Text

Proposed Tech Specs Providing TS for Operation of Oscillation Power Range Monitor Upscale Trip Function in Aprm,Which Is Part of Power Range Neutron Monitoring Sys
	ML18039A504
Person / Time
Site:	Browns Ferry
Issue date:	09/08/1998
From:	; TENNESSEE VALLEY AUTHORITY
To:	;
Shared Package
ML18039A503	List: ML18039A501; ML18039A504;
References
	NUDOCS 9809160041
	Download: ML18039A504 (683)
	v • d • e

ENCLOSURE 1 TENNESSEE VALLEYAUTHORITY BROWNS FERRY NUCLEAR PLANT (BFN)

UNIT 2 PROPOSED TECHNICAL SPECIFICATIONS (TS) CHANGE TS-354 DESCMPTION AND EVALUATIONOF THE PROPOSED CHANGE INDEX I. DESCRIPTION OF THE PROPOSED CHANGE El-2 II. REASON FOR THE PROPOSED CHANGE El-15 III. SAFETY ANALYSIS. El-16 IV NO SIGNIFICANT HAZARDS CONSIDERATION DETERlVIINATION El-21 V. ENVIRONMENTAI.IMPACT CONSIDERATION El-22 VI. REFERENCES E1-23

,9809i6004i 9809'08

'PDR'DOCK 05000260 P PDR

I. DESCRIPTION OF THE PROPOSED TS CHANGE K

TVA is requesting changes to the Unit 2 TS to include provisions for enabling the Oscillation Power Range Monitor (OPRM) Upscale trip function in the Average Power Range Monitor (APRM). The APRM is part of the Power Range Neutron Monitoring (PRNM) system. The OPRM Upscale trip function provides protection from exceeding the fuel Minimum Critical Power Ratio (MCPR) safety limit in the event of thermal-hydraulic power oscillations, and thereby, provides compliance with General Design Criteria (GDC) 10 and 12 of 10 CFR 50, Appendix A.

The PRNM upgrade was installed on BFN Unit 2 during the Fall 1997 Unit 2 refueling outage. A similar upgrade will be installed on BFH Unit 3 during the Fall 1998 Unit 3 refueling outage. TS changes supporting the PRNM installation were proposed in References 1 and 2, and were approved for Unit 2 by the NRC in Reference 3 for the Unit 2 custom TS. A separate submittal provided TS in STS format which were issued on July 14, 1998, as part of the BFN conversion to STS format. A TS change for Unit 3 OPRM will be submitted at a later date. The PRNM upgrade uses General Electric (GE)

Nuclear Measurement Analysis and Control (NUMAC) components. Its OPRM trip function implements the long-term stability solution designated as Option IIIin References 4 and 5. As described in References 1 and 2, the OPRM trip function is being operated on each unit in the "indicate only" mode for one cycle following installation and will be enabled for the following fuel cycles.

Provided below is a description of each requested TS change. The requested changes are based on examples presented in NUMAC PRNM Retrofit Plus Option III Stability Trip Function (Reference 6) which was approved by the NRC in Reference 7.

PROPOSED CHANGES TO TS The proposed changes to incorporate provisions for enabling the OPRM Upscale trip function on Unit 2 are based on the conversion package to ITS submitted to NRC as TS-362 on September 6, 1996 and approved on July 14, 1998. Subsequent submitted changes related to PRNM installation in Reference 2 are also used as the basis for these proposed changes.

El-2

1. Pages 3.3-1 and 3.3-2, LCO 3.3.1.1, Reactor Protection System (RPS)

Instrumentation The Actions table for LCO 3.3.1.1 is revised to add appropriate requirements applicable to the OPRM Upscale trip function, Function 2.f. In Required Action A.2, the Note is revised to say that the Required Action also is not applicable for new Function 2.f. In Condition B, the Note is revised to say that Condition B also is not applicable for new Function 2.f. The revised Note reads as follows (deleted words are shown with stakethreugh, and changed or added words are shown in bolrlerl italics):

NOTE-Not applicable for Functions 2.a, 2.b, 2.c,-er 2.d, or 2.f.

2. Page 3.3-3, LCO 3.3.1.1, RPS Instrumentation New Condition I and Condition J, together with Required Actions and Completion Times are added to the LCO Actions table. The new entries read as follows:

CONDITION RE UIRED ACTION COMPLETION TIME As required by I.1 Initiate alternate method to detect 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Required Action D. 1 and suppress thermal hydraulic and referenced in Table instability oscillations.

3.3.1.1-1. AND I.2 Restore required channels to 120 days OPERABLE.

J. Required Action and J. 1 Be in Mode 2. 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months associated Completion Time of Condition I not mct.

3. Page 3.3-6, Surveillance Requirements, RPS Instrumentation A new Surveillance, SR 3.3.1.1.17, is added to the Surveillance Requirements table. The new table entry reads as follows:

SURVEILLANCE FREQUENCY SR 3.3.1.1.17 Verify OPRM is not bypassed when APRM Simulated 24 months

)

Thermal Power is 25% and recirculation drive flow

(

is 60% of rated recirculation drive flow.

E1-3

Page 3.3-8, Table 3.3.1.1-1, RPS Instrumentation New APRM Function 2.f, the OPRM Upscale trip function, together with Applicable Modes, Required Channels, Conditions Referenced, Surveillance Requirements, and Allowable Value are added to Table 3.3.1.1-1. The new entry reads as follows:

APPLICABLE CONDITIONS MODES OR REQUIRED REFERENCED OTHER CHANNELS FROM SPECIFIED PER TRIP REQUIRED SURVEILLANCE ALLOWABLE FUNCTION CONDITIONS SYSTEM ACTION D.1 REQUIREMENTS VALUE

2. Average Power Range Monitors (continued)

f. OPRM Upscale 3a) SR 3.3.1.1.1 NA SR 3.3.1.1.7 SR 3.3.1.1.13 SR 3.3.1.1.16 SR 3.3.1.1.17

~

5. Page 3.4-1, LCO 3.4.1, Recirculation Loops Operating LCO 3.4.1 is revised to delete the restrictions related to thermal-hydraulic stability regions, Figure 3.4.1-1. After the deletions, the LCO reads as follows (deleted words are shown with stFike&Feugh):

Qp

'~ hagi~~~I Two recirculation loops with matched flows shall be in operation-whl~re Page 3.4-1 and -2, LCO 3.4.1, Recirculation Loops Operating In the Actions table, Condition A, Condition B and Condition E, together with A i changed bi* d or added words are shown in h

boldeditnlics):

ih~

associated Required Actions and Completion Times are deleted. Conditions C and D are relabeled "A" and "B," respectively, and are revised. The changed kll (dl d d d E1-4

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One recirculation loop A. 1 Restore two 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months not in operation. recirculation loops to operation.

B. Required Action and 8.1 Be in Mode 3. 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months associated Completion Time of Condition~

GA not met.

OR No recirculation loops in operation-while-in 540BK'rR.

eperatien-while-in 54QBB-k

7. Page 3.4-3, Surveillance Requirements, Recirculation Loops Operating Surveillance SR 3.4.1.2, to verify that the reactor is outside of Region I and II of Figure 3.4.1-1, and its associated Frequency are deleted in their entirety.

8. Page 3.4-4, Figure 3.4.1-1 Figure 3.4.1-1, Thermal Power Versus Core Flow Stability Regions, is deleted in its entirety.

E1-5

p ~

Page B 3.3-9, Bases Section 3.3.1.1, RPS Instrumentation In the Applicable Safety Analyses Bases for Avera e Power Ran e Monitor changes are made to reflect addition of the new OPRM Upscale trip function.

AAer the changes, the Average Power Range Monitor description reads as follows (deleted words are shown with sWke&reugh, and changed or added words are shown in bolrlerl italics):

The APRM channels provide the primary indication of neutron flux within the core and respond almost instantaneously to neutron flux increases. The APRM channels receive input signals from the local power range monitors (LPRMs) within the reactor core to provide an indication of the power distribution and local power changes. The APRM channels average these LPRM signals to provide a continuous indication of average reactor power from a few percent to greater than RTP. EncIc APRM also inclurles an Oscillntion Power Rnnge Monitor (OPRM) Upscale Function which monitors sInall groups ofLPRM signals to detect thermal-hydrnulic instnbilities.

The APRM System is divided into four APRM channels and four 2-out-of-4 voter channels. Each APRM channel provides inputs to each of the four voter channels. The four voter channels are divided into two groups of two each, with each group of two providing inputs to one RPS trip system. The system is designed to allow one APRM channel, but no voter channels, to be bypassed. A trip from any one unbypassed APRM will result in a "half trip" in all four of the voter channels, but no trip inputs to either RPS trip system.

APRM trip Functions 2. a, 2. b, 2. c, anrl 2. d are voterl independently from OPRM Upscale Function 2 f. Therefore, any Function 2. a, 2.b, 2. c, or 2.rl

trip from any two unbypassed APRM channels will result in a full trip in each of the four voter channels, which in turn results in two trip inputs to each RPS trip system logic channel (Al, A2, B1, or B2). Similarly, a Function f

2 trip from nny two unbypassed APRM chnnnels willresult in a full trip from ench of tIce four voter channels. Three of the four APRM channels and

.all four voter channels are required to be OPERABLE to ensure that no single failure will preclude a scram on a valid signal. In addition, to provide adequate coverage of the entire core, consistent with the design bases for the APRM Functions 2.a, 2.b anrl 2.c, at least twenty (20) LPRM inputs, with at least three (3) LPRM inputs from each of the four axial levels at which the LPRMs are located, must be operable for each APRM channel. For the OPRM Upscale Function 2 f, LPRMs are assigned to "cells" with either 3 or 4 detectors, with a total of33 "cells" assigned to each OPRM chnnnel.

A minimum of 23 cells, each with a minimum of 2 LPRMs must be f

OPERABLEfor the OPRM Upscale Function 2 to be OPERABLE.

El-6

10. Page B 3.3-14, Bases Section 3.3.1.1, RPS Instrumentation 1 h Appli bl Sf A I B f APRMF i .d Power Ran e Monitor Ino an editorial change is made. The words "non-bypassed APRM channels" are revised to say "unbypassed APRM channels."

11. Page B 3.3-15, BASES Section 3.3.1.1, RPS Instrumentation In the Applicable Safety Analyses Bases for APRM Function 2.e 2-Out-Of-4 Voter the phrase "including the OPRM Upscale Function" is added into the first sentence of the section. See the mark-up for placement.

A new paragraph is also added to describe the independence of OPRM Upscale, Function 2.f from APRM Functions 2.a, 2.b, and 2.c and to discuss considerations that may go into declaring voter Function 2.e inoperable. See the mark-up for placement. The new paragraph reads as follows:

The 2-Out-Of-4 Voter Function votes APRM Functions 2.a, 2.b, 2.c, and 2.d independently of Function 2.f. The voter also includes separate outputs to RPS for the two independently voted sets of Functions, each of which is redundant (four total outputs). The voter Function 2.e must be declared inoperable ifany of its functionality is inoperable. However, due to the independent voting of APRM trips, and the redundancy of outputs, there may be conditions where the voter Function 2.e is inoperable, but trip capability for one or more of the other APRM Functions through that voter is still maintained. This may be considered when determining the condition of other APRM Functions resulting from partial inoperability of the Voter Function 2.e.

12. Page B 3.3-15, Bases Section 3.3.1.1, RPS Instrumentation In the Applicable Safety Analyses Bases a new section, 2.f Oscillation Power Ran e Monitor OP U scale is added to describe the new OPRM Upscale trip function. The new section reads as follows:

2.f. Oscillation Power Ran e Monitor OP U scale The OPRM Upscale Function provides compliance with GDC 10 and GDC 12, thereby providing protection from exceeding the fuel MCPR safety limit (SL) due to anticipated thermal-hydraulic power oscillations.

References 13, 14 and 15 describe three algorithms for detecting thermal-hydraulic instability related neutron flux oscillations: the period based detection algorithm, the amplitude based algorithm, and the growth rate algorithm. All three are implemented in the OPRM

Upscale Function, but the safety analysis takes credit only for the period based detection algorithm. The remaining algorithms provide defense in depth and additional protection against unanticipated oscillations. OPRM Upscale Function OPERABILITYfor Technical Specification purposes is based only on the period based detection algorithm.

The OPRM Upscale Function receives input signals from the local power range monitors (LPRMs) within the reactor core, which are combined into "cells" for evaluation of the OPRM algorithms.

The OPRM Upscale Function is required to be OPERABLE when the plant is in a region of power-flow operation where anticipated events could lead to thermal-hydraulic instability and related neutron flux oscillations. Within this region, the automatic trip is enabled when THERMALPOWER, as indicated by the APRM Simulated Thermal Power, is 2 25% RTP and reactor core flow, as indicated by recirculation drive flow is < 60% of rated flow, the operating region where actual thermal-hydraulic oscillations may occur. Requiring the OPRM Upscale Function to be OPERABLE in Mode I provides consistency with operability requirements for other APRM functions and assures that the OPRM Upscale Function is OPERABLE whenever reactor power could increase into the region of concern without operator action.

An OPRM Upscale trip is issued from an APRM channel when the period based detection algorithm in that channel detects oscillatory changes in the neutron flux, indicated by the combined signals of the LPRM detectors in a cell, with period confirmations and relative cell amplitude exceeding specified setpoints. One or more cells in a channel exceeding the trip conditions willresult in a channel trip. An OPRM Upscale trip is also issued from the channel ifeither the growth rate or amplitude based algorithms detect growing oscillatory changes in the neutron flux for one or more cells in that channel.

Three of the four channels are required to be OPERABLE. Each channel is capable of detecting thermal-hydraulic instabilities, by detecting the related neutron flux oscillations, and issuing a trip signal before the MCPR SL is exceeded. There is no allowable value for this function.

El-8

13. Page B 3.3-30, Bases Section 3.3.1.1, RPS Instrumentation In the Actions Bases under the description of Actions A.1 and A.2, a sentence is revised to note that Action A.2 also is not applicable for APRM Function 2.f, the OPRM Upscale trip function. The revised sentence reads as follows (deleted words are shown with swkethreugh, and changed or added words are shown in bolrled italics):

As noted, Action A.2 is not applicable for APRM Functions 2.a, 2.b, 2.c,-and 2.d, or 2I.

14. Pages B 3.3-32, Bases Section 3.3.1.1, RPS Instrumentation In the Actions Bases under the description of Actions B.1 and B.2, a paragraph is revised to note that Condition B also in not applicable for APRM Function 2.f, the OPRM Upscale trip function. The revised paragraph reads as follows (deleted words are shown with stRkethre~, and changed or added words are shown in bokled italics):

As noted, Condition B is not applicable for APRM Functions 2.a, 2.b, 2.c,-and 2.d, or 2 f. Inoperability of an APRM channel sects both trip systems and is not associated with a specific trip system as are the APRM 2-out-of-4 voter and other non-APRM channels for which Condition B applies. For an inoperable APRM channel, Required Action A.1 must be satisfied, and is the only action (other than restoring operability) that will restore capability to accommodate a single failure. Inoperability of a Function in more than one required APRM channel results in loss of trip capability for that Function and entry into Condition C, as well as entry into Condition A for each channel. Because Conditions A and C provide Required Actions that are appropriate for the inoperability of APRM Functions 2.a, 2.b, 2.c, and 2.d, or 2 f, and these functions are not associated with specific trip systems as are the APRM 2-out-of-4 voter and other non-APRM channels, Condition B does not apply.

15. Page B 3.3-34, Bases Section 3.3.1.1, RPS Instrumentation In the Actions Bases the existing discussion of Actions E.1, F.1 and G.1 is made applicable for new action J.1 by adding "J.1" into the into the heading of this discussion. No other change to the existing discussion is made.

E1-9

16. Page B 3.3-35, Bases Section 3.3.1.1, RPS Instrumentation In the Actions Bases two new paragraphs are added to discuss new Actions I.1 and I.2. The new paragraphs read as follows:

If OPRM Upscale trip capability is not maintained, Condition I exists.

Reference 12 justified use of alternate methods to detect and suppress oscillations for a limited period of time. The alternate methods are procedurally established consistent with the guidelines identified in Reference 17 requiring manual operator action to scram the plant if certain predefined events occur. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed action time is based on engineering judgment to allow orderly transition to the alternate methods while limiting the period of time during which no automatic or alternate detect and suppress trip capability is formally in place. Based on the small probability of an instability event occurring at all, the 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is judged to be reasonable.

I.2 The alternate method to detect and suppress oscillations implemented in accordance with I.1 was evaluated (Reference 12) based on use up to 120 days only. The evaluation, based on engineering judgment, concluded that the likelihood of an instability event that could not be adequately handled by the alternate methods during this 120 day period was negligibly small. The 120 day period is intended to be an outside limit to allow for the case where design changes or extensive analysis might be required to understand or correct some unanticipated characteristic of the instability detection algorithms or equipment. This action is not intended and was not evaluated as a routine alternative to returning failed or inoperable equipment to OPERABLE status. Correction of routine equipment failure or inoperability is expected to normally be accomplished within the completion times allowed for Actions for Conditions A and B.

17. Page B 3.3-44, Bases Section 3.3.1.1, SR 3.3.1.1.14 In the last paragraph describing the LOGIC SYSTEM FUNCTIONALTEST, the words "and OPRM" are added. See the mark-up for placement.

E1-10

18: Page B 3.3-45, Bases Section 3.3.1.1, RPS Instrumentation In the Surveillance Requirements Bases a new discussion of SR 3.3.1.1.17 is added. The new discussion reads as follows:

SR 3.3.].1.17 This SR ensures that scrams initiated from OPRM Upscale Function (Function 2.f) willnot be inadvertently bypassed when THERMAL POWER, as indicated by the APRM Simulated Thermal Power, is 2 25% RTP and core flow, as indicated by recirculation drive flow, is

< 60% rated core flow. This normally involves confirming the bypass setpoints. Adequate margins for the instrument setpoint methodologies are incorporated into the actual setpoint. The actual surveillance ensures that the OPRM Upscale Function is enabled (not bypassed) for the correct values of APRM Simulated Thermal Power and recirculation drive flow. Other surveillances ensure that the APRM Simulated Thermal Power and recirculation flow properly correlate with THERMALPOWER and core flow respectively.

Ifany bypass setpoint is nonconservative (i.e., the OPRM Upscale Function is bypassed when APRM Simulated Thermal Power 2 25%

and recirculation drive flow < 60% rated), then the affected channel is considered inoperable for the OPRM Upscale Function. Alternatively, the bypass setpoint may be adjusted to place the channel in a conservative condition (unbypass). Ifplaced in the unbypassed condition, this SR is met and the channel is considered OPERABLE.

The Frequency of 24 months is based on engineering judgment and reliability of the components.

19. Page B 3.3-46, Bases Section 3.3.1.1, RPS Instrumentation The following new references are added to the list of

References:

13. NEDO-31960-A, "BWR Owners'roup Long-Term Stability Solutions Licensing Methodology," November 1995.

14. NEDO-31960-A, Supplement 1, "BWR Owners'roup Long-Term Stability Solutions Licensing Methodology," November 1995.

15. NEDO-32465-A, "BWR Owners'roup Long-Term Stability Detect and Suppress Solutions Licensing Basis Methodology and Reload Applications," August 1996.

16. NEDC-32410P-A, Supplement 1, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function," August 1996.

0 17.. Letter, L.A. England (BWROG) to M.J Virgilio, "BWR Owners'roup Guidelines for Stability Interim Corrective Action," June 6, 1994.

20. Page B 3.4-4 and -5, Bases Section 3 4.1, Recirculation Loops Operating In the Applicable Safety Analyses Bases the following discussion of power oscillations and required operator actions is deleted:

Safety analyses performed for FSAR Chapter 14 implicitly assume core conditions are stable. However, at the high power/low flow corner of the power flow map, an increased probability for limit cycle oscillations exists (Ref. 3) depending on combinations of operating conditions (e.g., power shape, bundle power, and bundle flow).

Generic evaluations indicate that when regional power oscillations become detectable on the APRMs, the safety margin may be insufficient under some operating conditions to ensure actions taken to respond to the APRMs signals would prevent violation of the MCPR Safety Limit (Ref. 4). NRC Generic Letter 86-02 (Ref. 5) addressed stability calculation methodology and stated that due to uncertainties, 10 CFR 50, Appendix A, General Design Criteria (GDC) 10 and 12 could not be met using analytic procedures on a BWR 4 design.

However, Reference 5 concluded that operating limitations which provide for the detection (by monitoring neutron flux noise levels) and suppression of flux oscillations in operating regions of potential instability consistent with the recommendations of Reference 3 are acceptable to demonstrate compliance with GDC 10 and 12. The NRC concluded that regions of potential instability could occur at calculated decay rations of 0.8 or greater by the General Electric methodology.

Stability tests at operating BWRs were reviewed to determine a generic region of the power/flow map in which surveillance of neutron flux noise levels should be performed. A conservative decay ratio was chosen as the basis for determining the generic region for surveillance to account for plant to plant variability of decay ratio with core and fuel designs. This decay ratio also helps ensure sufficient margin to an instability occurrence is maintained. The generic region has been determined to be bounded by the 80% rod line and the 50% core flow line. BFN conservatively implements this generic region with the "Operation Not Permitted" Region and Regions I and II of Figure 3.4.1-1. This conforms to Reference 3 recommendations. Operation is permitted in Region II provided neutron flux noise levels are verified to be within limits. The reactor mode switch must be placed in the shutdown position (an immediate scram is required) ifRegion I is entered.

0

21. Page B 3.4-5, Bases Section 3.4.1, Recirculation Loops Operating In the LCO Bases the following sentence is deleted:

In addition, the core flow expressed as a function of THERMAL POWER must be outside Regions I and II and the Operation Not Permitted Region of Figure 3.4.1-1.

