superheat

a. RTS 1 4 per SG D

b. DHRS 1 4 per SG D

c. Pressurizer Heater Trip 1 4 per SG G

d. DWSI 1 4 per SG H (a) When capable of CRA withdrawal.

(f) With pressurizer heater trip breakers closed.

NuScale 3.3.1-11 Draft Revision 1.0

MPS Instrumentation 3.3.1 Table 3.3.1-1 (page 6 of 7)

ModuleMODULE Protection System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED REQUIRED FUNCTION CONDITIONS CHANNELS CONDITIONS

22. High Narrow Range Containment Pressure

a. RTS 1, 2(a), 3(a) 4 D

b. DHRS 1, 2, 3(e) 4 I

c. CIS 1, 2, 3(i) 4 L

d. CVCSI 1, 2, 3(i) 4 F

e. Pressurizer Heater Trip 1, 2(f), 3(f) 4 G

f. DWSI 1, 2(a), 3(a) 4 H

23. High Containment Water Level

a. ECCS 1, 2, 3(e) 4 I

24. High RCS Pressure - Low Temperature Overpressure Protection

a. LTOP 3(k) 4 J

25. Low AC Voltage to ELVS Battery Chargers

a. RTS 1, 2(a), 3(a) 4 per bus M

b. DHRS 1, 2, 3(e) 4 per bus M

c. CIS 1, 2, 3 4 per bus M

d. DWSI 1, 2(a), 3(a) 4 per bus M

e. Pressurizer Heater Trip 1, 2(f) 4 per bus M (a) When capable of CRA withdrawal.

(e) When not PASSIVELY COOLED.

(f) With pressurizer heater trip breakers closed.

(i) With wide range RCS hot temperature hot 350° F (T-3 interlock).

(k) With wide range RCS cold temperature LTOP enable temperature specified in PTLR (T-1 Interlock) and less than two reactor vent valves open.

NuScale 3.3.1-12 Draft Revision 1.0

MPS Instrumentation 3.3.1 Table 3.3.1-1 (page 7 of 7)

ModuleMODULE Protection System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED REQUIRED FUNCTION CONDITIONS CHANNELS CONDITIONS

26. High Under-the-Bioshield Temperature

a. RTS 1, 2(a), 3(a) 4 M

b. DHRS 1, 2, 3 4 M

c. CIS 1, 2, 3 4 M

d. DWSI 1, 2(a), 3(a) 4 M

e. Pressurizer Heater Trip 1, 2(f), 3(f) 4 M (a) When capable of CRA withdrawal.

(f) With pressurizer heater trip breakers closed.

NuScale 3.3.1-13 Draft Revision 1.0

Ultimate Heat Sink 3.5.3 3.5 PASSIVE CORE COOLING SYSTEMS (PCCS) 3.5.3 Ultimate Heat Sink LCO 3.5.3 Ultimate Heat Sink shall be maintained within the limits specified below:

a. Level 68 ft,

b. Bulk average temperature 140 ºF, and

c. Bulk average boron concentration shall be maintained within the limit specified in the COLR.

APPLICABILITY: At all times.

ACTIONS

NOTE-----------------------------------------------------------

LCO 3.0.3 is not applicable.

CONDITION REQUIRED ACTION COMPLETION TIME A. Ultimate Heat Sink Level A.1 Suspend moduleMODULE Immediately

< 68 ft and > 55 ft. movements.

AND A.2 Suspend movement of Immediately irradiated fuel assemblies in the refueling area.

AND A.3 Restore Ultimate Heat Sink 30 Days Level to within limits.

NuScale 3.5.3-1 Draft Revision 1.0

Ultimate Heat Sink 3.5.3 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME E. Ultimate Heat Sink bulk E.1 Initiate action to restore Immediately average boron Ultimate Heat Sink bulk concentration not within average boron concentration limits. to within limits.

AND E.2 Terminate flow into Immediately containment vessel from Ultimate Heat Sink via the Containment Flood and Drain System.

AND E.3 Suspend containment vessel Immediately disassembly activities at containment tool.

AND E.4 Suspend moduleMODULE Immediately movements.

AND E.5 Suspend movement of Immediately irradiated fuel assemblies in the refueling area.

NuScale 3.5.3-3 Draft Revision 1.0

Responsibility 5.1 5.0 ADMINISTRATIVE CONTROLS 5.1 Responsibility The following programs shall be established, implemented, and maintained.

5.1.1 The [Plant Manager] shall be responsible for overall facility operations and shall delegate in writing the succession to this responsibility during his absence.

The [Plant Manager] or his designee shall approve, prior to implementation, each proposed test, experiment or modification to systems or equipment that affect nuclear safety.

5.1.2 The [Shift Manager (SM)] shall be responsible for the control room command function. During any absence of the SM from the control room while any unitMODULE is in MODE 1, 2, 3, 4, or 5, an individual with an active Senior Reactor Operator (SRO) license shall be designated to assume the control room command function.

NuScale 5.1-1 Draft Revision 1.0

Organization 5.2 5.2 Organization 5.2.2 Facility Staff (continued)

a. The minimum licensed operator staffing shall be:

Number of Reactor Senior Reactor unitsMODULES Operator Operator Operating(1)

None 2 1 One to twelve 3 3 (1) For the purpose of this table, a unitMODULE is considered to be operating when it is in MODE 1, 2, or 3.

b. A person holding a senior reactor operator license for all fueled units at the site who is assigned responsibility for overall plant operation shall be onsite at all times when there is fuel in any unitMODULE.

c. A senior reactor operator license shall be in the control room at all times.

In addition to this senior reactor operator, a licensed reactor operator or senior reactor operator shall be present at the controls at all times.

d. Shift crew composition may be less than the minimum requirement for a period of time not to exceed 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months in order to accommodate unexpected absence of on-duty shift crew members provided immediate action is taken to restore the shift crew composition to within the minimum requirements.

e. A radiation protection technician shall be on site when fuel is in any unitMODULE. The position may be vacant for not more than 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , in order to provide for unexpected absence, provided immediate action is taken to fill the required position.

f. The operations manager or assistant operations manager shall hold an SRO license.

g. An individual shall provide advisory technical support to the facility operations shift crew in the areas of thermal hydraulics, reactor engineering, and plant analysis with regard to the safe operation of the facility. This individual shall meet the qualifications specified by the Commission Policy Statement on Engineering Expertise on Shift.

NuScale 5.2-2 Draft Revision 1.0

Programs and Manuals 5.5 5.5 Programs and Manuals 5.5.2 Radioactive Effluent Control Program

a. This program conforms to 10 CFR 50.36a for the control of radioactive effluents and for maintaining the doses to members of the public from radioactive effluents as low as is reasonably achievable. The program shall be contained in the ODCM, shall be implemented by procedures, and shall include remedial actions to be taken whenever the program limits are exceeded. The program shall include the following elements:

1. Limitations on the functional capability of radioactive liquid and gaseous monitoring instrumentation including surveillance tests and setpoints determination in accordance with the methodology in the ODCM;

2. Limitations on the concentrations of radioactive material released in liquid effluents to unrestricted areas, conforming to ten times the concentration values in Appendix B, Table 2, Column 2 to 10 CFR 20;

3. Monitoring, sampling, and analysis of radioactive liquid and gaseous effluents in accordance with 10 CFR 20.1302 and with the methodology and parameters in the ODCM;

4. Limitations on the annual and quarterly doses or dose commitment to a member of the public for radioactive materials in liquid effluents released from each unitMODULE to unrestricted areas, conforming to 10 CFR 50, Appendix I;

5. Determination of cumulative dose contributions from radioactive effluents for the current calendar quarter and current calendar year in accordance with the methodology and parameters in the ODCM at least every 31 days. Determination of projected dose contributions from radioactive effluents in accordance with the methodology in the ODCM at least every 31 days;

6. Limitations on the functional capability and use of the liquid and gaseous effluent treatment systems to ensure that appropriate portions of these systems are used to reduce releases of radioactivity when the projected doses in a period of 31 days would exceed 2% of the guidelines for the annual dose or dose commitment, conforming to 10 CFR 50, Appendix I; NuScale 5.5-2 Draft Revision 1.0

Programs and Manuals 5.5 5.5 Programs and Manuals 5.5.2 Radioactive Effluent Control Program (continued)

7. Limitations on the dose rate resulting from radioactive material released in gaseous effluents to areas beyond the site boundary shall be in accordance with the following:

i. For noble gases: a dose rate 500 mrem/yr to the whole body and a dose rate 3000 mrem/yr to the skin and ii. For iodine-131, iodine-133, tritium, and all radionuclides in particulate form with half-lives greater than 8 days: a dose rate 1500 mrem/yr to any organ;

8. Limitations on the annual and quarterly air doses resulting from noble gases released in gaseous effluents from each unitMODULE to areas beyond the site boundary, conforming to 10 CFR 50, Appendix I;

9. Limitations on the annual and quarterly doses to a member of the public from iodine-131, iodine-133, tritium, and all radionuclides in particulate form with half-lives > 8 days in gaseous effluents released from each unitMODULE to areas beyond the site boundary, conforming to 10 CFR 50, Appendix I; and

10. Limitations on the annual dose or dose commitment to any member of the public, beyond the site boundary, due to releases of radioactivity and to radiation from uranium fuel cycle sources, conforming to 40 CFR 190.

b. The provisions of SR 3.0.2 and SR 3.0.3 are applicable to the Radioactive Effluent Controls Program surveillance frequency.

5.5.3 Component Cyclic or Transient Limit This program provides controls to track the FSAR, Section 3.9, cyclic and transient occurrences to ensure that components are maintained within the design limits.

5.5.4 Steam Generator (SG) Program A Steam Generator Program shall be established and implemented to ensure that SG tube integrity is maintained. In addition, the Steam Generator Program shall include the following provisions:

NuScale 5.5-3 Draft Revision 1.0

Programs and Manuals 5.5 5.5 Programs and Manuals 5.5.8 Safety Function Determination Program (SFDP) (continued)

1. Provisions for cross division checks to ensure a loss of the capability to perform the safety function assumed in the accident analysis does not go undetected;

2. Provisions for ensuring the unitplant is maintained in a safe condition if a loss of function condition exists;

3. Provisions to ensure that an inoperable supported systems Completion Time is not inappropriately extended as a result of multiple support systems inoperabilities; and

4. Other appropriate limitations and remedial or compensatory actions.

b. A loss of safety function exists when, assuming no concurrent single failure, a safety function assumed in the accident analysis cannot be performed. For the purpose of this program, a loss of safety function may exist when a support system is inoperable, and:

1. A required system redundant to the system(s) supported by the inoperable support system is also inoperable; or

2. A required system redundant to the system(s) in turn supported by the inoperable supported system is also inoperable; or

3. A required system redundant to the support system(s) for the supported systems (a) and (b) above is also inoperable.

c. The SFDP identifies where a loss of safety function exists. If a loss of safety function is determined to exist by this program, the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists are required to be entered. When a loss of safety function is caused by the inoperability of a single Technical Specification support system, the appropriate Conditions and Required Actions to enter are those of the support system.

5.5.9 Containment Leakage Rate Testing Program

a. A program shall implement the leakage rate testing of the containment as required by 10 CFR 50.54(o) and 10 CFR 50, Appendix J, Option A, as modified by approved exemptions.

b. The maximum allowable containment leakage rate, La, at Pa, shall be 0.20% of containment air weight per day.

NuScale 5.5-9 Draft Revision 1.0

Programs and Manuals 5.5 5.5 Programs and Manuals 5.5.9 Containment Leakage Rate Testing Program (continued)

c. Containment leakage rate acceptance criterion is < 0.60 La. During the first unitMODULE startup following testing in accordance with this program, the leakage rate acceptance criteria are < 0.60 La for the Type B and Type C tests.

d. The provisions of SR 3.0.3 are applicable to the Containment Leakage Rate Testing Program.

e. Nothing in these Technical Specifications shall be construed to modify the testing Frequencies required by 10 CFR 50, Appendix J.

5.5.10 Setpoint Program (SP)

a. The Setpoint Program (SP) implements the regulatory requirement of 10 CFR 50.36(c)(1)(ii)(A) that technical specifications will include items in the category of limiting safety system settings (LSSS), which are settings for automatic protective devices related to those variables having significant safety functions.

b. The Nominal Trip Setpoint (NTSP), As-Found Tolerance (AFT), and As-Left Tolerance (ALT) for each Technical Specification required automatic protection instrumentation function shall be calculated in conformance with TR-0616-49121-P, "NuScale Instrument Setpoint Methodology."

c. For each Technical Specification required automatic protection instrumentation function, performance of a CHANNEL CALIBRATION or CHANNEL OPERATIONAL TEST (COT) surveillance in accordance with the Setpoint Program (SP) shall include the following:

1. The as-found value of the instrument channel trip setting shall be compared with the previously recorded as-left value.

i. If all as-found measured trip setpoint values during calibration and surveillance testing are inside the two-sided limits of Nominal Trip Setpoint (NTSP) plus or minus the Performance and Test Acceptance Criteria Band (PTAC),

then the channel is fully operable, no additional actions are required.

NuScale 5.5-10 Draft Revision 1.0

Reporting Requirements 5.6 5.6 Reporting Requirements 5.6.3 Core Operating Limits Report (COLR) (continued)

d. The COLR, including any mid-cycle revisions or supplements, shall be provided upon issuance for each reload cycle to the NRC.

5.6.4 Reactor Coolant System (RCS) PRESSURE AND TEMPERATURE LIMITS REPORT (PTLR)

a. RCS pressure and temperature limits for heat up, cooldown, low temperature operation, criticality, and hydrostatic testing as well as heatup and cooldown rates shall be established and documented in the PTLR for the following:

3.3.1, ModuleMODULE Protection System (MPS)

Instrumentation; 3.3.3, Engineered Safety Features Actuation System (ESFAS)

Logic and Actuation; 3.3.4, Manual Actuation Functions; 3.4.3, RCS Pressure and Temperature (P/T) Limits; and 3.4.4, Reactor Safety Valves (RSVs).

b. The analytical methods used to determine the RCS pressure and temperature limits shall be those previously reviewed and approved by the NRC, specifically those described in the following document:

TR-1015-18177, "Pressure and Temperature Limits Methodology."

(later)

c. The PTLR shall be provided to the NRC upon issuance for each reactor vessel fluency period and for any revision or supplement thereto.

NuScale 5.6-3 Draft Revision 1.0

RCS Pressure SL B 2.1.2 BASES APPLICABLE SAFETY ANALYSIS (continued)

The RCS pressure SL has been selected such that it is at a pressure below which it can be shown that the integrity of the system is not endangered. The reactor pressure vessel is designed to Section III of the ASME, Boiler and Pressure Vessel Code, [2013 Edition], which permits a maximum pressure transient of 110%, 2310 psia, of design pressure 2100 psia. The SL of 2285 psia, as measured in the pressurizer, is equivalent to 2310 psia at the lowest elevation of the RCS.

The RSVs are sized to prevent system pressure from exceeding the design pressure by more than 10%, as specified in Section III of the ASME Code for Nuclear Power Plant Components (Ref. 2). The transient that establishes the required relief capacity, and hence valve size requirements and lift settings, is a turbine trip at full power without bypass capability. During the transient, no control actions are assumed except that the Decay Heat Removal System valves on the secondary plant are assumed to open when the pressurizer pressure reaches the Decay Heat Removal System actuation setpoint.

The ModuleMODULE Protection System (MPS) setpoints provide pressure protection for normal operation and AOOs. The MPS high pressurizer pressure trip setpoint is set to provide protection against overpressurization (Ref. 4). The safety analyses for both the high pressurizer pressure trip and the RSVs are performed using conservative assumptions relative to pressure control devices.

More specifically, no credit is taken for operation of the following:

a. Turbine Bypass System;

b. Reactor Control System;

c. Pressurizer Level Control System; or

d. Pressurizer spray.

SAFETY LIMITS The maximum transient pressure allowed in the RCS pressure vessel, piping, valves, and fittings under the ASME Code,Section III, is 110% of design pressure; therefore, the maximum allowable pressurizer pressure is 2285 psia.

NuScale B 2.1.2-2 Draft Revision 1.0

LCO Applicability B 3.0 B 3.0 LIMITING CONDITIONS FOR OPERATION (LCO) APPLICABILITY BASES LCOs LCO 3.0.1 through LCO 3.0.8 establish the general requirements applicable to all Specifications and apply at all times, unless otherwise stated.

LCO 3.0.1 LCO 3.0.1 establishes the Applicability statement within each individual Specification as the requirements for when the LCO is required to be met (i.e. when the unitMODULE is in the MODES or other specified conditions of the Applicability statement of each Specification.)

LCO 3.0.2 LCO 3.0.2 establishes that upon discovery of a failure to meet an LCO, the associated ACTIONS shall be met. The Completion Time of each Required Action for an ACTIONS Condition is applicable from the point in time that the ACTIONS Condition is entered, unless otherwise specified. The Required Actions establish those remedial measures that must be taken within specified Completion Times when the requirements of an LCO are not met. This Specification establishes that:

a. Completion of the Required Actions within the specified Completion Times constitutes compliance with a Specification; and

b. Completion of the Required Actions is not required when an LCO is met within the specified Completion Time, unless otherwise specified.

There are two basic types of Required Actions. The first type of Required Action specifies a time limit in which the LCO must be met.

This time limit is the Completion Time to restore an inoperable system or component to OPERABLE status or to restore variables to within specified limits. If this type of Required Action is not completed within the specified Completion Time, a shutdown may be required to place the unitMODULE in a MODE or condition in which the Specification is not applicable. (Whether stated as a Required Action or not, correction of the entered Condition is an action that may always be considered upon entering ACTIONS.) The second type of Required Action specifies the remedial measures that permit continued operation of the unitMODULE that is not further restricted by the Completion Time. In this case, compliance with the Required Actions provides an acceptable level of safety for continued operation.

NuScale B 3.0-1 Draft Revision 1.0

LCO Applicability B 3.0 BASES LCO 3.0.2 (continued)

Completing the Required Actions is not required when an LCO is met, or is no longer applicable, unless otherwise stated in the individual Specifications.

The nature of some Required Actions of some Conditions necessitates that, once the Condition is entered, the Required Actions must be completed even though the associated Conditions no longer exist. The individual LCOs ACTIONS specify the Required Actions where this is the case. An example of this is in LCO 3.4.3, RCS Pressure and Temperature (P/T) Limits.

The Completion Times of the Required Actions are also applicable when a system or component is removed from service intentionally.

Intentional entry into ACTIONS should not be made for operational convenience that permits routine voluntary removal of redundant systems or components from service in lieu of other alternatives that would not result in redundant systems or components being inoperable.The reasons for intentionally relying on the ACTIONS include, but are not limited to, performance of Surveillances, preventive maintenance, corrective maintenance, or investigation of operational problems.Entering ACTIONS for these reasons must be done in a manner that does not compromise safety. Intentional entry into ACTIONS should not be made for operational convenience. Alternatives that would not result in redundant equipment being inoperable should be used instead. Doing so limits the time both subsystems/trains of a safety function are inoperable and limits the time other conditions could exist which result in LCO 3.0.3 being entered. Individual Specifications may specify a time limit for performing an SR when equipment is removed from service or bypassed for testing. In this case, the Completion Times of the Required Actions are applicable when this time limit expires, if the equipment remains removed from service or bypassed.

When a change in MODE or other specified condition is required to comply with Required Actions, the unitMODULE may enter a MODE or other specified condition in which another Specification becomes applicable. In this case, the Completion Times of the associated Required Actions would apply from the point in time that the new Specification becomes applicable, and the ACTIONS Condition(s) are entered.

NuScale B 3.0-2 Draft Revision 1.0

LCO Applicability B 3.0 BASES LCO 3.0.3 LCO 3.0.3 establishes the actions that must be implemented when an LCO is not met; and:

a. An associated Required Action and Completion Time is not met and no other Condition applies; or ba. The condition of the unitMODULE is not specifically addressed by the associated ACTIONS. This means that no combination of Conditions stated in the ACTIONS can be made that exactly corresponds to the actual condition of the unitMODULE.

Sometimes, possible combinations of Conditions are such that entering LCO 3.0.3 is warranted; in such cases, the ACTIONS specifically state a Condition corresponding to such combinations and also that LCO 3.0.3 be entered immediately.

This Specification delineates the time limits for placing the unitMODULE in a safe MODE or other specified condition when operation cannot be maintained within the limits for safe operation as defined by the LCO and its ACTIONS. It is not intended to be used as an operational convenience that permits routine voluntary removal of redundant systems or components from service in lieu of other alternatives that would not result in redundant systems or components being inoperable.

Upon entering into LCO 3.0.3, 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is allowed to prepare for an orderly shutdown before initiating a change in unitMODULE operation.

This includes time to permit the operator to coordinate the reduction in electrical generation with the load dispatcher to ensure the stability and availability of the electrical grid. The time limits specified to enter lower MODES of operation permit the shutdown to proceed in a controlled and orderly manner that is well within the specified maximum cooldown rate and within the capabilities of the unitMODULE, assuming that only the minimum required equipment is OPERABLE. This reduces thermal stresses on components of the Reactor Coolant System and the potential for a plant upset that could challenge safety systems under conditions to which this Specification applies. The use and interpretation of specified times to complete the actions of LCO 3.0.3 are consistent with the discussion of Section 1.3, Completion Times.

A unitMODULE shutdown required in accordance with LCO 3.0.3 may be terminated, and LCO 3.0.3 exited if any of the following occurs:

a. The LCO in now met,

b. The LCO is no longer applicable, NuScale B 3.0-3 Draft Revision 1.0

LCO Applicability B 3.0 BASES LCO 3.0.3 (continued)

c. A Condition exists for which the Required Actions have now been performed, or

d. ACTIONS exist that do not have expired Completion Times. These Completion Times are applicable from the point in time that the Condition was initially entered and not from the time LCO 3.0.3 is exited.

The time limits of LCO 3.0.3 allow 37 hours4.282407e-4 days 0.0103 hours 6.117725e-5 weeks 1.40785e-5 months for the unitMODULE to be in MODE 3 and PASSIVELY COOLED when a shutdown is required during MODE 1 operation. If the unitMODULE is in MODE 2 when a shutdown is required, the time limit for entering MODE 3 and PASSIVE COOLING applies. If MODE 2 is entered in less time than allowed, however, the total allowable time to enter MODE 3 and be PASSIVELY COOLED is not reduced. For example, if MODE 2 is entered in 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , then the time allowed for entering MODE 3 and to establish PASSIVE COOLING is the next 35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months , because the total time for entering MODE 3 and to be PASSIVELY COOLED is not reduced from the allowable limit of 37 hours4.282407e-4 days 0.0103 hours 6.117725e-5 weeks 1.40785e-5 months . Therefore, if remedial measures are completed that would permit a return to MODE 1, a penalty is not incurred by having to enterreach a lower MODE of operation in less than the total time allowed.

The Completion Times are established considering the limited likelihood of a design basis event during the 37 hours4.282407e-4 days 0.0103 hours 6.117725e-5 weeks 1.40785e-5 months allowed to enter MODE 3 and be PASSIVELY COOLED. They also provide adequate time to permit evaluation of conditions and restoration of OPERABILITY without unnecessarily challenging plant systems during a shutdown. Analysis shows that 37 hours4.282407e-4 days 0.0103 hours 6.117725e-5 weeks 1.40785e-5 months from entry into 3.0.3 is a reasonable time to enter MODE 3 and be PASSIVELY COOLED using normal plant systems and procedures.

In MODES 1, 2, and MODE 3 when not PASSIVELY COOLED, LCO 3.0.3 provides actions for Conditions not covered in other Specifications. The requirements of LCO 3.0.3 do not apply in MODE 3 when PASSIVELY COOLED, and MODES 4 and 5 because the unitMODULE is already in the most restrictive condition required by LCO 3.0.3. The requirements of LCO 3.0.3 do not apply in other specified conditions of the Applicability (unless in MODE 1, 2, or MODE 3 when not PASSIVELY COOLED) because the ACTIONS of individual Specifications sufficiently define the remedial measures to be taken.

Exceptions to 3.0.3 are provided in instances where requiring a unitMODULE shutdown in accordance with LCO 3.0.3, would not NuScale B 3.0-4 Draft Revision 1.0

LCO Applicability B 3.0 BASES LCO 3.0.3 (continued) provide appropriate remedial measures for the associated condition of the unitMODULE. An example of this is in LCO 3.5.3, Ultimate Heat Sink. This Specification has an Applicability of "At all times." Therefore, this LCO can be applicable during any or all MODES. If the LCO and the Required Actions of LCO 3.5.3 are not met while in MODE 1 or 2, there is no safety benefit to be gained by placing unitMODULES in a shutdown condition where they are dependent on the reactor pool to perform its safety function to remove decay heat. The Required Action of LCO 3.5.3 for a level not within its normal upper range limits include a requirement to Suspend movement of irradiated fuel assemblies in spent fuel pool and to Suspend moduleMODULE movements which are the appropriate Required Actions to complete in lieu of the actions of LCO 3.0.3 for those conditions. The Required Action of LCO 3.5.3 at a level, temperature, or boron concentration that could limit the ability to support decay heat removal or containment flooding after a shutdown include a requirement to immediately restore the affected parameters which is the appropriate Required Action to complete in lieu of the actions of LCO 3.0.3 for that condition that could challenge the functions supported by the ultimate heat sink that are inoperable. These exceptions are addressed in the individual Specifications.

LCO 3.0.4 LCO 3.0.4 establishes limitations on changes in MODES or other specified conditions in the Applicability when an LCO is not met. It allows placing the unitMODULE in a MODE or other specified condition stated in that Applicability (e.g., the Applicability desired to be entered) when unitMODULE conditions are such that the requirements of the LCO would not be met, in accordance with either LCO 3.0.4.a, LCO 3.0.4.b, or LCO 3.0.4.c.

LCO 3.0.4.a allows entry into a MODE or other specified condition in the Applicability with the LCO not met when the associated ACTIONS to be entered following entry into the MODE or other specified condition in the Applicability will permit continued operation within the MODE or other specified condition for an unlimited period of time. Compliance with ACTIONS that permit continued operation of the unitMODULE for an unlimited period of time in a MODE or other specified condition provides an acceptable level of safety for continued operation. This is without regard to the status of the unitMODULE before or after the MODE change. Therefore, in such cases, entry into a MODE or other specified condition in the Applicability may be made and the Required Actions followed after entry into the Applicability.

NuScale B 3.0-5 Draft Revision 1.0

LCO Applicability B 3.0 BASES LCO 3.0.4 (continued)

For example, LCO 3.0.4.a may be used when the Required Action to be entered states that an inoperable instrument channel must be placed in the trip condition within the Completion Time. Transition into a MODE or other specified condition in the Applicability may be made in accordance with LCO 3.0.4 and the channel is subsequently placed in the tripped condition within the Completion Time, which begins when the Applicability is entered. If the instrument channel cannot be placed in the tripped condition and the subsequent default ACTION ("Required Action and associated Completion Time not met") allows the OPERABLE train to be placed in operation, use of LCO 3.0.4.a is acceptable because the subsequent ACTIONS to be entered following entry into the MODE include ACTIONS (place the OPERABLE train in operation) that permit safe unitplant operation for an unlimited period of time in the MODE or other specified condition to be entered.

LCO 3.0.4.b allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering the MODE or other specified condition in the Applicability, and establishment of risk management actions, if appropriate.

The risk assessment may use quantitative, qualitative, or blended approaches, and the risk assessment will be conducted using the plant program, procedures, and criteria in place to implement 10 CFR 50.65(a)(4), which requires that risk impacts of maintenance activities to be assessed and managed. The risk assessment, for the purposes of LCO 3.0.4.b, must take into account all inoperable Technical Specification equipment regardless of whether the equipment is included in the normal 10 CFR 50.65(a)(4) risk assessment scope.

The risk assessments will be conducted using the procedures and guidance endorsed by Regulatory Guide 1.160, Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, Revision 3.

Regulatory Guide 1.160 endorses the guidance in Section 11 of NUMARC 93-01, Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants. These documents address general guidance for conduct of the risk assessment, quantitative and qualitative guidelines for establishing risk management actions, and example risk management actions. These include actions to plan and conduct other activities in a manner that controls overall risk, increased risk awareness by shift and management personnel, actions to reduce the duration of the condition, actions to minimize the magnitude of risk increases (establishment of backup success paths or compensatory measures), and determination that the proposed MODE or other specified condition change is acceptable. Consideration should also be NuScale B 3.0-6 Draft Revision 1.0

LCO Applicability B 3.0 BASES LCO 3.0.4 (continued) given to the probability of completing restoration such that the requirements of the LCO would be met prior to the expiration of ACTIONS Completion Times that would require exiting the Applicability.

LCO 3.0.4.b may be used with single, or multiple systems and components unavailable. NUMARC 93-01 provides guidance relative to consideration of simultaneous unavailability of multiple systems and components.

LCO 3.0.4.c allows entry into a MODE or other specified condition in the Applicability with the LCO not met based on a Note in the Specification which states LCO 3.0.4.c is applicable. These specific allowances permit entry into MODES or other specified conditions in the Applicability when the associated ACTIONS to be entered do not provide for continued operation for an unlimited period of time and a risk assessment has not been performed. This allowance may apply to all the ACTIONS or to a specific Required Action of a Specification. The risk assessments performed to justify the use of LCO 3.0.4.b usually only consider systems and components. For this reason, LCO 3.0.4.c is typically applied to Specifications which describe values and parameters (e.g., RCS Specific Activity) and may be applied to other Specifications based on NRC unit-specificplant specific approval.

The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.

The provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unitMODULE shutdown. In this context, a unitMODULE shutdown is defined as a change in MODE or other specified condition in the Applicability associated with transitioning from MODE 1 to MODE 2, and MODE 2 to MODE 3.

NuScale B 3.0-7 Draft Revision 1.0

LCO Applicability B 3.0 BASES LCO 3.0.4 (continued)

Upon entry into a MODE or other specified condition in the Applicability with the LCO not met, LCO 3.0.1 and LCO 3.0.2 require entry into the applicable Conditions and Required Actions until the Condition is resolved, until the LCO is met, or until the unitMODULE is not within the Applicability of the Technical Specification.

Surveillances do not have to be performed on the associated inoperable equipment (or on variables outside the specified limits), as permitted by SR 3.0.1. Therefore, utilizing LCO 3.0.4 is not a violation of SR 3.0.1 or SR 3.0.4 for any Surveillances that have not been performed on inoperable equipment. However, SRs must be met to ensure OPERABILITY prior to declaring the associated equipment OPERABLE (or variable within limits) and restoring compliance with the affected LCO.

LCO 3.0.5 LCO 3.0.5 establishes the allowance of restoring equipment to service under administrative controls when it has been removed from service or declared inoperable to comply with ACTIONS. The sole purpose of this Specification is to provide an exception to LCO 3.0.2 (e.g., to not comply with the applicable Required Action(s)) to allow the performance of required testing to demonstrate:

a. The OPERABILITY of the equipment being returned to service; or

b. The OPERABILITY of other equipment.