22. Page B 3.4-6 and -7, Bases Section 3.4.1, Recirculation Loops Operating In the Actions Bases discussion of Actions A.1, B.1 and B.2 are deleted. These deleted discussions, related to potential occurrence of thermal hydraulic instability, read as follows:

A.1 The minimum margin to the onset of thermal hydraulic instability occurs when the plant is in Region I of Figure 3.4.1-1. Therefore, the reactor mode switch is required to be placed in the shutdown position upon entry into this region. This action is considered sufficient to preclude core oscillations which could challenge the MCPR safety limit.

B 1 and B2 Immediate action is required to exit Region II of Figure 3.4.1-1 upon entry by control rod insertion or flow increase. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time for exiting the region is acceptable because it minimizes the risk while allowing time to exit the region without challenging plant systems. Because the probability of thermal hydraulic oscillations is lower and the margin to the MCPR safety limit is greater in Region II than in Region I, placing the mode switch in the shutdown position upon entry into the region is not necessary.

The mode switch must be placed in the shutdown position ifevidence of thermal hydraulic instability is observed. Formal surveillances are not performed while exiting Region II since delaying exit for sur veillance is undesirable.

One or more of the following conditions is an indication of reactor instability induced power oscillations when operating in or near the identified regions:

1. A sustained increase in APRM and/or LPRM peak-to-peak signal noise level, reaching two or more times its initial level at reduced core flow conditions. Any noticeable increase in noise level warrants closer monitoring of the LPRM signals.

The increased noise occurs with a characteristic period of less than 3 seconds.

2. LPRM and or APRM upscale and/or downscale annunciators that alarm with a characteristic period of less than 3 seconds.

23. Page B 3.4-7 and -8, BASES Section 3 4.1, Recirculation Loops Operating In the Actions Bases the Action C.1 is relabeled "A.1".

24. Page B 3.4-8, BASES Section 3.4.1, Recirculation Loops Operating In the Actions Bases the Action D.1 is relabeled "B.1," and the first sentence of the discussion is revised to make the action applicable in MODE 1. AAer dhgddd*dd I ihlllilij:

revision, the sentence reads as follows (deleted words are shown with With no recirculation loops in operation while in MODEST or 2 or the Required Action and associated Completion Time of Condition A er-G not met, the plant must be brought to a MODE in which the LCO does not apply.

25. Page B 3.4-9, Bases Section 3.4.1, Recirculation Loops Operating In the Actions Bases the description of Action E.1 is deleted in its entirety.

Before deletion, this discussion read as follows:

With the reactor in MODE 1 and no recirculation pumps operating, the reactor mode switch must be placed in the shutdown position immediately. An immediate scram is required since BFN does not have eA'ective automatic scram protection for regional oscillations.

This requirement was implemented to comply with Reference 4.

26. Page B 3.4-10, Bases Section 3.4.1, Recirculation Loops Operating In the Surveillance Requirements Bases the description of SR 3.4.1.2 is deleted in its entirety. Before deletion, this discussion read as follows:

SR 3.4.1.2 This SR ensures the reactor THERMALPOWER and core flow are within appropriate parameter limits to prevent uncontrolled power oscillations. At low recirculation flows and high reactor power, the

reactor exhibits increased susceptibility to thermal hydraulic instability. Figure 3.4.1-1 is based on guidance provided in Reference 3, which is used to respond to operation in these conditions. Performance immediately after any increase of more than

(

5% RTP while initial core flow is 50% of rated and immediately after any decrease of more than 10% rated core flow while initial

)

thermal power is 40% of rated is adequate to detect power oscillations that could lead to thermal hydraulic instability.

27. Page B 3.4-10, Bases Section 3.4.1, Recirculation Loops Operating In the References for this Bases, References 3, 4, 5 are deleted, and the reference numbers are designated as "Not used." Before this change, References 3, 4 and 5 read as follows:

3. GE Service Information Letter No. 380, "BWR Core Thermal Hydraulic Stability," Revision 1, February 10, 1984.

4. NRC Bulletin 88-07, "Power Oscillations in Boiling Water Reactors (BWRs)," Supplement 1, December 30, 1988.

5. NRC Generic Letter 86-02, "Technical Resolution of Generic Issue B-19, Thermal Hydraulic Stability," January 22, 1986.

II. REASON FOR THE PROPOSED CHANGE In response to Generic Letter 94-02, "Thermal-Hydraulic Instabilities in Boiling Water Reactors" (Reference 9), TVAselected Boiling Water Reactor Owners Group (BWROG)

Stability Option III as the long-term stability solution for BFN. Implementation of Option III provides compliance with 10 CFR 50, Appendix A, GDC 10 and GDC 12, by providing protection from exceeding the fuel MCPR safety limit due to anticipated thermal-hydraulic power oscillations. Option IIIdetects core instabilities and provides a reactor scram signal to the RPS.

As a platform to implement the Option IIIstability solution, TVA elected to replace the power range portion of the original BFN Neutron Monitoring System (NMS) with a GE NUMAC PRNM retrofit design. The NUMACPRNM equipment was installed on BFN Unit 2 during its Fall 1997 refueling outage. A similar modification is scheduled on Unit 3 during its Fall 1998 refueling outage.

The NUMACPRNM equipment implements Option IIIby use of an OPRM Upscale trip function. As described in References 1 and 2, the OPRM function is being operated in the "indicate only" mode during each unit's first cycle of operation, and the stability trip function will be enabled for the subsequent fuel cycles.

In this submittal, TVA is providing the TS changes required to enable the OPRM Upscale trip function for Unit 2. The TS changes are based on example TS mark-ups proposed by GE in NEDC-32410P, Supplement 1, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function," Licensing Topical Report, Supplement 1 (Reference 6), which was reviewed by the NRC and approved in Reference 7. The TS changes provide appropriate operability requirements, limiting conditions for operation, surveillance requirements, and bases discussions for the newly enabled OPRM Upscale trip function. In addition, the proposed changes delete certain existing stability monitoring restrictions on core flow as a function of thermal power. These restrictions were initially implemented as an interim solution to potential thermal-hydraulic stability related power oscillations. With implementation of the OPRM Upscale trip function, which automatically detects and suppresses thermal-hydraulic stability related power oscillations by automatic reactor scram action, these interim restrictions are no longer required.

III.SAFETYANALYSIS Under certain conditions, boiling water reactors (BWRs) may be susceptible to coupled neutronic/thermal-hydraulic instabilities. These instabilities are characterized by periodic power and flow oscillations. Ifpower and flow oscillations become large enough, the fuel cladding integrity Minimum Critical Power Ratio (MCPR) safety limit could be challenged.

Stability Long Term Solution (LTS) Option III, described in References 4 and 5, consists of hardware and software that provides for reliable, automatic detection and suppression of stability related power oscillations. The Option IIIhardware automatically initiates control rod insertion (scram) to terminate the power oscillation while it is still small. The combination of hardware, software, and system setpoints will provide protection against violation of the MCPR safety limit for oscillations.

Descriptions of the stability detect and suppress methodology and of the Option III solution were provided for NRC review in References 4 and 5. NRC acceptance of the concepts and associated recommendations are contained in the NRC Safety Evaluation Report (Reference 15). Specific hardware/software designs and related example TS changes were provided by GE for NRC review in References 6 and 16. NRC acceptance of these designs and of the example TS changes are contained in NRC Safety Evaluation Reports (References 7 and 17).

The TS changes proposed in this submittal are based on the examples presented in Reference 6. Evaluation of each of the proposed changes is provided below.

In TS 3.3.1.1, an existing note is modified to state that Required Action A.2 and Condition 8 are not applicable for the new OPRM Upscale trip function, 2.f. Required Action A.2, "Place associated trip system in trip," is not applicable to the OPRM Upscale trip function because the OPRM provides signals to both RPS trip systems. Condition B

is not applicable for the OPRM Upscale trip function because loss of more than one of the three required OPRM channel results in loss of OPRM scram capability and entry to Condition C.

In TS 3.3.1.1 new Conditions I and J, including Required Actions and Completion times are added. Condition I allows an alternate method to detect and suppress thermal-hydraulic instability. Because the OPRM Upscale trip is a new Function, it is remotely possible that experience may reveal some problem with the algorithm and/or implementation. The contingent alternate method will meet the requirements of the BWROG Interim Corrective Actions (ICAs) outlined in the letter to the NRC dated June 6, 1994 (Reference 18). The inclusion of the proposed Action Statement pre-plans for such a contingency with an established alternate method within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and requires OPRM OPERABILITYto be restored within 120 day. IfCondition I is not met, Condition J requires the plant to be in MODE 2, a safe power level below the regions of potential instability.

In TS 3.3.1.1, Table 3.3.1.1-1, RPS Instrumentation, a new Function 2.f, OPRM Upscale, is added. In support of this new Function, a new Surveillance Requirement, SR 3.3.1.1.17 is added into the Surveillance Requirements table of TS 3.3.1.1. Related Bases Section 3.3.1.1 is also revised.

Hardware to implement the OPRM Upscale trip, Function 2.f, is housed in the same chassis as the APRM trip functions, and the OPRM Upscale trip is considered a sub-function of the APRM System. Only the period based detect and suppress algorithm is used as the basis for the safety analysis for the OPRM Upscale trip function. The other two algorithms, amplitude based and growth based, discussed in the TS Bases provide defense in depth, will cause a trip but are not required for OPRM Upscale OPERABILITY.

Because of the integrated nature of the OPRM Upscale trip function into the APRM channel, the OPRM Inop function and the OPRM 2-Out-Of-4 Voter function are included with the corresponding APRM Inop and APRM 2-Out-Of-4 Voter function. The integration of the OPRM Inop with the APRM Inop reflect actual system design (i.e.,

conditions which cause an APRM Inop signal also cause an OPRM Inop signal, and vice versa). However, unlike the APRM trips, the OPRM Upscale trip is voted separately from the Inop trip in the 2-Out-Of-4 Voter function. Thus, an APRM/OPRM Inop trip in one APRM channel and an OPRM Upscale trip in another channel will result in two half-trips in each of the 2-Out-Of-4 Voter channels, but no RPS trip. Conversely, an Inop trip in any two APRM/OPRM channels or an OPRM Upscale trip in any two channels will result in RPS trip outputs from all four 2-Out-Of-4 Voter channels.

For the APRM Flux trip functions, an APRM/OPRM Inop trip in one APRM channel and an APRM Upscale trip in another channel will result in RPS trip outputs from all four voters. This reflects a somewhat more conservative APRM design in response to channel failures when compared with the OPRM design. This additional conservatism is of limited value in the OPRM design. IfOPRM Upscale trips were combined in logic with

t

~ '

Inop trips to generate RPS trip signals, spurious and unnecessary reactor scrams might result. However, an automatic trip will occur upon an unexpected systematic failure of multiple APRM channels; this will result in an APRM/OPRM Inop trip in two or more unbypassed channels, regardless of the OPRM Upscale (or APRM Flux) trip status.

Independent of the APRM/OPRM Inop logic, which originates in the APRM channel, a loss of communication from an APRM channel to a voter channel will result in both the APRM and OPRM voting logic in the 2-Out-Of-4 Voter channel declaring the inputs from that APRM channel inoperative. This condition is alarmed via the 2-Out-Of-4 Voter self-test diagnostics. A loss of communication may be the result of either a hardware failure (sects input to one or more voters ) or a loss of power to the APRM channel (affects inputs to all voters). Loss of power to the 2-Out-Of-4 Voter channel will result in immediate RPS trip outputs from that voter channel.

Combining the OPRM trip voting and the APRM trip voting into a single 2-Out-Of-4 Voter function simplifies overall operation and the decision-making process, because most conditions affecting OPERABILITYof the voter channel will acct both the APRM trip voting and the OPRM trip voting. However, the final voting and output relays from the voter for these two functions are different. In addition, the output relays for each function are redundant (i.e., two relay outputs for the APRM trips and two additional relays for the OPRM Upscale trip). Even though there is only one voter channel for both the APRM and OPRM trips, the LCO clock will start as soon as any portion of a voter channel is determined to be inoperable Consistent with the APRM Neutron Flux - High function, the OPRM Upscale function is required only when the plant is operating in the Run Mode (MODE 1). In addition, the OPRM Upscale is bypassed automatically when THERMALPOWER is below 25% RTP (as indicated by APRM Simulated Thermal Power) or with core flow above 60% rated (as indicated by recirculation drive flow). In the regions below 25% RTP and above 60%

rated core flow, thermal-hydraulic instabilities are not considered credible. The 25% RTP provides additional margin &om the nominal 30% RTP OPRM scram enable setpoint recommended in NEDO-32465-A (Reference 14). This additional margin will accommodate the proposed BFN power uprate of 5% RTP.

Identified events (e.g. recirculation pump trips or run-backs) can change flow to less than 60% without operator action. Other events (e.g., loss of feedwater heaters) can take the plant from a power less than 25% RTP to a power greater than 25% RTP without operator action. Therefore, even though the OPRM Upscale trip is bypassed above 60%

flow and below 25% RTP, the function must be OPERABLE so that ifone of the identified events occurs, the OPRM Upscale trip capability is immediately available without operator action. Requiring OPRM OPERABILITYin MODE 1 provides adequate margin to cover the operating region where oscillations may occur as well as the operating regions from which the plant might enter the potential instability region without operator action.

E1-18

The outputs of the OPRM channels are shared by each RPS trip system via the independent 2-Out-Of-4 Voter channels. Any two of the four OPRM channels and one of the 2-Out-Of-4 Voter channels in each RPS trip system are required to function for the OPRM Upscale trip function to be accomplished. Therefore, a minimum of three OPRM channels assures at least two OPRM channels can provide trip inputs to the 2-Out-Of-4 Voter channels, even the event of a single OPRM channel failure. The minimum of two 2-Out-Of-4 Voter channels per RPS trip system assures at least one voter channel will be OPERABLE per RPS trip system, even in the event of a single voter channel failure.

The 2-Out-Of-4 logic module is designed for simplicity to assure high reliability and to detect loss of input signals from the OPRM channels. This feature, combined with the highly reliable digital electronics implementing the OPRM Upscale trip function and the on-line automatic self-test functions, assures the four-channel OPRM configuration will provide reliability, relative to the safety trip functions, equal to or greater than the current APRM system. This level of reliability is adequate for the OPRM Upscale trip function.

Because the OPRM Upscale trip function is implemented in the same equipment as the APRM trip functions, equipment reliability is also the same. Except for new Surveillance SR 3.3.1.1.17, the OPRM Upscale Surveillance Requirements Channel Check, LPRM Calibration, Channel Calibration, and Channel Functional Test are the same as for the APRM flux trip functions. The expected demand for the OPRM Upscale trip function is equal to or less than the demand for the APRM flux trip functions. Therefore, the OPRM Upscale Surveillance Requirements are adequate.

A new SR 3.3.1.1.17 is added to provide verification that the OPRM Upscale trip is

)

enabled when APRM Simulated Thermal Power is 25% and recirculation flow is < 60%

rated flow. The OPRM auto-enable region is determined by Simulated Thermal Power and drive flow setpoints in the APRM channels. Even though these setpoints are unlikely to change once set, periodic confirmation is appropriate. Other Surveillances verify the relationships between reactor thermal power and APRM Simulated Thermal Power, and between core flow and recirculation flow are within acceptable tolerances. The combined Surveillances ensure the OPRM Upscale trip function is enabled in the intended region on the plant power/flow map. The 24 months maximum surveillance frequency is based on engineering judgment and the fact that the actual values are stored digitally, with no drift.

Any hardware failures affecting the Simulated Thermal Power and recirculation drive flow setpoints will likely be detected by the automatic self-test functions.

Based on the above discussion, adding the OPRM Upscale Function to the TS is reasonable and consistent with instability detect and suppress objectives.

In conjunction with the changes which support adding the OPRM Upscale Function to TS, certain restrictions on operation in regions of potential thermal-hydraulic instability are deleted. Figure 3.4.1-1, Thermal Power Versus Core Flow Stability Regions, which was originally placed in TS by Amendment 174 to DPR-52 and Amendment 179 to DPR-68 (see References 10, 11, 12 and 13). Addition of this figure in TS, together with associated restrictions and required actions, was done to implement requirements of NRC

Bulletin 88-07, Supplement 1 (Reference 19). Figure 3.4.1-1, together with associated restrictions and required actions, provided interim corrective actions (ICAs) while the BWROG worked with GE and NRC to develop a long-term resolution to stability concerns.

The ICAs require verification that the reactor is operating outside of Region I and II of Figure 3.4.1-1, and require corrective actions ifoperation within either of these regions should occur:

1. Ifoperation inside Region I occurs, an immediate manual scram is required by placing the mode switch in the shutdown position.

2. Ifoperation inside Region II occurs, immediate action to exit Region II is required, and a manual scram is required immediately upon discovery of thermal hydraulic instability.

3. With no recirculation loops in operation while in MODE 1 (resulting in entry to either Region I or Region II), an immediate manual scram is required by placing the mode switch in the shutdown position.

With the OPRM Upscale trip function enabled, the stability long term solution will be fully implemented, and the ICAs are no longer required. The OPRM will detect and automatically suppress any significant core wide or regional power oscillations over the region of the power-to-flow map included in Regions I and II of Figure 3.4.1-1. This automatic function provides more reliable protection that the three requirements proposed for deletion. Deletion of these requirements, together with their associated Bases discussions, will permit BFN to have the ability to manually insert control rods and restart a recirculation pump (instead of shutting down immediately) following a recirculation pump trip and is important to reduce the potential for unnecessary plant transients. During such recovery activities, the OPRM will provide reliable, automatic monitoring for potential thermal hydraulic stability related power oscillations and will immediately and automatically generate a reactor scram before any unacceptable power oscillations can occur.

Based on the above discussion, deletion of the stability related ICAs is reasonable and acceptable, and is consistent with and supported by implementation of the OPRM Upscale trip function.

E1-20

IV.NO SIGNIFICANT HAZARDS CONSIDERATION DETERMINATION TVAhas concluded that operation of BFN Unit 2 in accordance with the proposed change to the TS does not involve a significant hazards consideration. TVA's conclusion is based on its evaluation, in accordance with 10 CFR 50.91(a)(l), of the three standards set forth in 10 CFR 50.92(c).

A. The ro osed amendment does not involvea si nificantincreasein the robabili or conse uences of an accident reviousl evaluated.

The proposed amendment is to enable the OPRM Upscale trip function which is contained in 'the previously installed PRNM equipment. Enabling the OPRM hardware provides the long term stability solution required by Generic Letter 94-02.

This hardware incorporates the Option III detect and suppress solution reviewed and approved by the NRC in NEDO-31960, "BWROG Long Term Stability Solutions Licensing Methodology." The OPRM is designed to meet all requirements of GDC 10 and 12 by automatically detecting and suppressing design basis thermal-hydraulic power oscillations prior to violating the fuel MCPR Safety Limit. The OPRM system provides this protection in the region of the power-to-flow map where instabilities can occur, including the region where ICAs restricted operation because of stability concerns. Thus, the ICA restrictions on plant operations are deleted from the TS, including region avoidance and the requirement for the operator to manually scram the reactor with no recirculation loops operating. Operation at high core powers with low core flows may cause a slight, but not significant, increase in the probability that an instability can occur. This slight increase is acceptable because subsequent to the automatic detection of a design basis instability, the OPRM Upscale trip provides an automatic scram signal to the RPS which is faster'rotection than the operator-initiated manual scram required by the current ICAs. Because of this rapid automatic action, the consequences of an instability event are not increased as a result of the installation of the OPRM system because it eliminates dependence on operator actions.

Based on the above discussion, the proposed amendment does not involve a significant increase in the probability or consequences of an accident previously evaluated.

B. The ro osed amendment does not create the ossibili of a new or different kind of accident from an accident reviousl evaluated.

The proposed amendment permits BFN to enable the OPRM power oscillation detect and suppress function provided in previously installed PRNM hardware, and it simultaneously deletes certain restrictions which preclude operation in regions of the power-to-flow map where oscillations potentially may occur. Enabling the OPRM Upscale trip function does not create any new system hardware interfaces nor create any new system interactions. Potential failures of the OPRM Upscale trip result either in failure to perform a mitigation action or in spurious initiation of a reactor scram.

0 These failures would not create the possibility of a new or different kind of accident.

Based on the above discussion, the proposed amendment does not create the possibility of a new or different kind of accident from any accident previously C. The ro osed amendment does notinvolveasi nlficant reduction in a mar in of safetf, The OPRM Upscale trip function implements BWROG Stability Option III, which was developed to meet the requirements of GDC 10 and GDC 12 by providing a hardware system that detects the presence of thermal-hydraulic instabilities and automatically initiates the necessary actions to suppress the oscillations prior to violating the MCPR Safety Limit. The NRC has reviewed and accepted the Option IIImethodology described in Licensing Topical Report NEDO-31960 and concluded this solution will provide the intended protection. Therefore, it is concluded that there will be no reduction in the margin of safety as defined in TS as a result of enabling the OPRM Upscale trip function and simultaneously removing the operating restrictions previously imposed by the ICAs.

Based on the above discussion, the proposed amendment does not involve a significant reduction in a margin of safety.

V. ENVIRONMENTALIMPACT CONSIDERATION The proposed change does not involve a significant hazards consideration, a significant change in the types or significant increase in the amounts of any effluents that may be released offsite, or a significant increase in individual or cumulative occupational radiation exposure. Therefore, the proposed change meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), an environmental assessment of the proposed change is not required.

El-22

1 VI. REFERENCES Letter from TVA to NRC dated March 6, 1997, "Browns Ferry Nuclear Plant (BFN) - Units 1, 2, and 3 - Technical Specifications (TS) Change 353R1 - Power Range Neutron Monitor (PRNM) Upgrade with Implementation of Average Power Range Monitor (APRM) and Rod Block Monitor (RBM) TS (ARTS)

Improvements and Maximum Extended Load Line Limit (MELLL)Analyses-Revision 1."