The administrative controls ensure the time the equipment is returned to service in conflict with the requirements of the ACTIONS is limited to the time absolutely necessary to perform the required testing to demonstrate OPERABILITY. This Specification does not provide time to perform any other preventive or corrective maintenance. LCO 3.0.5 should not be used in lieu of other practicable alternatives that comply with Required Actions and that do not require changing the MODE or other specified conditions in the Applicability in order to demonstrate equipment is OPERABLE. LCO 3.0.5 is not intended to be used repeatedly.

An example of demonstrating equipment is OPERABLE with the Required Actions not met is opening a manual valve that was closed to comply with Required Actions to isolate a flowpath with excessive Reactor Coolant System (RCS) pressure boundary leakage in order to perform testing to demonstrate that RCS pressure boundary leakage is now within limit.

NuScale B 3.0-8 Draft Revision 1.0

LCO Applicability B 3.0 BASES LCO 3.0.5 (continued)

Examples of demonstrating equipment OPERABILITY include instances in which it is necessary to take an inoperable channel or trip system out of a tripped condition that was directed by a Required Action, if there is no Required Action Note for this purpose. An example of verifying OPERABILITY of equipment removed from service is taking a tripped channel out of the tripped condition to permit the logic to function and indicate the appropriate response during performance of required testing on the inoperable channel. Examples of demonstrating the OPERABILITY of other equipment are taking an inoperable channel or trip system out of the tripped condition 1) to prevent the trip function from occurring during the performance of required testing on another channel in the other trip system, or 2) to permit the logic to function and indicate the appropriate response during the performance of required testing on another channel in the same trip system.

The administrative controls in LCO 3.0.5 apply in all cases to systems or components in Chapter 3 of the Technical Specifications, as long as the testing could not be conducted while complying with the Required Actions. This includes the realignment or repositioning of redundant or alternate equipment or trains previously manipulated to comply with ACTIONS, as well as equipment removed from service or declared inoperable to comply with ACTIONS.

LCO 3.0.6 LCO 3.0.6 establishes an exception to LCO 3.0.2 for supported systems that have a support system LCO specified in the Technical Specifications (TS). This exception is provided because LCO 3.0.2 would require that the Conditions and Required Actions of the associated inoperable supported system LCO be entered solely due to the inoperability of the support system. This exception is justified because the actions that are required to ensure the unitMODULE is maintained in a safe condition are specified in the support system LCOs Required Actions. These Required Actions may include entering the supported systems Conditions and Required Actions or may specify other Required Actions.

When a support system is inoperable and there is an LCO specified for it in the TS, the supported system(s) are required to be declared inoperable if determined to be inoperable as a result of the support system inoperability. However it is not necessary to enter into the supported systems Conditions and Required Actions unless directed to do so by the support systems Required Actions. The potential confusion and inconsistency of requirements related to the entry into multiple support and supported systems LCOs Conditions and Required Actions are eliminated by providing all the actions that are necessary to ensure NuScale B 3.0-9 Draft Revision 1.0

LCO Applicability B 3.0 BASES LCO 3.0.6 (continued) the unitMODULE is maintained in a safe condition in the support systems Required Actions.

However, there are instances where a support systems Required Action may either direct a supported system to be declared inoperable or direct entry into Conditions and Required Actions for the supported system.

This may occur immediately or after some specified delay to perform some other Required Action. Regardless of whether it is immediate or after some delay, when a support systems Required Action directs a supported system to be declared inoperable or directs entry into Conditions and Required Actions for a supported system, the applicable Conditions and Required Actions shall be entered in accordance with LCO 3.0.2.

Specification 5.5.8, Safety Function Determination Program (SFDP),

ensures loss of safety function is detected and appropriate actions are taken. Upon entry into LCO 3.0.6, an evaluation shall be made to determine if loss of safety function exists. Additionally, other limitations, remedial actions, or compensatory actions may be identified as a result of the support system inoperability and corresponding exception to entering supported system Conditions and Required Actions. The SFDP implements the requirements of LCO 3.0.6.

Cross train checks to identify a loss of safety function for those support systems that support multiple and redundant safety systems are required. The cross train check verifies that the supported systems of the redundant OPERABLE support system are OPERABLE, thereby ensuring safety function is retained. If this evaluation determines that a loss of safety function exists, the appropriate Conditions and Required Actions of the LCO in which the loss of safety functions exists are required to be entered.

This loss of safety function does not require the assumption of additional single failures or loss of electrical power. Since operations are being restricted in accordance with the ACTIONS of the support system, any resulting temporary loss of redundancy or single failure protection is taken into account. There are no support system LCO requirements for electrical power based on the safety related passive design.

When loss of safety function is determined to exist, and the SFDP requires entry into the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists, consideration must be given to the specific type of function affected. Where a loss of function is solely due to a single Technical Specification support system NuScale B 3.0-10 Draft Revision 1.0

LCO Applicability B 3.0 BASES LCO 3.0.6 (continued)

(e.g., loss of automatic actuation capability due to inoperable instrumentation) the appropriate LCO is the LCO for the support system.

The ACTIONS for a support system LCO adequately address the inoperabilities of that system without reliance on entering its supported system LCO. When the loss of function is the result of multiple support systems, the appropriate LCO is the LCO for the supported system.

LCO 3.0.7 There are certain special tests and operations required to be performed at various times over the life of the unitMODULE. These special tests and operations are necessary to demonstrate select unitMODULE performance characteristics, to perform special maintenance activities, and to perform special evolutions. Test Exception LCO 3.1.8 allows specified Technical Specification (TS) requirements to be changed to permit performance of these special tests and operations, which otherwise could not be performed if required to comply with the requirements of these TS. Unless otherwise specified, all the other TS requirements remain unchanged. This will ensure all appropriate requirements of the MODE or other specified condition not directly associated with or required to be changed to perform the special test or operation will remain in effect.

The Applicability of a Test Exception LCO represents a condition not necessarily in compliance with the normal requirements of the TS.

Compliance with Test Exception LCOs is optional. A special operation may be performed either under the provisions of the appropriate Test Exception LCO or under the other applicable TS requirements. If it is desired to perform the special operation under the provisions of the Test Exception LCO, the requirements of the Test Exception LCO shall be followed.

[ ------------------------------ REVIEWERS NOTE ------------------------------------

A COL applicant who wants to adopt LCO 3.0.8 must perform or reference a risk assessment for the NuScale design that has been submitted to the NRC, and that was prepared consistent with the bounding generic risk assessment provided in TSTF-427, Allowance for Non-Technical Specification Barrier Degradation on Supported System OPERABILITY, Revision 2-A.

]

[LCO 3.0.8 LCO 3.0.8 establishes conditions under which systems described in the Technical Specifications are considered to remain OPERABLE when required barriers are not capable of providing their related support function(s).

NuScale B 3.0-11 Draft Revision 1.0

LCO Applicability B 3.0 BASES LCO 3.0.8 (continued) protects against internal flooding and the affected barrier for the other train protects against tornado missiles. In this example, the affected barrier may be the same physical barrier but serve different protection functions for each train.

If during the time that LCO 3.0.8 is being used, the required OPERABLE train or subsystem becomes inoperable, it must be restored to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . Otherwise, the train(s) or subsystem(s) supported by barriers that cannot perform their related support function(s) must be declared inoperable and the associated LCOs declared not met. This 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months period provides time to respond to emergent conditions that would otherwise likely lead to entry into LCO 3.0.3 and a rapid unitplant shutdown, which is not justified given the low probability of an initiating event which would require the barrier(s) not capable of performing their related support function(s).

During this 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months period, the unitplant risk associated with the existing conditions is assessed and managed in accordance with 10 CFR 50.65(a)(4).]

NuScale B 3.0-14 Draft Revision 1.0

SR Applicability B 3.0 B 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY BASES SRs SR 3.0.1 through SR 3.0.4 establish the general requirements applicable to all Specifications and apply at all times, unless otherwise stated.

SR 3.0.2 and SR 3.0.3 apply in Chapter 5 only when invoked by a Chapter 5 Specification.

SR 3.0.1 SR 3.0.1 establishes the requirement that SRs must be met during the MODES or other specified conditions in the Applicability for which the requirements of the LCO apply, unless otherwise specified in the individual SRs. This Specification ensures that Surveillances are performed to verify the OPERABILITY of systems and components, and that variables are within specified limits. Failure to meet a Surveillance within the specified Frequency, in accordance with SR 3.0.2, constitutes a failure to meet an LCO. Surveillances may be performed by means of any series of sequential, overlapping, or total steps provided the entire Surveillance is performed within the specified Frequency. Additionally, the definitions related to instrument testing (e.g., CHANNEL CALIBRATION) specify that these tests are performed by means of any series of sequential, overlapping, or total steps.

Systems and components are assumed to be OPERABLE when the associated SRs have been met. Nothing in this Specification, however, is to be construed as implying that systems or components are OPERABLE when:

a. The systems or components are known to be inoperable, although still meeting the SRs; or

b. The requirements of the Surveillance(s) are known not to be met between required Surveillance performances.

Surveillances do not have to be performed when the unitMODULE is in a MODE or other specified condition for which the requirements of the associated LCO are not applicable, unless otherwise specified. The SRs associated with a test exception are only applicable when the test exception is used as an allowable exception to the requirements of a Specification.

Unplanned events may satisfy the requirements (including applicable acceptance criteria) for a given SR. In this case, the unplanned event may be credited as fulfilling the performance of the SR. This allowance includes those SRs whose performance is normally precluded in a given MODE or other specified condition.

NuScale B 3.0-15 Draft Revision 1.0

SR Applicability B 3.0 BASES SR 3.0.1 (continued)

Surveillances, including Surveillances invoked by Required Actions, do not have to be performed on inoperable equipment because the ACTIONS define the remedial measures that apply. Surveillances have to be met in accordance with SR 3.0.2 prior to returning equipment to OPERABLE status.

Upon completion of maintenance, appropriate post maintenance testing is required to declare equipment OPERABLE. This includes ensuring applicable Surveillances are not failed and their most recent performance is in accordance with SR 3.0.2. Post maintenance testing may not be possible in the current MODE or other specified conditions in the Applicability due to the necessary unitMODULE parameters not having been established. In these situations, the equipment may be considered OPERABLE provided testing has been satisfactorily completed to the extent possible and the equipment is not otherwise believed to be incapable of performing its function. This will allow operation to proceed to a MODE or other specified condition where other necessary post maintenance tests can be completed.

An example of this process is the calibration of the excore neutron detectors, which cannot be accomplished until the reactor power is high enough to provide representative calorimetric information and the neutron flux can be measured by the instrumentation.

SR 3.0.2 SR 3.0.2 establishes the requirements for meeting the specified Frequency for Surveillances and any Required Actions with a Completion Time that requires the periodic performance of the Required Action on a once per interval.

SR 3.0.2 permits a 25% extension of the interval specified in the Frequency. This extension facilitates Surveillance scheduling and considers unitplant operating conditions that may not be suitable for conducting the Surveillance (e.g., transient conditions or other ongoing Surveillance or maintenance activities).

When a Section 5.5, "Programs and Manuals," Specification states that the provisions of SR 3.0.2 are applicable, a 25% extension of the testing interval, whether stated in the Specification or incorporated by reference, is permitted.

The 25% extension does not significantly degrade the reliability that results from performing the Surveillance at its specified Frequency. This is based on the recognition that the most probable result of any NuScale B 3.0-16 Draft Revision 1.0

SR Applicability B 3.0 BASES SR 3.0.3 (continued)

There are two circumstances in which SR 3.0.3 may be used.

a. If it is not possible to perform a Surveillance within the specified Frequency (for example, due to a scheduling error, adverse operational conditions, or failure of equipment needed to perform the Surveillance), then SR 3.0.3 may be applied at the point the Surveillance is not performed within the specified Frequency (i.e., it may be anticipated that a Surveillance will not be performed within the specified Frequency, but discovery may only occur when the specified Frequency expires); and

b. If it is discovered that a Surveillance was not performed within the specified Frequency in the past, then SR 3.0.3 may be applied at the time of that discovery.

When a Section 5.5, "Programs and Manuals," Specification states that the provisions of SR 3.0.3 are applicable, it permits the flexibility to defer declaring the testing requirement not met in accordance with SR 3.0.3 when the testing has not been completed within the testing interval (including the allowance of SR 3.0.2 if invoked by the Section 5.5 Specification).

This delay period provides adequate time to perform thecomplete Surveillances that have been missed. This delay period permits the performancecompletion of a Surveillance before complying with Required Actions or other remedial measures that might preclude performancecompletion of the Surveillance.

The basis for this delay period includes consideration of unitMODULE Conditionsconditions, adequate planning, availability of personnel, the time required to perform the Surveillance, the safety significance of the delay in performingcompleting the required Surveillance, and the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the requirements.

When a Surveillance with a Frequency based not on time intervals, but upon specified unitMODULE conditions, operational situations, or requirements of regulations (e.g., prior to entering MODE 1 after each fuel loading, or in accordance with 10 CFR 50, Appendix J, as modified by approved exemptions, etc.) is discovered to not have been performed within the specified Frequencywhen specified, SR 3.0.3 allows for the full delay period of up to the specified Frequency to perform the Surveillance. However, since there is not a time interval specified, the missed Surveillance should be performed at the first NuScale B 3.0-18 Draft Revision 1.0

SR Applicability B 3.0 BASES LCOSR 3.0.3 (continued) reasonable opportunity.

SR 3.0.3 provides a time limit for, and allowances for the performance of, Surveillances that become applicable as a consequence of MODE changes imposed by Required Actions.

SR 3.0.3 is only applicable if there is a reasonable expectation the associated equipment is OPERABLE or that variables are within limits, and it is expected that the Surveillance will be met when performed.

Many factors should be considered, such as the period of time since the Surveillance was last performed, or whether the Surveillance, or a portion thereof, has ever been performed, and any other indications, tests, or activities that might support the expectation that the Surveillance will be met when performed. An example of the use of SR 3.0.3 would be a relay contact that was not tested as required in accordance with a particular SR, but previous successful performances of the SR included the relay contact; the adjacent, physically connected relay contacts were tested during the SR performance; the subject relay contact has been tested by another SR; or historical operation of the subject relay contact has been successful. It is not sufficient to infer the behavior of the associated equipment from the performance of similar equipment. The rigor of determining whether there is a reasonable expectation a Surveillance will be met when performed should increase based on the length of time since the last performance of the Surveillance. If the Surveillance has been performed recently, a review of the Surveillance history and equipment performance may be sufficient to support a reasonable expectation that the Surveillance will be met when performed. For Surveillances that have not been performed for a long period or that have never been performed, a rigorous evaluation based on objective evidence should provide a high degree of confidence that the equipment is OPERABLE. The evaluation should be documented in sufficient detail to allow a knowledgeable individual to understand the basis for the determination.

Failure to comply with specified Frequencies for SRs is expected to be an infrequent occurrence. Use of the delay period established by SR 3.0.3 is a flexibility which is not intended to be used repeatedly to extend Surveillance intervals. While up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months or up to the limit of the specified Frequency is provided to perform the missed Surveillance, it is expected that the Surveillance will be performed at the first reasonable opportunity. The determination of the first reasonable opportunity should include consideration of the impact on plant risk (from delaying the Surveillance as well as any plant configuration changes required or shutting the unitplant down to perform the Surveillance) and impact on any analysis assumptions, in addition to unitMODULE NuScale B 3.0-19 Draft Revision 1.0

SR Applicability B 3.0 BASES SR 3.0.3 (continued) conditions, planning, availability of personnel, and the time required to perform the Surveillance. This risk impact should be managed through the program in place to implement 10 CFR 50.65(a)(4) and its implementation guidance, NRC Regulatory Guide 1.160, "Monitoring the Effectiveness of Maintenance at Nuclear Power Plants," Revision 3. This Regulatory Guide addresses consideration of temporary and aggregate risk impacts, determination of risk management action thresholds, and risk management action up to and including unitplant shutdown.

The missed Surveillance should be treated as an emergent condition as discussed in the Regulatory Guide. The risk evaluation may use quantitative, qualitative, or blended methods. The degree of depth and rigor of the evaluation should be commensurate with the importance of the component. Missed Surveillances not performed within the specified Frequency for important components should be analyzed quantitatively.

If the results of the risk evaluation determine the risk increase is significant, this evaluation should be used to determine the safest course of action. All missed Surveillances not performed within the specified Frequency will be placed in the licensees Corrective Action Program.

If a Surveillance is not performed and metcompleted within the allowed delay period, then the equipment is considered inoperable or the variable is considered outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon expiration of the delay period. If a Surveillance is failed within the delay period, then the equipment is inoperable, or the variable is outside the specified limits and Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon the failure of the Surveillance.

Performing and meetingCompletion of the Surveillance within the delay period allowed by this Specification, or within the Completion Time of the ACTIONS, restores compliance with SR 3.0.1.

SR 3.0.4 SR 3.0.4 establishes the requirement that all applicable SRs must be met before entry into a MODE or other specified condition in the Applicability.

This Specification ensures that system and component OPERABILITY requirements and variable limits are met before entry into MODES or other specified conditions in the Applicability for which these systems and components ensure safe operation of the unitMODULE. The provisions of this Specification should not be interpreted as endorsing NuScale B 3.0-20 Draft Revision 1.0

SR Applicability B 3.0 BASES SR 3.0.4 (continued) the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.

A provision is included to allow entry into a MODE or other specified condition in the Applicability when an LCO is not met due to a Surveillance not being met in accordance with LCO 3.0.4.

However, in certain circumstances, failing to meet an SR will not result in SR 3.0.4 restricting a MODE change or other specified condition change. When a system, subsystem, division, component, device, or variable is inoperable or outside its specified limits, the associated SR(s) are not required to be performed, per SR 3.0.1, which states that surveillances do not have to be performed on inoperable equipment.

When equipment is inoperable, SR 3.0.4 does not apply to the associated SR(s) since the requirement for the SR(s) to be performed is removed. Therefore, failing to perform the Surveillance(s) within the specified Frequency does not result in an SR 3.0.4 restriction to changing MODES or other specified conditions of the Applicability.

However, since the LCO is not met in this instance, LCO 3.0.4 will govern any restrictions that may (or may not) apply to MODE or other specified condition changes. SR 3.0.4 does not restrict changing MODES or other specified conditions of the Applicability when a Surveillance has not been performed within the specified Frequency, provided the requirement to declare the LCO not met has been delayed in accordance with SR 3.0.3.

The provisions of SR 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of SR 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unitMODULE shutdown. In this context, a unitMODULE shutdown is defined as a change in MODE or other specified condition in the Applicability associated with transitioning from MODE 1 to MODE 2, and MODE 2 to MODE 3.

The precise requirements for performance of SRs are specified such that exceptions to SR 3.0.4 are not necessary. The specific time frames and conditions necessary for meeting the SRs are specified in the Frequency, in the Surveillance, or both. This allows performance of Surveillances when the prerequisite condition(s) specified in a Surveillance procedure require entry into a MODE or other specified condition in the Applicability of the associated LCO prior to the performance or completion of a Surveillance. A Surveillance that could not be performed until after entering the LCOs Applicability, would have NuScale B 3.0-21 Draft Revision 1.0

SDM B 3.1.1 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.1 SHUTDOWN MARGIN (SDM)

BASES BACKGROUND According to GDC 26 (Ref. 1) the reactivity control systems must be redundant and capable of holding the reactor core subcritical when shutdown under cold conditions. Maintenance of the SDM ensures that postulated reactivity events will not damage the fuel.

SDM requirements provide sufficient reactivity margin to assure that specified acceptable fuel design limits (SAFDLs) will not be exceeded for normal shutdown and anticipated operational occurrences (AOOs).

As such, the SDM defines the degree of subcriticality that would be obtained immediately following the insertion or scram of all shutdown and regulating group control rod assemblies (CRAs), assuming that the single CRA of highest reactivity worth is fully withdrawn.

Additionally SDM requirements provide sufficient reactivity margin to ensure that the reactor will remain shutdown at all temperatures with all control rods inserted.

The system design requires that two independent reactivity control systems be provided, and that one of these systems be capable of maintaining the core subcritical under cold conditions. These requirements are provided by the use of movable CRAs and soluble boric acid in the Reactor Coolant System (RCS). The CRA System provides the SDM during power operation and is capable of making the core subcritical rapidly enough to prevent exceeding acceptable fuel damage limits, following all AOOS and postulated accidents, assuming that the CRA of highest reactivity worth remains withdrawn.

The soluble boron system can compensate for fuel depletion during operation and all xenon burnout reactivity changes and maintain the reactor subcritical under cold conditions.

During power operation, SDM control is ensured by operating with the shutdown group fully withdrawn and the regulating group within the limits of LCO 3.1.6, Regulating Group Insertion Limits.

When the unitMODULE is in MODES 2, 3, 4 or 5, the SDM requirements are met by means of adjustments to the RCS boron concentration and the boron requirements for the pool, LCO 3.5.3, "Ultimate Heat Sink" and CRA controls.

NuScale B 3.1.1-1 Draft Revision 1.0

Core Reactivity B 3.1.2 BASES ACTIONS (continued) acceptable for continued operation, then the boron letdown curve may be renormalized and power operation may continue. If changes to operational restrictions are necessary to ensure the reactor core is acceptable for continued operation, then they must be defined and implemented.

The required Completion Time of 7 days is adequate for preparing and implementing whatever operating restrictions that may be required to allow continued reactor operation.

B.1 If the core reactivity cannot be restored to within the 1% k/k limit, the unitplant must be brought to a MODE in which the LCO does not apply. To achieve this status, the unitplant must be brought to at least MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . If the SDM for MODE 2 is not met, then boration may be required to meet SR 3.1.1.1 prior to entry into MODE

2. The allowed Completion Time is reasonable, for reaching MODE 2 from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.1.2.1 REQUIREMENTS Core reactivity is verified by periodic comparisons of measured and predicted RCS boron concentrations. The comparison is made considering that other core conditions are fixed or stable, including CRA position, moderator temperature, fuel temperature, fuel depletion, xenon concentration, and samarium concentration. The Surveillance is performed prior to exceeding 5% RTP as an initial check on core conditions and design calculations at BOC. The Surveillance is performed again prior to exceeding 60 effective full power days (EFPDs) to confirm the core reactivity is responding to reactivity predictions and then periodically thereafter during the operating cycle in accordance with the Surveillance Frequency Control Program. The SR is modified by a Note indicating that the predicted core reactivity may be adjusted to the measured value provided this normalization is performed prior to exceeding a fuel burnup of 60 EFPDs. This allows sufficient time for core conditions to reach steady state, but prevents operation for a large fraction of the fuel cycle without establishing a benchmark for the design calculations.

The subsequent Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

NuScale B 3.1.2-5 Draft Revision 1.0

MTC B 3.1.3 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.3 Moderator Temperature Coefficient (MTC)

BASES BACKGROUND According to GDC 11 (Ref. 1), the reactor core and its interaction with the Reactor Coolant System (RCS) must be designed for inherently stable power operation even in the possible event of an accident. In particular, the net reactivity feedback in the system must compensate for any unintended reactivity increases.

The MTC relates a change in core reactivity to a change in reactor coolant temperature (a positive MTC means that reactivity increases with increasing moderator temperature; conversely, a negative MTC means that reactivity decreases with increasing moderator temperature). The reactor is designed to operate with a non-positive MTC during the majority of fuel cycle operation. Therefore, a coolant temperature increase will cause a reactivity decrease, so that the coolant temperature tends to return toward its initial value. Reactivity increases that cause a coolant temperature increase will thus be self-limiting, and stable power operation will result. There are times at the beginning of cycle and at less than normal operating temperate the MTC be slightly positive.

MTC values are predicted at selected burnups during the safety evaluation analysis and are confirmed to be acceptable by measurements. Both initial and reload cores are designed so that the MTC is less than zero when reactor power is at RTP. The actual value of the MTC is dependent on core characteristics such as fuel loading and reactor coolant soluble boron concentration. The core design may require additional fixed distributed poisons (burnable absorbers) to yield an MTC within the range analyzed in the plant accident analysis.

The end of cycle (EOC) MTC is also limited by the requirements of the accident analysis. Fuel cycles that are designed to achieve high burnups or that have changes to other characteristics are evaluated to ensure that the MTC does not exceed the EOC limit.

The limitations on MTC are provided to ensure that the value of this coefficient remains within the limiting conditions assumed in the FSAR accident and transient analyses (Ref. 2).

If the LCO limits are not met, the unitplant response during transients may not be as predicted. The core could violate criteria that prohibit a return to criticality, or the departure from nucleate boiling ratio criteria of the approved correlation may be violated, which could lead to a loss of the fuel cladding integrity.

NuScale B 3.1.3-1 Draft Revision 1.0

MTC B 3.1.3 BASES BACKGROUND (continued)

The SRs for measurement of the MTC at the beginning and near the end of the fuel cycle are adequate to confirm that the MTC remains within its limits since this coefficient changes slowly, due principally to the RCS boron concentration associated with fuel burnup and burnable absorbers.

APPLICABLE The acceptance criteria for the specified MTC are:

SAFETY ANALYSES a. The MTC values must remain within the bounds of those used in the accident analysis (Ref. 2); and

b. The MTC must be such that inherently stable power operations result during normal operation and accidents, such as overheating and overcooling events.

FSAR Chapter 15 (Ref. 2) contains analyses of accidents that result in both overheating and overcooling of the reactor core. MTC is one of the controlling parameters for core reactivity in these accidents. Both the least negative value and most negative value of the MTC are important to safety, and both values must be bounded. Values used in the analyses consider worst case conditions to ensure that the accident results are bounding (Ref. 2).

Accidents that cause core overheating, either by decreased heat removal or increased power production, must be evaluated for results when the MTC is least negative. Reactivity accidents that cause increased power production include the control rod assembly (CRA) withdrawal transient from either zero or full power. The limiting overheating event relative to unitplant response is based on the maximum difference between core power and steam generator heat removal during a transient. The most limiting event with respect to a positive MTC is a CRA withdrawal accident from zero power, also referred to as a startup accident (Ref. 2).

Accidents that cause core overcooling must be evaluated for results when the MTC is most negative. The event that produces the most rapid cooldown of the RCS, and is therefore the most limiting event with respect to the negative MTC, is a steam line break (SLB) event.

Following the reactor trip for the postulated EOC SLB event, the large moderator temperature reduction combined with the large negative MTC may produce reactivity increases that are as much as the shutdown reactivity. When this occurs, a substantial fraction of core power is produced with all CRAs inserted, except the most reactive NuScale B 3.1.3-2 Draft Revision 1.0

MTC B 3.1.3 BASES APPLICABILITY (continued)

In MODE 3 with reactor coolant temperatureall RCS temperatures < 200°F and in MODES 4 and 5, this LCO is not applicable because no Design Basis Accidents (DBAs) using the MTC as an analysis assumption are initiated from these conditions.

ACTIONS A.1 MTC is a function of the fuel and fuel cycle designs, and cannot be controlled directly once the designs have been implemented in the core. If MTC exceeds its limits, the reactor must be placed in MODE 2.

This eliminates the potential for violation of the accident analysis bounds. The associated Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, considering the probability of an accident occurring during the time period that would require an MTC value within the LCO limits, and the time for reaching MODE 2 from full power conditions in an orderly manner and without challenging plant systems.

B.1 Operating outside the lower MTC limit means the safety analysis assumptions for the EOC accidents that use a bounding negative MTC value may be invalid. If the lower MTC limit is exceeded, the unitplant must be placed in a MODE or condition in which the LCO requirements are not applicable. In addition to Required Action A.1, Required Action B.1 also requires the unitplant to be in MODE 3 with reactor coolant temperaureall RCS temperatures < 200°F within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months .

The allowed Completion Time is a reasonable time based the activities needed to reach the required MODE from full power operation in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.1.3.1 and SR 3.1.3.2 REQUIREMENTS The SRs for measurement of the MTC at the beginning and two-thirds of each fuel cycle provide for confirmation of the limiting MTC values.

The MTC changes smoothly from least negative to most negative value during fuel cycle operation, as the RCS boron concentration is reduced to compensate for fuel depletion.

The requirement for measurement prior to exceeding > 5% RTP satisfies the confirmatory check on the upper MTC value.

NuScale B 3.1.3-4 Draft Revision 1.0

Rod Group Alignment Limits B 3.1.4 BASES APPLICABILITY The requirements on CRA OPERABILITY and alignment are applicable in MODE 1 because this is the only MODE in which neutron (or fission) power is generated, and the OPERABILITY (i.e.,

trippability) and alignment of CRAs have the potential to affect the safety of the unitplant. In MODES 2, 3, 4, and 5, the alignment limits do not apply because the CRAs are bottomed, and the reactor is shut down and not producing fission power. In the shutdown Modes, the OPERABILITY of the shutdown and regulating CRAs has the potential to affect the required SDM, but this effect can be compensated for by an increase in the boron concentration of the RCS. See LCO 3.1.1, SHUTDOWN MARGIN (SDM), for SDM in MODE 1 with keff < 1.0, MODES 2, 3, and 4 and LCO 3.5.3, "Ultimate Heat Sink" in MODE 5,"

for boron concentration requirements during refueling.

ACTIONS A.1 1 and A.1.2 When one or more CRAs are inoperable (i.e. untrippable), there is a possibility that the required SDM may be adversely affected. Under these conditions, it is important to determine the SDM, and if it is less than the required value, initiate boration until the required SDM is recovered.

When a CRA(s) becomes misaligned, it can usually be moved and is still trippable. If the CRA can be realigned within the Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , local xenon redistribution during this short interval will not be significant, and operation may proceed without further restriction. An alternative to realigning a single misaligned CRA to the group average position is to align the remainder of the group to the position of the misaligned CRA. However, this must be done without violating the bank sequence, overlap, and insertion limits specified in LCO 3.1.5, "Shutdown Group Insertion Limits," and LCO 3.1.6, "Regulating Group Insertion Limits." The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is adequate for determining SDM and, if necessary, for initiating boration and restoring SDM.

In this situation, SDM verification must include the worth of any untrippable CRA, in addition to the CRA of maximum worth.

A.2 When Required Action cannot be completed within their Completion Time, the unit must be brought to a MODE or Condition in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , which obviates concerns about the development of undesirable xenon and power NuScale B 3.1.4-3 Draft Revision 1.0

Shutdown Group Insertion Limits B 3.1.5 BASES LCO (continued) normally violate the LCO. This Note applies to each shutdown group as its moved below the insertion limit to perform the SR. This Note is not applicable should a malfunction stop performance of the SR.

APPLICABILITY The shutdown group CRAs must be within their insertion limits, with the reactor in MODE 1. This ensures that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM following a reactor trip. In MODE 2, 3, 4 the shutdown group CRAs are fully inserted in the core and contribute to the SDM. Refer to LCO 3.1.1, "SHUTDOWN MARGIN (SDM)," for SDM requirements in MODES 2, 3, and 4. LCO 3.5.3, "Ultimate Heat Sink," ensures adequate SDM in MODES 4 and 5.

ACTIONS A.1.1, A.1.2, and A.2 When one shutdown group CRA is not within insertion limits, 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months are allowed to restore the shutdown group CRA to within insertion limits. This is necessary because the available SDM may be significantly reduced with one showdown group CRA not within their insertion limits. Also, verification of the SDM or initiation of boration within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is required, since the SDM in MODE 1 is continuously monitored and adhered to, in part, by the control and shutdown group insertion limits (see LCO 3.1.1).

The allowed Completion Time of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months provides an acceptable time for evaluating and repairing minor problems without allowing the unitplant to remain in an unacceptable condition for an extended period of time.

B.1 If the Required Actions and associated Completion Times are not met, the unit must be brought to a MODE where the LCO is not applicable.

The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.

NuScale B 3.1.5-3 Draft Revision 1.0

Regulating Group Insertion Limits B 3.1.6 BASES ACTIONS A.1.1, A.1.2, and A.2 When the regulating group are outside the acceptance insertion limits, they must be restored to within those limits. This restoration can occur in two ways:

a. Reduce power to be consistent with rod position; or

b. Moving rods to be consistent with power.

Also, verification of SDM or initiation of boration to regain SDM is required in 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , since the SDM in MODE 1 with keff is 1.0 is normally ensured by adhering to the control and shutdown group insertion limits (see LCO 3.1.1, "Shutdown Margin (SDM)) has been upset.

The allowed Completion Time of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months for restoring the regulating group to within insertion limits, provides an acceptable time for evaluating and repairing minor problems without allowing the unitplant to remain in an unacceptable condition for an extended period of time.

B.1 If the Required Actions cannot be completed within the associated Completion Times, the unit must be brought to a MODE where the LCO is not applicable. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable for reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.1.6.1 REQUIREMENTS Verification of the regulating group insertion limits is sufficient to detect regulating groups that may be approaching the insertion limits.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 10, GDC 26, and GDC 28.

2. 10 CFR 50.46.

3. FSAR, Chapter 15, Transient and Accident Analyses.

NuScale B 3.1.6-4 Draft Revision 1.0

Rod Position Indication B 3.1.7 BASES BACKGROUND (continued)

The Counter Position Indication counts the commands sent to the CRDM gripper coils from the Control Rod Drive System (CRDS) that moves the CRAs. There is one step counter for each CRDM. The CRA Position Indication System is considered highly precise

(+/- 1 step or +/- {3/8} inch). If a CRA does not move one step for each command signal, the step counter will still count the command and incorrectly reflect the position of the CRA.

The RPI function of the CRDS provides a highly accurate indication of actual CRA position, but at a lower precision than the step counters.

This system is based on inductive analog signals from a series of coils spaced along a hollow tube with a center to center distance of 1.125 inches, which is equivalent to 3 steps. To increase the reliability of the system, the inductive coils are alternately to two data systems. Thus, if one system fails, the RPI will go on half accuracy with an effective coil spacing of 2.25 inches, which is 6 steps. Therefore, the normal indication accuracy of the RPI System is +/- 3 steps (+/- 1.125 inches),

and the accuracy with one channel of RPI out-of-service is +/- 6 steps

(+/- 2.25 inches).

APPLICABLE The regulating and shutdown groups CRA position accuracy is SAFETY essential during power operation. Power peaking, ejected CRA worth, ANALYSES or SDM limits may be violated in the event of a Design Basis Accident (Ref. 2), with regulating or shutdown group CRAs operating outside their limits undetected. Therefore, the acceptance criteria for CRA position indication is that CRA positions must be known with sufficient accuracy in order to verify the core is operating within the group sequence, overlap, design peaking limits, ejected CRA worth, and within minimum SDM (LCO 3.1.5, Shutdown Group Insertion Limits, LCO 3.1.6, Regulating group Insertion Limits). The CRA positions must also be known in order to verify the alignment limits are preserved (LCO 3.1.4, Rod Group Alignment Limits). CRA positions are continuously monitored to provide operators with information that assures the unitplant is operating within the bounds of the accident analysis assumptions.

The CRA position indicator channels satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii). The control rod position indicators monitor CRA position, which is an initial condition of the accident.

NuScale B 3.1.7-2 Draft Revision 1.0

Rod Position Indication B 3.1.7 BASES LCO LCO 3.1.7 specifies that the RPI System and the Counter Position Indication System be OPERABLE for each CRA. For the CRA position indicators to be OPERABLE requires meeting the SR of the LCO and the following:

a. The RPI System indicates within 6 steps of the CRA counter demand position as required by LCO 3.1.4, Rod Group Alignment Limits;

b. For the RPI System there are no failed coils; and

c. The Counter Position Indication System has been calibrated either in the fully inserted position or to the RPI System.

The 6 step agreement limit between the Rod Position Indication System and the CPI system indicates that the Rod Position Indication System is adequately calibrated and can be used for indication of the measurement of CRA position.

A deviation of less than the allowable limit given in LCO 3.1.4 in position indication for a single CRA ensures high confidence that the position uncertainty of the corresponding CRA group is within the assumed values used in the analysis (that specified CRA group insertion limits).

These requirements provide adequate assurance that CRA position indication during power operation and PHYSICS TESTS is accurate, and that design assumptions are not challenged.

OPERABILITY of the position indicator channels ensures that inoperable, misaligned, or mispositioned CRAs can be detected.

Therefore, power peaking, ejected CRA worth, and SDM can be controlled within acceptable limits.

APPLICABILITY The requirements on the RPI and step counters are only applicable in MODE 1 (consistent with LCOs 3.1.4, 3.1.5, and 3.1.6), because this is the only MODE in which power is generated, and the OPERABILITY and alignment of CRAs has the potential to affect the safety of the unitplant. In the shutdown MODES, the OPERABILITY of the shutdown and regulating groups has the potential to affect the required SDM, but this effect can be compensated for by an increase in the boron concentration of the Reactor Coolant System (RCS).

NuScale B 3.1.7-3 Draft Revision 1.0

Rod Position Indication B 3.1.7 BASES ACTIONS (continued)

C.1 The Required Action clarify that when one or more CRAs with inoperable position indicators have been moved in excess of 6 steps in one direction since the position was last determined, the Required Actions of A.1 or B.1 are still appropriate but must be initiated promptly under Required Action C.1 to begin verifying that these CRAs are still properly positioned relative to their group positions.

D.1 and D.2 With one demand position indicator per group inoperable, the CRA positions can be determined by the RPI System. Since normal full power operation does not require excessive movement of CRAs, verification by administrative means that the CRDS position indicators are OPERABLE and the most withdrawn CRA and the least withdrawn CRA are 6 steps apart within the allowed Completion Time of once every 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months is adequate E.1 If the Required Actions cannot be completed within the associated Completion Time, the unitplant must be brought to a MODE in which the requirement does not apply. To achieve this status, the unitplant must be brought to at least MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed Completion Time is based on reaching the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.1.7.1 REQUIREMENTS Verification that the Counter Position Indication agrees with the direct-reading RPI and demand position within 6 steps provides assurance that the RPI is operating correctly.

This surveillance is performed prior to reactor criticality after coupling of one or more CRA to the associated CRDM, as there is the potential for unnecessary unitplant transients if the SR were performed with the reactor at power.

NuScale B 3.1.7-5 Draft Revision 1.0

PHYSICS TESTS Exceptions B 3.1.8 BASES ACTIONS A.1 and A.2 If the SDM requirement is not met, boration must be initiated promptly.

A Completion Time of 15 minutes is adequate for an operator to correctly align and start the required systems and components. The operator should begin boration with the best source available for the plant conditions. Boration will be continued until SDM is within limit.

Suspension of PHYSICS TESTS exceptions requires restoration of each of the applicable LCOs to within specification.

B.1 When THERMAL POWER is > 5% RTP, the only acceptable action is to open the reactor trip breakers (RTBs) to prevent operation of the reactor beyond its design limits. Immediately opening the RTBs will shut down the reactor and prevent operation of the reactor outside of its design limits.

SURVEILLANCE SR 3.1.8.1 REQUIREMENTS Verification that the THERMAL POWER is 5% RTP will ensure that the unitplant is not operating in a condition that could invalidate the safety analyses.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.8.2 The SDM is verified by performing a reactivity balance calculation, considering the following reactivity effects:

a. RCS boron concentration;

b. Regulating group position;

c. RCS average temperature;

d. Fuel burnup based on gross thermal energy generation;

e. Xenon concentration;

f. Samarium concentration; and

g. Isothermal temperature coefficient (ITC).

NuScale B 3.1.8-5 Draft Revision 1.0

Boron Dilution Control B 3.1.9 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.9 Boron Dilution Control BASES BACKGROUND One of the principle functions of the Chemical Volume and Control System (CVCS) is to maintain the reactor coolant chemistry conditions by controlling the concentration of boron in the coolant for unitplant startups, normal dilution to compensate for fuel depletion, and shutdown boration. In the dilute mode of operation, unborated demineralized water may be supplied directly to the Reactor Coolant System (RCS).

Although the CVCS is not considered a safety related system, certain isolations of the system are considered safety related functions. The appropriate components have been classified and designed as safety related. A CVCS safety related function is the termination of inadvertent boron dilution.

There are two demineralized water isolation valves in series; one controlled by Division I of the MPS, and one controlled by Division II of the MPS. The boric acid storage tank contains the boric acid solution used to supply the CVCS to control the boron concentration of the reactor coolant system. The boron concentration of the boric acid storage tank is specified in the COLR so that it does not become an inadvertent source of uncontrolled dilution.

APPLICABLE One of the initial assumptions in the analysis of an inadvertent boron SAFETY dilution event (Ref. 1) is the assumption that the increase in core ANALYSES reactivity, created by the dilution event, can be detected by the NMS instrumentation. The NMS will provide neutron flux and flux rate signals to the MPS, and the MPS instrumentation will then determine if actuation of the CVCS demineralized water isolation valves is necessary to terminate the boron dilution event. Thus the demineralized water isolation valves are components which function to mitigate an AOO.

The demineralized water isolation valves isolate on actuation signals initiated by the low RCS flow, High Subcritical Multiplication or reactor trip system (RTS). The low RCS Flow actuation signal is designed to ensure boron dilution cannot be performed at low RCS flowrates where the loop time is too long to be able to detect the reactivity change in the core within sufficient time to mitigate the event. The High Subcritical Multiplication actuation signal is designed to detect and mitigate inadvertent subcritical boron dilution events in MODES 2 and 3.

NuScale B 3.1.9-1 Draft Revision 1.0

FH B 3.2.1 BASES APPLICABILITY The FH limits must be maintained in MODE 1 with THERMAL POWER 25% RTP to preclude core power distributions from exceeding the fuel design limits for CHFR. Applicability with THERMAL POWER < 25% RTP and in other modes is not required because there is either insufficient stored energy in the fuel or insufficient energy being transferred to the coolant to require a limit on the distribution of core power. Specifically, the design bases events that are sensitive to FH in other conditions and modes (with THERMAL POWER < 25% RTP and MODES 2 through 5) have significant margin to CHF, and therefore, there is no need to restrict FH in these modes.

ACTIONS A.1 With FH exceeding its limit, the unitplant must be placed in a mode or condition in which the LCO requirements are not applicable. This is done by reducing THERMAL POWER to 25% RTP within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months provides sufficient time for the unit to restore FH to within its limits. This restoration may, for example, involve realigning any misaligned rods or reducing power enough to bring FH within its power dependent limit. When the FH limit is exceeded, the MCHFR limit is not likely violated in steady state operation, because events that could significantly perturb the FH value (e.g., static control rod misalignment) are considered in the safety analyses. However, the MCHFR may be violated if a CHF limiting event occurs. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on the time required to possibly restore the FH value and exit the ConditionONDITION and if unsuccessful, to reduce THERMAL POWER to 25% RTP from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.2.1.1 REQUIREMENTS The value of FH is determined by using the fixed incore detector system to obtain a flux distribution map. A data reduction computer program then calculates the maximum value of FH from the measured flux distributions.

After each refueling, FH must be determined in MODE 1 prior to exceeding 25% RTP. This requirement ensures that FH limits are met at the beginning of each fuel cycle and in accordance with the misload event analysis. (Ref. 1)

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

NuScale B 3.2.1-3 Draft Revision 1.0

AO B 3.2.2 BASES APPLICABLE SAFETY ANALYSES (continued) important IE is the Uncontrolled Control Rod Assembly Withdrawal from Power. The most important accident is the Rod Ejection Accident.

The limits on the AO satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO Information about the unitsplants AO is provided to the operator from the incore instrumentation system (ICIS). (Ref. 2) Separate signals are taken from the four detectors on each of the 12 strings of in-core instrumentation. The AO is defined in Section 1.1.

The AO limits are provided in the COLR. Figure B 3.2.2-1 shows a typical AO limit.

APPLICABILITY The AO requirements are applicable in MODE 1 greater than or equal to 25% RTP when the combination of THERMAL POWER and core peaking factors are of primary importance in safety analysis.

The value of the AO does not affect the limiting accident consequences with THERMAL POWER < 25% RTP and for lower operating power MODES.

ACTIONS A.1 AO is a controllable and measurable parameter. With AO not within LCO limits, action must be taken to place the unitplant in a MODE or condition in which the LCO requirements are not applicable. Reducing THERMAL POWER to < 25% RTP places the core in a condition for which the value of the AO is not important in the applicable safety analyses.

The associated Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, considering the probability of an accident occurring during the time period that would require AO to be within the LCO limits, and the time for reaching < 25%

RTP from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.2.2.1 REQUIREMENTS This Surveillance verifies that the AO, as indicated by the ICIS, is within its specified limits.

NuScale B 3.2.2-2 Draft Revision 1.0

ModuleMODULE Protection System Instrumentation B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 ModuleMODULE Protection System (MPS) Instrumentation BASES BACKGROUND The ModuleMODULE Protection System (MPS) initiates reactor trips and other safety systems to protect against violating specified acceptable fuel design limits, and inadvertent breaching of the reactor coolant pressure boundary (RCPB) during anticipated operational occurrences (AOOs). It also initiates other safety systems to ensure acceptable consequences during accidents.

The MPS is designed to ensure safe operation of the reactor and MODULE. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the MPS, as well as LCOs on other reactor system parameters and equipment performance.

The MPS is separate and independent for each unitMODULE.

Technical Specifications are required by 10 CFR 50.36 to include LSSS.

LSSS are defined by the regulation as "settings for automatic protective devices related to those variables having significant safety functions.

Where a LSSS is specified for a variable on which a safety limit has been placed, the setting must be chosen so that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded."

The Analytical Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protective action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protection channels must be chosen to be more conservative than the Analytical Limit to account for channel uncertainties related to the setting at which the automatic protective action would actually occur. The LSSS values are identified and maintained in the Setpoint Program (SP) controlled by 10 CFR 50.59.

The Limiting Trip Setpoint (LTSP) specified in the SP is a predetermined setting for a protective channel chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the LTSP accounts for uncertainties in setting the channel (e.g., calibration), uncertainties in how the channel might actually perform (e.g., repeatability), changes in the point of action of the channel over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the LTSP ensures that SLs are not exceeded. As such, the LTSP meets the definition of a LSSS (Ref. 1).

NuScale B 3.3.1-1 Draft Revision 1.0

ModuleMODULE Protection System Instrumentation B 3.3.1 BASES BACKGROUND (continued)

The trip and actuation setpoints used in the SFM core logic function are based on the analytical limits derived from accident analysis (Ref. 5). The calculation of the LTSP specified in the Setpoint Program (SP) is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those MPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 6), the LTSP specified in the SP is conservative with respect to the analytical limits. The nominal trip setpoint (NTSP) is the LTSP with margin added and is always equal to or more conservative than the LTSP. A detailed description of the methodology used to calculate the NTSPs is provided in the "NuScale Instrument Setpoint Methodology" (Ref. 7). The as-left tolerance and as-found tolerance band methodology is provided in the SP. The as-found OPERABILITY limit for the purpose of the CHANNEL CALIBRATION is defined as the as-left limit plus the acceptable drift about the NTSP.

The NTSPs listed in the SP are based on the methodology described in Reference 7, which incorporates all of the known uncertainties applicable for each channel. The magnitudes of these uncertainties are factored into the determination of each NTSP. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes. Transmitter and signal processing equipment calibration tolerances and drift allowances must be specified in plant calibration procedures, and must be consistent with the values used in the setpoint methodology.

The OPERABILITY of each transmitter or sensor can be evaluated when its as-found calibration data are compared against the as-left data and are shown to be within the setpoint methodology assumptions. The as-left and as-found tolerances listed in the SP define the OPERABILITY limits for a channel during a periodic CHANNEL CALIBRATION that requires trip setpoint verification.

NTSPs, in conjunction with the use of as-found and as-left tolerances, consistent with the requirements of the SP will ensure that SLs of Chapter 2.0, "SAFETY LIMITS (SLs)," are not violated during AOOs, and the consequences of DBAs will be acceptable, providing the unitMODULE is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed.

The MPS incorporates continuous system self-checking features wherever practical. Self-checking features include on-line diagnostics for the MPS hardware and communications tests. These self-checking tests do not interfere with normal system operation.

NuScale B 3.3.1-6 Draft Revision 1.0

ModuleMODULE Protection System Instrumentation B 3.3.1 BASES BACKGROUND (continued)

In addition to the self-checking features, the system includes functional testing features. Functional testing of the entire MPS, from SFM input through the opening of individual RTBs and actuation of ESFAS components, can be performed either at power or shutdown. The manual actuation switches in the MCR cannot be tested at power because they would cause a reactor trip or ESF actuation. FSAR, Chapter 7 (Ref. 4),

provides more detail on MPS testing.

The output of the three SFM core logic function signal paths are each routed to one of three independent safety data buses. Each of the safety data buses carry the trip determination data to one of three respective scheduling and bypass modules (SBMs). The SBM transmits the data to both divisions of the RTS and the ESFAS scheduling and voting modules (SVMs). Redundant data from all four separation groups are received by each divisions set of RTS and ESFAS SVMs. The failure of one or more components in one of the three safety data paths in any separation group has no impact on the safety function (i.e., SBM and SVM).

A trip is determined by two-out-of-four logic. If two or more of the four redundant channels call for trip, then a trip will be generated. If a channel is taken to maintenance bypass, two of the remaining three channels (two-out-of-three) are required to generate a trip. By placing one channel in maintenance trip, only one of the remaining three channels (one-out-of-three) is required to generate a trip.

Two-out-of-three and two-out-of-four logic prevents inadvertent trips caused by any single channel failure in a trip condition.

In addition to the channel maintenance bypasses, there are also operating bypasses on select trips or actuations. These bypasses are enabled automatically or manually, depending on the function, in both divisions when unitMODULE conditions do not warrant the specific trip or actuation protection. All operating bypasses are automatically removed when the permissive or interlock conditions are no longer satisfied.

Operating bypasses are implemented in the SVM.

Logic for Trip or Actuation Initiation The MPS logic, addressed in LCO 3.3.2 and LCO 3.3.3, is implemented in two divisions each of RTS and ESFAS. It employs a scheme that provides a reactor trip or ESFAS actuation when an SFM in any two of the four separation group channels sense and signal the same input parameter trip. The three SVMs in the RTS and the three SVMs in the NuScale B 3.3.1-7 Draft Revision 1.0

ModuleMODULE Protection System Instrumentation B 3.3.1 BASES APPLICABLE Design Basis Definition SAFETY ANALYSES, LCO, The MPS is designed to ensure that the following operational criteria are and APPLICABILITY met:

The associated actuation will occur when the parameter monitored by each channel reaches its setpoint and the specific coincidence logic is satisfied; and

Separation and redundancy are maintained to permit a channel to be out of service for testing or maintenance while still maintaining redundancy within the MPS instrumentation architecture.

All design basis events can be mitigated by one or more MPS Functions.

The accident analysis takes credit for most of the MPS trip Functions.

Setpoints are specified in the [Technical Requirements Manual].

Each MPS setpoint is chosen to be consistent with the function of the respective trip. The basis for each setpoint falls into one of three general categories:

To ensure that the SLs are not exceeded during AOOs;

To actuate the RTS and ESFAS during accidents; and

To prevent material damage to major MODULE components (equipment protection).

The MPS maintains the SLs during AOOs and mitigates the consequences of DBAs in all MODES in which the RTBs are closed.

The ModuleMODULE Protection System instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

Permissive and interlock setpoints automatically provide, or allow manual or automatic blocking of trips during unitMODULE evolutions. They are not explicitly modeled in the Safety Analyses. These permissives and interlocks ensure that the initial conditions are consistent with the safety analysis, before preventive or mitigating actions occur. Because these permissives or interlocks are only one of multiple conservative initial conditions for the accident analysis, they are generally considered as nominal values without regard to measurement accuracy.

Operational bypasses are addressed in the footnotes to Table 3.3.1-1.

They are not otherwise addressed as specific Table entries.

NuScale B 3.3.1-10 Draft Revision 1.0

ModuleMODULE Protection System Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The automatic bypass removal features must function as a backup to manual actions for all safety related trips to ensure the trip Functions are not operationally bypassed when the safety analysis assumes the Functions are OPERABLE.

RTS and ESFAS Operational Bypass Interlocks and Permissives Reactor protection permissives and interlocks are provided to ensure reactor trips and ESF actuations are in the correct configuration for the current unitMODULE status (Ref. 4). This is to ensure that the protection system functions are not bypassed during unitMODULE conditions under which the safety analysis assumes the functions are OPERABLE.

Therefore, the permissive and interlock functions do not need to be OPERABLE when the associated reactor trip and ESF functions are outside the applicable MODES. Proper operation of these permissive and interlocks supports OPERABILITY of the associated reactor trip and ESF functions and/or the requirement for actuation logic OPERABILITY. The permissives and interlocks must be in the required state, as appropriate, to support OPERABILITY of the associated functions. The permissives and interlocks are:

Intermediate Range Log Power Permissive, N-1 The Intermediate Range Log Power, N-1 permissive is established when the Intermediate Range Log Power channel increases to approximately one decade above the channel lower range limit. The N-1 permissive performs the following:

1. On increasing power, the N-1 permissive allows the manual block of the following:

High Source Range Count Rate Reactor Trip and Demineralized Water System Isolation actuation; and

High Source Range Log Power Rate Reactor Trip and Demineralized Water System Isolation actuation.

This prevents the premature block of the High Source Range Count Rate and High Source Range Log Power Rate trips and allows the operator to ensure that the Intermediate Range channel is OPERABLE as power increases prior to leaving the source range.

2. On increasing power, the N-1 interlock automatically establishes an operating bypass for High Source Range Subcritical Multiplication Demineralized Water System Isolation actuation.

NuScale B 3.3.1-11 Draft Revision 1.0

ModuleMODULE Protection System Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Reactor Trip System and ESFAS Functions The specific safety analyses applicable to each protective function are identified below:

1. Excore Nuclear Power Neutron flux provides indication of reactor power and is measured at detectors located outside the containment vessel at the height of the core region. Wide range detectors are used at all power levels with continuous indication from subcritical conditions and startup to operating power levels. The neutron monitoring system provides indication from approximately 10E-6 to 125% RTP.

Neutron flux signals that exceed their setpoints or the rate of change limits cause the reactor trip breakers to open and the demineralized water supply valves to be isolated. Four channels of neutron flux are required to be OPERABLE when the unitMODULE is in a condition capable of withdrawing any CRA.

a. High Power Range Linear Power - Reactor Trip and Demineralized Water System Isolation The High Power Range Linear Power trip compares the measured power range neutron flux to setpoints to initiate actuations if reactor power level exceeds the expected levels. The trip provides protection against core damage and protects the reactor coolant pressure boundary (RCPB) during the following events:

Decrease in feedwater temperature;

Increase in feedwater flow;

Increase in steam flow;

Inadvertent opening of the turbine bypass system;

Control rod misoperation;

Inadvertent decrease in boron concentration in the RCS;

Spectrum of rod ejection accidents;

Uncontrolled control rod assembly (CRA) withdrawal at power; and NuScale B 3.3.1-17 Draft Revision 1.0

ModuleMODULE Protection System Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Steam system piping failures inside and outside of containment.

Four channels of High Power Range Linear Power are required to be OPERABLE in MODE 1 and in MODES 2 and 3 with the RTBs closed and the CRDMs capable of withdrawing any CRA. In MODES 2 and 3, with no capability of withdrawing any CRA, the reactor will remain subcritical. In MODES 4 and 5 the reactor is subcritical with the CRDMs and CVCS incapable of affecting the reactivity in the unitMODULE. Four channels are provided to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

The High Power Range Linear Power trip logic functions include a permissive, N-2L, that allows the operator to manually bypass the lower Power Range Neutron Flux High trip before exceeding predefined setpoints at 15% of RTP. The Power Range High Linear Power trip setpoint is automatically reset to the lower setpoint when power is reduced approximately 10% below the lower setpoint. Actual setpoints are established in accordance with the Setpoint Program.

b. High Power Range Positive and Negative Rate - Reactor Trip and Demineralized Water System Isolation The Power Range Rate is measured using the power range neutron monitors that measure neutron flux for the High Linear Power trip. The Power Range Rate function measures the rate-of-change in neutron flux received at the detectors. The SFM logic unit performs calculations to determine the rate of change and compares the result to a setpoint. The trip provides protection against core damage and protects the reactor coolant pressure boundary (RCPB) during the following events:

Inadvertent decrease in boron concentration in the RCS; and

Control Rod Misoperation.

These trips provide protection from the effects of transients that occur at power levels greater than or equal to 15% RTP. The High Positive and Negative Power Range Rate trips are automatically bypassed less than < N-2H and automatically enabled greater than > N-2H. Actual setpoints are established in accordance with the Setpoint Program.

NuScale B 3.3.1-18 Draft Revision 1.0

ModuleMODULE Protection System Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Four channels of Power Range Rate are required to be OPERABLE in MODE 1 with reactor power greater than or equal to 15% RTP to limit the rate of change of the reactor power as measured by the excore neutron detectors. In MODE 1 with reactor power less than < 15% RTP, and MODES 2 and 3, the High Source and Intermediate Range Log Power Rate trips provide protection from transients that result in high rates of change in reactor power. In MODES 4 and 5 the reactor is subcritical with the CRDMs and CVCS incapable of affecting the reactivity in the unitMODULE. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

c. High Intermediate Range Log Power Rate - Reactor Trip and Demineralized Water System Isolation The Neutron Monitoring System (NMS) provides an intermediate range doubling time signal which is used by the SFM to determine the rate of change and compares the result to a setpoint. The High Intermediate Range Log Power Rate trip provides protection against core damage and protects the reactor coolant pressure boundary (RCPB) during an inadvertent decrease in boron concentration in the RCS that is postulated to occur at low power.

The High Intermediate Range Log Power Rate trip is only necessary for events that are postulated to occur from a subcritical condition or during the approach to critical operations and at low-power levels. It is not required to be OPERABLE at power levels greater than or equal to 15% RTP. The High Intermediate Range Log Power Rate trip is automatically bypassed when greater than or equal to 15% RTP and automatically enabled less than < N-2L.

Four channels of High Intermediate Range Log Power Rate are required to be OPERABLE in MODE 1 with reactor power < 15%

and in MODES 2 and 3 when capable of CRA withdrawal because the events that it is design to protect against occur at low power levels. This will limit the rate of change of the reactor power as measured by the excore neutron detectors. At power levels 15%

RTP the High Power Rate trip provides protection from events that result in high rates of change in reactor power. In MODES 2 and 3, with no capability of withdrawing any CRA, the reactor will remain subcritical. In MODES 4 and 5 the reactor is subcritical with the CRDMs and CVCS incapable of affecting the reactivity in the unitMODULE.

NuScale B 3.3.1-19 Draft Revision 1.0

ModuleMODULE Protection System Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

d. High Source Range Count Rate -- Reactor Trip and Demineralized Water System Isolation The NMS provides a source range log power signal which is used by the SFM to determine a source range count rate and compares the result to a setpoint. The High Source Range Count Rate trip provides protection against core damage and protects the reactor coolant pressure boundary (RCPB) during the following events:

Inadvertent decrease in boron concentration in the RCS; and

Uncontrolled CRA withdrawal from a subcritical or low power.

Four channels of High Source Range Count Rate are required to be OPERABLE in MODE 1 with power less than approximately one decade above the Intermediate Range channel lower limit and in MODES 2 and 3 when capable of CRA withdrawal. In MODE 1 with power approximately one decade above the Intermediate Range channel lower limit, the Intermediate Range Log Power Rate trips and the Power Range High Linear Power trip provide protection from transients that result in high rates of change in reactor power. In MODES 2 and 3, with no capability of withdrawing any CRA, the reactor will remain subcritical. In MODES 4 and 5 the reactor is subcritical with the CRDMs and CVCS incapable of affecting the reactivity in the unitMODULE.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

The High Source Range Count Rate trip can be manually bypassed when the intermediate range flux increases to approximately one decade above the channel lower limit (Above N-1) and is automatically enabled when the intermediate range flux decreases below N-1.

NuScale B 3.3.1-20 Draft Revision 1.0

ModuleMODULE Protection System Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

e. High Source Range Log Power Rate -- Reactor Trip and Demineralized Water System Isolation The NMS provides a source range doubling time signal which is used by the SFM to determine a source range log power rate and compares the result to a setpoint. The High Source Range Log Power Rate trip provides protection against core damage and protects the reactor coolant pressure boundary (RCPB) during the following events:

Inadvertent decrease in boron concentration in the RCS; and

Uncontrolled CRA withdrawal from a subcritical or low power.

Four channels of Source Range Log Power Rate are required to be OPERABLE in MODE 1 with power less than approximately one decade above the Intermediate Range channel lower limit and in MODES 2 and 3 when capable of CRA withdrawal. In MODE 1 with power approximately one decade above the Intermediate Range channel lower limit, the Intermediate Range Log Power Rate trips and the Power Range High Linear Power trip provide protection from transients that result in high rates of change in reactor power. In MODES 2 and 3, with no capability of withdrawing any CRA, the reactor will remain subcritical. In MODES 4 and 5 the reactor is subcritical with the CRDMs and CVCS incapable of affecting the reactivity in the unitMODULE.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

The High Source Range Log Power Rate trip can be manually bypassed above N-1 and is automatically enabled when the intermediate range flux decreases below N-1.

f. High Subcritical Multiplication - Demineralized Water System Isolation The NMS provides a source range log power signal which is used by the SFM to determine a subcritical multiplication rate and compares the result to a setpoint. The High Subcritical Multiplication trip provides protection against core damage and protects the reactor coolant pressure boundary (RCPB) during the following events:

Inadvertent decrease in boron concentration in the RCS; and NuScale B 3.3.1-21 Draft Revision 1.0

ModuleMODULE Protection System Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Uncontrolled CRA withdrawal from a subcritical or low power.