Letter from TVA to NRC dated April 11, 1997, "Browns Ferry Nuclear Plant (BFN) - Units 1, 2, and 3 - Technical Specifications (TS) Change 353S1 - Power Range Neutron Monitor (PRNM) Upgrade with Implementation of Average Power Range Monitor (APRM) and Rod Block Monitor (RBM) TS (ARTS)

Improvements and Maximum Extended Load Line Limit (MELLL)Analyses-Supplement 1 - Improved Standard Technical Specifications (ISTS) Format."

Letter from NRC to TVA dated September 11, 1997, "Issuance of Amendment-Browns Ferry Nuclear Plant Unit 2 (TAC No. M92504) (TS 353)."

NEDO 31960, BWR Owners'roup Long-Term Stability Solutions Licensing Methodology, June 1991.

NEDO-31960, Supplement 1, BWR Owners'roup Long-Term Stability Solutions Licensing Methodology.

NEDC-32410P, Supplement 1, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, May 1996.

7. Letter from NRC to GE dated August 15, 1997, Licensing Topical Report NEDC-32410P, Supplement 1, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC-PRNM)Retrofit Plus Option III Stability Trip Function (TAC No. M95746).

Letter from TVA to NRC dated June 2, 1997, Browns Ferry Nuclear Plant (BFN)-

Units 1, 2, and 3 - Technical Specification (TS) 387 - Single Recirculation Loop Operation (SLO).

Generic Letter 94-02, "Long-Term Solutions and Upgrade of Interim Operating Recommendations for Thermal-Hydraulic Instabilities in Boiling Water Reactors, July 11, 1994.

10. Letter from TVA to NRC dated June 20, 1989, Browns Ferry Nuclear Plant (BFN)

- TVABFN Technical Specification No. 272 - Thermal-Hydraulic Stability Section 3.5/4.5-M.

E1-23

11. Letter from NRC to TVA dated October 5, 1989, Technical Specification Changes Involving Thermal-Hydraulic Stability, Section 3.5/4.5-M (TAC 73435) (TS 272)-

Browns Ferry Nuclear Plant, Unit 2.

12. Letter from TVA to NRC dated January 14, 1992, Browns Ferry Nuclear Plant (BFN) - TVABFN Technical Specification (TS) No. 300 - Reactor Core Thermal-Hydraulic Stability.

13. Letter from NRC to TVA dated May 31, 1994, Issuance of Technical Specification Amendments for the Browns Ferry Nuclear Plant Units 1 and 3 (TAC Nos.

M82650 and M82652) (TS-300)

14. NEDO-32465-A, Reactor Stability Detect and Suppress Solutions Licensing Basis Methodology for Reload Applications, August 1996.

15. Letter from NRC to BWROG dated July 12, 1993, Acceptance for Referencing of Topical Reports NEDO-31960 and NEDO-31960 Supplement 1, "BWR Owners Group Long-Term Stability Solutions Licensing Methodology" (TAC No. M75928)

16. NEDC-32410P-A, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC-PRNM)Retrofit Plus Option III Stability Trip Function, October 1995

17. Letter from NRC to GE dated September 5, 1995, Acceptance of Licensing Topical Report NEDC-32410P, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC-PRNM)Retrofit Plus Option III Stability Trip Function (TAC No. M90616).

18. Letter, LA England (BWROG) to MJ Virgilio, "BWR Owners'roup Guidelines for Stability Interim Corrective Action," June 6, 1994

19. NRC Bulletin 88-07, "Power Oscillations in Boiling Water Reactors (BWRs),"

Supplement 1, December 30, 1988.

El-24

ENCLOSURE 2 TENNESSEE VALLEYAUTHORITY BROWNS FERRY NUCLEAR PLANT (BFN)

UNIT 2 PROPOSED TECHNICAL SPECIFICATION (TS) CHANGE TS-354 MAI~DUPPAGES I. AFFECTED PAGE LIST UNIT 2 3.3-1 3.3-2 3.3-3 3.3-6 3.3-8 3.4-1 3.4-2 3.4-3 3.4-4 B 3.3-9 B 3.3-14 B 3.3-15 B 3.3-30 B 3.3-32 B 3.3-34 B 3.3-35 B 3.3-44 B 3.3-45 B 3.3-46 B 3.4-4 through B.3.4-10 II. REVISED PAGES See attached.

RPS Instrumentation 3.3.1.1 3.3 INSTRUMENTATION 3.3.1.1 Reactor Protection System (RPS) Instrumentation LCO 3.3.1.1 The RPS instrumentation for each Function in Table 3.3.1.1-1 shall be OPERABLE.

APPLICABILITY: According to Table 3.3.1.1-1.

ACTIONS

-NOTE Separate Condition entry is allowed for each channel.

CONDITION REQUIRED ACTION COMPLETION TIME A. One or more required A.1 Place channel in trip. 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months channels inoperable.

OR A..2 NOTE -

Not applicable for Functions 2.a, 2.b, 2.c Z.(g op g.y.

Place associated trip 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months system in trip.

(continued)

BFN-UNIT 2 3.3-1 Amendment No. 253

9 i ~ I t 'I RPS Instrumentation 3.3.1.1 ACTIONS continued CONDITION REQUIRED ACTION COMPLETION TIME B. -NOTE - B.1 Place channel in one trip 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Not applicable for system in trip.

Functions 2.a, 2.b, 2.c, Z.qg or Z.+, OR B.2 Place one trip system in 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months One or more Functions trip.

with one or more required channels inoperable in both trip systems.

C. One or more Functions C.1 Restore RPS trip 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months with RPS trip capability capability.

not maintained.

D. Required Action and D.1 Enter the Condition Immediately associated Completion referenced in Time of Condition A, 8, or Table 3.3.1.1-1 for the C not met. channel.

E. As required by Required E.1 Reduce THERMAL 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Action D.1 and POWER to (30% RTP.

referenced in Table 3.3.1.1-1.

F. As required by Required F.1 Be in MODE 2. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Action D.1 and referenced in Table 3.3.1.1-1.

(continued)

BFN-UNIT 2 3.3-2 Amendment No. 253

~ 'I ~

~

~ e ~ i C

f ls 7

P%

RPS Instrumentation 3.3.1.1 ACTIONS continued CONDITION REQUIRED ACTION COMPLETION TIME G. As required by Required G.1 Be in MODE 3. 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Action D.1 and referenced in Table 3.3.1.1-1.

H. As required by Required H.1 Initiate action to fully Immediately Action D.1 and insert all insertable referenced in control rods in core cells Table 3.3.1.1-1. containing one or more fuel assemblies.

BFN-UNIT 2 3.3-3 Amendment No. 253

INSERT A I. As required by I.1 Initiate alternate method to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Required Action detect and suppress thermal D.1 and referenced hydraulic instability oscillations.

in Table 3.3.1.1-1. AND I.2 Restore required channels to 120 days OPERABLE.

J. Required Action J.l Be in Mode 2. 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months and associated Completion Time of Condition I not met.

RPS Instrumentation 3.3.1.1 SURVEILLANCE REQUIREMENTS continued SURVEILLANCE FREQUENCY SR 3.3.1.1.10 Perform CHANNEL CALIBRATION. 184 days SR 3.3.1.1.11 (Deleted)

SR 3.3.1.1 12

~ Perform CHANNEL FUNCTIONALTEST. 18 months SR 3.3.1.1.13 NOTE Neutron detectors are excluded.

Perform CHANNEL CALIBRATION. 18 months SR 3.3.1.1.14 Perform LOGIC SYSTEM FUNCTIONAL 18 months TEST.

SR 3.3.1.1.15 Verify Turbine Stop Valve - Closure and 18 months Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Functions are not bypassed when THERMAL POWER is a 30% RTP.

SR 3.3.1.1.16 -NOTE For Function 2.a, not required to be performed when entering MODE 2 from MODE 1 until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after entering MODE 2.

Perform CHANNEL FUNCTIONALTEST. 184 days BFN-UNIT 2 3.3-6 Amendment No. 253

INSERT B SR 3.3.1.1.17 Verify OPRM is not bypassed when APRM 24 months

)

Simulated Thermal Power is 25% and

(

recirculation drive flow is 60% of rated recirculation drive flow.

RPS Instrumentation 3.3.1.'I Table 3.3.1.1-1 (page 2 of 3)

Reactor Protection System Instrumentation APPLICABLE CONDITIONS MODES OR REQUIRED REFERENCED FUNCTION OTHER CHANNELS FROM SURVEILLANCE ALLOWABLE SPECIFIED PER TRIP REQUIRED REQUIREMENTS VALUE CONDITIONS SYSTEM ACTION D.1

2. Average Power Range Monitors (continued)

d. In op 1,2 3(b) SR 3.3.1.1.16 NA

e. 2-Out-Ofd Voter 1,2 SR 3.3.1.1.1 NA SR 3.3.1.1.14 SR 3.3.1.1.16

3. Reactor Vessel Steam Dome 12 SR 3.3.1 .1.1 s 1055 psig Pressure - High SR 3.3.1.1.8 SR 3.3.1.1.10 SR 3.3.1.1.14

4. Reactor Vessel Water Level- 12 G SR 3.3.1.1.1 a 538 inches Low, Level 3 SR 3.3.1.1.8 above vessel SR 3.3.1.1.13 zero SR 3.3.1.1.14

5. Main Steam Isolation Valve- SR 3.3.1.1.8 6 10% closed Closure SR 3.3.1.1.13 SR 3.3.1.1.14

6. Drywell Pressure - High 1,2 G SR 3.3.1.1.8 52.5 psig SR 3.3.1.1.13 SR 3.3.1.1.14

7. Scram Discharge Volume Water Level - High

a. Resistance Temperature 12 G SR 3.3.1.1.8 5 50 gallons Detector SR 3.3.1.1.13 SR 3.3.1.1.1 4 5(a) SR 3.3.1.1.8 6 50 gallons SR 3.3.1.1.13 SR 3.3.1.1.14

b. Float Switch 12 SR 3.3.1.1.8 5 50 gallons SR 3.3.1.1.13 SR 3.3.1.1.14 5(a) SR 3.3.1.1.8 5 50 gallons SR 3.3.1.1.13 SR 3.3.1.1.14 (continued)

(a) VINh any control rod withdravm from a core cell containing one or more fuel assemblies.

(b) Each APRM channel provides inputs to both trip systems.

BFN-UNIT 2 3.3-8 Amendment No. 253

~ 'h

INSERT C

f. OPRM Upscale 3A) SR 3.3.1.1.1 SR 3.3.1.1.7 SR 3.3.1.1.13 SR 3.3.1.1.16 SR 3.3.1.1.17

Recirculation Loops Operating 3.4.1 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4.1 Recirculation Loops Operating LCO 3.4.1 Two recirculation loo s with matched flows shall be in o eration.

h re f w as func 'on of HER AL P W out de Re 'ons and I and t Ope tion ot P rmitt d Re ion o Fi ure .4.1-1 APPLICABILITY: MODES 1 and 2.

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. Reactor eration A.1 Place modey itch in the Im ediately fl as a fun ion of shutdown 6sition.

w'ore TH IVIALPO R i ide of Reg' I of igure 3.4. 1.

B. React r operation cor low as a fu tion of TV RMAL PO ER ith B.1 lace mode swit shutdown posi '. in the Immy iately upon di Eovery of ermal hydrauli

'Aside of Re on II of instability Figure 3.4 -1.

AND B.2 E Region II. 2 uis

. One recirculation loop not .1 Restore two recirculation 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months in operation. loops to operation.

(continued)

BFN-UNIT 2 3.4-1 Amendment No. 253

k Recirculation Loops Operating 3.4.1 ACTIONS continued CONDITION REQUIRED ACTION COMPLETION TIME

. Required Action and .1 Be in MODE 3. 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months associated Completion Time of Condition o C not met.

OR No recirculation loops in o eration. Ie i D

E. recir ulation ops in E.1 Plac mode sw ch in the Imm diatel perat' while n shu own posi on.

MOD 1.

BFN-UNIT 2 3.4-2 Amendment No. 253

l 4 l

h

Recirculation Loops Operating 3.4.1 SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.4.1.1 -NOTE-Not required to be performed until 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after both recirculation loops are in operation.

Verify recirculation loop jet pump flow 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months mismatch with both recirculation loops in operation is:

a. s 10% of rated core flow when operating at ( 70% of rated core flow; and

b. c5% of rated core flowwhen operating at a 70% of rated core flow.

S 3.4.1 Ver fy the r actor i outsid of Re ~on I an II Im ediately a of igure .4.1-1. a increase

) 5% RTP hile

'tial core lowis (50% of ated AND Imm diately aft r any ecrease f

%rated ore fl wwhile i itial ermal p er is 40% o rated BFN-UNIT 2 3 4-3 Amendment No. 253

R irculation Loops perating 3.4.1 Region Region I II 1 /, Rod Line 00/. Rod LI e

'D 70 Cl at I /, Rod Line o 80 C

4I Nota operation V

a 50 Not permitted In This Region 0

o.

O 30 Natural circulation Line 10 0 5 10 15 20 25 30 40 45 50 55 80 85 70 75 80 85 05 100 105 Core Flow (pere t of rated)

Figure .4.1-1 THERMAL POW R VERSUS C E FLOW STABILITY EGIONS BFN-UNIT 2 3.4-4 Amendment No. 253

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE Avera e Power Ran e Monitor SAFETYANALYSES, LCO, and The APRM channels provide the primary indication of neutron APPLICABILITY flux within the core and respond almost instantaneously to (continued) neutron flux increases. The APRM channels receive input signals from the local power range monitors (LPRMs) within the reactor core to provide an indication of the power distribution and local power changes. The APRM channels average these LPRM signals to provide a continuous indication of aver reactor power from a few percent to greater than RTP.

The APRM System is divided into four APRM channels and four 2-out-of-4 voter channels. Each APRM channel provides inputs to each of the four voter channels. The four voter channels are divided into two groups of two each, with each group of two providing inputs to one RPS trip system. The system is designed to allow one APRM channel, but no voter channels, to be bypassed. A trip from any one unbypassed APRM will result WnpeA F in a "half-tri " in all four of the voter channels, but no trip inputs to either RPS trip system. P trip from any two unbypassed APRM channels will result in a full trip in each of the four voter channels, which in turn results in two tri in uts to each RPS trip system logic channe A, A2, B1, or B2). Three of the four APRM channels and all four of the voter channels are required to be OPERABLE to ensure that no single failure will preclude a scram on a valid signal. In addition, to provide adequate coverage of thepntire core, consistent with the design bases for the APRM/iJnction at least twenty (20) LPRM inputs, with at least t ree RM inputs from each of the four axial levels at which the LPR are located must be operable for each APRM channel. ~rtye continued BFN-UNIT 2 B 3.3-9 Revision 0

l, T,

'P 5

0

INSERT D Each APRM also includes an Oscillation Power Range Monitor (OPRM) Upscale Function which monitors small groups of LPRM signals to detect thermal-hydraulic instabilities.

INSERT E APRM trip Functions 2.a, 2.b, 2.c and 2.d are voted independently from OPRM Upscale Function 2.f. Therefore, any Function 2.a, 2.b, 2.c, or 2.d INSERT F Similarly, a Function 2.f trip from any two unbypassed APRM channels will result in a full trip from each of the four voter channels.

INSERT G For the OPRM Upscale Function 2.f, LPRMs are assigned to "cells" with either 3 or 4 detectors, with a total of 33 "cells" assigned to each OPRM channel. A minimum of 23 cells, each with a minimum of 2 LPRMs must be OPERABLE for the OPRM Upscale Function 2.f to be OPERABLE.

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 2.d. Avera e Power Ran e Monitor - Ino SAFETYANALYSES, LCO, and Three of the four APRM channels are required to be APPLICABILITY OPERABLE for each of the APRM Functions. This Function (continued) (Inop) provides assurance that the minimum number of APRMs are OPERABLE. For any APRM channel, any time its mode switch is in any position other than "Operate," an APRM module is unplugged, or the automatic self-test system detects a critical fault with the APRM channel, an Inop tri is sent to all four vot channels. Inop trips from two or mor ypassed APRM channels result in a trip output from all four voter channels to their associated trip system.

This Function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.

There is no Allowable Value for this Function.

This Function is required to be OPERABLE in the MODES where the APRM Functions are required.

continued BFN-UNIT 2 B 3.3-14 Revision 0

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 2.. 2-O t-Of-4Vot i~~ 9 SAFETYANALYSES, gpgcalg F<gdfi~ps ~

LCO, and The 2-Out-Of-4 Voter unction prowdes the interface between APPLICABILITY the APRM Functions and the final RPS trip system logic. As (continued) such, it is required to be OPERABLE in the MODES where the APRM Functions are required and is necessary to support the safety analysis applicable to each of those Functions.

Therefore, the 2-Out-Of-4 Voter Function needs to be OPERABLE in MODES 1 and 2.

All four voter channels are required to be OPERABLE. Each voter channel includes self-diagnostic functions. If any voter channel detects a critical fault in its own processing, a trip is issued from that voter channel to the associated trip system.

~st C-/

There is no Allowable Value for this Function.

continued BFN-UNIT 2 B 3.3-15 Revision 0

~ ~

Ib %

'I 1

INSERT H The 2-Out-Of-4 Voter Function votes APRM Functions 2.a, 2.b, 2.c, and 2.d independently of Function 2.f. The voter also includes separate outputs to RPS for the two independently voted sets ofFunctions, each of which is redundant (four total outputs). The voter Function 2.e must be declared inoperable ifany of its functionality is inoperable. However, due to the independent voting of APRM trips, and the redundancy of outputs, there may be conditions where the voter Function 2.e is inoperable, but trip capability for one or more of the other APRM Functions through that voter is still maintained. This may be considered when determining the condition of other APRM Functions resulting from partial inoperability of the Voter Function 2.e.

INSERT I 2.f. Oscillation Power Ran e Monitor OP U scale The OPRM Upscale Function provides compliance with GDC 10 and GDC 12, thereby providing protection from exceeding the fuel MCPR safety limit (SL) due to anticipated thermal-hydraulic power oscillations.

References 13, 14 and 15 describe three algorithms for detecting thermal-hydraulic instability related neutron flux oscillations: the period based detection algorithm, the amplitude based algorithm, and the growth rate algorithm. All three are implemented in the OPRM Upscale Function, but the safety analysis takes credit only for the period based detection algorithm. The remaining algorithms provide defense in depth and additional protection against unanticipated oscillations. OPRM Upscale Function OPERABILITY for Technical Specification purposes is based only on the period based detection algorithm.

The OPRM Upscale Function receives input signals from the local power range monitors (LPRMs) within the reactor core, which are combined into "cells" for evaluation of the OPRM algorithms.

The OPRM Upscale Function is required to be OPERABLE when the plant is in a region of power-flow operation where anticipated events could lead to thermal-hydraulic instability and related neutron flux oscillations. Within this region, the automatic trip is enabled when THERMALPOWER, as indicated by the APRM Simulated Thermal Power, is 2 25% RTP and reactor core flow, as indicated by recirculation drive flow is < 60% of rated flow, the operating region where actual thermal-hydraulic oscillations may occur.

Requiring the OPRM Upscale Function to be OPERABLE in Mode 1 provides consistency with operability requirements for other APRM functions and assures that the OPRM Upscale Function is OPERABLE whenever reactor power could increase into the region of concern without operator action.

An OPRM Upscale trip is issued from an APRM channel when the period based detection algorithm in that channel detects oscillatory changes in the neutron flux, indicted by the combined signals of the LPRM detectors in a cell, with period confirmations and relative

.cell amplitude exceeding specified setpoints. One or more cells in a channel exceeding the trip conditions will result in a channel trip. An OPRM Upscale trip is also issued from the channel ifeither the growth rate or amplitude based algorithms detect growing oscillatory changes in the neutron flux for one or more cells in that channel.

Three of the four channels are required to be OPERABLE. Each channel is capable of detecting thermal-hydraulic instabilities, by detecting the related neutron flux oscillations, and issuing a trip signal before the MCPR SL is exceeded. There is no allowable value for this function.

RPS Instrumentation B 3.3.1.1 BASES ACTIONS A.1 and A.2 (continued)

Because of the diversity of sensors available to provide trip signals and the redundancy of the RPS design, an allowable out of service time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months has been shown to be acceptable (Ref. 9 and 12) to permit restoration of any inoperable channel to OPERABLE status. However, this out of service time is only acceptable provided the associated Function's inoperable channel is in one trip system and the Function still maintains RPS trip capability (refer to Required Actions B.1, B.2, and C.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel or the associated trip system must be placed in the tripped condition per Required Actions A.1 and A.2. Placing the inoperable channel in trip (or the associated trip system in trip) would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

Alternatively, if it is not desired to place the channel (or trip system) in trip (e.g., as in the case where placing the inoperable channel in trip would result in a full scram),

Condition D must be en e d its Required Action taken.

)or 2f.

As noted, Action A. no applicable for APRM Functions 2.a, 2.b, 2.c, .d noperability of one required.APRM channel affects bo trip systems. For that condition, Required Action A.1 must be satisfied, and is the only action (other than restoring operability) that will restore capability to accommodate a single failure.

Inoperability of more than one required APRM channel of the same trip function results in loss of trip capability and entry into Condition C, as well as entry into Condition A for each channel.

continued BFN-UNIT 2 B 3.3-30 Revision 0

~

1

RPS Instrumentation B 3.3.1.1 BASES ACTIONS B.1 and B.2 (continued)

The 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Completion Time is judged acceptable based on the remaining capability to trip, the diversity of the sensors available to provide the trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of a scram.