Four channels of Subcritical Multiplication are required to be OPERABLE in MODE 1 with power less than approximately one decade above the Intermediate Range channel lower limit and in MODES 2 and 3 when capable of CRA withdrawal. In MODE 1 with power approximately one decade above the Intermediate Range channel lower limit, the Intermediate Range Log Power Rate trips and the Power Range High Linear Power trip provide protection from transients that result in high rates of change in reactor power. In MODES 2 and 3, with no capability of withdrawing any CRA, the reactor will remain subcritical. In MODES 4 and 5 the reactor is subcritical with the CRDMs and CVCS incapable of affecting the reactivity in the unitMODULE.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single failure will disable this trip Function.

The High Subcritical Multiplication trip is automatically bypassed above N-1 and is automatically enabled when the intermediate range flux decreases below N-1.

2. Pressurizer Pressure Pressurizer pressure is measured to determine the RCS pressure, as represented by the steam space near the top of the reactor vessel.

The MPS is supplied signals from four sensors (one for each separation group) that measure pressure from about 1500 to 2200 psia.

a. High Pressurizer Pressure - Reactor Trip, Decay Heat Removal System Actuation, Pressurizer Heater Trip and Demineralized Water System Isolation The High Pressurizer Pressure trip is designed to protect against exceeding RPV pressure limits for reactivity and heatup events.

The trip provides protection for the following events:

Loss of external load;

Turbine trip;

Loss of condenser vacuum;

Closure of a main steam isolation valve (MSIV);

NuScale B 3.3.1-22 Draft Revision 1.0

ModuleMODULE Protection System Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Loss of nonemergency AC power to station auxiliaries;

Loss of normal feedwater flow;

Pressurizer heater malfunction;

Inadvertent operation of DHRS;

Uncontrolled CRA withdrawal at power;

System malfunctions that increases reactor coolant inventory; and

Feedwater system pipe breaks inside and outside the containment vessel.

Four High Pressurizer Pressure Reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3, with no capability of withdrawing any CRA, the reactor will remain subcritical. In MODES 4 and 5 the reactor is subcritical with the CRDMs and CVCS incapable of affecting the reactivity in the unitMODULE.

Four High Pressurizer Pressure DHRS channels are required to be OPERABLE when operating in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. When PASSIVE COOLING is established sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical and passively cooled.

Four Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 with the pressurizer heater trip breakers closed. In MODES 2 and 3 with the pressurizer heater trip breakers open and in MODES 4 and 5 this function is fulfilled. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

The High Pressurizer Pressure DHRS and Pressurizer Heater Trip determination logic is automatically bypassed when containment water level is greater than > L-1 and automatically enabled when containment water level is less than < L-1.

NuScale B 3.3.1-23 Draft Revision 1.0

ModuleMODULE Protection System Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Four Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 with the pressurizer heater trip breakers closed. In MODES 2 and 3 with the pressurizer heater trip breakers open and in MODES 4 and 5 this function is fulfilled.

The High Main Steam Pressure DHRS and Pressurizer Heater Trip channels are automatically bypassed when containment water level is greater than > L-1 and the RTBs are open. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

b. Low Main Steam Pressure - Reactor Trip, Demineralized Water System Isolation, Decay Heat Removal System Actuation, and Pressurizer Heater Trip The Low Main Steam Pressure trip provides protection for:

Increase in steam flow;

Inadvertent opening of the turbine bypass system;

Loss of feedwater flow;

Steam system piping failures inside and outside the containment vessel; and

Feedwater system pipe breaks inside and outside the containment vessel.

The Low Main Steam Pressure trip causes the reactor trip breakers to open and the DHRS, DWSI, and Pressurizer Heater Trip to actuate.

Four Low Main Steam Pressure reactor trip, DWSI, DHRS, and Pressurizer Heater Trip channels measuring pressure on each steam line are required to be OPERABLE when operating in MODES 1 with power range linear power above N-2H. In MODE 1 below N-2H and in MODE 2 the unitMODULE is protected by the Low Low Main Steam Pressure function. In MODES 3, 4, and 5 the reactor is subcritical.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

NuScale B 3.3.1-31 Draft Revision 1.0

ModuleMODULE Protection System Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Wide range RCS cold temperature cold is measured to determine a representative minimum temperature in the RCS as measured at four locations in the lower downcomer region of the reactor vessel. The MPS is supplied signals from four sensors (one for each separation group) that measure temperature from about 40 to 700°F.

a. High RCS Pressure - Low Temperature Overpressure Protection (LTOP)

The High RCS Pressure - Low Temperature trip provides protection for low temperature overpressure events.

The High RCS Pressure - Low Temperature trip signal causes the reactor vessel vent valves to open.

Four High RCS Pressure - Low Temperature trip channels are required to be OPERABLE when operating in MODE 3 with less than two RVVs open and wide range RCS cold temperature cold less than the LTOP enable temperature, T-1, that is specified in the PTLR. In MODES 1 and 2 the reactor vessel is at a higher temperature and overpressure protection is provided by the safety valves and the DHRS. In MODE 3 with two RVVs open, and MODES 4 and 5 the reactor vessel is protected from overpressure by the openings that exist between the reactor vessel and the containment or the conduction of heat between the reactor vessel and the refueling pool. The LTOP function is automatically bypassed when wide range RCS cold temperature cold is greater than > T-1 and automatically enabled when wide range RCS cold temperature cold is less than < T-1.

11. Low AC Voltage to ELVS Battery Chargers The Low AC Voltage function ensures the EDSS batteries supply power for their full mission time; 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for A and D power channels, and 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months for B and C power channels. Power channels B and C provide power to the accident monitoring equipment. It also keeps ECCS from actuating for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to allow operators time to restore AC power. An ECCS actuation will occur if required by unitMODULE conditions. The 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after the loss of normal AC is called ECCS Hold.

NuScale B 3.3.1-37 Draft Revision 1.0

ModuleMODULE Protection System Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Four High Under-the-Bioshield Temperature Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODE 2 with the pressurizer heater trip breakers closed. In MODES 2 with the pressurizer heater trip breakers open and in MODES 3, 4 and 5 this function is fulfilled.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

ACTIONS The most common causes of channel inoperability are outright failure of a sensor or MPS SFM module sufficient to exceed the tolerance allowed by the unit-specificMODULE specific setpoint analysis. Typically, sensor drift is found to be small and results in a delay of actuation rather than a total loss of function. This determination is generally made during the performance of a CHANNEL CALIBRATION when the process sensor is verified to be within specification. If any as-found measured value is outside the as found tolerance band, then the channel is inoperable, and corrective action is required. The unitMODULE must enter the Condition for the particular MPS Functions affected. The channel as-found condition will be entered into the Corrective Action Program for further evaluation and to determine the required maintenance to return the channel to OPERABLE.

When the number of inoperable channels in a trip Function exceeds that specified in any related Condition associated with the same trip Function, then the unitMODULE is outside the safety analysis. Therefore, LCO 3.0.3 is immediately entered if applicable in the current MODE of operation.

A Note has been added to the ACTIONS. The Note has been added to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each Function. The Completion Times of each inoperable Function will be tracked separately for each Function, starting from the time the Condition was entered for that Function.

A.1 Condition A applies to the failure of a single channel or associated instrument channel inoperable in any MPS automatic trip Function.

If one MPS channel is inoperable, operation is allowed to continue, providing the inoperable channel is placed in bypass or trip in 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

The 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allotted to bypass or trip the channel is sufficient to allow the NuScale B 3.3.1-40 Draft Revision 1.0

ModuleMODULE Protection System Instrumentation B 3.3.1 BASES ACTIONS (continued) operator to take all appropriate actions for the failed channel and still ensures that the risk involved in operating with the failed channel is acceptable. The failed channel must be restored to OPERABLE status prior to entering the applicable MODE or specified condition if the unitMODULE is in a MODE not requiring that channel to be OPERABLE.

With a channel in bypass, the coincidence logic is now effectively two-out-of-three for the remaining operable channels.

B.1 and B.2 Condition B applies to the failure of two channels in any MPS automatic trip Function.

Required Actions B.1 and B.2 provide for placing one inoperable channel in bypass and the other channel in trip within the Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . This Completion Time is sufficient to allow the operator to take all appropriate actions for the failed channels while ensuring the risk involved in operating with the failed channels is acceptable. With one channel of protective instrumentation bypassed, the MPS is in a two-out-of-three logic; but with another channel failed, the MPS may be operating in a two-out-of-two logic. This is outside the assumptions made in the analyses and should be corrected. To correct the problem, one channel is placed in trip. This places the MPS in a one-out-of-two logic. If any of the other OPERABLE channels receives a trip signal, the MPS Function will trip.

One of the two inoperable channels will need to be restored to OPERABLE status prior to the next required CHANNEL CALIBRATION.

The channel can be tested in trip also.

C.1 Condition C is entered when the Required Action and associated Completion Time of Condition A or B is not met, or one or more functions have three or more channels inoperable.

The Required Action is to refer to Table 3.3.1-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.

D.1 Condition D is entered when Condition C applies to Functions that result in a reactor trip or DHRS actuation, as listed in Table 3.3.1-1.

NuScale B 3.3.1-41 Draft Revision 1.0

ModuleMODULE Protection System Instrumentation B 3.3.1 BASES ACTIONS (continued)

If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unitMODULE must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by opening the reactor trip breakers. The allowed Completion Time for D.1 of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner without challenging plant systems.

E.1 Condition E is entered when Condition C applies to Functions that result in a reactor trip signal when reactor THERMAL POWER is 15% of RTP, as listed in Table 3.3.1-1.

If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unitMODULE must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by reducing THERMAL POWER to < 15% RTP. The allowed Completion Time for E.1 of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, for reaching the required condition from full power conditions in an orderly manner without challenging plant systems.

F.1 Condition F is entered when Condition C applies to Functions that result in isolation of the CVCS system as listed in Table 3.3.1-1.

If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unitMODULE must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by isolating the CVCS flowpath to the RCS. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, for aligning the system in an orderly manner without challenging plant systems.

Required Action F.1 is modified by a Note that allows isolated penetration flow paths to be unisolated intermittently under administrative controls.

These administrative controls consist of stationing a dedicated operator at the device controls, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for isolation is indicated. This allowance permits the isolation signal to be reset when appropriate conditions exist to do so.

NuScale B 3.3.1-42 Draft Revision 1.0

ModuleMODULE Protection System Instrumentation B 3.3.1 BASES ACTIONS (continued)

G.1 Condition G is entered when Condition C applies to Functions that result in automatic removal of electrical power from the pressurizer heaters as listed in Table 3.3.1-1.

If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unitMODULE must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by opening the power supply breakers to the pressurizer heaters. The allowed Completion Time for G.1 of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, for reaching the required conditions from full power conditions in an orderly manner without challenging plant systems.

H.1 Condition H is entered when Condition C applies to Functions that result in automatic isolation of the demineralized water system as listed in Table 3.3.1-1.

If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unitMODULE must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by isolating the demineralized water flowpath to the RCS. The allowed Completion Time for H.1 of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is reasonable, based on operating experience, for reaching the required condition from full power conditions in an orderly manner without challenging plant systems.

I.1 Condition I is entered when Condition C applies to Functions that result in a DHRS or ECCS actuation, as listed in Table 3.3.1-1.

If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unitMODULE must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by Required Actions I.1 and I.2.

I.1 places the unitMODULE in MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . This action limits the time the unitMODULE may continue to operate with limited or inoperable automatic actuation logic.

NuScale B 3.3.1-43 Draft Revision 1.0

ModuleMODULE Protection System Instrumentation B 3.3.1 BASES ACTIONS (continued)

I.2 requires the unitMODULE to be in MODE 3 and PASSIVELY COOLED within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months of entering the ConditionCONDITION. These conditions assure adequate passive decay heat transfer to the UHS and result in the unitMODULE being in a condition for which the LCO no longer applies.

Completion Times are established considering the likelihood of a LOCA event that would require ECCS or DHRS actuation. They also provide adequate time to permit evaluation of conditions and restoration of actuation logic OPERABILITY without unnecessarily challenging plant systems during a shutdown.

J.1 Condition J is entered when Condition C applies to Functions that result in actuation of the low temperature overpressure protection system as listed in Table 3.3.1-1.

If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unitMODULE must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by opening at least two RVVs.

The allowed Completion Time for J.1 of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner without challenging plant systems.

K.1 Condition K is entered when Condition C applies to Functions that result in actuation of the DHRS on Low Low Main Steam Pressure as listed in Table 3.3.1-1.

If the Required Actions associated with this ConditionCONDITION cannot be completed within the required Completion Time, the unitMODULE must be brought to a MODE in which the LCO does not apply. This is accomplished by Required Actions K.1 and K.2. K.1 places the unitMODULE in MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . This action limits the time the unitMODULE may continue to operate with limited or inoperable DHRS automatic actuation logic. K.2 places the unitMODULE in MODE 3 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable to reach the required unitMODULE conditions from full power conditions in an orderly manner and without challenging unitMODULE systems.

NuScale B 3.3.1-44 Draft Revision 1.0

ModuleMODULE Protection System Instrumentation B 3.3.1 BASES ACTIONS (continued)

L.1 Condition L is entered when Condition C applies to Functions that result in actuation of the Containment Isolation system as listed in Table 3.3.1-1.

If the Required Actions associated with this ConditionCONDITION cannot be completed within the required Completion Time, the unitMODULE must be brought to a MODE in which the LCO does not apply. This is accomplished by Required Actions L.1 and L.2. L.1 places the unitMODULE in MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . This action limits the time the unitMODULE may continue to operate with limited or inoperable CIS automatic actuation logic.

L.2 places the unitMODULE in MODE 3 with RCS hot temperature hot <

200°F within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months of entering the condition. This condition assures the unitMODULE will maintain the RCS depressurized and the unitMODULE being in a condition for which the LCO no longer applies.

Completion Times are established considering the likelihood of a design basis event that would require CIS actuation during the period of inoperability. They also provide adequate time to permit evaluation of conditions and restoration of logic OPERABILITY without unnecessarily challenging plant systems during a shutdown. Analysis shows that 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months from entry into this condition is a reasonable time to reach MODE 3 with RCS wide range hot temperature hot < 200°F using normal plant systems and procedures.

M.1 ConditionCONDITION M is entered when ConditionCONDITION C applies to Functions that result in a reactor trip, CIS actuation, DHR actuation, DWSI, and Pressurizer Heater Trip due to the Low ELVS Voltage or High Under-the-Bioshield Temperature as listed in Table 3.3.1-1.

If the Required Actions associated with this ConditionCONDITION cannot be completed within the required Completion Time, the unitMODULE must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by Required Actions M.1, M.2, M.3, M.4, and M.5.

M.1 places the unitMODULE in MODE 2 within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . This action limits the time the unitMODULE may continue to operate with limited or inoperable automatic actuation logic. M.2 requires the unitMODULE to be in MODE 3 and PASSIVELY COOLED within 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months of entering the ConditionCONDITION. These conditions assure adequate passive decay heat transfer to the UHS and result in the unitMODULE being in a condition for which the DHRS OPERABILITY is no longer required.

NuScale B 3.3.1-45 Draft Revision 1.0

ModuleMODULE Protection System Instrumentation B 3.3.1 BASES ACTIONS (continued)

M.3 places the unitMODULE in MODE 3 with RCS hot temperature hot <

200°F within 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months of entering the condition. This condition assures the unitMODULE will maintain the RCS depressurized and the unitMODULE being in a condition for which the LCO no longer applies.

M.4 isolates the demineralized water flowpath to the RCS within 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months .

This completes the function of the DWSI.

M.5 opens the power supply breakers to the pressurizer heaters within 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months .

Completion Times are established considering the likelihood of a design basis event that would require automatic actuation during the period of inoperability. They also provide adequate time to permit evaluation of conditions and restoration of logic OPERABILITY without unnecessarily challenging plant systems during a shutdown.

SURVEILLANCE SR 3.3.1.1 REQUIREMENTS Performance of the CHANNEL CHECK ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is verification through the absence of alarms from the automatic analog and binary process signal monitoring features used to monitor channel behavior during operation. Deviation beyond the established acceptance criteria is alarmed to allow appropriate action to be taken.

This determination includes, where possible, comparison of channel indication and status to other indications or status derived from the independent channels measuring the same parameter. This determination is made using computer software or may be performed manually.

It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between CHANNEL CALIBRATIONS.

NuScale B 3.3.1-46 Draft Revision 1.0

ModuleMODULE Protection System Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment is operating outside its limits.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.2 A periodic calibration (heat balance) is performed when THERMAL POWER is 15%. The Linear Power Level signal and the nuclear instrumentation system addressable constant multipliers are adjusted to make the nuclear power calculations agree with the calorimetric calculation if the absolute difference is 1%. The value of 1% is adequate because this value is assumed in the safety analysis. These checks (and, if necessary, the adjustment of the nuclear power signal) are adequate to ensure that the accuracy is maintained within the analyzed error margins.

The power level must be > 15% RTP to obtain accurate data. At lower power levels, the accuracy of calorimetric data is questionable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The Surveillance is modified by three Notes. The first Note indicates that the neutron monitoring system nuclear instrument channel must must be calibrated when the absolute difference is > 1% when compared to the calorimetric heat balance. The second Note indicates that this Surveillance need only be performed within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after reaching 15%

RTP. The 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after reaching 15% RTP is required for unitplant stabilization, data taking, and flow verification. The secondary calorimetric is inaccurate at lower power levels. A third Note is provided that permits operation at < 15% RTP without adjusting the instrument channel as long as the indicated nuclear instrument power is conservatively higher than the calorimetric heat balance results. This third Note is an exception to the first Note and only applies when < 15 RTP.

SR 3.3.1.3 This SR 3.3.1.3 verifies that the individual channel actuation response times are less than or equal to the maximum values assumed in the accident analysis. Response time testing criteria are included in FSAR Chapter 7.

NuScale B 3.3.1-47 Draft Revision 1.0

ModuleMODULE Protection System Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

Response time may be verified by any series of sequential, overlapping or total channel measurements, including allocated sensor response time, such that the response time is verified. Allocations for sensor response times may be obtained from records of test results, vendor test data, or vendor engineering specifications. The response time testing of the RTS and ESFAS divisions are tested in accordance with LCO 3.3.2 and 3.3.3.

SR 3.3.1.3 is modified by a Note indicating that neutron detectors are excluded from response time testing. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.4 This SR is modified by a Note that indicates that neutron detectors are excluded from CHANNEL CALIBRATION.

The Surveillance verifies that the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. The test is performed in accordance with the SP. If all as-found measured values during calibration and surveillance testing are inside the as-left tolerance band, then the channel is fully operable, no additional actions are required.

If all as-found measured values during calibration testing and surveillance testing are within the as-found tolerance band but outside the as-left tolerance band, then the instrumentation channel is fully operable, however, calibration is required to restore the channel within the as-left tolerance band.

If any as-found measured value is outside the as-found tolerance band, then the channel is inoperable, and corrective action is required. The unitMODULE must enter the Condition for the particular MPS Functions affected. The channel as-found condition will be entered into the Corrective Action Program for further evaluation and to determine the required maintenance to return the channel to OPERABLE.

NuScale B 3.3.1-48 Draft Revision 1.0

ESFAS Logic and Actuation B 3.3.3 B 3.3 INSTRUMENTATION B 3.3.3 Engineered Safety Features Actuation System (ESFAS) Logic and Actuation BASES BACKGROUND The ESFAS portion of the ModuleMODULE Protection System (MPS) protects against violating the core fuel design limits, ensures reactor coolant pressure boundary integrity during anticipated operational occurrences (AOOs) and postulated accidents, and ensures acceptable consequences during accidents by initiating necessary safety systems.

Details of the design and operation of the entire MPS are provided in the Bases for LCO 3.3.1, Module Protection System (MPS). Setpoints are specified in the [Technical Requirements Manual]. As noted there, the MPS transmits trip determination data to both divisions of the ESFAS scheduling and voting modules (SVMs). Redundant data from all four separation groups is received by each division of the ESFAS SVMs.

LCO 3.3.3 addresses only the logic and actuation portions of the MPS that perform the ESFAS functions. The scope of this LCO begins at the inputs to the scheduling and voting modules (SVMs) and extends through the actuating contacts on the actuated components. This LCO also includes the pressurizer heater trip breakers. Component OPERABILITY and surveillance requirements are provided in the system LCOs and by programmatic requirements identified in Chapter 5, Administrative Controls.

LCO 3.3.1, Module Protection System (MPS), and LCO 3.3.2, "Reactor Trip System (RTS) Logic and Actuation," provide requirements on the other portions of the MPS that automatically initiate the Functions described in Table 3.3.1-1.

The ESFAS logic and actuation consists of:

1. Emergency Core Cooling System (ECCS) actuation;

2. Decay Heat Removal System (DHRS) actuation;

3. Containment Isolation System (CIS) actuation;

4. Demineralized Water Supply Isolation (DWSI) actuation;

5. Chemical Volume and Control System Isolation (CVCSI) actuation;

6. Pressurizer Heater Trip (PHT); and

7. Low Temperature Overpressure Protection (LTOP) actuation.

NuScale B 3.3.3-1 Draft Revision 1.0

ESFAS Logic and Actuation B 3.3.3 BASES BACKGROUND (continued)

Logic for Actuation Initiation The MPS ESFAS logic is implemented in two divisions. The three SVMs, in each division, generate actuation signals when the safety function modules (SFMs) in any two of the four separation groups determine that an actuation is required. Both ESFAS divisions evaluate the input signals from the SFMs in each of three redundant SVMs. Each SVM compares the four inputs received from the SFMs, and generates an appropriate actuation signal if required by two or more of the four separation groups.

The output of the three redundant SVMs is communicated via three independent safety data buses to the associated equipment interface modules (EIMs). There are multiple EIMs associated with each division -

independent and redundant EIMs for each division of ESFAS.

The EIMs compare inputs from the three SVMs and initiate an actuation if two out of three signals agree on the need to actuate.

ESFAS Actuation Each ESFAS actuation consists of closing or opening components whose safety position is achieved by interruption of electrical power to breaker or valve controls.

Each division of ESFAS can control an independent component or in some cases either division can control one component. For example, there are two containment isolation valves in series, one controlled by Division I and the other controlled by Division II. There is only one safety-related MSIV, per steam line (two total), and either Division I or II actuation will close it.

Each ESFAS actuation can also be initiated by manual controls. The OPERABILITY of the manual controls and their function are addressed in LCO 3.3.4.

Most functional testing of the MPS from sensor input to the SFM and through the opening of individual contacts can be conducted at power, with the limited remaining scope tested at reduced power or when the unitplant is shutdown. FSAR, Chapter 7 (Ref. 1), describes MPS testing in more detail.

NuScale B 3.3.3-2 Draft Revision 1.0

ESFAS Logic and Actuation B 3.3.3 BASES APPLICABLE The Applicable Safety Analyses for the ESFAS are described in the SAFETY Bases of LCO 3.3.1, Module Protection System (MPS).

ANALYSES, LCO and APPLICABILITY The LCO requires the ESFAS Logic and Actuation to be OPERABLE in the MODES listed in Table 3.3.3-1. The MODES or other specified conditions when the ESFAS safety functions are required to be OPERABLE are described below.

1. ECCS Actuation The ECCS is designed to mitigate postulated LOCAs and is used to maintain shutdown after other events. Therefore it is required to be OPERABLE in MODES 1 and 2, and in MODE 3 when not PASSIVELY COOLED. In MODE 4 the RVVs and RRVs are open providing passive cooling, and in MODE 5 shutdown cooling heat transfer is provided either by direct conduction and convection from the reactor vessel or the reactor fuel to the reactor pool.

2. DHRS Actuation The DHRS is designed to provide passive core cooling for events that dont transition to ECCS cooling. Therefore it is required to be OPERABLE in MODES 1 and 2, and in MODE 3 when not PASSIVELY COOLED. In MODE 4 the RVVs and RRVs are open providing passive shutdown cooling, and in MODE 5 shutdown cooling heat transfer is provided either by direct contact of the reactor vessel or the reactor fuel to the reactor pool.

3. CIS Actuation The CIS is designed to protect and limit releases from postulated RCS or secondary leaks and to support DHRS and ECCS operation.

Therefore it is required to be OPERABLE in MODES 1 and 2, and in MODE 3 when the RCS temperature is 200°F.

4. DWSI Actuation The DWSI is designed to limit and mitigate postulated reactivity events due to inadvertent boron dilution by isolating the supply of demineralized water to the MODULE CVCS. Therefore it is required to be OPERABLE in MODES 1, 2, and 3. In MODES 4 and 5 the demineralized water supply is physically isolated from the moduleMODULE and therefore cannot affect the boron concentration and reactivity in the reactor.

NuScale B 3.3.3-3 Draft Revision 1.0

ESFAS Logic and Actuation B 3.3.3 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

5. CVCSI Actuation The CVCSI is designed to mitigate postulated events that result from overfilling the reactor coolant system. It also mitigates primary system high energy line breaks postulated to occur outside of the containment. The actuation is required to be OPERABLE in MODES 1, 2, and 3. In MODES 4 and 5 the CVCS is physically isolated from the moduleMODULE and therefore cannot affect the boron concentration and reactivity in the reactor nor can it overfill the RCS.

6. Pressurizer Heater Trip The PHT is designed to protect the pressurizer heaters from uncovering, overheating, and potentially compromising the RCS pressure boundary. The PHT is required to be OPERABLE when the pressurizer heaters are, or may be energized. The trip is required to be OPERABLE in MODE 1, and in MODES 2 and 3 if a PHT breaker is closed. In MODES 4 and 5 the power supply to the pressurizer heaters are physically isolated from the moduleMODULE and therefore cannot be energized.

7. LTOP Actuation The LTOP is designed to protect the reactor vessel integrity from postulated overpressure events that occur below the nil ductility transition (NDT) temperature below which the fracture toughness of the reactor vessel is reduced. Therefore the system must be OPERABLE in MODE 3 if the reactor coolant is below the NDT as specified in the PTLR and established as the LTOP enable temperature, the T-1 interlock. Alternatively, the function is satisfied if two RVVs are open. In MODES 1 and 2, the reactor vessel temperature is above the NDT temperature and the reactor safety valves provide overpressure protection. In MODE 4 the RVVs are de-energized and open which prevents pressurization of the reactor vessel. In MODE 5 the reactor coolant system is in open contact with the reactor pool and cannot be pressurized.

The ESFAS logic and actuation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

Operability requirements for manual ESFAS actuation are described in LCO 3.3.4.

NuScale B 3.3.3-4 Draft Revision 1.0

ESFAS Logic and Actuation B 3.3.3 BASES ACTIONS When the required ESFAS logic for the Actuation Functions listed in Table 3.3.3-1 are inoperable, the unitMODULE is outside the safety analysis, if applicable in the current MODE of operation. Required Actions must be initiated to limit the duration of operation or to place the unitMODULE in a MODE or other applicable condition in which the Condition no longer applies.

A Note has been added to the ACTIONS to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each Actuation Function. The Completion Time for the inoperable function will be tracked separately for each function, starting from the time the Condition was entered for that Actuation Function.

A.1 Condition A applies if one or more divisions of the LTOP Actuation Function are inoperable. The Required Action is to open two RVVs within one hour. This places the reactor in a condition in which the LCO no longer applies. The one hour completion time provides adequate time to either immediately restore the inoperable logic or take manual action to open the RVVs.

B.1 Condition B applies if one division of an ESFAS actuation logic function is inoperable. This Condition is not applicable to LTOP actuation logic.

The redundant signal paths and logic of the OPERABLE division provides robust capability to automatically actuate the required ESFAS function with a single division of logic OPERABLE.

If one division of ACTUATION FUNCTION logic cannot be restored to OPERABILITY within six hours, then the Conditions listed in Table 3.3.3-1 must be entered to limit the duration of operation with an inoperable division and to place the unitMODULE in a MODE or other applicable condition in which the LCO no longer applies. The six hour limit provides a reasonable time during which the actuation system may be restored to OPERABILITY.

NuScale B 3.3.3-5 Draft Revision 1.0

ESFAS Logic and Actuation B 3.3.3 BASES ACTIONS (continued)

C.1 and C.2 If Required Action B.1 directs entry into Condition C as specified in Table 3.3.3-1, or if both divisions of ECCS or DHRS are inoperable the unitplant is outside its design basis ability to automatically mitigate a postulated event.

With one division of logic inoperable the redundant signal paths and logic of the OPERABLE division provide robust capability to automatically actuate the ECCS or DHRS if required.

C.1 requires the unitMODULE to be in MODE 2 within 6. This action limits the time the unitMODULE may continue to operate with limited or inoperable automatic actuation logic.

C.2 requires the unitMODULE to be in MODE 3 and PASSIVELY COOLED within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months of entering the ConditionCONDITION. This condition assures adequate passive decay heat transfer to the UHS and result in the unitMODULE being in a condition for which the LCO no longer applies.

Completion Times are established considering the likelihood of a LOCA event that would require ECCS or DHRS actuation. They also provide adequate time to permit evaluation of conditions and restoration of actuation logic OPERABILITY without unnecessarily challenging plant systems during a shutdown.

D.1 and D.2 If Required Action B.1 directs entry into Condition D as specified in Table 3.3.3-1, or if both divisions of the containment isolation actuation function are inoperable then the unitMODULE is outside its design basis ability to automatically mitigate some design basis events.

With one division of logic inoperable, the redundant signal paths and logic of the OPERABLE division provide robust capability to automatically actuate the CIS if required.

D.1 requires the unitMODULE to be in MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months of entering the Condition. This action limits the time the unitMODULE may continue to operate with limited or inoperable CIS automatic actuation logic.

D.2 requires the unitMODULE to be placed in MODE 3 with RCS temperature < 200°F within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months of entering the Condition. This condition assures the unitMODULE will maintain the RCS depressurized, NuScale B 3.3.3-6 Draft Revision 1.0

ESFAS Logic and Actuation B 3.3.3 BASES ACTIONS (continued) and the unitMODULE being in a condition for which the LCO no longer applies.

Completion Times are established considering the limited likelihood of a design basis event that would require CIS actuation during the period of inoperability. They also provide adequate time to permit evaluation of conditions and restoration of logic OPERABILITY without unnecessarily challenging plant systems during a shutdown. Analysis shows that 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months from entry into this condition is a reasonable time to reach MODE 3 with RCS wide range Thot < 200°F using normal plant systems and procedures.

E.1 If Required Action B.1 directs entry into Condition E as specified in Table 3.3.3-1, or if both divisions of demineralized water supply isolation actuation are inoperable then the unitMODULE is outside its design basis ability to automatically mitigate some design basis events.

With one division of actuation logic inoperable, the redundant signal paths and logic of the OPERABLE division provide robust capability to automatically actuate the DWSI if required.

In this condition the demineralized water supply flow path(s) to the RCS must be isolated within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to preclude an inadvertent boron dilution event.