Alternately, if it is not desired to place the inoperable channels (or one trip system) in trip (e.g., as in the case where placing the inoperable channel or associated trip system in trip would result in a scram or RPT), Condition D must be entered and its Required Action taken.

or 2R As noted, Condition B i not applicable for APRM Functions 2.a, 2.b, 2.c 2.d Inoperability of an APRM channel affects both trip systems and is not associated with a specific trip system as are the APRM 2-out-of-4 voter and other non-APRM channels for which Condition 8 applies. For an inoperable APRM channel, Required Action A.1 must be satisfied, and is the only action (other than restoring operability) that will restore capability to accommodate a single failure. Inoperability of g CaAGtiDll ih more than one required APRM channel results in loss of trip ca abilit and entry into Condition C, as well as entry into Con i ion A for each channel. Because Conditions A and gc r +~+ P'~ac.+iW provide Required Actions that are appropriate f r the ~~ Z.4~

inoperability of APRM Functions 2.a, 2.b, 2.c, 2.d, a these functions are not associated with specific trip systems as are the APRM 2-out-of-4 voter and other non-APRM channels, Condition B does not apply.

continued BFN-UNIT 2 B 3.3-32 Revision 0

P

~ r 1

'0 l

l 1 p

0

RPS Instrumentation 8 3.3.1.1 BASES ACTIONS D.1 (continued)

Required Action D.1 directs entry into the appropriate Condition referenced in Table 3.3.1.1-1. The applicable Condition specified in the Table is Function and MODE or other specified condition dependent and may change as the Required Action of a previous Condition is completed. Each time an inoperable channel has not met any Required Action of Condition A, B, or C and the associated Completion Time has expired, Condition D will be entered for that channel and provides for transfer to the appropriate subsequent Condition.

E.1 F.1 If the channel(s) is not restored to OPERABLE status or placed in trip (or the associated trip system placed in trip) within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply.

The allowed Completion Times are reasonable, based on operating experience, to reach the specified condition from full power conditions in an orderly manner and without challenging plant systems. In addition, the Completion Time of Required Action E.1 is consistent with the Completion Time provided in LCO 3.2.2, "MINIMUMCRITICAL POWER RATIO (MCPR)."

continued BFN-UNIT 2 8 3.3-34 Revision 0

0,

~ ~ 4 P "E

RPS Instrumentation 8 3.3.1.1 BASES ACTIONS (continued) the channel(s) is not restored to OPERABLE status or placed in trip (or the associated trip system placed in trip) within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply.

This is done by immediately initiating action to fully insert all insertable control rods in core cells containing one or more fuel Z'f assemblies. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and are, therefore, not required to be inserted. Action must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully inserted.

WnSerk SURVEILLANCE As noted at the beginning of the SRs, the SRs for each RPS REQUIREMENTS instrumentation Function are located in the SRs column of Table 3.3.1.1-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , provided the associated Function maintains RPS trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 3) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the RPS will trip when necessary.

continued BFN-UNIT 2 B 3.3-35 Revision 0

N ~

'l l

$ h

INSERT J IfOPRM Upscale trip capability is not maintained, Condition I exists. Reference 12 justified use of alternate methods to detect and suppress oscillations for a limited period of time. The alternate methods are procedurally established consistent with the guidelines identified in Reference 17 requiring manual operator action to scram the plant ifcertain predefined events occur. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed action time is based on engineering judgment to allow orderly transition to the alternate methods while limiting the period of time during which no automatic or alternate detect and suppress trip capability is formally in place. Based on the small probability of an instability event occurring at all, the 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is judged to be reasonable.

I.2 The alternate method to detect and suppress oscillations implemented in accordance with I.1 was evaluated (Reference 12) based on use up to 120 days only. The evaluation, based on engineering judgment, concluded that the likelihood of an instability event that could not be adequately handled by the alternate methods during this 120 day period was negligibly small. The 120 day period is intended to be an outside limit to allow for the case where design changes or extensive analysis might be required to understand or correct some unanticipated characteristic of the instability detection algorithms or equipment. This action is not intended and was not evaluated as a routine alternative to returning failed or inoperable equipment to OPERABLE status. Correction of routine equipment failure or inoperability is expected to normally be accomplished within the completion times allowed for Actions for Conditions A and B.

RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.11 REQUIREMENTS (continued) (Deleted)

SR 3.3.1.1.14 The LOGIC SYSTEM FUNCTIONALTEST demonstrates the OPERABILITYof the required trip logic for a specific channel.

The functional testing of control rods (LCO 3.1.3), and SDV vent and drain valves (LCO 3.1.8), overlaps this Surveillance to provide complete testing of the assumed safety function.

The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown that these components usually pass the Surveillance when performed at the 18 month Frequency.

The LOGIC SY TE FUNCTIONALTEST for APRM Function zd. OI gb4 2.e simulates APRM trip conditions at the 2-out-of-4 voter channel inputs to check all combinations of two tripped inputs to the 2-out-of-4 logic in the voter channels and APRM related redundant RPS relays.

continued BFN-UNIT 2 B 3.3-44 Revision 0

RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.15 REQUIREMENTS (continued) This SR ensures that scrams initiated from the Turbine Stop Valve - Closure and Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Functions will not be inadvertently

)

bypassed when THERMAL POWER is 30% RTP. This involves calibration of the bypass channels (PIS-1-81A, PIS-1-81B, PIS-1-91A, and PIS-1-91B). Adequate margins for the instrument setpoint methodologies are incorporated into the actual setpoint.

If any bypass channel's setpoint is nonconservative (i.e., the Functions are bypassed at a 30% RTP, either due to open main turbine bypass valve(s) or other reasons), then the affected Turbine Stop Valve - Closure and Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Functions are considered inoperable. Alternatively, the bypass channel can be placed in the conservative condition (nonbypass). If placed in the nonbypass condition (Turbine Stop Valve - Closure and Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Functions are enabled), this SR is met and the channel is considered OPERABLE.

The Frequency of 18 months is based on engineering judgment and reliability of the components.

(continued)

BFN-UNIT 2 B 3.3-45 Revision 0

INSERT K SR 3,3,1,1.17 This SR ensures that scrams initiated from OPRM Upscale Function (Function 2.f) will not be inadvertently bypassed when THERMALPOWER, as indicted by the APRM Simulated Thermal Power, is 2 25% RTP and core flow, as indicted by recirculation drive flow, is < 60% rated core flow. This normally involves confirming the bypass setpoints.

Adequate margins for the instrument setpoint methodologies are incorporated into the actual setpoint. The actual surveillance ensures that the OPRM Upscale Function is enabled (not bypassed) for the correct values of APRM Simulated Thermal Power and recirculation drive flow. Other surveillances ensure that the APRM Simulated Thermal Power and recirculation flow properly correlate with THERMALPOWER and core flow respectively.

Ifany bypass setpoint is nonconservative (i.e., the OPRM Upscale Function is bypassed when APRM Simulated Thermal Power 2 25% RTP and recirculation drive flow < 60%

rated), then the affected channel is considered inoperable for the OPRM Upscale Function.

Alternatively, the bypass setpoint may be adjusted to place the channel in a conservative condition (unbypass). Ifplaced in the unbypassed condition, this SR is met and the channel is considered OPERABLE.

The frequency of 24 months is based on engineering judgment and reliability of the components.

RPS Instrumentation B 3.3.1.1 BASES (continued)

REFERENCES 1. FSAR, Section 7.2.

2. FSAR, Chapter 14.

3. NEDO-23842, "Continuous Control Rod Withdrawal in the Startup Range," April 18, 1978.

4. FSAR, Appendix N.

5. FSAR, Section 14.6.2.

6. FSAR, Section 6.5.

7. FSAR, Section 14.5.

8. P. Check (NRC) letter to G. Lainas (NRC), "BWR Scram Discharge System Safety Evaluation," December 1, 1980.

9. NEDC-30851-P-A, "Technical Specification Improvement Analyses for BWR Reactor Protection System,"

March 1988.

10. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

11. MED-32-0286, "Technical Specification Improvement Analysis for Browns Ferry Nuclear Plant, Unit 2," October 1995.

12. NEDC-3241 0P-A, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM)

Retrofit Plus Option III Stability Trip Function," October 1995.

OSer L BFN-UNIT 2 B 3.3-46 Revision 0

INSERT L

13. NEDO-31960-A, "BWR Owners'roup Long-Term Stability Solutions Licensing Methodology," November 1995.

14. NEDO-31960-A, Supplement 1, "BWR Owners'roup Long-Term Stability Solutions Licensing Methodology," November 1995.

15. NEDO-32465-A, "BWR Owners'roup Long-Term Stability Detect and Suppress Solutions Licensing Basis Methodology and Reload Applications," August 1996.

16. NEDC-32410P-A, Supplement 1, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMACPRNM) Retrofit Plus Option III Stability Trip Function," August 1996.

17. Letter, L.A. England (BWROG) to M.J. Virgilio, "BWR Owners'roup Guidelines for Stability Interim Corrective Action," June 6, 1994.

4 Recirculation Loops Operating B 34.1 BASES APPLICABLE Safety analyses g rformed for FSA Chapter 14 implicitly SAFETY ANALYSES assume core c editions are stabl . However, at the high (continued) power/low flo corner of the po er/flow map, an increase probability f r limit cycle oscil tions exists (Ref. 3) dep ding on combi tions of operati conditions (e.g., power ape, bundle ower, and bundl low). Generic evaluati s indicate that w en regional powy oscillations become ectable on the AP s, the safety m Fgin may be insufficie nder some op rating condition to ensure actions take to respond to the RMs signals w Id prevent violation (the MCPR Safety imit (Ref. 4). 5) C Generic Letter 8 2 (Ref. 5) addressed stability calcu Stion methodology ap stated that due to uncertaintie, 10 CFR 50, Appe fix A, General Design Cri ia (GDC) 10 nd 12 could not b et using analytic proce res on-a BWR design. However eference 5 concluded t t opera/ g limitations whi provide for the detectio (by mon'toring neutron flu oise levels) and suppr sion of flux os illations in opera regions of potential yi tability nsistent with th recommendations of R ference 3 are acceptable to d onstrate compliance th GDC 10 and 12.

The NRC cop luded that regions of p ential instability could occur at c Insulated decay ratios of .8 or greater by the Gener Electric ethodology.

Stag'ty tests at operating's were reviewed to de rmine a g Aerie region of the poyy4r/flow map in which surv 'nce of eutron flux noise leveg4 should be performed. conservative decay ratio was chop4n as the basis for dete ining the generic region for surveill Ace to account for the pg nt to plant variability of de y ratio with core and f 6l designs. This decay ratio also hei ensure sufficient mar n to an instability occurrence 'aintained. The ge ric region has been continued BFN-UNIT 2 B 3.4-4 Revision 0

Recirculation Loops Operating 8 3.4.1 BASES APPLICABLE determine obeboundedb he80%rodlinean the50%

SAFETYANALYSES core flow ine. BFN conse atively implements is generic (continued) region ith the "Operati Not Permitted" Re (on and Regions I and/ of Figure 3.4.1- . This conforms to ference 3 re 6mmendations. peration is permitte in Region II provid d utron flux nois evels are verified to e within limits. Th reactor mode s tch must be placed 'he shutdown pos'on (an immediat scram is required) if egion I is entere Recirculation loops operating satisfies Criterion 2 of the NRC Policy Statement (Ref. 6).

LCO Two recirculation loops are required to be in operation with their flows matched within the limits specified in SR 3.4.1.1 to ensure that during a LOCA caused by a break of the piping of one recirculation loop the assumptions of the LOCA analysis are satisfied. With the limits specified in SR 3.4.1.1 not met, the recirculation loo i h the lower flow must be cons e ot in o ation. In dditio, the c re flo express d as a nction HE IVIAL OWE must b outsi e Regio I and and th Op ation ot Per itted gion Figure .4.1-1.

APPLICABILITY In MODES 1 and 2, requirements for operation of the Reactor Coolant Recirculation System are necessary since there is considerable energy in the reactor core and the limiting design basis transients and accidents are assumed to occur.

In MODES 3, 4, and 5, the consequences of an accident are reduced and the coastdown characteristics of the recirculation loops are not important.

(continued)

BFN-UNIT 2 B 34-5 Revision 0

h Recirculation Loops Operating B 3.4.1 BASES (continued)

ACTIONS A.1 Then'mummargintot onsetoftherm hydraulicinstabil y occ i's when the plant i in Region I of Fi ure 3.4.1-1.

T refore, the reactor ode switch is ry uired to be place in e shutdown positi upon entry into his region. This a ion is considered suffici nt to preclude cor oscillations which could challenge the M PR safety limit.

B.1 a B.2 Im ediate action is quired to exit Re ion II of Figure .4.1-1 u on entrybycont ol rodinsertion or owincrease. T e2hour ompletion Time or exiting the regi is acceptable ecause it minimizes the ri while allowing ti e to exit the reg'on without challenging pl nt systems. Becau e the probabilit of thermal hydraulic os'ations is lower an the margin to t MCPR safety limit '6 greater in Region) than in Region, placing the mode swi h in the shutdown bsition upon ent into the region is not ne essary. The mode witch must be pl ced in the shutdo n position if eviden of thermal hydr ulic instability is obse ed. Formal surveill nces are not perf rmed while exitin Regi n II since delaying xit for surveillan 6 is undesirable.

0 e or more of the foll wing conditions i anindication of r actor instability ind ced power oscilla ons when operat' in r near the identifie regions:

continued BFN-UNIT 2 B 3.4-6 Revision 0

Recirculation Loops Operating 8 34.1 BASES ACTIONS B.1 nd B.2 ontinu )

1. A su ainedi rease in PRM ance r LPRM eak-to-pe sig al noise evel, re ing two (more ti es its initi level reduce core flo condition . Any no ceable inc ase in oise le el warra s closer nitoring f the LPR signals.

The'rease noise occ rswitha haracteri icperio of le than 3 conds.

2 LPRM a or APR upscale nd/or do scale annun ators tha larm wi a charac ristic p iod of les than seconds With the requirements of the LCO not met, the recirculation loops must be restored to operation with matched flows within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . A recirculation loop is considered not in operation when the pump in that loop is idle or when the mismatch between total jet pump flows of the two loops is greater than required limits. The loop with the lower flow must be considered not in operation. Should a LOCA occur with one recirculation loop not in operation, the core flow coastdown and resultant core response may not be bounded by the LOCA analyses. Therefore, only a limited time is allowed to restore the inoperable loop to operating status.

The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time is based on the low probability of an accident occurring during this time period, on a reasonable time to complete the Required Action, and on frequent core monitoring by operators allowing abrupt changes in core flow conditions to be quickly detected.

continued BFN-UNIT 2 B 3.4-7 Revision 0

4 1

I

Recirculation Loops Operating B 3.4.1 BASES AGTIQNs gl (continued)

This Required Action does not require tripping the recirculation pump in the lowest flow loop when the mismatch between total jet pump flows of the two loops is greater than the required limits. However, in cases where large flow mismatches occur, low flow or reverse flow can occur in the low flow loop jet pumps, causing vibration of the jet pumps. If zero or reverse flow is detected, the condition should be alleviated by changing pump speeds to re-establish forward flow or by tripping the pump.

~cbE5 los With no recirculation loops in operation while in 0 E 2 or the Required Ac n and associated Completion Time of onditio o not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . In this condition, the recirculation loops are not required to be operating because of the reduced severity of DBAs and minimal dependence on the recirculation loop coastdown characteristics. The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

continued BFN-UNIT 2 B 3.4-8 Revision 0

l l 0

Recirculation Loops Operating B 3.4.1 BASES ACTIONS (continued) th the actor in DE 1 and no ecirculationy mps perat g, the rea or mode swit must be plydedin the shu own positi immediatel . An immedi te scram is re ired sine BFN does n have effec e automatic s am rotectionj r regional o illations. TP's requiremen as implem Kted to compl ith Refer rfce 4.

SURVEILLANCE SR 3.4.1.1 REQUIREMENTS This SR ensures the recirculation loops are within the allowable

(

limits for mismatch. At low core flow (i.e., 70% of rated core flow), the MCPR requirements provide larger margins to the fuel cladding integrity Safety Limit such that the potential adverse effect of early boiling transition during a LOCA is reduced. A larger flow mismatch can therefore be allowed when core flow is

( 70% of rated core flow. The recirculation loop jet pump flow, as used in this Surveillance, is the summation of the flows from all of the jet pumps associated with a single recirculation loop.

The mismatch is measured in terms of percent of rated core flow. If the flow mismatch exceeds the specified limits, the loop with the lower flow is considered inoperable. The SR is not required when both loops are not in operation since the mismatch limits are meaningless during single loop or natural circulation operation. The Surveillance must be performed within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after both loops are in operation. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Frequency is consistent with the Surveillance Frequency for jet pump OPERABILITYverification and has been shown by operating experience to be adequate to detect off normal jet pump loop flows in a timely manner.

continued BFN-UNIT 2 B 3.4-9 Revision 0

Recirculation Loops Operating B 3.4.1 BASES SURVEILLANCE SR .4.1.2 REQUIREMENTS (continued) is SR ense es the reac r THERMA POWER an core flow are within Ppropriate p rameter limi to prevent u controlled power os Ilations. At ow recirculate n flows and igh reactor power, e reactor e ibits increa hd susceptibil y to thermal hydra ic instability. Figure 3.4. -1 is based o guidance proy'ded in Refer nce 3, whic s used to resp nd to operation in hese conditio s. Perform ce immediate P after any

'rease of mgfe than 5% R P while initial ore flow is 50% (

of rated and j(nmediately aj er any decreq e of more than 1 /o

)

rated core f 6w while initiyfthermal pow f is 40% of rate is adequate o detect pow f oscillations t atcould lead tot ermal ydrauli instability.

REFERENCES 1. FSAR, Section 14.6.3.

2. FSAR, Section 4.3.5.

G Service Infory tion Letter N . 380, "BWR Core Ak KddA hermal Hydr dfic Stability," evision 1, Februa 10, 1984.

4. NRC P lletin 88-07, " ower Oscillation n Boiling Water Re Etors(BWRs 'upplement1, D cember30,1988.

n~e ~sea

5. RC Generi etter 86-02, "Te nical Resolution of Generic I ue B-19, Therm ydraulic Stability," anuary 22, 198 .

6. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

0 BFN-UNIT 2 B 3.4-10 Revision 0

4 k

1

ENCLOSURE 3 TENNESSEE VALLEYAUTHORITY BROWNS FERRY NUCLEAR PLANT (BFN)

UNIT 2 PROPOSED TECHNICAL SPECIFICATION (TS) CHANGE TS-354 REVISED PAGES I. AFFECTED PAGE LIST UNIT 2 3.3-1 3.3-2 3.3-3 3.3-6 3.3-8 3.3-9 3.4-1 3.4-2 3.4-3 3.4-4 i and ii (Bases) vii (Bases)

B 3.3-9 through B 3.3-281 B 3.4-4 through B 3.4-68 II. REVISED PAGES See attached.

RPS Instrumentation 3.3.1.1 3.3 INSTRUMENTATION 3.3.1.1 Reactor Protection System (RPS) Instrumentation LCO 3.3.'I.1 The RPS instrumentation for each Function in Table 3.3.1.1-1 shall be OPERABLE.

APPLICABILITY: According to Table 3.3.1.1-1.

ACTIONS NOTE Separate Condition entry is allowed for each channel.

CONDITION REQUIRED ACTION COMPLETION TIME A. One or more required A.1 Place channel in trip. 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months channels inoperable.

OR A.2 NOTE Not applicable for Functions 2.a, 2.b, 2.c, 2.d, or 2.f.

Place associated trip 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months system in trip.

(continued)

BFN-UNIT 2 3.3-1

RPS Instrumentation 3.3.1.1 ACTIONS continued CONDITION REQUIRED ACTION COMPLETION TIME 8 -NOTE- B.1 Place channel in one trip 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Not applicable for system in trip.

Functions 2.a, 2.b, 2.c, 2.d, or 2.f. OR B.2 Place one trip system in 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months One or more Functions trip.

with one or more required channels inoperable in both trip systems.

C. One or more Functions C.1 Restore RPS trip 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months with RPS trip capability capability.

not maintained.

D. Required Action and D.1 Enter the Condition Immediately associated Completion referenced in Time of Condition A, B, or Table 3.3.1.1-1 for the C not met. channel.

E. As required by Required E:1 Reduce THERMAL 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Action D.1 and POWER to < 30% RTP.

referenced in Table 3.3.1 1-1.

~

F. As required by Required F.1 Be in MODE 2. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Action D.1 and referenced in Table 3.3.1.1-1.

(continued)

BFN-UNIT 2 3.3-2

RPS Instrumentation 3.3.1.1 ACTIONS continued CONDITION REQUIRED ACTION COMPLETION TIME G. As required by Required G.1 Be in MODE 3. 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Action D.1 and referenced in Table 3.3.1.1-1.

H. As required by Required H.1 Initiate action to fully Immediately Action'.1 and insert all insertable referenced in control rods in core cells Table 3.3.1.1-1. containing one or more fuel assemblies.

I. As required by Required l.1 Initiate alternate method 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Action D.1 and to detect and suppress referenced in Table thermal hydraulic 3.3.1.1-1. instability oscillations.

AND 1.2 Restore required 120 days channels to OPERABLE.

J. Required Action and J.1 Be in Mode 2. 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months associated Completion Time of Condition I not met.

BFN-UNIT 2 3.3-3

RPS Instrumentation 3.3.1.1 SURVEILLANCE REQUIREMENTS continued SURVEILLANCE FREQUENCY SR 3.3.1.1.10 Perform CHANNEL CALIBRATION. 184 days SR 3.3.1.1.11 (Deleted)

SR 3.3.1.1.12 Perform CHANNEL FUNCTIONAL TEST. 18 months SR 3.3.1.1.13 NOTE Neutron detectors are excluded.

Perform CHANNEL CALIBRATION. 18 months SR 3.3.1.1.14 Perform LOGIC SYSTEM FUNCTIONAL 18 'months TEST.

SR 3.3.1.1.15 Verify Turbine Stop Valve - Closure and 18 months Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Functions are not bypassed when THERMAL POWER is ) 30% RTP.

SR 3.3.1.1.16 NOTE For Function 2.a, not required to be performed when entering MODE 2 from MODE 1 until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after entering MODE 2.

Perform CHANNEL FUNCTIONALTEST. 184 days SR 3.3.1.1.17 Verify OPRM is not bypassed when APRM 24 months Simulated Thermal Power is z 25% and recirculation drive flow is (60% of rated recirculation drive flow.

BFN-UNIT 2 3.3-6

RPS Instrumentation 3.3.1.1 Table 3.3.1.1-1 (page 2 of 3)

Reactor Protection System Instrumentation APPLICABLE CONDITIONS MODES OR REQUIRED REFERENCED FUNCTION OTHER CHANNELS FROM SURVEILLANCE ALLOWABLE SPECIFIED PER TRIP REQUIRED REQUIREMENTS VALUE CONDITIONS SYSTEM ACTION D.1

2. Average Power Range Monitors (continued)

d. Inop 1,2 3(b) SR 3.3.1.1.16 NA

e. 2-Out-Ofd Voter 12 SR 3.3.1.1.1 SR 3.3.1.1.14 SR 3.3.1.1.16

f. OPRM Upscale 3(b) SR 3.3.1.1.1 SR 3.3.1.1.7 SR 3.3.1.1.13 SR 3.3.1.1.16 SR 3.3.1.1.17

3. Reactor Vessel Steam Dome 12 G SR 3.3.1.1.1 6 1055 pslg Pressure - High SR 3.3.1.1.8 SR 3.3.1.1.10 SR 3.3.1.1.14

4. Reactor Vessel Water Level- 1,2 G SR 3.3.1.1.1 '2 538 inches Low, Level 3 SR 3.3.1.1.8 above vessel SR 3.3.1.1.13 2efo SR 3.3.1.1.14

5. Main Steam Isolation Valve- SR 3.3.1.1.8 6 10% closed Closure SR 3.3.1.1.13 SR 3.3.1.1.14

6. Drywell Pressure - High 1,2 G SR 3.3.1.1.8 S 2.5 psig SR 3.3.1.1.13 SR 3.3.1.1.14

7. Scram Discharge Volume Water Level - High

a. Resistance Temperature 1,2 SR 3.3.1.1.8 5 50 gallons Detector SR 3.3.1.1.13 SR 3.3.1.1.14 5(a) SR 3.3.1.1.8 s 50 gallons SR 3.3.1.1.13 SR 3.3.1.1.14 continued (a) With any control rod withdrawn from a core cell containing one or more fuel assemblies.

l (b) Each APRM channel provides inputs to both trip systems.

I 8FN-UNIT 2 3.3-8

RPS Instrumentation 3.3.1.1 Table 3.3.1.1-1 (page 3 of 3)

Reactor Protection System Instrumentation APPLICABLE CONDITIONS MODES OR REQUIRED REFERENCED FUNCTION OTHER CHANNELS FROM SURVEILLANCE ALLOWABLE SPECIFIED PER TRIP REQUIRED REQUIREMENTS VALUE CONDITIONS SYSTEM ACTION D.1

7. Scram Discharge Volume Water Level - High (continued)

b. Float Switch 12 G SR 3.3.1.1.8 5 50 gallons SR 3.3.1.1.13 SR 3.3.1.1.14 5(a) SR 3.3.1.1.8 5 50 gallons SR 3.3.1.1.13 SR 3.3.1.1.14

8. Turbine Stop Valve - Closure Z 30% RTP SR 3.3.1.1.8 S 10% closed SR 3.3.1.1.13 SR 3.3.1.1.14 SR 3.3.1.1.15

9. Turbine Control Valve Fast R30% RTP SR 3.3.1.1.8 Closure, Trip Oil Pressure- SR 3.3.1.1.13 Low SR 3.3.1.1.14 SR 3.3.1.1.15

10. Reactor Mode Switch- 1,2 SR 3.3.1.1.12 NA Shutdown Position SR 3.3.1.1.14 5(a) SR 3.3.1.1.12 NA SR 3.3.1.1.14

11. Manual Scram 1,2 SR 3.3.1.1.8 NA SR 3.3.1.1.14 5(a) SR 3.3.1.1.8 NA SR 3.3.1.1.14

12. RPS Channel Test Switches 1,2 G SR 3.3.1.1.4 NA 5(a) SR 3.3.1.1.4 NA

13. Low Scram Pilot Air Header 1,2 SR 3.3.1.1.13 250 psig Pressure SR 3.3.1.1.14 SR 3.3.1.1.16 5(a) SR 3.3.1.1.13 a 50 psig SR 3.3.1.1.14 SR 3.3.1.1.16 (a) With any control rod withdravm from a core cell containing one or more fuel assemblies.

BFN-UNIT 2 3.3-9

Recirculation Loops Operating 3.4.1 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4.1 Recirculation Loops Operating LCO 3.4.1 Two recirculation loops with matched flows shall be in operation.

APPLICABILITY: MODES 1 and 2.

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One recirculation loop not A.1 =

Restore two recirculation 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months in operation. loops to operation.

'continued)

BFN-UNIT 2 3.4-1

Recirculation Loops Operating 3.4.1 ACTIONS continued CONDITION REQUIRED ACTION COMPLETION TIME B. Required Action and B.1 Be in MODE 3. 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months associated Completion Time of Condition A not met.

OR No recirculation loops in operation.

BFN-UNIT 2 3.4-2

Recirculation Loops Operating 3.4.1 SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.4.1.1 NOTE Not required to be performed until 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after both recirculation loops are in operation.

Verify recirculation loop jet pump flow 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months mismatch with both recirculation loops in operation is:

a. s 10% of rated core flow when operating at ( 70% of rated core flow; and

b. s 5% of rated core flow when operating at z 70% of rated core flow.

BFN-UNIT 2 3.4-3

Recirculation Loops Operating 3.4.1 Figure 3.4.1-1 (Deleted Per TS 354)

BFN-UNIT 2 3.4-4

BROWNS FERRY NUCLEAR PLANT TECHNICAL SPECIFICATIONS (BASES)

TABLE OF CONTENTS Section ~Pe e No.

8 2.0 SAFETY LIMITS (SLs) . 8 2.0-1 8 2.1.1 Reactor Core SLs . 8 2.0-1 8 2.1.2 Reactor Coolant System (RCS) Pressure SL . 8 2.0-8 8 3.0 LIMITINGCONDITION FOR OPERATION (LCO)

APPLICABILITY 8 3.0-1 8 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY.... ... 8 3.0-12 8 3.1 REACTIVITYCONTROL SYSTEMS 8 3.1-1 8 3.1:1 SHUTDOWN MARGIN (SDM) 8 3.1-1 8 3.1.2 Reactivity Anomalies 8 3.1-9 8 3.1.3 Control Rod OPERABILITY. 8 3.1-15 8 3.1.4 Control Rod Scram Times 8 3.1-26 8 3.1.5 Control Rod Scram Accumulators.... 8 3.1-35 8 3.1.6 Rod Pattern Control 8 3.1-41 8 3.1.7 Standby Liquid Control (SLC) System. 8 3.1-47 8 3.1.8 Scram Discharge Volume (SDV) Vent and Drain Valves 8 3.1-57 8 3.2 POWER DISTRIBUTION LIMITS 8 3.2-1 8 3.2.1 AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR) . 8 3.2-1 8 3.2.2 MINIMUMCRITICAL POWER RATIO (MCPR).......... 8 3.2-6 8 3.2.3 LINEAR HEAT GENERATION RATE (LHGR) ........... 8 3.2-12 8 3.3 INSTRUMENTATION . 8 3.3-1 8 3.3.1.1 Reactor Protection System (RPS) Instrumentation .... .. 8 3.3-1 8 3.3.1.2 Source Range Monitor (SRM) Instrumentation .......... .. 8 3.3-51 8 3.3.2.1 Control Rod Block Instrumentation . 8 3.3-63 8 3.3.2.2 Feedwater and Main Turbine High Water Level Trip Instrumentation. . 8 3.3-79 8 3.3.3.1 Post Accident Monitoring (PAM) Instrumentation....... .. 8 3.3-88 8 3.3.3.2 Backup Control System. . 8 3.3-1 03 (continued)

BFN-UNIT 2

BROWNS FERRY NUCLEAR PLANT TECHNICAL SPECIFICATIONS (BASES)

TABLE OF CONTENTS (continued)

Section ~Pe e No.

8 3.3.4.1 End of Cycle Recirculation Pump Trip (EOC-RPT)

Instrumentation ~ 833 112 I 8 3.3.4.2 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT) Instrumentation ............. .. 8 3.3-124 I 8 3.3.5.1 Emergency Core Cooling System (ECCS)

Instrumentation . 8 3.3-135 I 8 3.3.5.2 Reactor Core Isolation Cooling (RCIC) System Instrumentation . 8 3.3-183 8 3.3.6.1 Primary Containment Isolation Instrumentation ......... .. 8 3.3-194 8 3.3.6.2 Secondary Containment Isolation Instrumentation..... .. 8 3.3-230 8 3.3.7.1 Control Room Emergency Ventilation (CREV)

System Instrumentation. . 8 3.3-244 8 3.3.8.1 Loss of Power (LOP) Instrumentation. . 8 3.3-260 8 3.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring. . 8 3.3-273 I 8 3.4 REACTOR COOLANT SYSTEM (RCS) . 8 3.4-1 8 3.4.1 Recirculation Loops Operating . 8 34-1 8 3.4.2 Jet Pumps . 8 3.4-9 8 3.4.3 Safety/Relief Valves (S/RVs) .................... . 8 3.4-15 8 3.4.4 RCS Operational LEAKAGE . 8 3.4-21 8 3.4.5 RCS Leakage Detection Instrumentation . 8 3.4-28 8 3.4.6 RCS Specific Activity... . 8 3.4-35 8 3.4.7 Residual Heat Removal (RHR) Shutdown Cooling System - Hot Shutdown ~ 8 3.4-40 I 8 3.4.8 Residual Heat Removal (RHR) Shutdown Cooling System - Cold Shutdown. . 8 3.4-47 8 3.4.9 RCS Pressure and Temperature (P/T) Limits ... ... 8 3.4-53 8 3.4.10 Reactor Steam Dome Pressure. . 8 3.4-65 (continued) 8FN-UNIT 2

BROWNS FERRY NUCLEAR PLANT TECHNICAL SPECIFICATIONS (REQUIREMENTS)

LIST OF FIGURES Ficiure Pacae No.

Figure 3.1.7-1 ... 3.1-27 Figure 3.4.1-1 (Deleted). ... 3.4-4 Figure 3.4.9-1 ... 3.4-29 8FN-UNIT 2 Vll

RPS Instrumentation 8 3.3.1.1 BASES APPLICABLE Avera e Power Ran e Monitor SAFETY ANALYSES, LCO, and The APRIVI channels provide the primary indication of neutron APPLICABILITY flux within the core and respond almost instantaneously to (continued) neutron flux increases. The APRM channels receive input signals from the local power range monitors (LPRMs) within the reactor core to provide an indication of the power distribution and local power changes. The APRM channels average these LPRM signals to provide a continuous indication of average reactor power from a few percent to greater than RTP. Each APRM also includes an Oscillation Power Range Monitor (OPRIVI) Upscale Function which monitors small groups of LPRM signals to detect thermal hydraulic instabilities.

The APRM System is divided into four APRM channels and four 2-out-of-4 voter channels. Each APRM channel provides inputs to each of the four voter channels. The four voter channels are divided into two groups of two each, with each group of two providing inputs to one RPS trip system. The system is designed to allow one APRM channel, but no voter channels, to be bypassed. A trip from any one unbypassed APRM will result in a "half-trip" in all four of the voter channels, but no trip inputs to either RPS trip system. APRM trip Functions 2.a, 2.b, 2.c, and 2.d are voted independently from OPRM Upscale Function 2.f. Therefore, any Function 2.a, 2.b, 2.c, or 2.d trip from any two unbypassed APRM channels will result in a full trip in each of the four voter channels, which in turn results in two trip inputs to each RPS trip system logic channel (A1, A2, B1, or B2).

Similarly, a Function 2.f trip from any two unbypassed APRM channels will result in a full trip from each of the four voter channels. Three of the four APRM channels and all four of the voter channels are required to be OPERABLE to ensure that no single failure will preclude a scram on a valid signal. In addition, to provide adequate coverage of the entire core, consistent with the design bases for the APRM Functions 2.a, 2.b, and 2.c, at least twenty (20) LPRM inputs, with at least continued BFN-UNIT 2 B 3.3-9

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE Avera e Power Ran e Monitor (continued)

SAFETY ANALYSES, LCO, and three (3) LPRM inputs from each of the four axial levels at APPLICABILITY which the LPRMs are located, must be operable for each APRM channel. For the OPRM Upscale Function 2.f, LPRMs are assigned to "cells" with either 3 or 4 detectors, with a total of 33 "cells" assigned to each OPRM channel. A minimum of 23 cells, each with a minimum of 2 LPRMs must be OPERABLE for the OPRM Upscale Function 2.f to be OPERABLE.

2.a. Avera e Power Ran e Monitor Neutron Flux - Hi h Setdown For operation at low power (i.e., MODE 2), the Average Power Range Monitor Neutron Flux - High, (Setdown) Function is capable of generating a trip signal that prevents fuel damage resulting from abnormal operating transients in this power range. For most operation at low power levels, the Average Power Range Monitor Neutron Flux - High, (Setdown) Function will provide a secondary scram to the Intermediate Range Monitor Neutron Flux - High Function because of the relative setpoints. With the IRMs at Range 9 or 10, it is possible that the Average Power Range Monitor Neutron Flux - High, (Setdown) Function will provide the primary trip signal for a corewide increase in power.

No specific safety analyses take direct credit for the Average Power Range Monitor Neutron Flux - High, (Setdown)

Function. However, this Function indirectly ensures that before the reactor mode switch is placed in the run position, reactor power does not exceed 25% RTP (SL 2.1.1.1) when operating at low reactor pressure and low core flow. Therefore, it indirectly prevents fuel damage during significant reactivity increases with THERMAL POWER < 25% RTP.

The Allowable Value is based on preventing significant increases in power when THERMAL POWER is < 25% RTP.

continued BFN-UNIT 2 B 3.3-10

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 2.a. Avera e Power Ran e Monitor Neutron Flux- Hi h SAFETYANALYSES, ~Setdown (continued)

LCO, and APPLICABILITY The Average Power Range Monitor Neutron Flux - High, (Setdown) Function must be OPERABLE during MODE 2 when control rods may be withdrawn since the potential for criticality exists. In MODE 1, the Average Power Range Monitor Neutron Flux - High Function provides protection against reactivity transients and the RWM and rod block monitor protect against control rod withdrawal error events.

2.b. Avera e Power Ran e Monitor Flow Biased Simulated Thermal Power - Hi h The Average Power Range Monitor Flow Biased Simulated Thermal Power - High Function monitors neutron flux to approximate the THERMAL POWER being transferred to the reactor coolant. The APRM neutron flux is electronically filtered with a time constant representative of the fuel heat transfer dynamics to generate a signal proportional to the THERMAL POWER in the reactor. The trip level is varied as a function of recirculation drive flow (i.e., at lower core flows, the setpoint is reduced proportional to the reduction in power experienced as core flow is reduced with a fixed control rod pattern) but is clamped at an upper limit that is always lower than or equal to the Average Power Range Monitor Fixed Neutron Flux - High Function Allowable Value. The Average Power Range Monitor Flow Biased Simulated Thermal Power - High Function provides protection against transients where THERMAL POWER increases slowly (such as the loss of feedwater heating event) and protects the fuel cladding integrity by insuring that the MCPR SL is not exceeded. During these events, the THERMAL POWER increase does not significantly lag the neutron flux response and, because of a lower trip setpoint, will initiate a scram before the high neutron flux scram.

continued B 3.3-11

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 2.b. Avera e Power Ran e Monitor Flow Biased Simulated SAFETYANALYSES, Thermal Power - Hi h (continued)

LCO, and APPLICABILITY For rapid neutron flux increase events, the THERMAL POWER lags the neutron flux'and the Average Power Range Monitor Fixed Neutron Flux - High Function will provide a scram signal before the Average Power Range Monitor Flow Biased Simulated Thermal Power - High Function setpoint is exceeded.

Each APRM channel uses one total drive flow signal representative of total core flow. The total drive flow signal is generated by the flow processing logic, p'art of the APRM channel, by summing up the flow calculated from two flow transmitter signal inputs, one from each of the two recirculation loop flows. The flow processing logic OPERABILITY is part of the APRM channel OPERABILITYrequirements for this function.

The clamped Allowable Value is based on analyses that take credit for the Average Power Range Monitor Flow Biased Simulated Thermal Power - High Function for the mitigation of the loss of feedwater heating event.'he THERMAL POWER time constant of ( 7 seconds is based on the fuel heat transfer dynamics and provides a signal proportional to the THERMAL POWER. The term "W'n the equation for determining the Allowable Value is defined as total recirculation flow in percent of rated.

The Average Power Range Monitor Flow Biased Simulated Thermal Power - High Function is required to be OPERABLE in MODE 1 when there is the possibility of generating excessive THERMAL POWER and potentially exceeding the SL applicable to high pressure and core flow conditions (MCPR SL). During MODES 2 and 5, other IRM and APRM Functions provide protection for fuel cladding inte'grity.

continued BFN-UNIT 2 B 3.3-12

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 2.c. Avera e Power Ran e Monitor Fixed Neutron Flux-Hi h SAFETYANALYSES, LCO, and The Average Power Range Monitor Fixed Neutron Flux - High APPLICABILITY Function is capable of generating a trip signal to prevent fuel (continued) damage or excessive RCS pressure. For the overpressurization protection analysis of Reference 4, the Average Power Range Monitor Fixed Neutron Flux - High Function is assumed to terminate the main steam isolation valve (MSIV) closure event and, along with the safety/relief valves (S/RVs), limits the peak reactor pressure vessel (RPV) pressure to less than the ASME Code limits. The control rod drop accident (CRDA) analysis (Ref. 5) takes credit for the Average Power Range Monitor Fixed Neutron Flux - High Function to terminate the CRDA.

The Allowable Value is based on the Analytical l.imit assumed in the CRDA analyses.

The Average Power Range Monitor Fixed Neutron Flux - High Function is required to be OPERABLE in MODE 1 where the potential consequences of the analyzed transients could result in the SLs (e.g., MCPR and RCS pressure) being exceeded.

Although the Average Power Range Monitor Fixed Neutron Flux

- High Function is assumed in the CRDA analysis, which is applicable in MODE 2, the Average Power Range Monitor Neutron Flux - High, (Setdown) Function conservatively bounds the assumed trip and, together with the assumed IRM

, trips, provides adequate protection. Therefore, the Average Power Range Monitor Fixed Neutron Flux - High Function is not required in MODE 2.

continued B 3.3-13

RPS Instrumentation B 3.3.1:1 BASES APPLICABLE 2.d. Avera e Power Ran e Monitor - Ino SAFETYANALYSES, LCO, and Three of the four APRM channels are required to be APPLICABILITY OPERABLE for each of the APRM Functions. This Function (continued) (Inop) provides assurance that the minimum number of APRMs are OPERABLE. For any APRM channel, any time its mode switch is in any position other than "Operate," an APRM module is unplugged, or the automatic self-test system detects a critical fault with the APRM channel, an Inop trip is sent to all four voter channels. Inop trips from two or more unbypassed APRM channels result in a trip output from all four voter channels to their associated trip system.

This Function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.

There is no Allowable Value for this Function.

This Function is required to be OPERABLE in the MODES where the APRM Functions are required.

continued BFN-UNIT 2 B 3.3-14

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 2.e. 2-Out-Of-4 Voter SAFETY ANALYSES, LCO, and The 2-Out-Of-4 Voter Function provides the interface between APPLICABILITY the APRM Functions, including the OPRM Upscale Function, (continued) and the final RPS trip system logic. As such, it is required to be OPERABLE in the MODES where the APRM Functions are required and is necessary to support the safety analysis applicable to each of those Functions. Therefore, the 2-Out-Of-4 Voter Function needs to be OPERABLE in MODES 1 and 2.

All four voter channels are required to be OPERABLE. Each voter channel includes self-diagnostic functions. If any voter channel detects a critical fault in its own processing, a trip is issued from that voter channel to the associated trip system.

The 2-Out-Of-4 Voter Function votes APRM Functions 2.a, 2.b, 2.c, and 2.d independently of Function 2.f. The voter also includes separate outputs to RPS for the two independently voted sets of Functions, each of which is redundant (four total outputs). The Voter Function 2.e must be declared inoperable if any of its functionality is inoperable. However, due to the independent voting of APRM trips, and the redundancy of outputs, there may be conditions where the Voter Function 2.e is inoperable, but trip capability for one or more of the other APRM Functions through that voter is still maintained. This may be considered when determining the condition of other APRM Functions resulting from partial inoperability of the Voter Function 2.e.

There is no Allowable Value for this Function.

continued BFN-UNIT 2 B 3.3-15

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 2.f. Oscillation Power Ran e Monitor OPRM U scale SAFETYANALYSES, LCO, and The OPRM Upscale Function provides compliance with GDC 10 APPLICABILITY and GDC 12, thereby providing protection from exceeding the (continued) fuel MCPR safety limit (SL) due to anticipated thermal hydraulic power oscillations.

References 13, 14, and 15 describe three algorithms for detecting thermal-hydraulic instability related neutron flux oscillations: the period based detection algorithm, the amplitude based algorithm, and the growth rate algorithm. All three are implemented in the OPRM Upscale Function, but the safety analysis takes credit only for the period based detection algorithm. The remaining algorithms provide defense in depth and additional protection against unanticipated oscillations.

OPRM Upscale Function OPERABILITYfor Technical Specification purposes is based only on the period based detection algorithm.

The OPRM Upscale Function receives input signals from the local power range monitors (LPRMs) within the reactor core, which are combined into "cells" for evaluation of the OPRM algorithms.