Isolation can be accomplished by manually isolating the demineralized water isolation valve(s). Alternatively, the dilution path may be isolated by closing appropriate isolation valve(s) in the flow path(s) from the demineralized water storage tank to the RCS.

The Required Action is modified by a Note allowing the flow path(s) to be unisolated intermittently under administrative controls. These administrative controls consist of stationing a dedicated operator at the valve controls, who is in continuous communication with the main control room. In this way, the flow path can be isolated when a need for isolation is indicated.

F.1 If Required Action B.1 directs entry into Condition F as specified in Table 3.3.3-1, or if both divisions of the CVCS isolation actuation function are inoperable then the unitMODULE is outside its design basis ability to automatically mitigate some design basis events.

NuScale B 3.3.3-7 Draft Revision 1.0

ESFAS Logic and Actuation B 3.3.3 BASES ACTIONS (continued)

With one division of actuation logic inoperable, the redundant signal paths and logic of the OPERABLE division provide robust capability to automatically actuate the CVCSI if required.

F.1 requires the isolation of flow paths from the CVCS to the reactor coolant system within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of entering the ConditionCONDITION. The Action is modified by a Note that permits the flow path(s) to be unisolated intermittently under administrative controls. This Note limits the likelihood of an event by requiring additional administrative control of the CVCS flow paths. These administrative controls consist of stationing a dedicated operator at the valve controls, who is in continuous communication with the main control room. In this way, the flow path(s) can be isolated when a need for isolation is indicated. This permits the unitMODULE to continue to operate while in the Condition.

G.1 If Required Action B.1 directs entry into Condition G as specified in Table 3.3.3-1, or if both divisions of the pressurizer heater trip function are inoperable then the unitMODULE is outside its design basis ability to automatically mitigate some design basis events.

With one division of actuation logic inoperable, the redundant signal paths and logic of the OPERABLE division provide robust capability to automatically actuate the PHT if required.

G.1 requires de-energization of the pressurizer heaters within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months of entering the ConditionCONDITION. This action limits the time the unitMODULE may continue to operate with limited or inoperable PHT automatic actuation logic. The Action is modified by a Note that permits the heaters to be energized intermittently under administrative controls.

These administrative controls consist of stationing a dedicated operator at the breaker controls, who is in continuous communication with the main control room. In this way, the pressurizer heaters can be de-energized when a need for de-energization is indicated. This permits the unitMODULE to continue to operate while in the Condition.

The completion time was established considering the likelihood of a design basis event that would require automatic de-energization.

NuScale B 3.3.3-8 Draft Revision 1.0

Manual Actuation Functions B 3.3.4 BASES ACTIONS (continued)

B.1 Condition B applies to the manual actuation functions identified in Table 3.3.4-1. Condition B addresses the situation where one or more Functions have both manual actuation divisions inoperable. One manual actuation division consists of an actuation switch and the associated hardware (such as contacts and wiring) up to but not including the affected EIMs. EIM OPERABILITY is addressed in LCO 3.3.2 and LCO 3.3.3.

With both manual actuation divisions inoperable, the Condition listed in Table 3.3.4-1 must be entered in 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . In this Condition, the automatic MPS actuations remain available to perform the design basis safety functions consistent with the limits of LCO 3.3.1, 3.3.2, and 3.3.3. The Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months provides adequate opportunity to identify and implement corrective actions to restore a manual actuation function without entering the Condition specified in Table 3.3.4-1.

C.1 If Required Actions A.1 or B.1 direct entry into Condition C as specified in Table 3.3.4-1, then the reactor trip breakers must be opened immediately.

Opening the reactor trip breakers satisfies the safety function of the system and places the unitMODULE in a MODE or specified conditions in which the LCO no longer applies.

The immediate completion time is consistent with the importance of the ability to initiate a manual reactor trip using the actuation function.

D.1 and D.2 If Required Actions A.1 or B.1 direct entry into Condition D as specified in Table 3.3.4-1, then Condition D provides 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to restore the manual actuation capability to OPERABLE status before the unitMODULE must be in MODE 2. The Actions requires the unitMODULE be in MODE 3 and PASSIVELY COOLED within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months of entering the condition. The Completion Times provide opportunity for correction of the identified inoperability while maintaining the reactor coolant system closed, minimizing the transients and complexity of a return to operation when OPERABILITY is restored.

The Completion Times are reasonable because the credited automatic actuation function remains OPERABLE as specified in LCO 3.3.3, and NuScale B 3.3.4-3 Draft Revision 1.0

Manual Actuation Functions B 3.3.4 BASES ACTIONS (continued) alternative means of manually initiating the safety function remain available, e.g., manually initiating individual MPS division trip logic and component-level actuations.

E.1 If Required Actions A.1 or B.1 direct entry into Condition E as specified in Table 3.3.4-1, then Action E.1 requires the DWSI flow path to be isolated if the manual actuation function is not restored within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The Action includes a Note that permits the flow path to be opened intermittently under administrative controls. This permits operation of the unitMODULE while actions to restore the function are underway.

The Completion Times are reasonable because the credited automatic actuation function remains OPERABLE as specified in LCO 3.3.3, and alternative means of manually initiating the safety function remain available, e.g., manually initiating individual MPS division trip logic and component-level actuations.

F.1 If Required Actions A.1 or B.1 direct entry into Condition F as specified in Table 3.3.4-1, then Action F.1 requires the CVCSI flow paths to be isolated if the manual actuation function is not restored within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The Action includes a Note that permits the flow path to be opened intermittently under administrative controls. This permits operation of the unitMODULE while actions to restore the function are underway.

The Completion Times are reasonable because the credited automatic actuation function remains OPERABLE as specified in LCO 3.3.3, and alternative means of manually initiating the safety function remain available, e.g., manually initiating individual MPS division trip logic and component-level actuations.

G.1 If Required Actions A.1 or B.1 direct entry into Condition G as specified in Table 3.3.4-1, then Action G.1 requires the pressurizer heaters to be de-energized if the manual actuation function is not restored within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

The Action includes a Note that permits the heaters to be energized intermittently under administrative controls. This permits operation of the unitMODULE while actions to restore the function are underway.

NuScale B 3.3.4-4 Draft Revision 1.0

Manual Actuation Functions B 3.3.4 BASES ACTIONS (continued)

The Completion Times are reasonable because the credited automatic actuation function remains OPERABLE as specified in LCO 3.3.3, and alternative means of manually initiating the safety function remain available, e.g., manually initiating individual MPS division trip logic and component-level actuations.

H.1 If Required Actions A.1 or B.1 direct entry into Condition H as specified in Table 3.3.4-1, then Condition H requires two RVVs to be opened immediately which places the facility in a configuration in which an overpressure event in the reactor vessel is not possible. The Completion Time is reasonable given the need to ensure overpressure protection to the reactor vessel.

I.1 and I.2 If Required Actions A.1 or B.1 direct entry into Condition I as specified in Table 3.3.4-1, then the unitMODULE must be placed in MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and in MODE 3 with the RCS hot temperature hot < 200 °F within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months . Reducing the RCS temperature to < 200 °F places the unitMODULE in a MODE or specified condition in which the LCO no longer applies.

The Completion Times are reasonable because the credited automatic actuation function remains OPERABLE as specified in LCO 3.3.3, and alternative means of manually initiating the safety function remain available, e.g., manually initiating individual MPS division trip logic and component-level actuations.

SURVEILLANCE SR 3.3.4.1 REQUIREMENTS SR 3.3.4.1 is the performance of an actuation device operational test of manual actuation functions listed in Table 3.3.4-1. The test shall independently verify the OPERABILITY of the actuated devices that function as a result of the functions listed in Table 3.3.4-1. These tests verify that the manually actuated functions are capable of performing itstheir intended functions.

This surveillance addresses testing of the MPS from and including the manual actuation switches located in the control room to the hardwired modules and the input signals to the associated equipment interface modules for the function in test. The EIM functions are tested in accordance with LCO 3.3.2 and 3.3.3.

NuScale B 3.3.4-5 Draft Revision 1.0

RSS B 3.3.5 B 3.3 INSTRUMENTATION B 3.3.5 Remote Shutdown Station (RSS)

BASES BACKGROUND Instrumentation located in the RSS provides the control room operator with sufficient displays to ensure the unitMODULE reaches and remains stable in a safe shutdown condition from a location other than the control room. The RSS also ensures that control room signals are isolated preventing unintended signals from impacting the unitplant conditions.

This capability is necessary to protect against the possibility that the control room becomes inaccessible (Ref. 1). The passive core cooling systems provided by the Decay Heat Removal System or Emergency Core Cooling System can be used to remove core decay heat. The use of passive safety systems allows extended operation in MODE 3.

If the control room becomes inaccessible, the operators can monitor and maintain the unitMODULE in MODE 3 using the displays that are in the RSS. The unitMODULE can be passively maintained safely in MODE 3 for an extended period of time.

The RSS has several video display units which can be used by the operator. The video display units are comparable to those provided in the control room and the operator can display information on the video display units in a manner which is comparable to the way the information is displayed in the control room. The operator normally selects an appropriate set of displays based on the particular operational goals being monitored by the operator at the time.

The OPERABILITY of the remote shutdown display functions ensures there is sufficient information available on selected parameters to monitor the passive cooling system performance, verify that the unitMODULE transitions to MODE 3, and remains stable once MODE 3 is reached should the control room become inaccessible. Activation of the RSS also ensures that control room signals are isolated when control room evacuation is required.

APPLICABLE The RSS is required to provide equipment at appropriate locations SAFETY outside the control room with a capability to promptly shut down and ANALYSES maintain the unitMODULE in a safe condition in MODE 3. The RSS also ensures that control room signals are isolated preventing unintended signals from impacting unitplant conditions.

The criteria governing the design and the specific system requirements of instrumentation located in the RSS are specified in 10 CFR 50, Appendix A, GDC 19 (Ref. 2).

NuScale B 3.3.5-1 Draft Revision 1.0

RSS B 3.3.5 BASES APPLICABLE SAFETY ANALYSES (continued)

Passive core cooling systems alone can establish and maintain safe shutdown conditions for the unitMODULE.

The remote shutdown station satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).

LCO The RSS LCO provides the OPERABILITY requirements of the displays necessary to monitor the passive cooling system performance, verify that the unitMODULE transitions to MODE 3, and remains stable once MODE 3 is reached from a location other than the control room.

The appropriate instrumentation in the RSS is OPERABLE if the display instrument functions needed to support the required monitoring capability are OPERABLE.

The instrumentation located in the RSS covered by this LCO does not need to be energized or configured to perform its design function, to be considered OPERABLE. During normal operation, the RSS is in standby with the workstations powered and connected to the human machine interface network, but the displays not activated. This LCO is intended to ensure the instrumentation located in the RSS will be OPERABLE if unit conditions require that the RSS be placed in operation.

APPLICABILITY The instrumentation located in the RSS LCO is applicable in MODES 1 and 2. This is required so that the unitMODULE can be monitored to ensure the unitMODULE transitions to MODE 3 and remains stable in MODE 3 for an extended period of time from a location other than the control room.

This LCO is not applicable in MODE 3, 4 or 5. In these MODES, the unitMODULE is already subcritical and in a condition of reduced Reactor Coolant System energy. Under these conditions, considerable time is available to restore necessary instrument functions if control room instruments or controls become unavailable.

ACTIONS A.1 Condition A addresses the situation where the instrumentation in the RSS is inoperable. The Required Action is to restore the instrumentation in the RSS to OPERABLE status within 30 days. The Completion Time is based on the system design for maintainability and the low probability of an event that would require evacuation of the control room.

NuScale B 3.3.5-2 Draft Revision 1.0

RSS B 3.3.5 BASES ACTIONS (continued)

B.1 and B.2 If the Required Action and associated Completion Time of Condition A is not met, the unitMODULE must be brought to a MODE in which the LCO does not apply. To achieve this status, the unitMODULE must be brought to at least MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 3 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months .

The allowed Completion Times are reasonable to reach the required unitMODULE conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.3.5.1 REQUIREMENTS SR 3.3.5.1 verifies that the transfer protocol can be performed and that it performs the required functions. This ensures that if the control room becomes inaccessible, the passive cooling system performance can be monitored and evaluated to verify that the unitMODULE is transitioning to MODE 3, and remains stable once MODE 3 is reached from the RSS.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.2 This Surveillance verifies that the workstations in the RSS receive indications from the MODULE Module Control System (MCS) and Plant Control System (PCS). The communication is accomplished by use of the MCS and PCS networks.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.3 SR 3.3.5.3 verifies the OPERABILITY of the RSS hardware and software by performing diagnostics to show that operator displays are capable of being called up and displayed to an operator at the RSS. The instrumentation in the RSS has several video display units which can be used by the operator.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

NuScale B 3.3.5-3 Draft Revision 1.0

RCS Pressure and Temperature CHF Limits B 3.4.1 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.1 RCS Pressure and Temperature Critical Heat Flux (CHF) Limits BASES BACKGROUND These Bases address requirements for maintaining RCS pressure and temperature within the limits assumed in the safety analyses. The safety analyses (Ref. 1) of normal operating conditions and anticipated operational occurrences assume initial conditions within the normal steady state envelope of operating conditions. The limits placed on RCS pressure and temperature ensure that the minimum critical heat flux ratio (CHFR) will be met for each of the transients analyzed.

The RCS pressure limit is consistent with operation within the nominal operational envelope. Pressurizer pressure indications are used to determine a value for comparison to the limit. A pressure below the limit will cause the reactor core to approach CHFR limits.

The RCS coolant cold temperature limit is consistent with full power operation within the nominal operational envelope. Indications of cold coolant temperature are averaged to determine a value for comparison to the limit. A RCS cold temperature above the limit will cause the core to approach CHF limits.

Operation for significant periods of time outside these CHF limits increases the likelihood of a fuel cladding failure in a CHF limited event.

APPLICABLE The requirements of this LCO represent the initial conditions for CHF SAFETY limited transients analyzed in the plant safety analyses (Ref. 1). The ANALYSES safety analyses have shown transients initiated within the requirements of this LCO will result in meeting the CHFR criterion. This is the acceptance limit for the RCS CHF parameters. Changes to the unitMODULE which could impact these parameters must be assessed for their impact on the CHFR criterion. The NSP2 correlation limit is used to evaluate non-LOCA as described in the FSAR (Ref. 1). The Extended Hench-Levy and Griffith-Zuber correlation limits are utilized to evaluate other transients that occur with high and low RCS flow rates respectively as also described in the FSAR Chapter 15 (Ref. 1). An assumption for the analysis of these events is that the core power distribution is within the limits of LCO 3.1.6, Regulating Group Insertion Limits; LCO 3.2.1, "Enthalpy Rise Hot Channel Factor (FH)," and LCO 3.2.2, AXIAL OFFSET (AO).

The pressurizer pressure limit and the RCS cold temperature limit specified in the COLR, as shown on the Thermal Margins Limit Map, NuScale B 3.4.1-1 Draft Revision 1.0

RCS Pressure and Temperature CHF Limits B 3.4.1 BASES APPLICABLE SAFETY ANALYSES (continued) correspond to analytical limits, with an allowance for steady state fluctuations and measurement errors.

The RCS CHF parameters satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO specifies limits on the monitored process variables, pressurizer pressure and RCS cold temperature to ensure the core operates within the limits assumed in the safety analyses. These variables are contained in the COLR to provide operating and analysis flexibility from cycle to cycle. Operating within these limits will result in meeting CHFR criterion in the event of a CHF-limited transient.

APPLICABILITY In MODE 1, the limits on pressurizer pressure and RCS cold temperature must be maintained during steady state unitplant operation in order to ensure CHFR criterion will be met in the event of a CHF-limiting transient.

In all other MODES, the power level is low enough that CHF is not a concern.

The CHFR limit is provided in SL 2.1.1, Reactor Core SLs. The conditions which define the CHFR limit are less restrictive than the limits of this LCO, but violation of a Safety Limit (SL) merits a stricter, more severe Required Action. Should a violation of this LCO occur, the operator must check whether a SL may have been exceeded.

ACTIONS A.1 RCS pressure and RCS cold temperature are controllable and measurable parameters. With one or both of these parameters not within LCO limits, action must be taken to restore parameter(s).

The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time for restoration of the parameters provides sufficient time to adjust unitplant parameters, to determine the cause for the off normal condition, and to restore the readings within limits.

B.1 If Required Action A.1 is not met within the associated Completion Time, the unitplant must be brought to a MODE in which the LCO does not apply. To achieve this status, the unitplant must be brought to at least MODE 2 NuScale B 3.4.1-2 Draft Revision 1.0

RCS Minimum Temperature for Criticality B 3.4.2 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.2 RCS Minimum Temperature for Criticality BASES BACKGROUND This LCO is based upon meeting several major considerations before the reactor can be made critical and while the reactor is critical.

The first consideration is moderator temperature coefficient, LCO 3.1.3, Moderator Temperature Coefficient (MTC). In the transient and accident analyses, the MTC is assumed to be in a range from zero to negative and the operating temperature is assumed to be within the nominal operating envelope while the reactor is critical. The LCO on minimum temperature for criticality helps ensure the unitplant is operated consistent with these assumptions.

The second consideration is the protective instrumentation. Because certain protective instrumentation (e.g., excore neutron detectors) can be affected by moderator temperature, a temperature value within the nominal operating envelope is selected to ensure proper indication and response while the reactor is critical.

The third consideration is the pressurizer operating characteristics. The transient and accident analyses assume that the pressurizer is within its normal startup and operating range (i.e., saturated conditions and steam bubble present). It is also assumed that the RCS temperature is within its normal expected range for startup and power operation. Since the density of the water, and hence the response of the pressurizer to transients, depends upon the initial temperature of the moderator, a minimum value for moderator temperature within the nominal operating envelope is chosen.

The fourth consideration is that the reactor vessel is above its minimum nil-ductility reference temperature when the reactor is critical.

APPLICABLE The RCS minimum temperature for criticality is an initial condition SAFETY assumed in Design Basis Accidents (DBAs), such as the control rod ANALYSES assembly (CRA) withdrawal, CRA ejection, and main steam line break accidents performed at zero power that either assume the failure of, or presents a challenge to, the integrity of a fission product barrier.

All low power safety analyses assume initial RCS temperatures 420°F, as described in FSAR, Chapter 15 (Ref. 1).

The RCS minimum temperature for criticality parameter satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

NuScale B 3.4.2-1 Draft Revision 1.0

RCS Minimum Temperature for Criticality B 3.4.2 BASES LCO Compliance with the LCO ensures that the reactor will not be made or maintained critical (keff 1.0) at a temperature less than the minimum temperature assumed in the safety analysis. Failure to meet the requirements of this LCO may produce initial conditions inconsistent with the initial conditions assumed in the safety analysis.

APPLICABILITY In MODE 1 LCO 3.4.2 is applicable since the reactor can only approach critical (keff 1.0) in this MODE. In MODES 2, 3, 4, and 5, the reactor is maintained with keff < 0.99.

ACTIONS A.1 If the temperature cannot be restored, the unitplant must be brought to a MODE in which the LCO does not apply. To achieve this status, the unitplant must be brought to MODE 2 with keff < 0.99 within 30 minutes.

Rapid reactor shutdown can be readily and practically achieved within a 30 minute period. The allowed time is reasonable to reach MODE 2 with keff < 0.99 in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.4.2.1 REQUIREMENTS RCS loop temperatures are required to be verified at or above 420°F. The SR to verify RCS temperatures takes into account indications and alarms that are continuously available to the operator in the control room. In addition, operators are trained to be sensitive to RCS temperatures during approach to criticality and will ensure that the minimum temperature for criticality is met as criticality is approached.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR Chapter 15, Transient and Accident Analyses.

NuScale B 3.4.2-2 Draft Revision 1.0

RCS P/T Limits B 3.4.3 BASES APPLICABILITY The RCS P/T limits LCO provides a definition of acceptable operation for prevention of nonductile (brittle) failure in accordance with 10 CFR 50, Appendix G (Ref. 1). Although the P/T limits were developed to provide guidance for operation primarily during heatup or cooldown or required testing, they are applicable at all times in keeping with the concern for nonductile failure.

During MODE 1 other Technical Specifications provide limits for operation that can be more restrictive than, or can supplement these P/T limits.

LCO 3.4.1, RCS Pressure and Temperature Critical Heat Flux (CHF)

Limits. LCO 3.4.2, RCS Minimum Temperature for Criticality; and Safety Limit 2.1.2, Reactor Coolant System (RCS) Pressure SL, also provide operational restrictions for pressure and temperature and maximum pressure. Furthermore, MODE 1 is above the temperature range of concern for nonductile failure, and stress analyses have been performed for normal maneuvering profiles, such as power ascension or descent.

ACTIONS The actions of this LCO consider the premise that a violation of the limits occurred during normal unitplant maneuvering. Severe violations caused by abnormal transients, at times accompanied by equipment failures, may also require additional actions from abnormal operating procedures.

A.1 and A.2 Operation outside the P/T limits must be restored to within the limits. The RCPB must be returned to a condition that has been verified by stress analyses. Restoration is in the proper direction to reduce RCPB stress.

The 30 minute Completion Time reflects the urgency of restoring the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in this time in a controlled manner.

Besides restoring operation within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify the RCPB integrity remains acceptable and must be completed before continuing operation. Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, new analyses, or inspection of the components.

ASME Code,Section XI, Appendix E (Ref. 6) may be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline.

NuScale B 3.4.3-4 Draft Revision 1.0

RCS P/T Limits B 3.4.3 BASES ACTIONS (continued)

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is reasonable to accomplish the evaluation.

The evaluation for a mild violation is possible within this time, but more severe violations may require special, event specific stress analyses or inspections. A favorable evaluation must be completed before continuing to operate.

Condition A is modified by a Note requiring Required Action A.2 be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration per Required Action A.1 alone is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.

B.1 and B.2 If a Required Action and associated Completion Time of Condition A are not met, the unitplant must be placed in a lower MODE because either the RCS remained in an unacceptable P/T region for an extended period of increased stress, or a sufficiently severe event caused entry into an unacceptable region. Either possibility indicates a need for more careful examination of the event, best accomplished with the RCS at reduced pressure and temperature. In reduced pressure and temperature conditions, the possibility of propagation with undetected flaws is decreased.

If the required restoration activity cannot be accomplished in 30 minutes, Required Action B.1 and Required Action B.2 must be implemented to reduce pressure and temperature.

If the required evaluation for continued operation cannot be accomplished within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months or the results are indeterminate or unfavorable, action must proceed to reduce pressure and temperature as specified in Required Action B.1 and Required Action B.2. A favorable evaluation must be completed and documented before returning to operating pressure and temperature conditions.

Pressure and temperature are reduced by bringing the unitplant to MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 3 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months , with RCS pressure <

500 psia. The 500 psia is based on placing the RCS in a lower energy state and being less than the LTOP maximum pressure of 525 psia.

The allowed Completion Times are reasonable based on plant design, to reach the required unitplant conditions from full power condition in an orderly manner without challenging plant systems.

NuScale B 3.4.3-5 Draft Revision 1.0

RCS P/T Limits B 3.4.3 BASES ACTIONS (continued)

C.1 and C.2 Actions must be initiated immediately to correct operation outside of the P/T limits at times other than when in MODE 1, 2, or 3, so that the RCPB is returned to a condition that has been verified by stress analysis.

The immediate Completion Time reflects the urgency of initiating action to restore the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in a short period of time in a controlled manner.

Besides restoring operation within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify that the RCPB integrity remains acceptable and must be completed prior to entry into MODE 3. Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, or inspection of the components.

ASME Code,Section XI, Appendix E (Ref. 6), may be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline.

Condition C is modified by a Note requiring Required Action C.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required Action C.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.

D.1, D.2 and D.3 Condition D is based on an unexpected containment flooding initiated when RCS temperature is in excess of the maximum allowable temperature limit for containment flooding specified in the PTLR. The containment flooding system transfers borated water between the reactor pool and the RXM. It is expected to be used during refuel preparations and during select beyond design basis events. Both of these functions are non-safety related.

The immediate completion time for Action D.1 is appropriate because the system is designed to be utilized for containment flooding when the module has already been shutdown. Allowing operation to flood containment in these MODES would place the unitplant in an unanalyzed condition.

NuScale B 3.4.3-6 Draft Revision 1.0

RCS P/T Limits B 3.4.3 BASES ACTIONS (continued)

The 36 hour4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months completion time for Action D.2 allows sufficient time to cool down the unitplant to a condition that containment flooding is allowed.

Action D.3 requires evaluation of the RCS for continued operation prior to returning to MODE 2 after MODE 3 was entered to comply with the required actions. This is necessary to ensure P-T limits and cool down rates were not exceeded or an engineering evaluation performed if they were.

SURVEILLANCE SR 3.4.3.1 REQUIREMENTS Verification that operation is within PTLR limits is required when RCS P/T conditions are undergoing planned changes. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

Pressurizer pressure instrumentation is utilized to monitor vessel pressure during planned changes. Use of temperature monitoring instrumentation is based on evolution being performed and delineated in PTLR.

Surveillance for heatup and cooldown, may be discontinued when the definition given in the relevant plant procedure for ending the activity is satisfied.

This SR is modified by a Note that only requires this surveillance to be performed during system heatup and cooldown and inservice leak and hydrostatic testing.

REFERENCES 1. 10 CFR 50, Appendix G, Fracture Toughness Requirements.

2. ASME Boiler and Pressure Vessel Code,Section XI, Appendix G, "Fracture Toughness Criteria For Protection Against Failure." (2013)

3. ASTM E 185-82, Standard Practice for Conducting Surveillance Tests for Light-Water Cooled Nuclear Power Reactor Vessels, July 1982.

4. 10 CFR 50, Appendix H, Reactor Vessel Material Surveillance Program Requirements.

5. Regulatory Guide 1.99, Radiation Embrittlement of Reactor Vessel Materials, May 1988.

NuScale B 3.4.3-7 Draft Revision 1.0

RSVs B 3.4.4 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.4 Reactor Safety Valves (RSVs)

BASES BACKGROUND Two RSVs, in conjunction with the module protection system (MPS),

provide integrated overpressure protection for the RCS. The RSVs are pilot operated, self-contained, self-actuating valves located on the reactor pressure vessel head. The RSVs provide overpressure protection based on the ASME Code,Section III pressure limit (ASME pressure limit) of 110% design pressure of RCS (Ref. 1). The RSVs are designed to prevent RCS pressure from exceeding the pressure Safety Limit (SL),

2285 psia, which is based on preventing pressure from exceeding 110%

of the design pressure (2100 psia) at the bottom of the reactor pressure vessel of 2310 psia. The RSVs also prevent exceeding 110% of Steam Generator System (SGS) design pressure during design basis accidents and anticipated operational occurrences (AOO) that challenge this system. Both RSV's are 100% redundant, only one valve is required to function to provide overpressure protection.

Because the RSVs are self-contained and self-actuating, they are considered independent components. The minimum relief capacity for each valve is 63,360 lb/hr. This capacity is based on a postulated overpressure transient of a turbine trip without turbine bypass capability, resulting in rapid decrease in heat removal capability. This event results in the maximum volumetric surge rate into the pressurizer, and defines the minimum volumetric relief capacity for each of the RSVs. An actuation of a RSV is indicated by RSV open position indication and by an increase in containment temperature and pressure because the RSVs discharge into the containment environment.

Overpressure protection is required in MODES 1, 2, and 3; however, in MODE 3 when RCS cold temperature is the low temperature overpressure protection (LTOP) enable temperature, overpressure protection is provided by operating procedures and by meeting the requirements of the High RCS Pressure - Low Temperature LTOP Function requirements specified in LCO 3.3.1, "MODULE Module Protection System (MPS) Instrumentation" and low temperature overpressure protection (LTOP) requirements specified in LCO 3.3.3 "Engineered Safety Features Actuation System (ESFAS) Logic and Actuation." In MODE 4 and MODE 5 with the reactor vessel head on, overpressure protection is provided by at least one ECCS vent valve being open.

The upper and lower pressure limits are based on the +/-1% setpoint tolerance requirement (Ref. 1) for lifting pressures above 1000 psig. The lift settings are based on the differential pressure between the reactor NuScale B 3.4.4-1 Draft Revision 1.0

RSVs B 3.4.4 BASES LCO The setpoint of the two RSVs are established to ensure that the ASME pressure limit is satisfied. The ASME Code specifications require the lowest safety valve setpoint to be at or below vessel design pressure and the highest safety valve to be set so that the total accumulated pressure does not exceed 110% of the design pressure for overpressurization conditions. The upper and lower pressure limits are based on the +/- 1%

tolerance requirements for lifting pressures above 1000 psig (Ref. 1).

As-Found acceptance criteria of +/- 3% meets the criteria of ASME OM code I-1320(c)(1) (Ref 4).

The limits protected by this Specification are the reactor coolant pressure boundary (RCPB) SL of 110% of design pressure and 110% of external design pressure for the SGS. Inoperability of both RSVs could result in exceeding the reactor pressure SL or the 110% design pressure limit of the SGS, if a transient were to occur. The consequences of exceeding the ASME pressure limit could include damage to one or more RCS components, damage to the SGS components, increased leakage, or additional stress analysis being required prior to resumption of reactor operation.

APPLICABILITY In MODES 1, 2, and MODE 3 when RCS cold temperature is greater than the LTOP enable temperature specified in Pressure and Temperature Limits Report (PTLR), the RSVs are required because the RCS and SGS are pressurized and limiting design basis overpressure transients are postulated to occur in MODES 1 and 2. MODE 3 is conservatively included although the FSAR Chapter 15 (Ref. 2) listed accidents and AOOs may not require the RSVs for protection. RCS cold temperature is considered to be greater than the LTOP enabling temperature when all RCS cold temperature instruments indicate greater than the LTOP enabling temperature specified in the PTLR.

The LCO is not applicable in MODE 3 when RCS cold temperature is at or below the LTOP enable temperature because overpressure protection is ensured by the High RCS Pressure - Low Temperature LTOP Function requirements specified in LCO 3.3.1. In MODES 4 and 5, overpressure events are precluded by at least one open ECCS vent valve providing a relief path from the RCS to the containment and isolation of the MODULE module from credible sources of system overpressure (e.g., CVCS injection and pressurizer heaters). Additionally, the steam generators are in wet layup conditions in MODES 4 and 5 with thermal relief valves providing overpressure protection for the steam generators.

NuScale B 3.4.4-3 Draft Revision 1.0

RSVs B 3.4.4 BASES ACTIONS A.1 With one RSV inoperable, the remaining OPERABLE RSV is capable of providing the necessary overpressure protection. Because of additional design margin, the ASME pressure limit for the RCPB and SGS can also be satisfied with one RSV inoperable.

However, the overall reliability of the pressure relief system is reduced because additional failure of the remaining OPERABLE RSV could result in failure to adequately relieve primary or secondary system pressure during a limiting event. For this reason, continued operation is permitted for a limited time only.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time to restore the inoperable RSV to OPERABLE status is based on the relief capability of the remaining RSV and the low probability of an event requiring RSV actuation.