The OPRM Upscale Function is required to be OPERABLE when the plant is in a region of power flow operation where anticipated events could lead to thermal hydraulic instability and related neutron flux oscillations. Within this region, the automatic trip is enabled when THERMAL POWER, as indicated by the APRM Simulated Thermal Power, is > 25%

RTP and reactor core flow, as indicated by recirculation drive flow is ( 60% of rated flow, the operating region where actual thermal hydraulic oscillations may occur. Requiring the OPRM Upscale Function to be OPERABLE in Mode 1 provides consistency with operability requirements for other APRM functions and assures that the OPRM Upscale Function is OPERABLE whenever reactor power could increase into the region of concern without operator action.

continued BFN-UNIT 2 B 3.3-16

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 2.f. Oscillation Power Ran e Monitor OPRM U scale SAFEYY ANALYSES, LCO, and

~ii d APPLICABILITY An OPRM U p scale trip is issued from an APRM charm el when the period based detection algorithm in that channel detects oscillatory changes ip the neutron flux, indicted by the combined signals of the LPRM detectors in a cell, with period confirmations and relative cell amplitude exceeding specified setpoints. One or more cells in a channel exceeding the trip conditions will result in a channel trip. An OPRM Upscale trip is also issued from the channel if either the growth rate or amplitude based algorithms detect growing oscillatory changes in the neutron flux for one or more cells in that channel.

Three of the four channels are required to be OPERABLE.

Each channel is capable of detecting thermal hydraulic instabilities, by detecting the related neutron flux oscillations, and issuing a trip signal before the MCPR SL is exceeded.

There is no allowable value for this function.

3. Reactor Vessel Steam Dome Pressure - Hi h (P IS-3-22AA, PIS-3-22BB, P IS-3-22C and P IS-3-22D)

An increase in the RPV pressure during reactor operation compresses the steam voids and results in a positive reactivity insertion. This causes the neutron flux and THERMAL POWER transferred to the reactor coolant to increase, which could challenge the integrity of the fuel cladding and the RCPB. The Reactor Vessel Steam Dome Pressure - High Function initiates a scram for transients that result in a pressure increase, counteracting the pressure increase by rapidly reducing core power. For the overpressurization protection analysis of Reference 4, reactor scram (the analyses conservatively assume scram on the Average Power Range Monitor Fixed Neutron Flux - High signal, not the Reactor Vessel Steam continued BFN-UNIT 2 B 3.3-17

0 RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 3. Reactor Vessel Steam Dome Pressure - Hi h SAFETYANALYSES, (PIS-3-22AA, PIS-3-22BB, PIS-3-22C and PIS-3-22D)

LCO, and (continued)

APPLICABILITY Dome Pressure - High signal), along with the S/RVs, limits the peak RPV pressure to less than the ASME Section III Code limits.

High reactor pressure signals are initiated from four pressure transmitters that sense reactor pressure. The Reactor Vessel Steam Dome Pressure - High Allowable Value is chosen to provide a sufficient margin to the ASME Section III Code limits during the event.

Four channels of Reactor Vessel Steam Dome Pressure - High Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. The Function is required to be OPERABLE in MODES 1 and 2 when the RCS is pressurized and the potential for pressure increase exists.

4. Reactor Vessel Water Level - Low Level 3 (LIS-3-203A, LIS-3-203B, LIS-3-203C, and LIS-3-203D)

Low RPV water level indicates the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, a reactor scram is initiated at Level 3 to substantially reduce the heat generated in the fuel from fission. The Reactor Vessel Water Level - Low, Level 3 Function is assumed in the analysis of the recirculation line break (Ref. 6). The reactor scram reduces the amount of energy required to be absorbed and, along with the actions of the Emergency Core Cooling Systems (ECCS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

continued BFN-UNIT 2" B 3.3-18

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 4. Reactor Vessel Water Level - Low Level 3 SAFETY ANALYSES, (LIS-3-203A, LIS-3-203B, LIS-3-203C, and LIS-3-203D)

LCO, and (continued)

APPLICABILITY Reactor Vessel Water Level - Low, Level 3 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

Four channels of Reactor Vessel Water Level - Low, Level 3 Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal.

The Reactor Vessel Water Level - Low, Level 3 Allowable Value is selected to ensure that (a) during normal operation the steam dryer skirt is not uncovered (this protects available recirculation pump net positive suction head (NPSH) from significant carryunder), and (b) for transients involving loss of all normal feedwater flow, initiation of the low pressure ECCS subsystems at Reactor Vessel Water - Low Low Low, Level 1 will not be required.

The Function is required in MODES 1 and 2 where considerable energy exists in the RCS resulting in the limiting transients and accidents. ECCS initiations at Reactor Vessel Water Level - Low Low, Level 2 and Low Low Low, Level 1 provide sufficient protection for level transients in all other MODES.

continued BFN-UNIT 2 8 3.3-19

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 5. Main Steam Isolation Valve - Closure SAFETY ANALYSES, LCO, and MSIV closure results in loss of the main turbine and the APPLICABILITY condenser as a heat sink for the nuclear steam supply system (continued) and indicates a need to shut down the reactor to reduce heat generation. Therefore, a reactor scram is initiated on a Main Steam Isolation Valve - Closure signal before the MSIVs are completely closed in anticipation of the complete loss of the normal heat sink and subsequent overpressurization transient.

However, for the overpressurization protection analysis of Reference 4, the Average Power Range Monitor Fixed Neutron Flux - High Function, along with the S/RVs, limits the peak RPV pressure to less than the ASME Code limits. That is, the direct scram on position switches for MSIV closure events is not assumed in the overpressurization analysis. Additionally, MSIV closure is assumed in the transients analyzed in Reference 7 (e.g., low steam line pressure, manual closure of MSIVs, high steam line flow).

The reactor scram reduces the amount of energy required to be absorbed and, along with the actions of the ECCS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

MSIV closure signals are initiated from position switches located on each of the eight MSIVs. Each MSIV has two position switches; one inputs to RPS trip system A while the other inputs to RPS trip system B. Thus, each RPS trip system receives an input from eight Main Steam Isolation Valve-Closure channels, each consisting of one position switch. The logic for the Main Steam Isolation Valve - Closure Function is arranged such that either the inboard or outboard valve on three or more of the main steam lines must close in order for a scram to occur.

continued BFN-UNIT 2 B 3.3-20

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 5. Main Steam Isolation Valve - Closure (continued)

SAFETYANALYSES, LCO, and The Main Steam Isolation Valve - Closure Allowable Value is APPLICABILITY specified to ensure that a scram occurs prior to a significant reduction in steam flow, thereby reducing the severity of the subsequent pressure transient.

Sixteen channels of the Main Steam Isolation Valve - Closure Function, with eight channels in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude the scram from this Function on a valid signal. This Function is only required in MODE 1 since, with the MSIVs open and the heat generation rate high, a pressurization transient can occur if the MSIVs close. In MODE 2, the heat generation rate is low enough so that the other diverse RPS functions provide sufficient protection.

6. D ellPressure-Hi h (PIS-64-56A, PIS-64-56B, PIS-64-56C, and PIS-64-56D)

High pressure in the drywell could indicate a break in the RCPB. A reactor scram is initiated to minimize the possibility of fuel damage and to reduce the amount of energy being added to the coolant and the drywell. The Drywell Pressure - High Function is a secondary scram signal to Reactor Vessel Water Level - Low, Level 3 for LOCA events inside the drywell.

However, no credit is taken for a scram initiated from this Function for any of the DBAs analyzed in the FSAR. This Function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.

High drywell pressure signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and indicative of a LOCA inside primary containment.

continued BFN-UNIT 2 B 3.3-21

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 6. D ell Pressure - Hi h SAFETY ANALYSES, (PIS-64-56A, PIS-64-56B, PIS-64-56C, and PIS-64-56D)

LCO, and (continued)

APPLICABILITY Four channels of Drywell Pressure - High Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. The Function is required in MODES 1 and 2 where considerable energy exists in the RCS, resulting in the limiting transients and accidents.

7a 7b. Scram Dischar e Volume Water Level - Hi h (LS-85-45A, LS-85-45B, LS-85-45C, LS-85-45D, LS-85-45E, LS-85-45F, LS-85-45G, and LS-85-45H)

The SDV receives the water displaced by the motion of the CRD pistons during a reactor scram. Should this volume fill to a point where there is insufficient volume to accept the displaced water, control rod insertion would be hindered.

Therefore, a reactor scram is initiated while the remaining free volume is still sufficient to accommodate the water from a full core scram. The two types of Scram Discharge Volume Water Level - High Functions are an input to the RPS logic. No credit is taken for a scram initiated from these Functions for any of the design basis accidents or transients analyzed in the FSAR.

However, they are retained to ensure the RPS remains OPERABLE.

SDV water level is measured by two diverse methods. The level in each of the two SDVs is measured by two float type level switches and two thermal probes for a total of eight level signals. The outputs of these devices are arranged so that there is a signal from a level switch and a thermal probe to each RPS logic channel. The level measurement instrumentation satisfies the recommendations of Reference 8.

continued BFN-UNIT 2 B 3.3-22

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 7a 7b. Scram Dischar e Volume Water Level -Hi h SAFETY ANALYSES, (LS-85-45A, LS-85-45B, LS-85-45C, LS-85-45D, LCO, and LS-85-45E, LS-85-45F, LS-85-45G, and LS-85-45H)

APPLICABILITY (continued)

The Allowable Value is chosen low enough to ensure that there is sufficient volume in the SDV to accommodate the water from a full scram.

Four channels of each type of Scram Discharge Volume Water Level - High Function, with two channels of each type in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from these Functions on a valid signal. These Functions are required in MODES 1 and 2, and in MODE 5 with,any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn. At all other times, this Function may be bypassed.

8. Turbine Sto Valve - Closure Closure of the TSVs results in the loss of a heat sink that produces reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, a reactor scram is initiated at the start of TSV closure in anticipation of the transients that would result from the closure of these valves.

The Turbine Stop Valve - Closure Function is the primary scram signal for the turbine trip event analyzed in Reference 7.

For this event, the reactor scram reduces the amount of energy required to be absorbed and, along with the actions of the End of Cycle Recirculation Pump Trip (EOC-RPT) System, ensures that the MCPR SL is not exceeded.

continued BFN-UNIT 2 B 3.3-23

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 8. Turbine Sto Valve - Closure (continued)

SAFETYANALYSES, LCO, and Turbine Stop Valve - Closure signals are initiated from position APPLICABILITY switches located on each of the four TSVs. Two independent position switches are associated with each stop valve. One of the two switches provides input to RPS trip system A; the other, to RPS trip system B. Thus, each RPS trip system receives an input from four Turbine Stop Valve - Closure channels, each consisting of one position switch. The logic for the Turbine Stop Valve - Closure Function is such that three or more TSVs must be closed to produce a scram. This Function must be enabled at THERMAL POWER a 30% RTP. This is normally accomplished automatically by pressure transmitters sensing turbine first stage pressure; therefore, opening the turbine bypass valves may affect this function.

The Turbine Stop Valve - Closure Allowable Value is selected to be high enough to detect imminent TSV closure, thereby reducing the severity of the subsequent pressure transient.

Eight channels of Turbine Stop Valve - Closure Function, with four channels in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function if any three TSVs should close. This Function is required, consistent with analysis assumptions, whenever THERMAL POWER is a 30% RTP.

This Function is not required when THERMAL POWER is

( 30% RTP since the Reactor Vessel Steam Dome Pressure-High and the Average Power Range Monitor Fixed Neutron Flux

- High Functions are adequate to maintain the necessary safety margins.

continued BFN-UNIT 2 ,B 3.3-24

RPS Instrumentation 8 3.3.1.1 BASES APPLICABLE 9. Turbine Control Valve Fast Closure Tri Oil Pressure - Low SAFETY ANALYSES, (PS-47-142, PS-47-144, PS-47-146, and PS-47-148)

LCO, and APPLICABILITY Fast closure of the TCVs results in the loss of a heat sink that (continued) produces reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, a reactor scram is initiated on TCV fast closure in anticipation of the transients that would result from the closure of these valves. The Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Function is the primary scram signal for the generator load rejection'event analyzed in Reference 7. For this event, the reactor scram reduces the amount of energy required to be absorbed and, along with the actions of the EOC-RPT System, ensures that the MCPR SL is not exceeded.

Turbine Control Valve Fast Closure, Trip Oil Pressure - Low signals are initiated by the electrohydraulic control (EHC) fluid pressure at each control valve. One pressure switch is associated with each control valve, and the signal from each switch is assigned to a separate RPS logic channel. This Function must be enabled at THERMAL POWER z 30% RTP.

This is normally accomplished automatically by pressure transmitters sensing turbine first stage pressure; therefore, opening the turbine bypass valves may affect this function.

The Turbine Control Valve Fast Closure, Trip Oil Pressure-Low Allowable Value is selected high enough to detect imminent TCV fast closure.

continued BFN-UNIT 2 B 3.3-25

RPS Instrumentation 8 3.3.1.1 BASES APPLICABLE 9. Turbine Control Valve Fast Closure Tri Oil Pressure - Low SAFETY ANALYSES, (PS-47-142, PS-47-144, PS-47-146, and PS-47-148)

LCO, and (continued)

APPLICABILITY Four channels of Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Function with two channels in each trip system arranged in a one-out-of-two logic are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. This Function is required, consistent with the analysis assumptions, whenever THERMAL POWER is a 30% RTP. This Function is

(

not required when THERMAL POWER is 30% RTP, since the Reactor Vessel Steam Dome Pressure - High and the Average Power Range Monitor Fixed Neutron Flux - High Functions are adequate to maintain the necessary safety margins.

10. Reactor Mode Switch - Shutdown Position The Reactor Mode Switch - Shutdown Position Function provides signals, via the manual scram logic channels, directly to the scram pilot solenoid power circuits. These manual scram logic channels are redundant to the automatic protective instrumentation channels and provide manual reactor trip capability. This Function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.

The reactor mode switch is a single switch with four channels, each of which provides input into one of the RPS logic channels.

continued BFN-UNIT 2 8 3.3-26

RPS Instrumentation 8 3.3.1.1 BASES APPLICABLE 10. Reactor Mode Switch - Shutdown Position (continued)

SAFETY ANALYSES, LCO, and There is no Allowable Value for this Function, since the APPLICABILITY channels are mechanically actuated based solely on reactor mode switch position.

Two channels of Reactor Mode Switch - Shutdown Position Function, with one channel in each trip system, are available and required to be OPERABLE. The Reactor Mode Switch-Shutdown Position Function is required to be OPERABLE in MODES 1 and 2, and MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn.

11. Manual Scram The Manual Scram push button channels provide signals, via the manual scram logic channels, directly to the scram pilot solenoid power circuits. These manual scram logic channels are redundant to the automatic protective instrumentation channels and provide manual reactor trip capability. This Function was not specifically credited in the accident analysis but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.

There is one Manual Scram push button channel for each of the two RPS manual scram logic channels. In order to cause a scram it is necessary that each channel in both manual scram trip systems be actuated.

There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons.

continued BFN-UNIT 2 B 3.3-27

e RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 11. Manual Scram (continued)

SAFETYANALYSES, LCO, and Two channels of Manual Scram with one channel in each APPLICABILITY manual scram trip system are available and required to be OPERABLE in MODES 1 and 2, and in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn.

12. RPS Channel Test Switches There are four RPS Channel Test Switches, one associated with each of the four automatic scram logic channels (A1, A2, B1, and B2). These keylock switches allow the operator to test the OPERABILITYof each individual logic channel without the necessity of using a scram function trip. When the RPS Channel Test Switch is placed in test, the associated scram logic channel is deenergized and OPERABILITY of the channel's scram contactors can be confirmed. The RPS Channel Test Switches are not specifically credited in the accident analysis. However, because the Manual Scram Function at Browns Ferry Nuclear Plant is not configured the same as the generic model in Reference 9, the RPS Channel Test Switches are included in the analysis in Reference 11.

Reference 11 concludes that the Surveillance Frequency extensions for RPS functions, described in Reference 9, are not affected by the difference in configuration since each automatic RPS channel has a test switch which is functionally the same as the manual scram switches in the generic model. Weekly testing of scram contactors is credited in Reference 9 with supporting the Surveillance Frequency extension of the RPS functions.

continued BFN-UNIT 2 B 3.3-28

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 12. RPS Channel Test Switches (continued)

SAFETYANALYSES, LCO, and There is no Allowable Value for this Function since the APPLICABILITY channels are mechanically actuated solely on the position of the switches.

Four channels of the RPS Channel Test Switch Function with two channels in each trip system arranged in a one-out-of-two logic are available and required to be OPERABLE. The function is required in MODES 1 and 2, and in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn.

13. Low Scram Pilot Air Header Pressure (PS-85-35A1, PS-85-35A2, PS-85-35B1, and PS-85-35B2)

The Low Scram Pilot Air Header Pressure trip performs the same function as the high water level in the scram discharge instrument volume for fast fill events in which the high level instrument response time may not be adequate. A fast fill event is postulated for certain degraded control air events in which the scram outlet valves unseat enough to allow 5 gpm per drive leakage into the scram discharge volume but not enough to cause rod insertion.

The Allowable Value is chosen low enough to ensure that there is sufficient volume in the SDV to accommodate the water from a full scram.

'ontinued BFN-UNIT 2 B 3.3-29

RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 13. Low Scram Pilot Air Header Pressure SAFETY ANALYSES, (PS-85-35A1, PS-85-35A2, PS-85-35B1, and PS-85-35B2)

LCO, and (continued)

APPLICABILITY Four channels of Low Scram Pilot Air Header Pressure Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. The Function is required in MODES 1 and 2, and in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES arid other specified conditions when control rods are withdrawn. At all other times, this Function may be bypassed.

ACTIONS A Note has been provided to modify the ACTIONS related to RPS instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable RPS instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable RPS instrumentation channel.

continued BFN-UNIT 2 B 3.3-30

RPS Instrumentation B 3.3.1.1 BASES ACTIONS A.1 and A.2 (continued)

Because of the diversity of sensors available to provide trip signals and the redundancy of the RPS design, an allowable out of service time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months has been shown to be acceptable (Ref. 9 and 12) to permit restoration of any inoperable channel to OPERABLE status. However, this out of service time is only acceptable provided the associated Function's inoperable channel is in one trip system and the Function still maintains RPS trip capability (refer to Required Actions B.1, 8.2, and C.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel or the associated trip system must be placed in the tripped condition per Required Actions A.1 and A.2. Placing the inoperable channel in trip (or the associated trip system in trip) would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

Alternatively, if it is not desired to place the channel (or trip system) in trip (e.g., as in the case where placing the inoperable channel in trip would result in a full scram),

Condition D must be entered and its Required Action taken.

As noted, Action A.2 is not applicable for APRM Functions 2.a, 2.b, 2.c, 2.d, or 2.f. Inoperability of one required APRM channel [

affects both trip systems. For that condition, Required Action A.1 must be satisfied, and is the only action (other than restoring operability) that will restore capability to accommodate a single failure.

Inoperability of more than one required APRM channel of the same trip function results in loss of trip capability and entry into Condition C, as well as entry into Condition A for each channel.

continued BFN-UNIT 2 8 3.3-31

RPS Instrumentation B 3.3.1.1 BASES ACTIONS B.1 and B.2 (continued)

Condition B exists when, for any one or more Functions, at least one required channel is inoperable in each trip system. In this condition, provided at least one channel per trip system is OPERABLE, the RPS still maintains trip capability for that Function, but cannot accommodate a single failure in either trip

, system.

Required Actions B.1 and B.2 limit the time the RPS scram logic, for any Function, would not accommodate single failure in both trip systems (e.g., one-out-of-one and one-out-of-one arrangement for a typical four channel Function). The reduced reliability of this logic arrangement was not evaluated in Reference 9 or 12 for the 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time. Within the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the associated Function will have all required channels OPERABLE or in trip (or any combination) in one trip system.

Completing one of these Required Actions restores RPS to a reliability level equivalent to that evaluated in References 9 or 12, which justified a 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowable out of service time as presented in Condition A. The trip system in the more degraded state should be placed in trip or, alternatively, all the inoperable channels in that trip system should be placed in trip (e.g., a trip system with two inoperable channels could be in a more degraded state than a trip system with four inoperable channels if the two inoperable channels are in the same Function while the four inoperable channels are all in different Functions). The decision of which trip system is in the more degraded state should be based on prudent judgment and take into account current plant conditions (i.e., what MODE the plant is in). If this action would result in a scram or RPT, it is permissible to place the other trip system or its inoperable channels in trip.

continued BFN-UNIT 2 B 3.3-32

RPS Instrumentation B 3.3.1.1 BASES ACTIONS B.1 and B.2 (continued)

The 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Completion Time is judged acceptable based on the remaining capability to trip, the diversity of the sensors available to provide the trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of a scram.

Alternately, if it is not desired to place the inoperable channels (or one trip system) in trip (e.g., as in the case where placing the inoperable channel or associated trip system in trip would result in a scram or RPT), Condition D must be entered and its Required Action taken.

As noted, Condition B is not applicable for APRM Functions 2.a, 2.b, 2.c, 2.d, or 2.f. Inoperability of an APRM channel affects both trip systems and is not associated with a specific trip system as are the APRM 2-out-of-4 voter and other non-APRM channels for which Condition B applies. For an inoperable APRM channel, Required Action A.1 must be satisfied, and is the only action (other than restoring operability) that will restore capability to accommodate a single failure.

Inoperability of a function in more than one required APRM channel results in loss of trip capability for that function and entry into Condition C, as well as entry into Condition A for each channel. Because Conditions A and C provide Required Actions that are appropriate for the inoperability of APRM Functions 2.a, 2.b, 2.c, 2.d, or 2.f, and these functions are not associated with specific trip systems as are the APRM 2-out-of-4 voter and other non-APRM channels, Condition B does not apply.

continued BFN-UNIT 2 B 3.3-33

RPS Instrumentation B 3.3.1.1 BASES ACTIONS C.1 (continued)

Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same trip system for the same Function result in the Function not maintaining RPS trip capability. A Function is considered to be maintaining RPS trip capability when sufficient channels are OPERABLE or in trip (or the associated trip system is in trip), such that both trip systems will generate a trip signal from the given Function on a valid signal. For the typical Function with one-out-of-two taken twice logic and the IRM Functions, this would require both trip systems to have one channel OPERABLE or i'n trip (or the associated trip system in trip). For Function 5 (Main Steam Isolation Valve - Closure),

this would require both trip systems to have each channel associated with the MSIVs in three main steam lines (not necessarily the same main steam lines for both trip systems)

OPERABLE or in trip (or the associated trip system in trip).