B.1 and B.2 If the Required Action of Condition A cannot be met within the required Completion Time or if two RSVs are inoperable, the unitplant must be placed in a MODE in which the requirement does not apply. To achieve this status, the unitplant must be brought to at least MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 3 with RCS cold temperature LTOP enable temperature within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . RCS cold temperature is considered LTOP enabling temperature when two or more RCS cold temperature instruments indicate LTOP enabling temperature specified in the PTLR.

The allowed Completion Times are reasonable based on time to reach the required unitplant conditions from full power conditions in an orderly manner and without challenging plant systems. The change from MODE 1, or 2, to MODE 3 reduces the RCS energy (core power and pressure), lowers the potential for large pressurizer in-surges, and thereby removes the need for overpressure protection by the RSVs.

SURVEILLANCE SR 3.4.4.1 REQUIREMENTS SRs are specified in the INSERVICE TESTING PROGRAM. RSVs are to be tested in accordance with the requirements of ASME OM Code (Ref. 3), which provides the activities and Frequencies necessary to satisfy the SRs. No additional requirements are specified.

The RSV setpoint is +/- 3% for OPERABILITY, and the values are reset to remain within +/- 1% during the surveillance to allow for drift.

NuScale B 3.4.4-4 Draft Revision 1.0

RCS Operational LEAKAGE B 3.4.5 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.5 RCS Operational LEAKAGE BASES BACKGROUND Components that contain or transport the coolant to or from the reactor core comprise the RCS. Component joints are made by welding, bolting, rolling, or pressure loading. Valves isolate connecting systems from the RCS.

During unitplant life, the joint and valve interfaces can produce varying amounts of reactor coolant LEAKAGE, through either normal operational wear or mechanical deterioration. The purpose of the RCS Operational LEAKAGE LCO is to limit system operation in the presence of LEAKAGE from these sources to amounts that do not compromise safety. This LCO specifies the types and amounts of RCS Operational LEAKAGE.

10 CFR 50, Appendix A, GDC 30 (Ref. 1), requires means for detecting and, to the extent practical, identifying the source of reactor coolant LEAKAGE. Regulatory Guide 1.45 (Ref. 2) describes acceptable methods for selecting leakage detection systems.

The safety significance of RCS Operational LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring RCS LEAKAGE outside of the reactor coolant pressure boundary (RCPB) is necessary. When possible, separating the identified LEAKAGE from the unidentified LEAKAGE is necessary to provide quantitative information to the operators, allowing them to take corrective action should a leak occur that is detrimental to the safety of the facility and the public.

This LCO deals with protection of the reactor coolant pressure boundary (RCPB) from degradation, in addition to preventing the accident analyses radiation release assumptions from being exceeded. The consequences of violating this LCO include the possibility of a loss of coolant accident (LOCA).

APPLICABLE Except for primary to secondary LEAKAGE, the safety analyses do not SAFETY address RCS Operational LEAKAGE. However, other forms of RCS ANALYSES Operational LEAKAGE are related to the safety analyses for LOCA. The amount of LEAKAGE can affect the probability of such an event.

The safety analysis for an event resulting in steam discharge to the atmosphere assumes a 150 gpd primary to secondary LEAKAGE as the initial condition.

NuScale B 3.4.5-1 Draft Revision 1.0

RCS Operational LEAKAGE B 3.4.5 BASES ACTIONS A.1 Unidentified LEAKAGE or identified LEAKAGE in excess of the LCO limits must be reduced to within limits within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . This Completion Time allows time to verify leakage rates and either identify unidentified LEAKAGE or reduce RCS Operational LEAKAGE to within limits before the reactor must be shut down. This action is necessary to prevent further deterioration of the RCPB.

B.1, B.2 If any pressure boundary LEAKAGE exists, or primary to secondary LEAKAGE is not within limits, or if unidentified or identified LEAKAGE cannot be reduced to within limits within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , the reactor must be brought to lower pressure conditions to reduce the severity of the RCS Operational LEAKAGE and its potential consequences. To achieve this status, the unitplant must be brought to at least MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and exit the Applicability in MODE 3 with RCS hot temperature hot 200 °F, within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months . The allowed Completion Times are reasonable, based on operating requirements and normal cooling capabilities, to reach the required unitplant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.4.5.1 REQUIREMENTS Verifying RCS Operational LEAKAGE is within the LCO limits ensures the integrity of the RCPB is maintained. Pressure boundary LEAKAGE would at first appear as unidentified LEAKAGE.

Unidentified LEAKAGE and identified LEAKAGE are determined by performance of a RCS water inventory balance. The RCS water inventory balance must be met with the reactor at steady state operating conditions.

Two Notes modify SR 3.4.5.1. The first Note states the SR is not required to be performed until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after establishing steady state operation.

The 12 allowance provides sufficient time to collect and process all necessary data after stable unitplant conditions are established. The second Note states the SR is not applicable to primary to secondary LEAKAGE. SR 3.4.5.2 verifies the primary to secondary LEAKAGE.

Steady state operation is required to perform a proper inventory balance since calculations during maneuvering are not useful. For RCS operational LEAKAGE determination by inventory balance, steady state is defined as stable RCS pressure, temperature, power level, pressurizer and makeup tank levels, and makeup or letdown.

NuScale B 3.4.5-4 Draft Revision 1.0

CVCS Isolation Valves B 3.4.6 BASES LCO The requirement that two CVCS isolation valves be OPERABLE for each of the four flow path lines connected to the RCS assures that there will be redundant means available to isolate the CVCS from the RCS during a non-LOCA event or a steam generator tube failure accident should that become necessary. Also, the OPERABLE CVCS isolation valves provide isolation protection against postulated breaks outside of containment and reverse RCS flow events.

APPLICABILITY The requirement that two CVCS isolation valves for each of the four flow path lines connected to the RCS be OPERABLE is applicable in MODES 1, 2, and 3 because a pressurizer overfill event, steam generator tube failure accident, CVCS postulated break outside containment event, and reverse RCS flow event is considered possible in these MODES, and the automatic closure of these valves is assumed in the safety analysis.

In the applicable MODES, the need to isolate the CVCS makeup to the RCS is detected by the pressurizer level instruments, pressurizer pressure instruments, containment pressure, or RCS flow instruments.

This isolation function is not required in MODE 4 and 5. In these MODES, pressurizer overfill, steam generator overfill, CVCS breaks outside containment, and reverse RCS flow during startup is prevented by unitplant conditions.

ACTIONS The ACTIONS are modified by two notes. Note 1 allows isolated penetration flow paths to be unisolated intermittently under administrative controls. These administrative controls consist of stationing a dedicated operator at the device controls, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for containment isolation is indicated.

Note 2 provides clarification that, for this LCO, separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable containment isolation device. Complying with the Required Actions may allow for continued operation, and subsequent inoperable CVCS isolation valves are governed by subsequent Condition entry and application of associated Required Actions.

A.1 and A.2 In the event one CVCS isolation valve in one or more CVCS flow paths is inoperable the affected flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot NuScale B 3.4.6-2 Draft Revision 1.0

CVCS Isolation Valves B 3.4.6 BASES ACTIONS (continued) isolation device that cannot be adversely affected by a single active failure. Isolation devices that meet this criterion are a closed and deactivated automatic valve, a closed manual valve, and a blind flange.

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is consistent with the ACTIONS of LCO 3.6.2. In the event the affected penetration is isolated in accordance with Required Action B.1, the affected penetration must be verified to be isolated on a periodic basis per Required Action A.2, which remains in effect. This periodic verification is necessary to assure leak tightness of containment and that penetrations requiring isolation following an accident are isolated. The Completion Time of once per 31 days for verifying each affected penetration flow path is isolated is appropriate considering the fact that the devices are operated under administrative controls and the probability of the misalignment is low.

C.1 and C.2 If the Required Actions and associated completion Times are not met, the unitplant must be brought to a MODE or condition in which containment isolation requirement no longer applies. To achieve this status, the unitplant must be brought to at least MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 3 with RCS hot temperature hot < 200F within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months .

SURVEILLANCE SR 3.4.6.1 REQUIREMENTS Verifying that the isolation time of each automatic power operated CVCS isolation valve is within limits is required to demonstrate OPERABILITY.

The isolation time test ensures that the valve will isolate in a time period less than or equal to that assumed in the safety analysis.

Frequency of this SR is in accordance with the INSERVICE TESTING PROGRAM.

SR 3.4.6.2 This Surveillance demonstrates that each automatic CVCS isolation valve actuates to the isolated position on an actual or simulated actuation signal. This Surveillance is not required for valves that are locked sealed, or otherwise secured in the isolated position under administrative controls. The actuation logic is tested as part of Engineered Safety Features Actuation System Actuation and Logic testing., and valve performance is monitored as part of the Surveillance Frequency Control Program The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

NuScale B 3.4.6-4 Draft Revision 1.0

RCS Leakage Detection Instrumentation B 3.4.7 BASES APPLICABLE The need to evaluate the severity of an alarm or an indication is SAFETY important to the operators, and the ability to compare and verify ANALYSES with indications from other systems is necessary. The system response times and sensitivities are described in FSAR Sections 3.6, 5.2, and 11.5 (Refs. 3, 4, and 5).

The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring RCS LEAKAGE into the containment area is necessary. Separating the identified LEAKAGE from the unidentified LEAKAGE provides quantitative information to the operators, to take corrective action should a leak occur.

RCS LEAKAGE detection instrumentation satisfies Criterion 1 of 10 CFR 50.36(c)(2)(ii).

LCO One method of protecting against large RCS LEAKAGE derives from the ability of instruments to rapidly detect extremely small leaks that indicate a possible RCPB degradation. This LCO requires instruments of diverse monitoring principles to be OPERABLE to provide a high degree of confidence that small leaks are detected in time to allow actions to place the unitplant in a safe condition.

The LCO is satisfied when monitors of diverse measurement means are available. Thus, the CES sample vessel level monitors, in combination with CES inlet pressure channels and a CES gas discharge radioactivity monitor, provides five channels of leakage detection using three diverse methods. The specification requires two of the three diverse methods to be OPERABLE. CES inlet pressure monitoring is performed by two redundant, seismically qualified pressure instruments.

APPLICABILITY Because of elevated RCS temperature and pressure in MODES 1 and 2, and the potential for elevated temperature and pressure in MODE 3 when RCS hot temperature hot is 200 °F, RCS leakage detection instrumentation is required to be OPERABLE.

In MODE 3 with RCS hot temperature hot < 200 °F the RCS pressure is low and the RCPB no longer requires monitoring because pressurization is due to operation of the CVCS, and the likelihood of leakage and crack propagation is much smaller.

In MODE 4 or 5, the RCPB is open to the containment or refueling pool and pressure is maintained low or at atmospheric pressure. Since the temperatures and pressures are far lower than those for MODES 1 and 2, or when applicable in MODE 3, the likelihood of leakage and crack NuScale B 3.4.7-2 Draft Revision 1.0

RCS Leakage Detection Instrumentation B 3.4.7 BASES APPLICABILITY (continued) propagation is much smaller. Therefore, the requirements of this LCO are also not applicable in MODES 4 and 5.

The applicability requirements are modified by a Note indicating the LCO requirements are suspended if one or more ECCS valves is open. In that condition the RCS is open to the containment and leakage detection no longer indicates a potential degradation of the RCPB.

The second Note suspends LCO applicability during a cooldown in MODE 3 when containment flooding is in progress. In this condition, the RCS is being rapidly depressurized and cooled to < 200 °F. With containment flooding in progress, the RCS leakage detection instrumentation is unavailable and the rapidly reduced RCS pressure reduces the likelihood of leakage and crack propagation.

ACTIONS The actions are modified by a Note that indicates that the provisions of LCO 3.0.4.c is applicable. As a result, a MODE change is allowed when required leakage detections channels are inoperable. This allowance is provided because liquid leakage detection systems and methods will not be OPERABLE during the MODE 3 conditions while the containment is being drained and evacuated.

A.1 and A.2 With one required leakage detection channels inoperable, the remaining OPERABLE channel(s) will provide indication of changes in leakage.

Additionally, the periodic surveillance for RCS water inventory balance, SR 3.4.5.1, must be performed at an increased frequency of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to provide information that is adequate to detect leakage. A Note is added allowing that SR 3.4.5.1 is not required to be performed until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after establishing steady state operation (stable temperature, power level, pressurizer and makeup tank levels, makeup and letdown). The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowance provides sufficient time to collect and process all necessary data after stable unitplant conditions are established.

Restoration of the channel to OPERABLE status is required to regain the function in a Completion Time of 14 days after the channel's failure. This time is acceptable considering the frequency and adequacy of the RCS water inventory balance required by Required Action A.1.

NuScale B 3.4.7-3 Draft Revision 1.0

RCS Leakage Detection Instrumentation B 3.4.7 BASES ACTIONS (continued)

B.1 With one required leakage detection method inoperable, the remaining OPERABLE method will provide indication of changes in leakage.

Additionally, Action A.1 will continue to apply and the periodic surveillance for RCS water inventory balance, SR 3.4.5.1, must be performed at an increased frequency of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to provide information that is adequate to detect leakage.

However diversity of leakage detection instrumentation is not available. In addition to the Required Actions of Condition A, the required leakage method is required to regain the function in a Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months after the method's failure. This time is acceptable considering the frequency and adequacy of the RCS water inventory balance required by Required Action A.1.

C.1 and C.2 If the Required Action cannot be met within the required Completion Time or if all required leakage detection methods are inoperable, the unitplant must be brought to a MODE in which the requirement does not apply. To achieve this status, the unitplant must be brought to at least MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 3 with RCS hot temperature hot <200°F within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months . This action will place the RCS in a low pressure state which reduces the likelihood of leakage and crack propagation. The allowed Completion Times are reasonable, based on operating requirements and normal cooling capabilities, to reach the required unitplant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.4.7.1, SR 3.4.7.2, and SR 3.4.7.3 REQUIREMENTS These SRs require the performance of a CHANNEL CHECK for each of the required RCS leakage detection instrumentation channels. The check gives reasonable confidence that the channel is operating properly. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.7.4 SR 3.4.7.4 requires the performance of a COT on the CES gaseous radioactivity monitor when it is required to be OPERABLE. The test ensures that the monitor can perform its NuScale B 3.4.7-4 Draft Revision 1.0

RCS Specific Activity B 3.4.8 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.8 RCS Specific Activity BASES BACKGROUND The limits on RCS specific activity ensure that the doses due to postulated accidents are within the doses reported in FSAR Chapter 15.

The RCS specific activity LCO limits the allowable concentration of iodines and noble gases in the reactor coolant. The LCO limits are established to be intentionally conservative when compared with a fuel defect level of 0.028% assumed by the NuScale operating source term and to ensure that unitplant operation remains within the conditions assumed for Design Basis Accident (DBA) release analyses.

The LCO contains specific activity limits for both DOSE EQUIVALENT I-131 and DOSE EQUIVALENT XE-133. The allowable levels are intended to limit the doses due to postulated accidents to within the values calculated in the radiological consequences analyses (as reported in FSAR Chapter 15).

APPLICABLE The LCO limits on the reactor coolant specific activity are a factor in SAFETY accident analyses that assume a release of primary coolant to the ANALYSES environment either directly as in a small line break outside containment or indirectly by way of LEAKAGE to the secondary coolant system and then to the environment (the Steam Line Break).

The events which incorporate the LCO values for primary coolant specific activity in the radiological consequence analysis include the following:

Steam generator tube failure,

Control rod ejection,

Steam Line Break (SLB), and

Small line break outside containment The limiting event for release of primary coolant activity is the small line break. The small line break dose analysis considers the possibility of a pre-existing iodine spike (in which case the maximum LCO of 12 Ci/gm DOSE EQUIVALENT I-131 is assumed) as well as the more likely initiation of an iodine spike due to the reactor trip and depressurization. In the latter case, the LCO of 0.2 Ci/gm DOSE EQUIVALENT I-131 is assumed at the initiation of the accident, but the primary coolant specific NuScale B 3.4.8-1 Draft Revision 1.0

RCS Specific Activity B 3.4.8 BASES ACTIONS (continued)

A Note to the Required Action of Condition A states that LCO 3.0.4.c is applicable. This exception allows entry into the applicable MODE(S) when an allowance is stated in the ACTIONS even though the ACTIONS may eventually require unitplant shutdown. This exception is acceptable due to the significant conservatism incorporated into the specific activity limit, the low probability of an event which is limiting due to exceeding this limit, and the ability to restore transient specific activity excursions while the unitplant remains at, or proceeds to power operation.

B.1 With the DOSE EQUIVALENT XE-133 greater than the LCO limit, DOSE EQUIVALENT XE-133 must be restored to within limit within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months .

The allowed Completion Time of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months is acceptable since it is expected that, if there were a noble gas spike, the normal coolant noble gas concentration would be restored within this time period. Also, there is a low probability of a small line break occurring during this time period.

A Note permits the use of the provisions of LCO 3.0.4.c. This allowance permits entry into the applicable MODES, relying on Required Action B.1 while the DOSE EQUIVALENT XE-133 LCO limit is not met. This allowance is acceptable due to the significant conservatism incorporated into the specific activity limit, the low probability of an event which is limiting due to exceeding this limit, and the ability to restore transient specific activity excursions while the unitplant remains at, or proceeds to, power operation.

C.1 and C.2 If the Required Action and associated Completion Time of Condition A or B is not met, or if the DOSE EQUIVALENT I-131 is > 12 Ci/gm, the reactor must be brought to MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 3 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating requirements, to reach the required unitplant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.4.8.1 REQUIREMENTS SR 3.4.8.1 requires performing a gamma isotopic analysis and calculating the DOSE EQUIVALENT XE-133 using the dose conversion factors in the DOSE EQUIVALENT XE-133 definition. This measurement is the sum of NuScale B 3.4.8-3 Draft Revision 1.0

RCS Specific Activity B 3.4.8 BASES SURVEILLANCE REQUIREMENTS (continued) the degassed gamma activities and the gaseous gamma activities in the sample taken. This Surveillance provides an indication of any increase in the noble gas specific activity.

Trending the results of this Surveillance allows proper remedial action to be taken before reaching the LCO limit under normal operating conditions.

If a specific noble gas nuclide listed in the definition of DOSE EQUIVALENT XE-133 is not detected, it should be assumed to be present at the minimum detectable activity.

The Surveillance Frequency is based on industry operating experience, equipment reliability, and unitplant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.4.8.2 This Surveillance is performed to ensure iodine specific activity, calculated using the dose conversion factors in the DOSE EQUIVALENT I-131 definition, remains within the LCO limit during normal operation and following fast power changes when iodine spiking is more likely to occur.

The normal Surveillance Frequency is based on industry operating experience, equipment reliability, and unitplant risk and is controlled under the Surveillance Frequency Control Program.

The conditional Frequency, between 2 and 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months after a power change

> 15% RTP within a 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months period, is established because the iodine levels peak during this time following iodine spike initiation; samples at other times would provide inaccurate results.

REFERENCES 1. FSAR Chapter 15, Transient and Accident Analyses.

NuScale B 3.4.8-4 Draft Revision 1.0

SG Tube Integrity B 3.4.9 BASES LCO (continued)

The operational LEAKAGE performance criterion provides an observable indication of SG tube conditions during unitplant operation. The limit on operational LEAKAGE is contained in LCO 3.4.8, RCS Operational LEAKAGE, and limits primary to secondary LEAKAGE through any one SG to 150 gallons per day. This limit is based on the assumption that a single crack leaking this amount would not propagate to a SGTF under the stress conditions of a LOCA or a main steam line break. If this amount of LEAKAGE is due to more than one crack, the cracks are very small, and the above assumption is conservative.

APPLICABILITY Steam generator tube integrity is challenged when the pressure differential across the tubes is large. Large differential pressures across SG tubes can only be experienced in MODE 1, 2, or 3 and not PASSIVELY COOLED.

RCS conditions are far less challenging in MODE 3 and PASSIVELY COOLED, MODES 4 and 5 than during MODES 1, 2, and 3 and not PASSIVELY COOLED. In MODE 3 and PASSIVELY COOLED, MODES 4 and 5, primary to secondary differential pressure is low, resulting in lower stresses and reduced potential for LEAKAGE.

ACTIONS The ACTIONS are modified by a Note clarifying that the Conditions may be entered independently for each SG tube. This is acceptable because the Required Actions provide appropriate compensatory actions for each affected SG tube. Complying with the Required Actions may allow for continued operation, and subsequent affected SG tubes are governed by subsequent Condition entry and application of associated Required Actions.

A.1 and A.2 Condition A applies if it is discovered that one or more SG tubes examined in an inservice inspection satisfy the tube repair criteria but were not plugged in accordance with the Steam Generator Program as required by SR 3.4.9.2. An evaluation of SG tube integrity of the affected tube(s) must be made. Steam generator tube integrity is based on meeting the SG performance criteria described in the Steam Generator Program. The SG repair criteria define limits on SG tube degradation that allow for flaw growth between inspections while still providing assurance that the SG performance criteria will continue to be met. In order to determine if a SG tube that should have been plugged has tube integrity, an evaluation must be completed that demonstrates that the SG NuScale B 3.4.9-4 Draft Revision 1.0

SG Tube Integrity B 3.4.9 BASES ACTIONS (continued) performance criteria will continue to be met until the next refueling outage or SG tube inspection. The tube integrity determination is based on the estimated condition of the tube at the time the situation is discovered and the estimated growth of the degradation prior to the next SG tube inspection. If it is determined that tube integrity is not being maintained, Condition B applies.

A Completion Time of 7 days is sufficient to complete the evaluation while minimizing the risk of unitplant operation with a SG tube that may not have tube integrity.

If the evaluation determines that the affected tube(s) have tube integrity, Required Action A.2 allows unitplant operation to continue until the next refueling outage or SG inspection provided the inspection interval continues to be supported by an operational assessment that reflects the affected tubes. However, the affected tube(s) must be plugged prior to entering MODE 3 following the next unit refueling outage or SG inspection. This Completion Time is acceptable since operation until the next inspection is supported by the operational assessment.

B.1 and B.2 If the Required Actions and associated Completion Times of Condition A are not met or if SG tube integrity is not being maintained, the reactor must be brought to MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 3 and PASSIVELY COOLED within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months .

The allowed Completion Times are reasonable, based on operating experience, to reach the desired unitplant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.4.9.1 REQUIREMENTS During shutdown periods the SGs are inspected as required by this SR and the Steam Generator Program. NEI 97-06, Steam Generator Program Guidelines (Ref. 1), and its referenced EPRI Guidelines, establish the content of the Steam Generator Program. Use of the Steam Generator Program ensures that the inspection is appropriate and consistent with accepted industry practices.

During SG inspections a condition monitoring assessment of the SG tubes is performed. The condition monitoring assessment determines the as found condition of the SG tubes. The purpose of the condition NuScale B 3.4.9-5 Draft Revision 1.0

ECCS B 3.5.1 BASES BACKGROUND (continued) actuation logic for ECCS actuation. In applicable design basis accident scenarios, this actuation setpoint is sufficient to ensure the core remains cooled and covered.

In MODE 3 with all ECCS valves closed, the RVVs provide Low Temperature Over-Pressure (LTOP) protection for the RCS. If RCS pressure exceeds an established setpoint while the RCS temperature is approaching or below the nil ductility temperature of the limiting components of the reactor pressure boundary, the MPS will actuate to open the RVVs. This actuation is described in Technical Specifications 3.3.1 and 3.3.3. Automatic LTOP protection is provided by the MPS during RCS operations at reduced temperatures.

Actuation logic of each ECCS RVV includes a mechanical actuation block to reduce the likelihood of inadvertent operation of the valve during power operations. The block exists when the difference between the containment pressure and RCS pressure is greater than approximately 1400 psid. This differential pressure is much greater than could exist when the LTOP protection is required to function.

Therefore the inadvertent actuation block will not prevent immediate opening of the RVVs if an LTOP actuation occurs.

In MODE 3 in PASSIVE COOLING, the ECCS is either performing its design function to support the transfer of decay heat from the reactor core to the containment vessel so the system or alternative means of removing decay heat have been established and the system is no longer required to be OPERABLE. With at least two RVVs open, the system also provides a vent path from the RCS to containment, preventing potential LTOP conditions.

In MODE 4 the ECCS is not required when the ECCS valves are open and de-energized, or the PASSIVELY COOLED ensuring decay heat removal is being accomplished. Additionally, in MODE 4 during moduleMODULE relocation between the containment tool and the reactor tool, the de-energized and opened RRVs provide direct communication between the reactor pool surface inside the containment and the RCS. During this period, and while in MODE 5, core cooling is accomplished by conduction through the reactor pressure vessel wall to the ultimate heat sink. Once the RPV is separated at the flange during disassembly the RCS is in direct contact with the reactor pool thereby ensuring adequate cooling by direct contact with the ultimate heat sink. Therefore the ECCS is not required to be OPERABLE in MODE 5.

NuScale B 3.5.1-3 Draft Revision 1.0

ECCS B 3.5.1 BASES LCO This LCO establishes the minimum conditions necessary to ensure that ECCS valves will be available to meet the initial conditions assumed in the safety analyses. Two RVVs and one RRV provide the safety function of the safety analyses for LOCA and SGTF events.

Two RVVs provide the LTOP safety function of the LTOP event. Loss of any system component eliminates the redundancy provided to meet its safety function.

APPLICABILITY The ECCS is relied upon to provide a passive response to loss of coolant accidents in MODES 1 and 2, and in MODE 3 when not PASSIVELY COOLED. In MODE 3 the system provides low temperature over pressure protection. The ECCS valves are opened and performing their required function in MODE 3 when PASSIVELY COOLED. Additionally, the valves are ensured to open when power is removed when the moduleMODULE is disconnected at the operating position as part of the refueling process. In MODE 4 and 5 core cooling is provided by passive conduction through the containment vessel or direct communication and contact of the core with the ultimate heat sink. Therefore the ECCS valves are not required to be OPERABLE in MODE 4 or 5.

ACTIONS A.1 To meet the ECCS safety function at least two RVVs must open. If a single RVV is inoperable it eliminates the redundancy of this safety system. The valve must be restored to OPERABLE. A completion time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is reasonable based on the probability of a LOCA or LTOP condition occurring during this period, the reliability of the other RVVs, and the ability of the plant system to cope with this event using the chemical volume control system and the containment flooding and drain system.

B.1 To meet the ECCS safety function at least one RRV must open. If a single RRV is inoperable it eliminates the redundancy of the of this safety system. The valve must be restored to OPERABLE. A completion time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is reasonable based on the probability of a LOCA condition occurring during this period, the reliability of the other RRV, and the ability of the plant system to cope with this event using the chemical volume control system and the containment flooding and drain system.

NuScale B 3.5.1-5 Draft Revision 1.0

ECCS B 3.5.1 BASES ACTIONS (continued)

C.1 and C.2 If the Required Actions cannot be completed within the associated Completion Times, if two or more RVVs, or both RRVs are inoperable the unitplant must be placed in a condition that does not rely on the ECCS valves opening. To accomplish this, the unitplant must be shutdown and placed in a safe condition. To do this the unitplant is shutdown and enters MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

Additionally, within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months the PASSIVE COOLING must be established to ensure decay heat is removed and transferred to the UHS.

SURVEILLANCE SR 3.5.1.1 REQUIREMENTS Verification that the RVVs and RRVs are OPERABLE by stroking the valves open ensures that each train of ECCS will function as designed when these valves are actuated. One RVV is designed to be actuated by either division of the MPS and it must be verified to open from each division without dependence on the other. The RVVs and RRVs safety function is to open as described in the safety analysis.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.1.2 Verifying that the open actuation time of each RVV and RRV is within limits is required to demonstrate OPERABILITY. The open actuation time test ensures that the valve will open in a time period less than or equal to that assumed in the safety analysis. The opening times are as specified in the INSERVICE TESTING PROGRAM. One RVV is designed to be actuated by either division of the MPS and its actuation time must be tested to from each division without dependence on the other.

Frequency of this SR is in accordance with the INSERVICE TESTING PROGRAM.

SR 3.5.1.3 Verification of the inadvertent actuation block function ensures that opening of the RVVs and RRVs is blocked when the RCS and the CNV is at or near operating pressure conditions. The IAB safety NuScale B 3.5.1-6 Draft Revision 1.0

DHRS B 3.5.2 B 3.5 PASSIVE CORE COOLING SYSTEMS (PCCS)

B 3.5.2 Decay Heat Removal System (DHRS)

BASES BACKGROUND The Decay Heat Removal System (DHRS) is a passive heat removal system that is used whenever the normal unitplant feedwater and steam systems are unavailable due to failure or loss of normal AC power. The system is comprised of two trains; one connected to each of the two steam generators.

Each train of decay heat removal includes a steam generator submersed in the reactor coolant system fluid, and a heat exchanger that is attached to the outside of the containment vessel and submerged in the reactor pool. The heat exchanger is located above midline of the steam generator. The top inlet of the DHRS heat exchanger is attached to the main steam line upstream of the main steam isolation valve of the associated steam generator. The bottom of the heat exchanger is attached to the feedwater line downstream of the feedwater isolation valve to the associated steam generator. Each DHR heat exchanger is normally isolated from the main steam lines by two valves, the DHRS Actuation valves, in parallel on the line between the top of the heat exchanger and the main steam line from the associated steam generator.

During normal operation the DHR heat exchanger is filled and maintained pressurized by the feedwater system. When decay heat removal is required to perform its design function the feedwater and main steam isolation valves are closed, and the DHRS Actuation valves open. The closed feedwater and main steam isolation valves form part of the DRHS pressure boundary, these valves are described in FSAR Section 5.4 (Ref. 1). This allows the water stored in the heat exchanger and piping to enter the steam generator via gravity as steam flows into the heat exchanger from the main steam line. Steam condenses on the inside of the tubes and continues to drain back to the steam generator in a closed loop. The inventory of the decay heat removal system is sufficient to support the operation of the system.

Only one train of DHRS is required to meet the decay heat removal requirements of the power module, and only one DHRS Actuation valve is required to open to ensure operation of a decay heat removal train. As a result there is no single active failure that will prevent the DHRS from performing its design function.

NuScale B 3.5.2-1 Draft Revision 1.0

DHRS B 3.5.2 BASES LCO This LCO ensures that sufficient DHRS equipment is OPERABLE to meet the initial conditions assumed in the safety analyses. One train of DHRS is required to function to meet the safety function of the system.

Loss of any system component impacts the redundancy needed to ensure that the system is capable of meeting its safety function if a single failure occurs.

APPLICABILITY The DHRS is relied upon to provide a passive means of decay heat removal in MODES 1 and 2. The DHRS must remain OPERABLE in MODE 3 until PASSIVE COOLING. In MODE 4, DHRS is not required because conductive shutdown cooling through the containment vessel to the reactor pool has been established. When being disassembled in MODE 4 and in MODE 5 when one or more reactor vessel flange bolts are less than fully tensioned, but before the upper module and lower reactor vessel are separated, the containment lower shell has been removed and the reactor vessel and RCS are cooled by direct contact with the reactor pool. In MODE 5 decay heat removal is by direct transfer to the refueling pool water which is in contact with the reactor fuel.