For Function 8 (Turbine Stop Valve - Closure), this would require both trip systems to have three channels, each OPERABLE or in trip (or the associated trip system in trip).

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

continued BFN-UNIT 2 B 3.3-34

4 RPS Instrumentation B 3.3.1.1 BASES ACTIONS D.1 (continued)

Required Action D.1 directs entry into the appropriate Condition referenced in Table 3.3.1.1-1. The applicable Condition specified in the Table is Function and MODE or other specified condition dependent and may change as the Required Action of a previous Condition is completed. Each time an inoperable channel has not met any Required Action of Condition A, B, or C and the associated Completion Time has expired,

,Condition D will be entered for that channel and provides for transfer to the appropriate subsequent Condition.

E.1 F.1 G.1 and J.1 If the channel(s) is not restored to OPERABLE status or placed in trip (or the associated trip system placed in trip) within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply.

The allowed Completion Times are reasonable, based on operating experience, to reach the specified condition from full power conditions in an orderly manner and without challenging plant systems. In addition, the Completion Time of Required Action E.1 is consistent with the Completion Time provided in LCO 3.2.2, "MINIMUMCRITICAL POWER RATIO (MCPR)."

continued BFN-UNIT 2 B 3.3-35

0 RPS Instrumentation B 3.3.1.1 BASES ACTIONS H.1 (continued)

If the channel(s) is not restored to OPERABLE status or placed 'n trip (or the associated trip system placed in trip) within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply.

This is done by immediately initiating action to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and are, therefore, not required to be inserted. Action must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully inserted.

If OPRM Upscale trip capability is not maintained, Condition I exists. Reference 12 justified use of alternate methods to detect and suppress oscillations for a limited period of time.

The alternate methods are procedurally established consistent with the guidelines identified in Reference 17 requiring manual operator action to scram the plant if certain predefined events occur. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed action time is based on engineering judgment to allow orderly transition to the alternate methods while limiting the period of time during which no automatic or alternate detect and suppress trip capability is formally in place. Based on the small probability of an instability event occurring at all, the 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is judged to.be reasonable.

continued BFN-UNIT 2 B 3.3-36

RPS Instrumentation B 3.3.1.1 BASES ACTIONS l.2 (continued)

The alternate method to detect and suppress oscillations implemented in accordance with 1.1 was evaluated (Reference

12) based on use up to 120 days only. The evaluation, based on engineering judgment, concluded that the likelihood of an instability event that could not be adequately handled by the alternate methods during this 120 day period was negligibly small. The 120 day period is intended to be an outside limit to allow for the case where design changes or extensive analysis might be required to understand or correct some unanticipated characteristic of the instability detection algorithms or equipment. This action is not intended and was not evaluated as a routine alternative to returning failed or inoperable equipment to OPERABLE status. Correction of routine equipment failure or inoperability is expected to normally be accomplished within the completion times allowed for Actions for Conditions A and B.

SURVEILLANCE As noted at the beginning of the SRs, the SRs for each RPS REQUIREMENTS instrumentation Function are located in the SRs column of Table 3.3.1.1-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , provided the associated Function maintains RPS trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 3) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the RPS will trip when necessary.

continued BFN-UNIT 2 B 3.3-37

RPS Instrumentation 8 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.1 REQUIREMENTS (continued) Performance of the CHANNEL CHECK once every 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

continued BFN-UNIT 2 B 3.3-38

RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.2 REQUIREMENTS (continued) To ensure that the APRMs are accurately indicating the true core average power, the APRIVls are calibrated to the reactor power calculated from a heat balance. The Frequency of once per 7 days is based on minor changes in LPRM sensitivity, which could affect the APRM reading, between performances of SR 3.3.1.1.7.

A restriction to satisfying this SR when < 25% RTP is provided that requires the SR to be met only at ) 25% RTP because it is difficult to accurately maintain APRM indication of core THERMAL POWER consistent with a heat balance when

< 25% RTP. At low power levels, a high degree of accuracy is unnecessary because of the large, inherent margin to thermal limits (MCPR and APLHGR). At a 25% RTP, the Surveillance is required to have been satisfactorily performed within the last 7 days, in accordance with SR 3.0.2. A Note is provided which allows an increase in THERMAL POWER above 25% if the 7 day Frequency is not met per SR 3.0.2. In this event, the SR must be performed within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after reaching or exceeding 25% RTP. Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR.

continued BFN-UNIT 2 B 3.3-39

RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.3 REQUIREMENTS (continued) A CHANNEL FUNCTIONALTEST is performed on each required channel to ensure that the entire channel will perform the intended function.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

As noted, SR 3.3.1.1.3 is not required to be performed when entering MODE 2 from MODE 1, since testing of the MODE 2 required IRIVI Functions cannot be performed in MODE 1 without utilizing jumpers, lifted leads, or movable links. This allows entry into MODE 2 if the 7 day Frequency is not met per SR 3.0.2. In this event, the SR must be performed within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after entering MODE 2 from MODE 1. Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR.

A Frequency of 7 days provides an acceptable level of system average unavailability over the Frequency interval and is based on reliability analysis (Ref. 9).

SR 3.3.1.1.4 A CHANNEL FUNCTIONALTEST is performed on each required channel to ensure that the entire channel will perform the intended function. 'A Frequency of 7 days provides an acceptable level of system average availability over the Frequency and is based on the reliability analysis of Reference 9. (The RPS Channel Test Switch Function's CHANNEL FUNCTIONALTEST Frequency was credited in the analysis to extend many automatic scram Functions'requencies.)

continued BFN-UNIT 2 B 3.3-40

0 RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.5 and SR 3.3.1.1.6 REQUIREMENTS (continued) These Surveillances are established to ensure that no gaps in neutron flux indication exist from subcritical to power operation for monitoring core reactivity status.

The overlap between SRMs and IRMs is required to be demonstrated to ensure that reactor power will not be increased into a neutron flux region without adequate indication. This is required prior to withdrawing SRMs from the fully inserted position since indication is being transitioned from the SRMs to the IRMs.

The overlap between IRMs and APRMs is of concern when reducing power into the IRM range. On power increases, the system design will prevent further increases (by initiating a rod block) if adequate overlap is not maintained. Overlap between IRMs and APRMs exists when sufficient IRMs and APRMs concurrently have onscale readings such that the transition between MODE 1 and MODE 2 can be made without either APRM downscale rod block, or IRM upscale rod block. Overlap between SRMs and IRMs similarly exists when, prior to withdrawing the SRMs from the fully inserted position, IRMs are above mid-scale on range 1 before SRMs have reached the upscale rod block.

As noted, SR 3.3.1.1.6 is only required to be met during entry into MODE 2 from MODE 1. That is, after the overlap requirement has been met and indication has transitioned to the IRMs, maintaining overlap is not required (APRMs may be reading downscale once in MODE 2).

continued BFN-UNIT 2 B 3.3-41

RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.5 and SR 3.3.1.1.6 (continued)

REQUIREMENTS If overlap for a group of channels is not demonstrated (e.g.,

IRM/APRM overlap), the reason for the failure of the Surveillance should be determined and the appropriate channel(s) declared inoperable. Only those appropriate channels that are required in the current MODE or condition should be declared inoperable.

A Frequency of 7 days is reasonable based on engineering judgment and the reliability of the IRMs and APRIVls.

SR 3.3.1.1.7 LPRM gain settings are determined from the local flux profiles, measured by the Traversing Incore Probe (TIP) System. This establishes the relative local flux profile for appropriate representative input to the APRM System. The 1000 MWD/T average core exposure Frequency is based on operating experience with LPRM sensitivity changes.

SR 3.3.1.1.8 SR 3.3.1.1.12 and SR 3.3.1.1.16 A CHANNEL FUNCTIONALTEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The 92 day Frequency of SR 3.3.1.1.8 is based on the reliability analysis of Reference 9.

continued BFN-UNIT 2 B 3.3-42

l

~

RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.8 SR 3.3.1.1.12 and SR 3.3.1.1.16 (continued)

REQUIREMENTS The 184 day Frequency of SR 3.3.1.1.16 for the APRM Functions supplements the automatic self-test functions that operate continuously in the APRM and voter channels. The APRM CHANNEL FUNCTIONAL TEST covers the APRM channels (including recirculation flow processing - applicable to Function 2.b only), the 2-out-of-4 voter channels, and the-interface connections into the RPS trip systems from the voter channels. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The 184 day Frequency of SR 3.3.1.1.16 for the APRM Functions is based on the reliability analysis of Reference 12.

(NOTE: The actual voting logic of the 2-out-of-4 Voter Function is tested as part of SR 3.3.1.1.14.) A Note for SR 3.3.1.1.16 is provided that requires the APRM Function 2.a SP to be performed within,12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months of entering MODE 2 from MODE 1.

Testing of the MODE 2 APRM Function cannot be performed in MODE 1 without utilizing jumpers or lifted leads. This Note allows entry into MODE 2 from MODE 1 if the associated frequency is not met per SR 3.0.2. Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR.

The 184 day Frequency of SR 3.3.1.1.16 for the scram pilot air header low pressure trip function is based on the functional reliability previously demonstrated by this function, the need for minimizing the radiation exposure associated with the functional testing of this function, and the increased risk to plant availability while the plant is in a half-scram condition during the performance of the functional testing versus the limited increase in reliability that would be obtained by the more frequent functional testing.

continued BFN-UNIT 2 B 3.3-43

RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.8 SR 3.3.1.1.12 and SR 3.3.1.1.16 (continued)

REQUIREMENTS The 18 month Frequency of SR 3.3.1.1.12 is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown that these components usually pass the Surveillance when performed at the 18 month Frequency.

SR 3.3.1.1.9 SR 3.3.1.1.10 and SR 3.3.1.1.13 A CHANNEL CALIBRATIONis a complete check of the instrument loop and the sensor. This test verifies that the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for. instrument drifts between successive calibrations consistent with the plant specific setpoint methodology. For the APRM Simulated Thermal Power - High Function, SR 3.3.1.1.13 also includes calibrating the associated recirculation loop flow channel. For MSIV - Closure, SDV Water Level - High (Float Switch), and TSV - Closure Functions, SR 3.3.1.1.13 includes physical inspection and actuation of the switches.

continued BFN-UNIT 2 B 3.3-44

RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.9 SR 3.3.1.1.10 and SR 3.3.1.1.13 (continued)

REQUIREMENTS A Note to SR 3.3.1.1.9 and SR 3.3.1.1.13 states that neutron detectors are excluded from CHANNEL CALIBRATIONbecause they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Changes in neutron detector sensitivity are compensated for by performing the 7 day calorimetric calibration (SR 3.3.1.1.2) and the 1000 MWD/T LPRM calibration against the TIPs (SR 3.3.1.1.7).

A second Note for SR 3.3.1.1.9 is provided that requires the IRM SRs to be performed within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months of entering MODE 2 from MODE 1. Testing of the MODE 2 IRM Functions cannot be performed in MODE 1 without utilizing jumpers, lifted leads, or movable links. This Note allows entry into MODE 2 from MODE 1 if the associated Frequency is not met per SR 3.0.2.

Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR.

The Frequency of SR 3.3.1.1.9 is based upon the assumption of a 92 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. The Frequency of SR 3.3.1.1.10 is based upon the assumption of a 184 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. The Frequency of SR 3.3.1.1.13 is based upon the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

continued BFN-UNIT 2 B 3.3-45

RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.11 REQUIREMENTS (continued) (Deleted)

SR 3.3.1.1.14 The LOGIC SYSTEM FUNCTIONALTEST demonstrates the OPERABILITYof the required trip logic for a specific channel.

The functional testing of control rods (LCO 3.1.3), and SDV vent and drain valves (LCO 3.1.8), overlaps this Surveillance to provide complete testing of the assumed safety function.

The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown that these components usually pass the Surveillance when performed at the 18 month Frequency.

The LOGIC SYSTEM FUNCTIONALTEST for APRM Function 2.e simulates APRM and OPRM trip conditions at the 2-out-of-4 voter channel inputs to check all.combinations of two tripped inputs to the 2-out-of-4 logic in the voter channels and APRM related redundant RPS relays.

continued BFN-UNIT 2 B 3.3-46

RPS Instrumentation

.B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.15 REQUIREMENTS (continued) This SR ensures that scrams initiated from the Turbine Stop Valve - Closure and Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Functions will not be inadvertently bypassed when THERMAL POWER is a 30% RTP. This involves calibration of the bypass channels (PIS-1-81A, PIS-1-81B, PIS-1-91A, and PIS-1-91B). Adequate margins for

'he instrument setpoint methodologies are incorporated into the actual setpoint.

If any bypass channel's setpoint is nonconservative (i.e., the Functions are bypassed at a 30% RTP, either due to open main turbine bypass valve(s) or other reasons), then the affected Turbine Stop Valve - Closure and Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Functions are considered inoperable. Alternatively, the bypass channel can be placed in the conservative condition (nonbypass). If placed in the nonbypass condition (Turbine Stop Valve - Closure and Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Functions are enabled), this SR is met and the channel is considered OPERABLE.

The Frequency of 18 months is based on engineering judgment and reliability of the components.

continued BFN-UNIT 2 B 3.3-47

RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.17 REQUIREMENTS (continued) This SR ensur es that scrams initiated from OPRM Upscale Function (Function 2.f) will not be inadvertently bypassed when THERMAL POWER, as indicted by the APRM Simulated Thermal Power, is z 25% RTP and core flow, as indicted by recirculation drive flow, is ( 60% rated core flow. This normally involves confirming the bypass setpoints. Adequate margins for the instrument setpoint methodologies are incorporated into the actual setpoint. The actual surveillance ensures that the OPRM Upscale Function is enabled (not bypassed) for the correct values of APRM Simulated Thermal Power and recirculation drive flow. Other surveillances ensure that the APRM Simulated Thermal Power and recirculation flow properly correlate with THERMAL POWER and core flow respectively.

If any bypass setpoint is nonconservative (i.e., the OPRM Upscale Function is bypassed when APRM Simulated Thermal Power >

25% RTP and'recirculation drive flow (60% rated), then the affected channel is considered inoperable for the OPRM Upscale Function. Alternatively, the bypass setpoint may be adjusted to place the channel in a conservative condition (unbypass). If placed in the unbypassed condition, this SR is met and the channel is considered OPERABLE.

The frequency of 24 months is based on engineering judgment and reliability of the components.

(continued)

BFN-UNIT 2 B 3.3-48

RPS Instrumentation B 3.3.1.1 BASES (continued)

REFERENCES 1. FSAR, Section 7.2.

2. FSAR, Chapter 14.

3. NEDO-23842, "Continuous Control Rod Withdrawal in the Startup Range," April 18, 1978.

4. FSAR, Appendix N.

5. FSAR, Section 14.6.2.

6. FSAR, Section 6.5.

7. FSAR, Section 14.5.

8. P. Check (NRC) letter to G. Lainas (NRC), "BWR Scram Discharge System Safety Evaluation," December 1, 1980.

9. NEDC-30851-P-A, "Technical Specification Improvement Analyses for BWR Reactor Protection System,"

March 1988.

10. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

11. MED-32-0286, "Technical Specification Improvement Analysis for Browns Ferry Nuclear Plant, Unit 2," October 1995.

12. NEDC-32410P-A, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM)

Retrofit Plus Option III Stability Trip Function," October 1995.

13. NEDO-31960-A, "BWR Owners'roup Long-Term Stability Solutions Licensing Methodology," November 1995.

continued BFN-UNIT 2 B 3.3-49

RPS Instrumentation B 3.3.1.1 BASES REFERENCES 14. NEDO-31960-A, Supplement 1, "BWR Owners'roup (continued) Long-Term Stability Solutions Licensing Methodology,"

November 1995.

15. NEDO-32465-A, "BWR Owners'roup Long-Term Stability Detect and Suppress Solutions Licensing Basis Methodology and Reload Applications," August 1996.

16. NEDC-32410P-A, Supplement 1, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUIVIAC PRNM) Retrofit Plus Option III Stability Trip Function," August 1996.

17. Letter, L.A. England (BWROG) to M.J. Virgilio, "BWR Owners'roup Guidelines for Stability Interim Corrective Action," June 6, 1994.

BFN-UNIT 2 B 3.3-50

SRM Instrumentation 8 3.3.1.2 B 3.3 INSTRUMENTATION 8 3.3.1.2 Source Range Monitor (SRM) Instrumentation BASES BACKGROUND The SRMs provide the operator with information relative to the neutron flux level at very low flux levels in the core. As such, the SRM indication is used by the operator to monitor the approach to criticality and determine when criticality is achieved. The SRMs are maintained fully inserted until the count rate is greater than a minimum allowed count rate (a control rod block is set at this condition). After SRM to intermediate range monitor (IRM) overlap is demonstrated (as required by SR 3.3.1.1.5), the SRMs are normally fully withdrawn from the core.

The SRM subsystem of the Neutron Monitoring System (NMS),

as described in Reference 1, consists of four channels. Each of the SRM channels can be bypassed, but only one at any given time, by the operation of a bypass switch. Each channel includes one detector that can be physically positioned in the core. Each detector assembly consists of a miniature fission chamber with associated cabling, signal conditioning equipment, and electronics associated with the various SRM functions. The signal conditioning equipment converts the current pulses from the fission chamber to analog DC currents that correspond to the count rate. Each channel also includes indication, alarm, and control rod blocks. However, this LCO specifies OPERABILITYrequirements only for the monitoring and indication functions of the SRMs.

continued BFN-UNIT 2 B 3.3-51

SRM Instrumentation

'B 3.3.1.2 BASES BACKGROUND During refueling, shutdown, and low power operations, the (continued) primary indication of neutron flux levels is provided by the SRMs or special movable detectors connected to the normal SRM circuits. The SRMs provide monitoring of reactivity changes during fuel or control rod movement and give the control room operatoj early indication of subcritical multiplication that could be indicative of an approach to criticality.

APPLICABLE Prevention and mitigation of prompt reactivity excursions during SAFETY ANALYSES refueling and low power operation is provided by LCO 3.9.1, "Refueling Equipment Interlocks;" LCO 3.1.1, "SHUTDOWN MARGIN (SDM)"; LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation"; IRM Neutron Flux - High and Average Power Range Monitor (APRM) Neutron Flux - High, (Setdown)

Functions; and'LCO 3.3.2.1, "Control Rod Block Instrumentation."

The SRMs have no safety function and are not assumed to function during any FSAR design basis accident or transient analysis. However, the SRIVls provide the only on scale monitoring of neutron flux levels during startup and refueling.

Therefore, they are being retained in Technical Specifications.

LCO During startup in MODE 2, three of the four SRM channels are required to be OPERABLE to monitor the reactor flux level prior to and during control rod withdrawal, subcritical multiplication and reactor criticality, and neutron flux level and reactor period until the flux level is sufficient to maintain the IRMs on Range 3 or above. All but one of the channels are required in order to provide a representation of the overall core response during those periods when reactivity changes are occurring throughout the core.

continued BFN-UNIT 2 B 3.3-52

SRM Instrumentation B 3.3.1.2 BASES LCO In MODES 3 and 4, with the reactor shut down, two SRM (continued) channels provide redundant monitoring of flux levels in the core.

In MODE 5, during a spiral offload or reload, an SRM outside the fueled region will no longer be required to be OPERABLE, since it is not capable of monitoring neutron flux in the fueled region of the core. Thus, CORE ALTERATIONS are allowed in a quadrant with no OPERABLE SRM in an adjacent quadrant provided the Table 3.3.1.2-1, footnote (b), requirement that the bundles being spiral reloaded or spiral offloaded are all in a single fueled region containing at least one OPERABLE SRM is met. Spiral reloading and offloading encompass reloading or offloading a cell on the edge of a continuous fueled region (the cell can be reloaded or offloaded in any sequence).

In nonspiral routine operations, two SRMs are required to be OPERABLE to provide redundant monitoring of reactivity changes occurring in the reactor core. Because of the local nature of reactivity changes during refueling, adequate coverage is provided by requiring one SRM to be OPERABLE in the quadrant of the reactor core where CORE ALTERATIONS are being performed, and the other SRM to be OPERABLE in an adjacent quadrant containing fuel. These requirements ensure that the reactivity of the core will be continuously monitored during CORE ALTERATIONS.

continued BFN-UNIT 2 B 3.3-53

SRM Instrumentation B 3.3.1.2 BASES LCO Special movable detectors, according to footnote (c) of (continued) Table 3.3.1.2-1, may be used in place of the normal,SRM nuclear detectors. These special detectors must be connected to the normal SRM circuits in the NMS, such that the applicable neutron flux indication can be generated. These special detectors provide more flexibility in monitoring reactivity changes during fuel loading, since they can be positioned anywhere within the core during refueling. They must still meet the location requirements of SR 3.3.1.2.2 and all other required SRs for SRMs.

For an SRM channel to be considered OPERABLE, it must be providing neutron flux monitoring indication.

APPLICABILITY The SRMs are required to be OPERABLE in MODES 2, 3, 4, and 5 prior to the IRMs being on scale on Range 3 to provide for neutron monitoring. In MODE 1, the APRMs provide adequate monitoring of reactivity changes in the core; therefore, the SRMs are not required. In MODE 2, with IRMs on Range 3 or above, the IRMs provide adequate monitoring and the SRMs are not required.