ACTIONS A.1 To meet the DHR safety function at least one train must function. If a single train of DHR is inoperable it eliminates the redundancy of of this safety system. The system must be restored to OPERABLE.

A completion time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is reasonable based on the probability of the DHR system being needed during this period, the reliability of the other train of DHR, and the ability of the unitplant to cope with this event using the ECCS.

B.1 and B.2 If the Required Actions cannot be completed within the associated Completion Time, or if both trains of DHRS are declared inoperable the unitplant must be placed in a mode that does not rely on the DHRS. To accomplish this the unitplant must be in MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and PASSIVE COOLING must be established within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months .

This condition ensures decay heat is removed and transferred to the UHS.

NuScale B 3.5.2-3 Draft Revision 1.0

DHRS B 3.5.2 BASES SURVEILLANCE SR 3.5.2.1 REQUIREMENTS Verification that the DHRS including the heat exchanger is filled ensures that there is sufficient inventory in the loop to fulfill its design function, and that non-condensable gases have not accumulated in the system. Each train of the DHRS has four level sensors - two located on the DHRS piping below each of the two actuation valves that would indicate a reduced water level in the DHRS loop. Any level switch indicating a reduced water level is sufficient to determine the DHRS loop is not filled.

The DHRS is filled with feedwater during startup, and during normal plant operation it is maintained filled by feedwater pressure.

Feedwater flow through the DHRS loop does not occur because the DHRS actuation valves are closed.

Dissolved gas concentrations are maintained very low in feedwater during startup and operations by secondary water chemistry requirements. Therefore, significant levels of noncondensable gases are not expected to accumulate in the DHRS piping. However, maintaining the required DHRS inventory using the level sensors protects against buildup of noncondensable gases which could adversely affect DHRS operation. Monitoring the level switches ensures the system remains filled and non-condensable gas accumulation has not occurred.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.2 Verifying that the open actuation time of each DHRS actuation valve is within limits is required to demonstrate OPERABILITY. The open actuation time test ensures that the valve will open in a time period less than or equal to that assumed in the safety analysis. The opening times are as specified in the INSERVICE TESTING PROGRAM. Each train of DHRS contains two actuation valves, one actuated from each division of the MPS ESFAS actuation logic.

Frequency of this SR is in accordance with the INSERVICE TESTING PROGRAM.

REFERENCES 1. FSAR Section 5.4, "Reactor Coolant System Component and Subsystem Design."

2. FSAR Chapter 15, Transient and Accident Analysis.

NuScale B 3.5.2-4 Draft Revision 1.0

Ultimate Heat Sink B 3.5.3 B 3.5 PASSIVE CORE COOLING SYSTEMS (PCCS)

B 3.5.3 Ultimate Heat Sink BASES BACKGROUND The ultimate heat sink (UHS) consists of three areas identified as the reactor pool (RP), refueling pool (RFP), and spent fuel pool (SFP). The pool areas are open to each other with a weir wall partially separating the SFP from the RP and RFP. The UHS water level indicates the depth of water in the UHS from the reactor pool floor (25 ft building elevation). The UHS supports or provides multiple safety and important functions including:

a. Acts as ultimate heat sink during postulated design basis events,

b. Provides cooling and shielding of irradiated fuel in the spent fuel storage racks,

c. Limits releases from postulated fuel handling accidents,

d. Provides a reserve of borated water for filling the containment vessel in MODE 3,

e. Limits the temperature of the containment vessel and moduleMODULE during operations,

f. Provides shielding of radiation emitted from the core of an operating moduleMODULE, and

g. Provides buoyancy during moduleMODULE movement in MODE 4.

The UHS function is performed by providing a sufficient heat sink to receive decay heat from a moduleMODULE via the decay heat removal system (DHRS) heat exchangers and conduction through the containment vessel walls after a postulated Emergency Core Cooling System (ECCS) actuation and after transition to long-term shutdown cooling (Ref. 1).

Irradiated fuel is stored in the SFP portion of the UHS that is separated from the balance of the pool by a submerged wall. The submerged wall includes a weir that permits movement of new and irradiated fuel from the storage areas to a reactor during refueling, and also provides a means of inventory communication between the pool areas. The SFP provides cooling and shielding of the irradiated fuel in the storage racks, and provides sufficient water level to retain iodine fission product activity in the event of a fuel handling accident. Sufficient iodine activity NuScale B 3.5.3-1 Draft Revision 1.0

Ultimate Heat Sink B 3.5.3 BASES BACKGROUND (continued) will be retained to limit offsite doses from the accident to within the values reported in FSAR Chapter 15 (Ref. 1).

During transients and shutdowns which are not associated with design basis events in which DHRS or ECCS is actuated, water from the RP is added to the containment vessel by the Containment Flood and Drain System (CFDS). After reaching an appropriate level in the containment, the reactor vent valves (RVVs) and reactor recirculation valves (RRVs) are opened to permit improved heat transfer from the reactor coolant system (RCS) to the containment vessel walls.

During normal operations, the RP limits temperatures of the moduleMODULE by maintaining the containment vessel partially submerged in water. The water also provides shielding above and around the region of the core during reactor operations, limiting exposure to personnel and equipment in the area.

In MODE 4, the moduleMODULE is transported from the operating position to the RFP area of the UHS. The UHS provides buoyancy as the moduleMODULE displaces pool water during the movement, thereby reducing the load on the reactor building crane.

APPLICABLE During all MODES of operation and storage of irradiated fuel, the UHS SAFETY supports multiple safety functions.

ANALYSIS The UHS level is assumed and credited in a number of transient analyses. The 68 ft level provides buoyancy assumed in the reactor building crane analysis and design to ensure its single-failure proof capacity during moduleMODULE movement in MODE 4. A UHS level of 55 ft provides margin above the minimum level required to support DHRS and ECCS operation in response to LOCA and non-LOCA design basis events.

The UHS bulk average temperature is assumed and credited, directly or indirectly in design basis accidents including those that require DHRS and ECCS operation such as LOCA and non-LOCA design basis events. Note that the UHS sensible heat needed to heat the pool to boiling is not credited in the UHS safety analyses for pool inventory.

Additionally, the UHS bulk average temperature is assumed in the buoyancy calculation of the reactor building crane load during movement of the moduleMODULE.

The UHS bulk average boron concentration lower limit is established to ensure adequate shutdown margin during unit shut downs that are not NuScale B 3.5.3-2 Draft Revision 1.0

Ultimate Heat Sink B 3.5.3 BASES APPLICABLE SAFETY ANALYSIS (continued) associated with events resulting in DHRS or ECCS actuation, when the moduleMODULE is filled with RP inventory using the CFDS and the RRVs are opened. It also ensures adequate shutdown margin when the moduleMODULE is configured with the UHS inventory in contact with the reactor core, specifically in MODE 4 when the containment vessel is disassembled for removal, and in MODE 5.

The upper limit on boron concentration is established to limit the effect of moderator temperature coefficient (MTC) during localized or UHS bulk average temperature changes while the moduleMODULE and core are in contact with UHS water. The upper limit also provides assurance for criticality and boron dilution analyses.

The ultimate heat sink level, temperature, and boron concentration parameters satisfy Criterion 2 and 3 of 10 CFR 50.36(c)(2)(ii).

LCO The UHS must provide an adequate heat sink to perform its UHS function. This is accomplished by providing a sufficient mass of water that can be heated, and vaporized to steam if necessary, to remove decay heat via the decay heat removal system or conduction through the containment vessel walls and heat from irradiated fuel in the pool.

The UHS level limits ensure that this mass of water is available.

The UHS bulk average temperature is an initial assumption of safety analyses. The limit on temperature preserves the analysis assumptions and permits crediting the pool to mitigate these events. It also provides margin for performance of the UHS function in that the pool must be heated before vaporization of the contents will begin. Determination of the UHS bulk average temperature is in accordance with approved procedures.

The boron concentration must be within limits when the UHS contents are in communication with the RCS to preserve core reactivity assumptions and analyses. Determination of the bulk average boron concentration is in accordance with approved plant procedures.

APPLICABILITY The limits on UHS level, bulk average temperature and bulk average boron concentration are applicable at all times. The supported safety functions are applicable in all MODES and when irradiated fuel is being handled. The applicability is conservative and recognizes the passive nature and resistance to changes that are inherent in the pool design and operation.

NuScale B 3.5.3-3 Draft Revision 1.0

Ultimate Heat Sink B 3.5.3 BASES ACTIONS A.1, A.2, and A.3 With the UHS level less than< 68 ft but greater than> 55 ft the UHS safety function is preserved, however the margin in the safety analyses of events related to handling of spent fuel is reduced. Also, the assumed buoyancy provided by the water volume displaced by the moduleMODULE is reduced.

Required Actions A.1 and A.2 immediately suspend moduleMODULE movement and the movement of irradiated fuel assemblies. This reduces the likelihood of an event that would be adversely affected by the reduced water level. Suspension of movement does not preclude movement of a moduleMODULE or fuel assembly to a safe position.

Additionally, Required Action A.3, the UHS level must be restored to within limits within 30 days to restore the margin and assumptions of the safety analyses related to long-term cooling of the moduleMODULE and irradiated fuel. The 30 days is appropriate because the UHS safety function continues to be met even if a leak results in sudden draining of the pool to refill the dry dock. The level of > 55 ft ensures more than 3 days of decay heat removal without further action.

B.1 and B.2 If the UHS level is less than 55 ft, the assumptions of the safety analysis regarding decay heat removal may not be met if a leak results in sudden drainage to the dry dock or significant pool liner leakage.

Action must be immediately initiated and continued to restore the UHS level to > 55 ft.

C.1 and C.2 If the UHS bulk average temperature is > 140°F, actions must be taken to restore the UHS bulk average temperature to within the limit. 140°F is the initial temperature assumed in the UHS boiling analysis calculations, and consistent with the RB Crane lifting capacity calculation. Additionally, the SFPC system in conjunction with the RFP cooling system is designed to maintain a UHS bulk average temperature of 140°F.

D.1 and D.2 If the UHS level or bulk average temperature cannot be returned to within limits within the associated Completion Time, the unitplant must be brought to a condition where the decay heat of the unitplant with the potential to be rejected to the UHS is minimized. To achieve this status, NuScale B 3.5.3-4 Draft Revision 1.0

Ultimate Heat Sink B 3.5.3 BASES ACTIONS (continued) the unitplant must be brought to MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 3 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unitplant conditions from full power conditions in an orderly manner and without challenging plant systems.

E.1, E.2, E.3, E.4, and E.5 If the UHS bulk average boron concentration is not within limits, actions must be initiated and continued to restore the concentration immediately.

Additionally, activities that could place pool inventory in communication with the reactor core must be suspended. Therefore, CFDS flow into the containment must be immediately terminated, and disassembly of the containment vessel that would open the RCS to communication with the UHS also suspended. Additionally, moduleMODULE movement must be suspended and the movement of irradiated fuel suspended.

The suspension of module and/or fuel movement shall not preclude completion of movement to safe position.

SURVEILLANCE SR 3.5.3.1 REQUIREMENTS Verification that the UHS level is above the required minimum level will ensure that the assumed heat capacity of the pool is available and the pool will provide the credited mitigation if an irradiated fuel handling accident occurs. Indication of UHS level including alarms when not within limits are available in the main control room.

The Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.3.2 Verification that the UHS bulk average temperature is within limits ensures that the safety analyses assumptions and margins provided by the UHS remain valid. Key UHS temperatures are monitored and alarmed in the control room.

The Frequency is controlled under the Surveillance Frequency Control Program.

NuScale B 3.5.3-5 Draft Revision 1.0

Containment B 3.6.1 BASES LCO (continued)

Compliance with this LCO will ensure a containment configuration, including maintenance access manways, that is structurally sound and that will limit leakage to those leakage rates assumed in the safety analysis.

APPLICABILITY In MODES 1, 2, and 3 with RCS hot temperature hot 200ºF, the RCS contains sufficient energy such that DBA could cause a release of radioactive material into containment. The containment limits the postulated release of radioactive fission products that could be released from the containment from the reactor core and reactor vessel. The containment supports the emergency core cooling system (ECCS) by providing a part of the means of passive heat transfer from the reactor core, coolant, and vessel to the reactor cooling pool. ECCS OPERABILITY is required as described in LCO 3.5.1, Emergency Core Cooling.

In MODE 3 with the RCS hot temperature hot < 200 F, MODES 4 and 5, the probability and consequences of these events are reduced due to unitplant conditions in these MODES. Therefore, containment is not required to be OPERABLE in these MODES.

ACTIONS A.1 In the event containment is inoperable, it must be restored to OPERABLE status within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining containment OPERABLE during MODES 1, 2, and 3 with the RCS hot temperature hot 200ºF. This time period also ensures that the probability of an accident (requiring containment OPERABILITY) occurring during periods when containment is inoperable is minimal.

B.1 and B.2 If containment cannot be restored to OPERABLE status within the required Completion Time, the unitplant must be brought to a MODE in which the LCO does not apply. To achieve this status, the unitplant must be brought to at least MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 3 with RCS hot temperature hot < 200ºF within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months (Ref. 3). The allowed Completion Times are reasonable, to reach the required unitplant conditions from full power conditions in an orderly manner and without challenging plant systems.

NuScale B 3.6.1-3 Draft Revision 1.0

Containment Isolation Valves B 3.6.2 BASES LCO (continued)

This LCO provides assurance that the containment isolation valves will perform their designed safety functions to minimize the loss of reactor coolant inventory and establish the containment boundary during accidents.

APPLICABILITY In MODES 1, 2, and 3 with RCS hot temperature hot 200°F, a DBA could cause a release of radioactive material to containment. In MODE 3 with the RCS hot temperature hot < 200F, MODES 4 and 5, the probability and consequences of these events are reduced due to unitplant conditions in these MODES. Therefore, the containment isolation valves are not required to be OPERABLE in MODE 3 with RCS hot temperature hot < 200F and MODES 4 and 5.

ACTIONS The ACTIONS are modified by four notes. Note 1 allows isolated penetration flow paths to be unisolated intermittently under administrative controls. These administrative controls consist of stationing a dedicated operator at the device controls, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for containment isolation is indicated.

Note 2 provides clarification that, for this LCO, separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable containment isolation device. Complying with the Required Actions may allow for continued operation, and subsequent inoperable containment isolation valves are governed by subsequent Condition entry and application of associated Required Actions.

Note 3 ensures that appropriate remedial actions are taken, if necessary, if the affected systems are rendered inoperable by an inoperable containment isolation device.

Note 4 requires entry into the applicable Conditions and Required Actions of LCO 3.6.1 when leakage results in exceeding the overall containment leakage limit.

A.1 and A.2 Condition A has been modified by a Note indicating that this Condition is only applicable to those penetration flow paths with two containment isolation valves.

NuScale B 3.6.2-3 Draft Revision 1.0

Containment Isolation Valves B 3.6.2 BASES ACTIONS (continued)

B.1 Condition B has been modified by a note indicating that this Condition is only applicable to those penetration flow paths with two condition isolation valves.

With two containment isolation valves in one or more penetration flow paths inoperable, the affected penetration flow path must be isolated within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The method of isolation must include the use of at least one isolation device that cannot be adversely affected by a single active failure. Isolation devices that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, or a blind flange. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is consistent with the ACTIONS of LCO 3.6.1. In the event the affected penetration is isolated in accordance with Required Action B.1, the affected penetration must be verified to be isolated on a periodic basis per Required Action A.2, which remains in effect. This periodic verification is necessary to assure leak tightness of containment and that penetrations requiring isolation following an accident are isolated. The Completion Time of once per 31 days for verifying each affected penetration flow path is isolated is appropriate considering the fact that the devices are operated under administrative controls and the probability of the misalignment is low.

C.1 and C.2 If the Required Actions and associated Completion Times are not met, the unitplant must be brought to a MODE or condition in which the LCO does not apply. To achieve this status, the unitplant must be brought to at least MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and MODE 3 with RCS hot temperature hot < 200ºF within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months .

SURVEILLANCE SR 3.6.2.1 REQUIREMENTS This SR requires verification that each manual containment isolation valve and blind flange located outside containment, and not locked, sealed, or otherwise secured in position, and required to be closed during accident conditions, is closed. The SR helps to ensure that post accident leakage of fission products outside the containment boundary is within design limits. This SR does not require any testing or device manipulation. Rather, it involves verification that those containment isolation devices outside containment and capable of being mispositioned are in the correct position.

NuScale B 3.6.2-5 Draft Revision 1.0

MSIVs B 3.7.1 B 3.7 PLANT SYSTEMS B 3.7.1 Main Steam Isolation Valves (MSIVs)

BASES BACKGROUND Each main steam line has one safety-related MSIV and one non-safety MSIV to isolate steam flow when required to support decay heat removal system (DHRS) operation or containment system (CNTS) operation. The safety-related MSIV is located outside of, and close to the containment.

Each main steam line also includes a nonsafety-related secondary MSIV located downstream of the removable pipe spool between the moduleMODULE and the balance of the steam system. Each of the four MSIVs is provided with a bypass line that contains an associated bypass isolation valve. A description of the safety-related MSIVs is found in FSAR Section 6.2 (Ref. 1). A description of the nonsafety-related secondary MSIVs is found in FSAR Section 10.3. (Ref. 2).

The safety-related MSIVs and nonsafety-related secondary MSIVs, as well as normally-closed MSIV Bypass Valves, are closed on a steam line isolation signal, Decay Heat Removal System (DHRS) and Containment Isolation System actuations as described in Specification 3.3.1. Each MSIV and MSIV Bypass Valve closes on loss of power. Closing the associated Steam Generator (SG) MSIVs and MSIV Bypass Valve isolates the Turbine Bypass System and other steam flows from the SG to the balance of plant.

The MSIVs isolate steam flow from the secondary side of the associated SG following a high-energy line break and preserves the reactor coolant system (RCS) inventory in the event of a steam generator tube failure (SGTF). The MSIVs and MSIV Bypass Valves also form part of the boundary of the safety-related, closed-loop, DHRS described in FSAR Section 5.4 (Ref. 3) and applicable requirements are in Specification 3.5.2.

APPLICABLE The MSIVs and MSIV Bypass Isolation Valves close to isolate the SAFETY SGs from the power conversion system. Isolation limits ANALYSES postulated releases of radioactive material from the SGs in the event of a SG tube failure (Ref. 4) and terminates flow from SGs for postulated steam line breaks outside containment (Ref. 5). This minimizes radiological contamination of the secondary plant systems and components, and minimizes associated potential for activity releases to the environment, and preserves RCS inventory in the event of a SGTF.

The isolation of steam lines is also required for the operation of the DHRS. Isolation valve closure precludes blowdown of more than one SG, NuScale B 3.7.1-1 Draft Revision 1.0

MSIVs B 3.7.1 BASES APPLICABLE SAFETY ANALYSES (continued) preserving the heat transfer capability of an unaffected SG if a concurrent single failure occurs. The DHRS provides cooling for non-loss-of-coolant accident (non-LOCA) design basis events when normal secondary-side cooling is unavailable or otherwise not utilized. The DHRS removes post-reactor trip residual and core decay heat and allows transition of the reactor to safe shutdown conditions.

The safety related MSIV satisifies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

The non-safety related MSIV satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO requires the MSIVs and MSIV Bypass Valves in each of the two steam lines to be OPERABLE. The valves are considered OPERABLE when their isolation times are within limits and they close on an isolation actuation signal and their valve leakage is within limits.

This LCO provides assurance that the MSIVs and MSIV Bypass Valves will perform their design safety function to limit consequences of accidents that could result in offsite exposures comparable to the 10 CFR 50.34 limits or the NRC staff-approved licensing basis.

APPLICABILITY The MSIVs and MSIV Bypass Valves must be OPERABLE in MODE 1, 2, and MODE 3 when not PASSIVELY COOLED. Under these conditions, the isolation of the MSIVs ensures the DHRS can perform its design function and the valves provide a barrier to limit the release of radioactive material to the environment. Closure of the MSIVs also preserves the RCS inventory in the event of a SGTF. Therefore, these valves must be OPERABLE or closed. When these valves are closed they are performing their required function. In MODES 4 and 5, the unitMODULE is shutdown, the SGs do not contain significant energy or inventory, and therefore the MSIVs do not perform any credited safety function.

ACTIONS The ACTIONS are modified by two Notes. The first stating that a separate Condition entry is allowed for each inoperable valve. This is acceptable because the Required Actions provide appropriate compensatory actions for each inoperable isolation valve on each steam line. The second note indicating that MSIV flow paths may be unisolated intermittently under administrative control. These administrative controls consist of stationing a dedicated operator at the device controls, who is in continuous communication with the control room. In this way, the MSIV flow path can be rapidly isolated when a need is indicated.

NuScale B 3.7.1-2 Draft Revision 1.0

MSIVs B 3.7.1 BASES ACTIONS (continued)

A.1 and A.2 With a required MSIV valve inoperable, isolation of the main steam flow path using the MSIV and MSIV Bypass Valves and supported safety functions can no longer accommodate a single failure. The redundant isolation valves in the affected flow path preserve the ability to isolate the steam flow path.

Action A.1 requires isolation of the main steam line within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . Some repairs of the valves may be accomplished within the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months period to restore OPERABILITY and exit the LCO. The 72 completion time is reasonable because the inoperable isolation valve only affects the capability of one of the two redundant DHR trains to function. Only if a single failure occurs that affects the remaining capability to isolate the steam flow path will the DHR train be affected.

The time is reasonable considering the availability of other means of mitigating design basis events, including Emergency Core Cooling System and the low probability of an accident occurring during this time period that would require closure of the specific flow path. Alternatively if the main steam line can be isolated by closing the inoperable valve within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months then its function is being performed. The capability to isolate steam flow if a single failure occurs remains unaffected. If the MSIV is inoperable and cannot be closed, then the steam line should be isolated by the other MSIV and associated bypass valve closed and deactivated, closed manual valve, or blind flange. An inoperable MSIV may be utilized to isolate the line only if its leak tightness has not been compromised. The 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is reasonable to adjust unitplant conditions and take action to isolate the line.

Required Action A.2 is modified by two notes. Note 1 applies to isolation devices located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is acceptable, since access to these areas is typically restricted. Note 2 applies to isolation devices that are locked, sealed, or otherwise secured in position and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable since the function of locking, sealing, or securing components is to ensure that these devices are not inadvertently repositioned. Therefore, the probability of misalignment of these devices once they have been verified to be in the proper position is small.

NuScale B 3.7.1-3 Draft Revision 1.0

MSIVs B 3.7.1 BASES ACTIONS (continued) bypass valve may be utilized to isolate the line only if its leak tightness has not been compromised. The 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is reasonable to adjust unitplant conditions and take action to isolate the line.

Required Action B.2 is modified by two notes. Note 1 applies to isolation devices located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is acceptable, since access to these areas is typically restricted. Note 2 applies to isolation devices that are locked, sealed, or otherwise secured in position and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable since the function of locking, sealing, or securing components is to ensure that these devices are not inadvertently repositioned. Therefore, the probability of misalignment of these devices once they have been verified to be in the proper position is small.

For inoperable components that are not restored to OPERABLE status prior to the required completion time in Required Action B.1 and now have their flow path isolated, Required Action B.2 is applicable. Action B.2 requires that the flow path be verified isolated on a periodic basis.

The 7 day Completion Time is reasonable based on engineering judgement, valve and system status indications available in the control room, and other administrative controls, to ensure these flow paths are isolated.

This condition applies if one MSIV bypass is inoperable in either or both main steam lines. In this case, capability to automatically isolate the steam flow path is preserved by the inner (closest to Containment) or outer (furthest from Containment) redundant valves. If isolation capability is not maintained because of the combination of multiple isolation valves in the same flow path being inoperable, then Condition C is applicable.

C.1 With a flow path with both an inner and outer required valve inoperable, isolation of the main steam flow path using the MSIV and MSIV Bypass Valves and supported safety functions can no longer accommodate a single failure. This action applies to both MSIVs and MSIV Bypass valves in the same flow path.

Action C.1 requires isolation of the main steam line flow path by use of at least one closed and deactivated automatic valve, closed manual valve, blind flange within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . Some repairs of the valves may be NuScale B 3.7.1-5 Draft Revision 1.0

MSIVs B 3.7.1 BASES ACTIONS (continued) accomplished within the 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months period. The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months completion time is reasonable because the inoperable isolation valve only affect the capability of one of the two redundant DHR trains to function. Separate entries are allowed if more than one main steam line is affected.

The time is reasonable considering the availability of other means of mitigating design basis events, including Emergency Core Colling System and the low probability of an accident occurring during this time period that would require closure of the specific flow path.

This condition applies if a MSIV and/or MSIV bypass is inoperable in the inner (closest to Containment) set of valves and a MSIV and/or MSIV bypass is inoperable in the outer (furthest from Containment) set of redundant valves. In this case, capability to automatically isolate the steam flow path is compromised.

If the main steam line can be isolated by closing the inoperable valves within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months then its function is being performed. If the MSIV or Bypass valve is inoperable and cannot be closed, then the steam line should be isolated by the other MSIV and associated bypass valve closed and deactivated, closed manual valve, or blind flange. An inoperable MSIV or bypass valve may be utilized to isolate the line only if its leak tightness has not been compromised.

D.1 and D.2 With Required Actions and associated Completion Times not met, isolation capability of the main steam line(s) is not maintained. The associated DHRS and the ability to isolate postulated releases from the SGs are affected. The unitMODULE must be placed in a condition in which the LCO does not apply using Required Action D.1 and D.2.

Required Action D.1 requires the unitMODULE must be placed in MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

Required Action D.2 requires the unit to be in MODE 3 and PASSIVELY COOLED within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months .

The Completion Times are reasonable based operating activities required to reach these conditions in an orderly manner, without challenging plant systems. The time permits use of normal means to exit the conditions of Applicability. It is also consistent with the Completion Times for an inoperable train of the DHRS.

NuScale B 3.7.1-6 Draft Revision 1.0

MSIVs B 3.7.1 BASES SURVEILLANCE REQUREMENTS SR 3.7.1.1 This SR verifies MSIV and MSIV Bypass Valve closure times are within limits on an actual or simulated actuation signal. The isolation time is assumed in the accident analyses. This Surveillance is normally performed upon returning the unit to operation following a refueling outage. The MSIVs and MSIV Bypass Valves are not tested at power since even a partial stroke exercise increases the risk of a valve closure when the unit is generating power. Because the isolation valves are not tested at power, they are exempt from the ASME OM Code (Ref. 6) requirements during operation in MODE 1.

The Frequency is in accordance with the INSERVICE TESTING PROGRAM.

This test is conducted with the unit in MODE 5. The valves cannot be fully stroked during unitplant operation because closing a secondary MSIV causes SG pressure and level transients and, most likely, a turbine trip and reactor trip.

SR 3.7.1.2 This SR verifies MSIV and MSIV Bypass Valves leakage are within limits.

The MSIVs and MSIV Bypass Valves serve as a boundary for the DHRS and route steam from the steam generator to the DHR condenser when the DHR system is actuated.

The Frequency is in accordance with the INSERVICE TESTING PROGRAM.

REFERENCES 1. FSAR Section 6.2, Containment Systems.

2. FSAR Section 10.3, Main Steam System.

3. FSAR Section 5.4, Reactor Coolant System Component and Subsystem Design.

4. FSAR Section 15.6, Decrease in Reactor Coolant Inventory.

5. FSAR Section 15.1, Increase in Heat Removal by Secondary System.

6. ASME OM Code, Code for Operation and Maintenance of Nuclear Power Plants.

NuScale B 3.7.1-7 Draft Revision 1.0

Feedwater Isolation B 3.7.2 B 3.7 PLANT SYSTEMS B 3.7.2 Feedwater Isolation BASES BACKGROUND Each Feedwater line has one safety-related feedwater isolation valve (FWIV) to isolate feedwater flow when required to support decay heat removal system (DHRS) operation or the containment system (CNTS).

The safety-related FWIVs are located outside of and close to containment. Each feedwater line includes a non-safety related feedwater regulating valve (FWRV) located upstream of the removable pipe spool between the moduleMODULE and the balance of the feedwater system.

A description of the safety-related FWIVs is found in FSAR Section 6.2 (Ref. 1). A description of the non-safety related FWRVs is found in FSAR Section 10.4 (Ref. 2).

The safety related FWIVs and non-safety related FWRV are closed on Decay Heat Removal System (DHRS) and Containment Isolation System actuations as described in Specification 3.3.1. Each FWIV and FWRV closes on loss of power. Closing of the FWIVs and FWRVs isolates each Steam Generator (SG) from the other SG and isolates the feedwater flows to the SGs from the balance of plant.

The FWIV and FWRV isolate the feedwater flow from the secondary side of the associated SG following a high energy line break and preserve RCS inventory in the event of a steam generator tube failure (SGTF). The FWIVs and FWRVs form part of the boundary of the safety-related DHRS closed loop, as described in FSAR Section 5.4 (Ref. 3) and applicable requirements in Specification 3.5.2.

APPLICABLE The FWIVs and FWRVs close to isolate the SGs from the system SAFETY feedwater balance of plant. Isolation limits postulated releases of ANALYSES radioactive material from the SG in the event of a SG tube failure and terminates flow to the SGs in postulated feedwater line breaks inside and outside containment (Ref. 4). This minimizes radiological contamination of the secondary plant systems and components, and minimizes any associated potential for activity releases to the environment and preserves safety RCS inventory levels.

The isolation of the feedwater lines is also required for the operation of the DHRS. Isolation valve closure precludes blowdown of more than one SG, preserving the heat transfer capability of the unaffected SG if a concurrent single failure occurs. The DHRS provides cooling for non-loss of coolant accident (non-LOCA) design basis events when normal secondary side cooling is unavailable or otherwise not utilized. The DHRS NuScale B 3.7.2-1 Draft Revision 1.0

Feedwater Isolation B 3.7.2 BASES ACTIONS (continued) and deactivated automatic valve, closed manual valve, or blind flange. An inoperable FWIV/FWRV may be utilized to isolate the line only if its leak tightness has not been compromised. This action returns the system to a condition in which at least one valve in the affected flow path is performing the required safety function. The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months Completion Time is a reasonable amount of time to complete the actions required to close the FWIV, or FWRV, which includes performing a controlled unitplant shutdown without challenging plant systems.

D.1, and D.2 If the FWIVs and FWRVs cannot be restored to OPERABLE status, or closed, or isolated within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unitplant must be placed in at least MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , in MODE 3 and PASSIVELY COOLED within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, to reach the required unit conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.7.2.1 REQUIREMENTS This SR verifies that the closure time of each FWIV and FWRV is within limits, on an actual or simulated actuation signal. The FWIV and FWRV isolation times are assumed in the accident and containment analyses.

This Surveillance is normally performed upon returning the unit to operation following a refueling outage. These valves are tested when the unitplant is in a shutdown condition, since even a part stroke exercise increases the risk of a valve closure when the unit is generating power.

Because the isolation valves are not tested when the unitplant is in a shutdown condition, they are exempt from ASME OM Code (Ref. 5) requirements during operation in MODE 1.

The Frequency is in accordance with the INSERVICE TESTING PROGRAM.

NuScale B 3.7.2-4 Draft Revision 1.0

Nuclear Instrumentation B 3.8.1 B 3.8 REFUELING OPERATIONS B 3.8.1 Nuclear Instrumentation BASES BACKGROUND Three refueling neutron flux channels are provided to monitor the core reactivity during refueling operations. These detectors are located external to the reactor vessel below the reactor vessel flange and detect neutrons leaking from the core with the ability to be extended and retracted to facilitate moduleMODULE disassembly and reassembly.

The refueling neutron flux detectors are proportional counters. The detectors monitor the neutron flux in counts per second. The instrument range covers five decades of neutron flux (from 1E0 cps to 1E5 cps) with a 5% instrument accuracy. The refueling neutron flux channels also provide continuous visual indication in the control room and continuous visual and audible indication at the refueling panel located in the reactor building at elevation 100 ft in close proximity to the refueling area.

After the RPV is placed on the RPV refueling stand, a retractable support mechanism positions the refuel neutron monitors in the detector sleeves on the RPV. This ensures the refuel neutron monitors are placed in the same position for each refueling. The refuel neutron monitors are located in the refuel pool bay area and are separate from the normal excore detectors used during operation. These are the only neutron monitors utilized during refueling.

APPLICABLE Two OPERABLE refueling neutron flux channels are required to SAFETY provide a signal to alert the operator to unexpected changes in core ANALYSES reactivity. During initial fuel loading, or when otherwise required, temporary neutron detectors may be used to provide additional reactivity monitoring (Ref. 1).

The audible count rate from the refueling neutron flux channels provides prompt and definite indication of any change in reactivity. The count rate increase is proportional to subcritical multiplication and allows operators to promptly recognize any change in reactivity. Prompt recognition of unintended reactivity changes is consistent with the assumptions of the safety analysis and is necessary to assure sufficient time is available to initiate action before SHUTDOWN MARGIN is lost (Ref. 1). The refueling neutron flux channels satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

NuScale B 3.8.1-1 Draft Revision 1.0

Nuclear Instrumentation B 3.8.1 BASES LCO This LCO requires two of the three refueling neutron flux channels to be OPERABLE to ensure that redundant monitoring capability is available to detect changes in core reactivity during removal of the upper reactor vessel assembly and during fuel movement in the reactor vessel. To be OPERABLE, each channel must provide visual indication in the control room. In addition, at least one of the two required channels must provide an OPERABLE audible count rate function to alert the operators to the initiation of a boron dilution event.

APPLICABILITY In MODE 5 when the reactor vessel upper assembly is not seated on the reactor vessel flange, the refueling neutron flux channels are required to be OPERABLE to determine possible unexpected changes in core reactivity. There are no other direct means available to monitor the core reactivity conditions. The Applicability allows the retractable refueling neutron flux channels to be installed on the lower reactor vessel assembly following entry into MODE 5 (i.e., after detensioning the first reactor vessel flange bolt) and prior to the reactor vessel upper assembly lift. In MODES 1, 2, and 3 the ModuleMODULE Protection System neutron detectors and associated circuitry are required to be OPERABLE by LCO 3.3.1, ModuleMODULE Protection System (MPS) Instrumentation. In MODE 4, the moduleMODULE is disconnected from unborated water sources and the moduleMODULE Neutron Monitoring System. No changes to the core reactivity can occur in MODE 4 because a boron dilution event or fuel loading error cannot occur in this condition.

Therefore, neutron monitoring is not required in MODE 4.

ACTIONS A.1 and A.2 Redundancy has been lost if only one refueling neutron flux channel is OPERABLE. In addition, if the required refueling neutron flux audible count rate channel is inoperable, prompt and definite indication of a boron dilution event, consistent with the assumptions of the safety analysis, is lost. Since these instruments are the only direct means of monitoring core reactivity conditions, positive reactivity additions and introduction of water into the reactor pool with boron concentration less than required to meet the minimum boron concentration of LCO 3.5.3, Ultimate Heat Sink, must be suspended immediately. Suspending positive reactivity additions that could result in failure to meet the minimum boron concentration limit is required to assure continued safe operation. Introduction of water inventory must be from sources that have a boron concentration greater than that which would be required in the reactor pool for minimum refueling boron concentration. This may result in an overall reduction in reactor pool boron concentration, but provides acceptable margin to maintaining NuScale B 3.8.1-2 Draft Revision 1.0

Nuclear Instrumentation B 3.8.1 BASES ACTIONS (continued) subcritical conditions. Performance of Required Action A.1 shall not preclude completion of actions to establish a safe condition.

B.1 and B.2 If no refueling neutron flux channels are OPERABLE, actions to restore a monitor to OPERABLE status shall be initiated immediately. Once initiated, actions shall be continued until a refueling neutron flux channel is restored to OPERABLE status.

If no refueling neutron flux channels are OPERABLE, there is no direct means of detecting changes in core reactivity. However, since positive reactivity additions are discontinued, the core reactivity condition is stabilized and no changes are permitted until the refueling neutron flux channels are restored to OPERABLE status. This stablized condition is confirmed by performing SR 3.5.3.3 to verify that the required boron concentration exists.

The Completion Time of once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that unplanned changes in boron concentration would be identified. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time is reasonable considering the low probability of a change in core reactivity during this time period and the volume of the reactor pool.

SURVEILLANCE SR 3.8.1.1 REQUIREMENTS SR 3.8.1.1 is the performance of a CHANNEL CHECK, which is the comparison of the indicated parameter values monitored by each of these instruments. It is based on the assumption that the two required indication channels should be consistent for the existing core conditions. Changes in core geometry due to fuel loading can result in significant differences between the refueling neutron flux monitor channels, however each channel should be consistent with its local conditions.

The Frequency specified in the Surveillance Frequency Control Program is consistent with the CHANNEL CHECK Frequency specified for similar instruments in LCO 3.3.1, ModuleMODULE Protection System (MPS)

Instrumentation."

NuScale B 3.8.1-3 Draft Revision 1.0

Decay Time B 3.8.2 B 3.8 REFUELING OPERATIONS B 3.8.2 Decay Time BASES BACKGROUND The movement of irradiated fuel assemblies requires allowing at least 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months for radioactive decay before initiating handling of irradiated fuel.

During fuel handling, this LCO ensures that sufficient radioactive decay has occurred in the event of a fuel handling accident (Refs. 1 and 2).

Sufficient radioactive decay of short lived fission products would have occurred to limit offsite doses from the accident to within the values reported in FSAR Chapter 15 (Ref. 2).

APPLICABLE The minimum radioactivity decay time is an initial condition assumed SAFETY in the analysis of a fuel handling accident, as postulated by Regulatory ANALYSES Guide 1.183 (Ref. 1) and described in Reference 3.

It is assumed that all of the fuel rods in one irradiated fuel assembly are damaged to the extent that all the gap activity in the rods is released instantaneously. The damaged fuel assembly is assumed to be the assembly with the highest fission product inventory. The fission product inventories from which the highest is selected are those inventories present 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months after the reactor becomes subcritical.

The decay time requirement satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO requires the reactor be subcritical for at least 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months prior to commencing movement of irradiated fuel within the reactor pressure vessel. This LCO does not preclude core movement associated with module movementMODULE MOVEMENT. A minimum radioactive decay time ensures that the radiological consequences of a postulated fuel handling accident are within the values calculated in Reference 2.

APPLICABILITY This LCO is applicable when moving irradiated fuel assemblies in the reactor pressure vessel. The LCO minimizes the possibility of radioactive release due to a fuel handling accident that is beyond the assumptions of the safety analysis. If irradiated fuel assemblies are not being moved, a postulated fuel handling accident is precluded. Requirements for fuel handling accidents in the spent fuel pool are also covered by LCO 3.5.3, Ultimate Heat Sink.

NuScale B 3.8.2-1 Draft Revision 1.0

NuScale Final Safety Analysis Report System Features measurements, as required by the technical specifications to verify that I&C safety systems perform required safety functions.

The normal configuration of MPS is designed with one-way communication from the MPS safety function modules to the MWS through the MPS gateway. Adjustments to parameters are performed in accordance with plant operating procedures that govern the parameter adjustment. Technical specifications establish the minimum number of redundant safety channels that must remain operable for the current operating mode and conditions.

Changing of setpoints and tunable parameters within the MPS is not allowed when the SFM is in service. Using one MWS, only one separation group may be calibrated at a time during normal operation at power. To perform calibrations on the MPS, the affected SFM must be taken out of service subject to technical specification limits (see Section 7.2.4). Any SFM in maintenance bypass will generate an alarm in the MCR.

While a channel is bypassed, the redundant MPS separation groups are fully capable of completing the safety function with the remaining three redundant channels.

Once the SFM is out of service, a temporary cable is connected between the MWS and the calibration and test bus communication port on the associated monitoring and indication bus communications module. The removal from service of an SFM, corrective maintenance, parameter update, and return to service processes are administratively controlled.

The MPS provides the capability to bypass an NMS channel to support NMS system calibration.

7.2.15.2 I&C system testing The MPS is designed to support testing as specified in IEEE Standard 338-1987 as endorsed and modified by RG 1.118, Revision 3, and IEEE Standard 603-1991 (Reference 7.2-11) with supplemental guidance in RG 1.22, Revision 0, and RG 1.47, Revision 1.

The MPS and NMS allow SSCs to be tested while retaining the capability to accomplish required safety functions. The MPS uses modules from the HIPS platform which are designed to eliminate non-detectable failures through a combination of built-in self-testing and periodic surveillance testing.

Testing from the sensor inputs of the MPS through to the actuated equipment is accomplished through a series of overlapping sequential tests, and the majority of the tests may be performed with the NPM at power. Where testing final equipment at power has the potential to upset plant operation or damage equipment, provisions are made to test the equipment when the NPM is shut down.

RAI 16-2 Periodic surveillance testing also verifies the continual self-testing functions.

Performance of periodic surveillance testing does not involve disconnecting wires or installation of jumpers for at-power testing. The self-test features maintain separation Tier 2 7.2-71 Draft Revision 1

Response to Request for Additional Information Docket No.52-048 eRAI No.: 9031 Date of RAI Issue: 08/08/2017 NRC Question No.: 16-3 Paragraph (a)(11) of 10 CFR 52.47 and paragraph (a)(30) of 10 CFR 52.79 state that a design certification (DC) applicant and a combined license (COL) applicant, respectively, are to propose technical specifications (TS) prepared in accordance with 10 CFR 50.36 and 50.36a.

10 CFR 50.36 sets forth requirements for TS to be included as part of the operating license for a nuclear power facility. The model standard technical specifications (STS) in the following documents provide NRC guidance on format and content of TS as acceptable means to meet 10 CFR 50.36 requirements. These documents may be accessed using the Agencywide Documents Access and Management Systems (ADAMS) by their accession numbers.

NUREG-1431, STS Westinghouse Plants, Revision 4 (ADAMS Accession Nos.

ML12100A222 and ML12100A228)

NUREG-1432, STS Combustion Engineering Plants, Revision 4 (ADAMS Accession Nos.

ML12102A165 and ML12102A169)

NUREG-2194, STS Westinghouse Advanced Passive 1000 (AP1000) Plants, Revision 0 (ADAMS Accession No. ML16111A132)

The NRC staff needs to evaluate technical differences in the proposed generic TS (GTS) from applicable provisions in these documents, which are referenced by the DC applicant in Design Control Document (DCD) Tier 2, Section 16.1, and the docketed rationale for each difference because conformance to STS provisions is used in the safety review as the initial point of guidance for evaluating the adequacy of the GTS to ensure adequate protection of public health and safety, and the completeness and accuracy of the GTS Bases.

In Section 1.3, Completion Times, the Description section includes a new second paragraph, based on TSTF-529-A, as follows:

Unless otherwise specified, the Completion Time begins when a senior licensed operator on the operating shift crew with responsibility for plant operations makes the determination that an LCO is not met and an ACTIONS Condition is entered. The otherwise specified exceptions are varied, such as a Required Action Note or Surveillance Requirement Note that provides an alternative time to perform specific tasks, such as testing, without starting the Completion Time. While utilizing the Note, should a Condition be applicable for any NuScale Nonproprietary

reason not addressed by the Note, the Completion Time begins. Should the time allowance in the Note be exceeded, the Completion Time begins at that point....

In TSTF-529-A, Revision 4, this paragraph continues with the following example of a third way to specify a completion time exception:

...The exceptions may also be incorporated into the Completion Time. For example, LCO 3.8.1, "AC Sources - Operating," Required Action B.2, requires declaring required feature(s) supported by an inoperable diesel generator, inoperable when the redundant required feature(s) are inoperable. The Completion Time states, "4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months from discovery of Condition B concurrent with inoperability of redundant required feature(s)." In this case the Completion Time does not begin until the conditions in the Completion Time are satisfied.

a. The second sentence about the use of otherwise specified exceptions does not have a Section 1.3 example illustrating the various ways a delay in starting a completion time clock is specified. The applicant is requested to list all such exceptions contained in the NuScale GTS and propose one or more (as appropriate) examples to explain how to correctly implement such completion time exceptions. Such an example may be appended to the proposed second paragraph (consistent with the traveler), or provided as an additional enumerated example in Section 1.3.

b. Based on the remainder of the proposed paragraph, it appears that all GTS completion time exceptions are stated within a required action note or a surveillance column note. If this is not the case, please clarify the paragraph by describing the other ways the GTS specify a completion time exception.

c. In the Section 1.3 Description section, the fourth and fifth paragraphs end with the clause, unless otherwise specified, which was added by TSTF-529; these paragraphs state:

If situations are discovered that require entry into more than one Condition at a time within a single LCO (multiple Conditions), the Required Actions for each Condition must be performed within the associated Completion Time. When in multiple Conditions, separate Completion Times are tracked for each Condition starting from the discovery of the situation that required entry into the Condition, unless otherwise specified.

Once a Condition has been entered, subsequent trains, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition, unless specifically stated. The Required Actions of the Condition continue to apply to each additional failure, with Completion Times based on initial entry into the Condition, unless otherwise specified.

The applicant is requested to identify where, and consider providing an example of, these otherwise specified completion time exceptions occur in the GTS. Also, restore the travelers article the in the fourth paragraph, last sentence, which the GTS Bases omitted.

d. The first sentence about when a completion time begins should be clarified so that NuScale Nonproprietary

consistency with other guidance, such as for operability determinations, is ensured; or explain why such clarification is not needed.

NuScale Response:

The NuScale Technical Specifications were developed based on the design and operation of the facility, the applicable regulations and guidance, and with consideration of the 'standard' terminology and framework established in Chapter 1 and sections 3.0 of the standard technical specifications. To the extent practicable and appropriate the approved TSTF travelers were also incorporated.

TSTF-529-A, Revision 4 was adopted and incorporated into section 1.3 of the proposed generic Technical Specifications. However some portions of the TSTF were not specifically relevant to the design, or were not relevant to the TS content as it exists at this time.

For example, a fundamental design concept of the NuScale plant is that it does not depend on emergency AC power as typically included in legacy plant design's LCO 3.8.1. Therefore that portion of the new second paragraph of section 1.3, Completion Times as revised by TSTF-529 was excluded.

However, the concept of 'as otherwise specified' is more generic in nature without reference to a specific LCO or specification. NuScale therefore chose to include this aspect of the TSTF-529 traveler even though there are no specific locations where it is relevant at this time. The concept of defining other specified means of compliance are commonly utilized in the industry Standard Technical Specifications. Without a specific use, an example was not available for inclusion in lieu of the TSTF-provided example, so none was provided.

The omitted word 'the' from the fourth paragraph as identified in this RAI is being added to the specifications as shown below.

Item d. of the RAI requested clarification of when a completion time begins. The description of when a Completion Time begins provided by the TSTF paragraph that was retained is adequate. If plant-specific practices result in the need for additional clarification then a COL holder may, subject to 10 CFR 50.59 and the Bases Control Program in Chapter 5, choose to add reference to operational procedures or practices such as an 'operability determination' process that is not a part of the DCA.

A change to the fourth paragraph of section 1.3 has been made.

Impact on DCA:

Technical Specification Section 1.3 has been revised as described in the response above and as shown in the markup provided in this response.

NuScale Nonproprietary

Completion Times 1.3 1.0 USE AND APPLICATION 1.3 Completion Times PURPOSE The purpose of this section is to establish the Completion Time convention and to provide guidance for its use.

BACKGROUND Limiting Conditions for Operation (LCOs) specify minimum requirements for ensuring safe operation of the unit. The ACTIONS associated with an LCO state Conditions that typically describe the ways in which the requirements of the LCO can fail to be met. Specified with each stated Condition are Required Action(s) and Completion Time(s).

DESCRIPTION The Completion Time is the amount of time allowed for completing a Required Action. It is referenced to the discovery of a situation (e.g.,

inoperable equipment or variable not within limits) that requires entering an ACTIONS Condition unless otherwise specified, providing the unit is in a MODE or specified condition stated in the Applicability of the LCO.

Unless otherwise specified, the Completion Time begins when a senior licensed operator on the operating shift crew with responsibility for plant operations makes the determination that an LCO is not met and an ACTIONS Condition is entered. The "otherwise specified" exceptions are varied, such as a Required Action Note or Surveillance Requirement Note that provides an alternative time to perform specific tasks, such as testing, without starting the Completion Time. While utilizing the Note, should a Condition be applicable for any reason not addressed by the Note, the Completion Time begins. Should the time allowance in the Note be exceeded, the Completion Time begins at that point.

Required Actions must be completed prior to the expiration of the specified Completion Time. An ACTIONS Condition remains in effect and the Required Actions apply until the Condition no longer exists or the unit is not within the LCO Applicability.

If situations are discovered that require entry into more than one Condition at a time within a single LCO (multiple Conditions), the Required Actions for each Condition must be performed within the associated Completion Time. When in multiple Conditions, separate Completion Times are tracked for each Condition starting from the discovery of the situation that required entry into the Condition, unless otherwise specified.

NuScale 1.3-1 Draft Revision 1.0

Response to Request for Additional Information Docket No.52-048 eRAI No.: 9031 Date of RAI Issue: 08/08/2017 NRC Question No.: 16-4 Paragraph (a)(11) of 10 CFR 52.47 and paragraph (a)(30) of 10 CFR 52.79 state that a design certification (DC) applicant and a combined license (COL) applicant, respectively, are to propose technical specifications (TS) prepared in accordance with 10 CFR 50.36 and 50.36a.

10 CFR 50.36 sets forth requirements for TS to be included as part of the operating license for a nuclear power facility. The model standard technical specifications (STS) in the following documents provide NRC guidance on format and content of TS as acceptable means to meet 10 CFR 50.36 requirements. These documents may be accessed using the Agencywide Documents Access and Management Systems (ADAMS) by their accession numbers.

NUREG-1431, STS Westinghouse Plants, Revision 4 (ADAMS Accession Nos.

ML12100A222 and ML12100A228)

NUREG-1432, STS Combustion Engineering Plants, Revision 4 (ADAMS Accession Nos.

ML12102A165 and ML12102A169)

NUREG-2194, STS Westinghouse Advanced Passive 1000 (AP1000) Plants, Revision 0 (ADAMS Accession No. ML16111A132)

The NRC staff needs to evaluate technical differences in the proposed generic TS (GTS) from applicable provisions in these documents, which are referenced by the DC applicant in Design Control Document (DCD) Tier 2, Section 16.1, and the docketed rationale for each difference because conformance to STS provisions is used in the safety review as the initial point of guidance for evaluating the adequacy of the GTS to ensure adequate protection of public health and safety, and the completeness and accuracy of the GTS Bases.

The staff reviewed the Bases for Reactor Core SAFETY LIMIT (SL) 2.1.1.1 on critical heat flux ratio (CHFR) and found no explanation of when each of the three listed CHF correlations are most limiting as a function of core THERMAL POWER and RCS conditions of pressure, core inlet temperature, and coolant flow rate. That is, it is unclear how a violation of the CHFR SL would be determined. The applicant is requested to explain how the core SLs are implemented.

In addition, explain why the Griffith-Zuber CHF correlation SL value of 1.37 is specified with three significant figures, while the NSP2 (1.262) and Extended Hench-Levy (1.122) CHF correlation SLs specified with four significant figures.

NuScale Nonproprietary

NuScale Response:

The proposed Generic Technical Specifications Reactor Core Safety Limits have been revised including removal of reference to the Griffith Zuber Correlation and the associated limit. Each of the Safety Limits is specified to three significant figures.

Additionally, the Safety Limit on peak Linear Heat Rate that was specified in section 2.1.1.2 has been replaced with a peak fuel centerline temperature limit of less than 4791ºF.

These changes were also incorporated into revisions to the Bases of Chapter 2 of the Technical Specifications. The revised Generic Technical Specifications and Bases are attached.

As noted in the revised Safety Limits portion of the Bases for 2.1.1:

The NSP2 correlation limit is applicable to non-LOCA transients.

The Extended Hench-Levy correlation limit is used to evaluate other transients.

Additional discussion of the applicable CHF limit used in analyses is provided in Chapter 15 of the DCA.

A violation of a safety limit would exist if an analysis indicated that the applicable Safety Limit had been exceeded. A violation of a Safety Limit could exist if any of the variables listed in the Applicable Safety Analyses discussion in the Bases were outside of limits. The revised Bases specifically list RCS temperature, RCS pressure, and thermal power in combination with the other LCOs in the Technical Specifications.

For example, if it was determined that a variable (e.g., pressure or thermal power) described in the Bases as protecting the safety limit was not within limits, it could adversely affect compliance with either or both correlation safety limits. A violation of either correlation represents a condition that is a safety limit violation as addressed in the applicable portion of the specification.

Impact on DCA:

The Technical Specifications have been revised as described in the response above and as shown in the markup provided in this response.

NuScale Nonproprietary

SLs 2.0 2.0 SAFETY LIMITS (SLs) 2.1 SLs 2.1.1 Reactor Core SLs 2.1.1.1 In MODE 1 the critical heat flux ratio shall be maintained at or above the following critical heat fluxCHF correlation safety limits:

Correlation Safety Limit NSP2 1.2621.17 Extended Hench-Levy 1.1221.06 Griffith-Zuber 1.37 2.1.1.2 In MODE 1 the peak Linear Heat Rate shall be maintained 21.22 kW/ft. In MODE 1 the peak fuel centerline temperature shall be maintained < 4791°F.

2.1.2 RCS Pressure SL In MODES 1, 2, and 3 pressurizer pressure shall be maintained 2285 psia.

2.2 Safety Limit Violations 2.2.1 If SL 2.1.1 is violated, restore compliance and be in MODE 2 within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

2.2.2 If SL 2.1.2 is violated:

2.2.2.1 In MODE 1, restore compliance and be in MODE 2 within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

2.2.2.2 In MODE 2 or 3, restore compliance within 5 minutes.

NuScale 2.0-1 Draft Revision 1.0

Reactor Core SLs B 2.1.1 BASES APPLICABLE The fuel cladding must not sustain damage as a result of normal SAFETY operation and AOOs. The reactor core SLs are established to preclude ANALYSES violation of the following fuel design criteria:

a. There must be at least 95% probability at a 95% confidence level (the 95/95 CHF criterion) that the hot fuel rod in the core does not experience CHF; and

b. The hot fuel pellet in the core must not experience centerline fuel melting.

The Module Protection System (MPS) setpoints (Ref. 2), in combination with all the LCOs, are designed to prevent any anticipated combination of transient conditions for Reactor Coolant System (RCS) temperature, pressure, RCS Flow, I, and THERMAL POWER level that would result in a critical heat flux ratio (CHFR) of less than the CHFR limit and preclude the existence of flow instabilities.

Automatic enforcement of these reactor core SLs is provided by the appropriate operation of the MPS and the decay heat removal system.

The SLs represent a design requirement for establishing the MPS Trip System setpoints (Ref. 2). LCO 3.4.1, RCS Pressure, and Temperature Critical Heat Flux (CHF) Limits, or the assumed initial conditions of the safety analyses (as indicated in FSAR Section 7.2Chapter 15, Ref. 32) provide more restrictive limits to ensure that the SLs are not exceeded.

SAFETY LIMITS The reactor core SLs are established to preclude violation of the following fuel design criteria:

a. There must be at least a 95% probability at a 95% confidence level (the 95/95 CHF criterion) that the hot fuel rod in the core does not experience CHF; and

b. There must be at least a 95% probability at a 95% confidence level that the hot fuel pellet in the core does not experience centerline fuel melting.

The reactor core SLs are used to define the various MPS functions such that the above criteria are satisfied during steady state operation, normal operational transients, and anticipated operational occurrences (AOOs).

The NSP2 correlation limit is used to evaluate non-LOCA transients as described in the FSAR (Ref. 3). The Extended Hench-Levy and Griffith-Zuber correlation limit iss are usedtilized to evaluate other transients that occur with high and low RCS flow rates respectively as also described in the NuScale B 2.1.1-2 Draft Revision 1.0

Reactor Core SLs B 2.1.1 BASES SAFETY LIMITS (continued)

FSAR Chapter 15 (Ref. 3). To ensure that the MPS precludes violation of the above criteria, additional criteria are applied to the low pressurizer pressure reactor trip functions. That is, it must be demonstrated that the core exit quality is within the limits defined by the CHFR correlation and that the low pressurizer pressure reactor trip protection functions continues to provide protection if core exit streams approach saturation temperature. Appropriate functioning of the MPS ensures that for variations in the THERMAL POWER, RCS Pressure and, RCS cold temperature, and RCS flow rate that the reactor core SLs will be satisfied during steady state operation, normal operational transients, and AOOs.

APPLICABILITY SL 2.1.1 only applies in MODE 1 because this is the only MODE in which the reactor is critical. Automatic protection functions are required to be OPERABLE during MODE 1 to ensure operation within the reactor core SLs. The decay heat removal system and automatic protection actions serve to prevent RCS heatup to the reactor core SL conditions or to initiate a reactor trip function which forces the unit into MODE 2. Setpoints for the reactor trip functions are describedspecified in LCO 3.3.1, Module Protection System (MPS) Instrumentation. and specified in the

[Technical Requirements Manual]. In MODES 2, 3, 4, and 5, applicability is not required since the reactor is not generating significant THERMAL POWER.

SAFETY LIMIT The following SL violation responses are applicable to the reactor core VIOLATIONS SLs. If SL 2.1.1 is violated, the requirement to go to MODE 2 places the unit in a MODE in which this SL is not applicable.

The allowed Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months recognizes the importance of bringing the unit to a MODE of operation where this SL is not applicable, and reduces the probability of fuel damage.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 10.

2. FSAR Section 7.2, Reactor Trip.Chapter 7, "Instrumentation and Controls."

3. FSAR Chapter 15, "Transient and Accident Analyses."

NuScale B 2.1.1-3 Draft Revision 1.0

Response to Request for Additional Information Docket No.52-048 eRAI No.: 9031 Date of RAI Issue: 08/08/2017 NRC Question No.: 16-5 Paragraph (a)(11) of 10 CFR 52.47 and paragraph (a)(30) of 10 CFR 52.79 state that a design certification (DC) applicant and a combined license (COL) applicant, respectively, are to propose technical specifications (TS) prepared in accordance with 10 CFR 50.36 and 50.36a. 10 CFR 50.36 sets forth requirements for TS to be included as part of the operating license for a nuclear power facility. The model standard technical specifications (STS) in the following documents provide NRC guidance on format and content of TS as acceptable means to meet 10 CFR 50.36 requirements. These documents may be accessed using the Agencywide Documents Access and Management Systems (ADAMS) by their accession numbers.

NUREG-1431, STS Westinghouse Plants, Revision 4 (ADAMS Accession Nos.

ML12100A222 and ML12100A228)

NUREG-1432, STS Combustion Engineering Plants, Revision 4 (ADAMS Accession Nos.

ML12102A165 and ML12102A169)

NUREG-2194, STS Westinghouse Advanced Passive 1000 (AP1000) Plants, Revision 0 (ADAMS Accession No. ML16111A132)

The NRC staff needs to evaluate technical differences in the proposed generic TS (GTS) from applicable provisions in these documents, which are referenced by the DC applicant in Design Control Document (DCD) Tier 2, Section 16.1, and the docketed rationale for each difference because conformance to STS provisions is used in the safety review as the initial point of guidance for evaluating the adequacy of the GTS to ensure adequate protection of public health and safety, and the completeness and accuracy of the GTS Bases.

a. The staff compared the Applicable Safety Analyses section of Subsection B 2.1.2, the Bases for RCS Pressure SL 2.1.2, to the Applicable Safety Analyses section of Subsection B 2.1.2, the AP1000 STS Bases for RCS Pressure SL 2.1.2, and noted that the (similar) next to last paragraph references 10 CFR 50.34 instead of FSAR Section 7.2.

The GTS SL 2.1.2 Bases ASA section should reference FSAR Chapter 7, "Instrumentation and Controls," as Reference 4; and the SAFETY LIMIT Violations section should reference 10 CFR 50.34 as Reference 5. The applicant is requested to resolve this apparent referencing error in the References section of the Bases.

NuScale Nonproprietary

b. In the last paragraph of the Applicable Safety Analyses section of Subsection B 2.1.1, the Bases for Reactor Core SL 2.1.1.1 and Reactor Core SL 2.1.1.2, The first sentence should reference FSAR Section 7.2 as Reference 2, as shown in the following markup:

The SLs represent a design requirement for establishing the MPS Trip System setpoints (Ref. 2).

In addition, the References section of Subsection B 2.1.1 should not label FSAR Section 7.2 as Reactor Trip System, since the actual label is System Features.

The second sentence should refer to FSAR Chapter 15, as Reference 3 in place of FSAR Section 7.2, as shown in the following markup:

LCO 3.4.1, RCS Pressure, and Temperature Critical Heat Flux (CHF) Limits, or the assumed initial conditions of the safety analyses (as indicated in FSAR Chapter 15 Section 7.2, (Ref. 2 3) provide more restrictive limits to ensure that the SLs are not exceeded.

NuScale Response:

The identified changes have been incorporated. Additionally, Reference 2 in Subsection B 2.1.1 is changed to refer to Chapter 7, Instrumentation and Controls rather than Section 7.2, Reactor Trip. This is consistent with the content and format of the NuScale FSAR presentation of the Instrumentation and Controls systems information.

The Bases of Chapter 2 of the Technical Specifications have been revised as described above.

Impact on DCA:

The Technical Specification Bases have been revised as described in the response above and as shown in the markup provided in this response.