ACTIONS A.1 and B.1 In MODE 2, with the IRMs on Range 2 or below, SRMs provide the means of monitoring core reactivity and criticality. With any number of the required SRMs inoperable, the ability to monitor neutron flux is degraded. Therefore, a limited time is allowed to restore the inoperable channels to OPERABLE status.

continued BFN-UNIT 2 B 3.3-54

SRM Instrumentation B 3.3.1.2 BASES ACTIONS A.1 and B.1 (continued)

Provided at least one SRM remains OPERABLE, Required Action A.1 allows 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months to restore the required SRMs to OPERABLE status. This time is reasonable because there is adequate capability remaining to monitor the core, there is limited risk of an event during this time', and there is sufficient time to take corrective actions to restore the required SRMs to OPERABLE status or to establish alternate IRM monitoring capability. During this time, control rod withdrawal and power increase is not precluded by this Required Action. Having the ability to monitor the core with at least one SRM, proceeding to IRM Range 3 or greater (with overlap required by SR 3.3.1.1.5),

and thereby exiting the Applicability of this LCO, is acceptable for ensuring adequate core monitoring and allowing continued operation.

With three required SRMs inoperable, Required Action B.1 allows no positive changes in reactivity (control rod withdrawal must be immediately suspended) due to inability to monitor the changes. Required Action A.1 still applies and allows 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months to restore monitoring capability prior to requiring control rod insertion. This allowance is based on the limited risk of an event during this time, provided that no control rod withdrawals are allowed, and the desire to concentrate efforts on repair, rather than to immediately shut down, with no SRMs OPERABLE.

continued BFN-UNIT 2 B 3.3-55

SRM Instrumentation B 3.3.1.2 BASES ACTIONS C.1 (continued)

In MODE 2, if the required number of SRMs is not restored to OPERABLE status within the allowed Completion Time, the reactor shall be placed in MODE 3. With all control rods fully inserted, the core is jn its least reactive state with the most margin to criticality. The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach

'ODE 3 in an orderly manner and without challenging plant systems.

D.1 and D.2 With one or more required SRMs inoperable in MODE 3 or 4, the neutron flux monitoring capability is degraded or nonexistent. The requirement to fully insert all insertable control rods ensures that the reactor will be at its minimum reactivity level while no neutron monitoring capability is available. Placing the reactor mode switch in the shutdown position prevents subsequent control rod withdrawal by maintaining a control rod block. The allowed Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is sufficient to accomplish the Required Action, and takes into account the low probability of an event requiring the SRM occurring during this interval.

continued BFN-UNIT 2 B 3.3-56

0 SRM Instrumentation 8 3.3.1.2 BASES ACTIONS E.1 and E.2 (continued)

With one or more required SRM inoperable in MODE 5, the ability to detect local reactivity changes in the core during refueling is degraded. CORE ALTERATIONS must be immediately suspended and action must be immediately initiated to insert all insertable control rods in core cells containing one or more fuel assemblies. Suspending CORE ALTERATIONS prevents the two most probable causes of reactivity changes, fuel loading and control rod withdrawal, from occurring. Inserting all insertable control rods ensures that the reactor will be at its minimum reactivity given that fuel is present in the core. Suspension of CORE ALTERATIONS shall not preclude completion of the movement of a component to a safe, conservative position.

Action (once required to be initiated) to insert control rods must continue until all insertable rods in core cells containing one or more fuel assemblies are inserted.

SURVEILLANCE As noted at the beginning of the SRs, the SRs for each SRM REQUIREMENTS Applicable MODE or other specified conditions are found in the SRs column of Table 3.3.1.2-1.

SR 3.3.1.2.1 and SR 3.3.1.2.3 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on another channel. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value.

continued 8FN-UNIT 2 B 3.3-57

SRM Instrumentation B 3.3.1.2 BASES SURVEILLANCE SR 3.3.1.2.1 and SR 3.3.1.2.3 (continued)

REQUIREMENTS Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency of once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for SR 3.3.1.2.1 is based on operating experience that demonstrates channel failure is rare. While in MODES 3 and 4, reactivity changes are not expected; therefore, the 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Frequency is relaxed to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for SR 3.3.1.2.3. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.1.2.2 To provide adequate coverage of potential reactivity changes in the core when the fueled region encompasses more than one SRM, one SRM is required to be OPERABLE in the quadrant where CORE ALTERATIONS are being performed, and the other OPERABLE SRM must be in an adjacent quadrant continued BFN-UNIT 2 B 3.3-58

SRM Instrumentation 8 3.3.1.2 BASES SURVEILLANCE SR 3.3.1.2.2 (continued)

REQUIREMENTS containing fuel. Note 1 states that the SR is required to be met only during CORE ALTERATIONS. It is not required to be met at other times in MODE 5 since core reactivity changes are not occurring. This Surveillance consists of a review of plant logs to ensure that SRMs required to be OPERABLE for given CORE ALTERATIONS are, in fact, OPERABLE. In the event that only one SRM is required to be OPERABLE (when the fueled region encompasses only one SRM), per Table 3.3.1.2-1, footnote (b), only the a. portion of this SR is required. Note 2 clarifies that more than one of the three requirements can be met by the same OPERABLE SRM. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Frequency is based upon operating experience and supplements operational controls over refueling activities that include steps to ensure that the SRMs required by the LCO are in the proper quadrant.

I SR 3.3.1.2.4 This Surveillance consists of a verification of the SRM instrument readout to ensure that the SRM reading is greater than a specified minimum count rate, which ensures that the detectors are indicating count rates indicative of neutron flux levels within the core. With few fuel assemblies loaded, the SRMs will not have a high enough count rate to satisfy the SR.

Therefore, allowances are made for loading sufficient "source" material, in the form of irradiated fuel assemblies, to establish the minimum count rate.

continued BFN-UNIT 2 B 3.3-59

0 SRM Instrumentation 8 3.3.1.2 BASES SURVEILLANCE SR 3.3.1.2.4 (continued)

REQUIREMENTS To accomplish this, the SR is modified by a Note that states that the count rate is not required to be met on an SRM that has less than. or equal to four fuel assemblies adjacent to the SRM and no other fuel assemblies are in the associated core quadrant. With four or less fuel assemblies loaded around each SRM and no other fuel assemblies in the associated core quadrant, even with a control rod withdrawn, the configuration will not be critical.

The Frequency is based upon channel redundancy and other information available in the control room, and ensures that the required channels are frequently monitored while core reactivity changes are occurring. When no reactivity changes are in progress, the Frequency is relaxed from 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

SR 3.3.1.2.5 and SR 3.3.1.2.6 Performance of a CHANNEL FUNCTIONAL TEST demonstrates the associated channel will function properly.

SR 3.3.1.2.5 is required in MODE 5, and the 7 day Frequency ensures that the channels are OPERABLE while core reactivity changes could be in progress. This Frequency is reasonable, based on operating experience and on other Surveillances (such as a CHANNEL CHECK), that ensure proper functioning between CHANNEL FUNCTIONALTESTS.

continued BFN-UNIT 2 B 3.3-60

SRM Instrumentation B 3.3.1.2 BASES SURVEILLANCE SR 3.3.1.2.5 and SR 3.3.1.2.6 (continued)

REQUIREMENTS SR 3.3.1.2.6 is required in MODE 2 with IRMs on Range 2 or below, and in MODES 3 and 4. Since core reactivity changes do not normally take place in MODES 3 and 4 and core reactivity changes are due mainly to control rod movement in MODE 2, the Frequency has been extended from 7 days to 31 days. The 31 day Frequency is based on operating experience and on other Surveillances (such as CHANNEL CHECK) that ensure proper functioning between CHANNEL FUNCTIONALTESTS.

Verification of the signal to noise ratio also ensures that the detectors are inserted to an acceptable operating level. In a fully withdrawn condition, the detectors are sufficiently removed from the fueled region of the core to essentially eliminate neutrons from reaching the detector. Any count rate obtained while the detectors are fully withdrawn is assumed to be "noise" only.

The Note to SR 3.3.1.2.6 allows the Surveillance to be delayed until entry into the specified condition of the Applicability (THERMAL POWER decreased to IRM Range 2 or below). The SR must be performed within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after IRMs are on Range 2 or below. The allowance to enter the Applicability with the 31 day Frequency not met is reasonable, based on the limited time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed after entering the Applicability and the inability to perform the Surveillance while at higher power levels. Although the Surveillance could be performed while on IRM Range 3, the plant would not be expected to maintain steady state operation at this power level. In this event, the 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowance is reasonable, based on the SRMs being otherwise verified to be OPERABLE (i.e.,

satisfactorily performing the CHANNEL CHECK) and the time required to perform the Surveillances.

continued BFN-UNIT 2 8 3.3-61

SRM Instrumentation

~

8 3.3.1.2 BASES SURVEILLANCE SR 3.3.1.2.7 REQUIREMENTS (continued) Performance of a CHANNEL CALIBRATIONat a Frequency of 92 days verifies the performance of the SRM detectors and associated circuitry. The Frequency considers the plant conditions required to perform the test, the ease of performing the test, and the likelihood of a change in the system or component status. The neutron detectors are excluded from the CHANNEL CALIBRATION(Note 1) because they cannot readily be adjusted. The detectors are fission chambers that are designed to have a relatively constant sensitivity over the range and with an accuracy specified for a fixed useful life.

Note 2 to the Surveillance allows the Surveillance to be delayed until entry into the specified condition of the Applicability. The SR must be performed in MODE 2 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months of entering MODE 2 with IRMs on Range 2 or below. The allowance to .

enter the Applicability with the 92 day Frequency not met is reasonable, based on the limited time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed after entering the Applicability and the inability to perform the Surveillance while at higher power levels. Although the Surveillance could be performed while on IRM Range 3, the plant would not be expected to maintain steady state operation at this power level. In this event, the 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowance is reasonable, based on the SRMs being otherwise verified to be OPERABLE (i.e., satisfactorily performing the CHANNEL CHECK) and the time required to perform the Surveillances.

REFERENCES 1. FSAR, Section 7.5.4.

BFN-UNIT 2 B 3.3-62

Control Rod Block Instrumentation B 3.3.2.1 B 3.3 INSTRUMENTATION 8 3.3.2.1 Control Rod Block Instrumentation BASES BACKGROUND Control rods provide the primary means for control of reactivity changes. Control rod block instrumentation includes channel sensors, logic circuitry, switches, and relays that are designed to ensure that specified fuel design limits are not exceeded for postulated transients and accidents. During high power operation, the rod block monitor (RBM) provides protection for control rod withdrawal error events. During low power operations, control rod blocks from the rod worth minimizer (RWM) enforce specific control rod sequences designed to mitigate the consequences of the control rod drop accident (CRDA). During shutdown conditions, control rod blocks from the Reactor Mode Switch - Shutdown Position Function ensure that all control rods remain inserted to prevent inadvertent criticalities.

The purpose of the RBM is to limit control rod withdrawal if localized neutron flux exceeds a predetermined setpoint during control rod manipulations. It is assumed to function to block further control rod withdrawal to preclude a MCPR Safety Limit (SL) violation. The RBM supplies a trip signal to the Reactor Manual Control System (RMCS) to appropriately inhibit control rod withdrawal during power operation above the low power range setpoint. The RBM has two channels, either of which can initiate a control rod block when the channel output exceeds the control rod block setpoint. One RBM channel inputs into one RMCS rod block circuit and the other RBM channel inputs into the second RMCS rod block circuit. The RBM channel signal is generated by averaging a set of local power range monitor (LPRM) signals at various core heights surrounding the control rod being withdrawn. A signal from one of the four redundant continued 8FN-UNIT 2 B 3.3-63

Control Rod Block Instrumentation

'B 3.3.2.1 BASES BACKGROUND average power range monitor (APRM) channels supplies a (continued) reference signal for one of the RBM channels and a signal from another of. the APRM channels supplies the reference signal to the second RBM channel. This reference signal is used to determine which RBM range setpoint (low, intermediate or high) is enabled. If the APRM is indicating less than the low power setpoint, the RBM is automatically bypassed. The RBM is also automatically bypassed if a peripheral control rod is selected (Ref. 1).

The purpose of the RWM is to control rod patterns during startup and shutdown, such that only specified control rod sequences and relative positions are allowed over the operating range from all control rods inserted to 10% RTP. The sequences effectively limit the potential amount and rate of reactivity increase during a CRDA. Prescribed control rod sequences are stored in the RWM, which will initiate control rod withdrawal and insert blocks when the actual sequence deviates beyond allowances from the stored sequence. The RWM determines the actual sequence based on position indication for each control rod. The RWM also uses feedwater flow and steam flow signals to determine when the reactor power is above the preset power level at which the RWM is automatically bypassed (Ref. 2). The RWM is a single channel system that provides input into both RMCS rod block circuits.

With the reactor mode switch in the shutdown position, a control rod withdrawal block is applied to all control rods to ensure that the shutdown condition is maintained. This Function prevents inadvertent criticality as the result of a control rod withdrawal during MODE 3 or 4, or during MODE 5 when the reactor mode switch is required to be in the shutdown position. The reactor mode switch has two channels, each inputting into a separate RMCS rod block circuit. A rod block in either RMCS circuit will provide a control rod block to all control I ods.

(continued)

BFN-UNIT 2 8 3.3-64

Control Rod Block Instrumentation 8 3.3.2.1 BASES (continued)

APPLICABLE 1. Rod Block Monitor SAFETYANALYSES, LCO, and The RBM is designed to prevent violation of the MCPR SL and APPLICABILITY the cladding 1% plastic strain fuel design limit that may result from a single control rod withdrawal error (RWE) event. The analytical methods and assumptions used in evaluating the RWE event are summarized in Reference 3. A statistical analysis of RWE events was performed to determine the RBM response for both channels for each event. From these responses, the fuel thermal performance as a function of RBM Allowable Value was determined. The Allowable Values are chosen as a function of power level. Based on the specified Allowable Values, operating limits are established.

The RBIVI Function satisfies Criterion 3 of the NRC Policy Statement (Ref. 10).

Two channels of the RBM are required to be OPERABLE, with their setpoints within the appropriate Allowable Value for the associated power range to ensure that no single instrument failure can preclude a rod block from this Function. The setpoints are calibrated consistent with applicable setpoint methodology (nominal trip setpoint).

Nominal trip setpoints are specified in the setpoint calculations.

The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Values between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those continued 8FN-UNIT 2 8 3.3-65

Control Rod Block Instrumentation B 3.3.2.1 BASES APPLICABLE 1. Rod Block Monitor (continued)

SAFETYANALYSES, LCO, and predetermined values of output at which an action should take APPLICABILITY place. The setpoints are compared to the actual process parameter (e.g., reactor power), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

The RBM is assumed to mitigate the consequences of an RWE

)

event when operating 27% RTP. Below this power level, the consequences of an RWE event will not exceed the MCPR SL and, therefore, the RBM is not required to be OPERABLE (Ref. 3). Analyses (Ref. 3) have shown that for specified initial MCPR values, the RBM is not required to be OPERABLE.

These MCPR values are provided in the COLR for operations z90% RTP, and for operations a27% and < 90% RTP. For these power ranges with the initial MCPR a the COLR value, no RWE event will result in exceeding the MCPR SL (Ref. 3).

Therefore, under these conditions, the RBM is also not required to be OPERABLE.

continued BFN-UNIT 2 B 3.3-66

1 P

Control Rod Block Instrumentation B 3.3.2.1 BASES APPLICABLE APPLICABILITY (continued)

SAFETYANALYSES, LCO, and Rod Worth Minimizer The RWM enforces the banked position withdrawal sequence (BPWS) to ensure that the initial conditions of the CRDA analysis are not violated. The analytical methods and assumptions used in evaluating the CRDA are summarized in References 4, 5, 6, and 7. The BPWS requires that control rods be moved in groups, with all control rods assigned to a specific group required to be within specified banked positions.

Requirements that the control rod sequence is in compliance with the BPWS are specified in LCO 3.1.6, "Rod Pattern Control."

The RWM Function satisfies Criterion 3 of the NRC Policy

. Statement (Ref. 10).

Since the RWM is designed to act as a backup to operator control of the rod sequences, only one channel of the RWM is available and required to be OPERABLE (Ref. 7). Special circumstances provided for in the Required Action of LCO 3.1.3, "Control Rod OPERABILITY,"and LCO 3.1.6 may necessitate bypassing the RWIVI to allow continued operation with inoperable control rods, or to allow correction of a control rod pattern not in compliance with the BPWS. The RWM may be bypassed as required by these conditions, but then it must be considered inoperable and the Required Actions of this LCO followed.

Compliance with the BPWS, and therefore OPERABILITY of the RWM, is required in MODES 1 and 2 when THERMAL POWER is s 10% RTP. When THERIVIALPOWER is ) 10% RTP, there is no possible control rod configuration that results in a control continued BFN-UNIT 2 B 3.3-67

0 Control Rod Block Instrumentation B 3.3.2.1 BASES APPLICABLE 2. Rod Worth Minimizer (continued)

SAFETY ANALYSES, LCO, and rod worth that could exceed the 280 cal/gm fuel damage limit APPLICABILITY during a CRDA (Refs. 5 and 7). In MODES 3 and 4, all control rods are required to be inserted into the core; therefore, a CRDA cannot occur.. In MODE 5, since only a single control rod can be withdrawn from a core cell containing fuel assemblies, adequate SDM ensures that the consequences of a

'RDA are acceptable, since the reactor will be subcritical.

3. Reactor Mode Switch - Shutdown Position During MODES 3 and 4, and during MODE 5 when the reactor mode switch is required to be in the shutdown position, the core is assumed to be subcritical; therefore, no positive reactivity insertion events are analyzed. The Reactor Mode Switch-Shutdown Position control rod withdrawal block ensures that the reactor remains subcritical by blocking control rod withdrawal, thereby preserving the assumptions of the safety analysis.

The Reactor Mode Switch - Shutdown Position Function satisfies Criterion 3 of the NRC Policy Statement (Ref. 10).

Two channels are required to be OPERABLE to ensure that no single channel failure will preclude a rod block when required.

There is no Allowable Value for this Function since the channels are mechanically actuated based solely on reactor mode switch position.

continued BFN-UNIT 2 B 3.3-68

0 Control Rod Block Instrumentation B 3.3.2.1 BASES APPLICABLE 3. Reactor Mode Switch - Shutdown Position (continued)

SAFETY ANALYSES, LCO, and During shutdown conditions (MODE 3, 4, or 5), no positive APPLICABILITY reactivity insertion events are analyzed because assumptions are that control rod withdrawal blocks are provided to prevent criticality. Therefore, when the reactor mode switch is in the shutdown position, the control rod withdrawal block is required to be OPERABLE. During MODE 5 with the reactor mode switch in the refueling position, the refuel position one-rod-out interlock (LCO 3.9.2, "Refuel Position One-Rod-Out Interlock")

provides the required control rod withdrawal blocks.

ACTIONS A.1 With one RBM channel inoperable, the remaining OPERABLE channel is adequate to perform the control rod block function; however, overall reliability is reduced because a single failure in the remaining OPERABLE channel can result in no control rod block capability for the RBM. For this reason, Required Action A.1 requires restoration of the inoperable channel to OPERABLE status. The Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is based on the low probability of an event occurring coincident with a failure in the remaining OPERABLE channel.

continued BFN-UNIT 2 B 3.3-69

e Control Rod Block Instrumentation 8 3.3.2.1 BASES ACTIONS B.1 (continued)

If Required Action A.1 is not met and the associated Completion Time has expired, the inoperable channel must be placed in trip within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . If both RBM channels are inoperable, the RBM.is not capable of performing its intended function; thus, one channel must also be placed in trip. This initiates a control rod withdrawal block, thereby ensuring that the RBM function is met.

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities and is acceptable because it minimizes risk while allowing time for restoration or tripping of inoperable channels.

C.1 C.2.1.1 C.2.1.2 and C.2.2 With the RWM inoperable during a reactor startup, the operator is still capable of enforcing the prescribed control rod sequence. However, the overall reliability is reduced because a single operator error can result in violating the control rod sequence. Therefore, control rod movement must be immediately suspended except by scram. Alternatively, startup may continue if at least 12 control rods have already been withdrawn, or a reactor startup with an inoperable RWM during withdrawal of one or more of the first 12 rods was not performed in the last 12 months. These requirements minimize the number of reactor startups initiated with the RWM inoperable.

Required Actions C.2.1.1 and C.2.1.2 require verification of these conditions by review of plant logs and control room indications. Once Required Action C.2.1.1 or C.2.1.2 is satisfactorily completed, control rod withdrawal may proceed in continued BFN-UNIT 2 B 3.3-70

Control Rod Block Instrumentation B 3.3.2.1 BASES ACTIONS C.1 C.2.1.1 C.2.1.2 and C.2.2 (continued) accordance with the restrictions imposed by Required Action C.2.2. Required Action C.2.2 allows for the RWM Function to be performed manually and requires a double check of compliance with the prescribed rod sequence by a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff (e.g.,

a qualified shift technical advisor or reactor engineer).

The RWM may be bypassed under these conditions to allow continued operations. In addition, Required Actions of LCO 3.1.3 and LCO 3.1.6 may require bypassing the RWM, during which time the RWM must be considered inoperable with Condition C entered and its Required Actions taken.

D.1 With the RWM inoperable during a reactor shutdown, the operator is still capable of enforcing the prescribed control rod sequence. Required Action D.1 allows for the RWM Function to be performed manually and requires a double check of compliance with the prescribed rod sequence by a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff. The RWM may be bypassed under these conditions to allow the reactor shutdown to continue.

continued BFN-UNIT 2 B 3.3-71

Control Rod Block Instrumentation 8 3.3.2.1 BASES ACTIONS E.1 and E.2 (continued)

With one Reactor Mode Switch - Shutdown Position control rod withdrawal block channel inoperable, the remaining OPERABLE channel is adequate to perform the control rod withdrawal block function. However, since the Required Actions are consistent with the normal action of an OPERABLE Reactor Mode Switch - Shutdown Position Function (i.e.,

maintaining all control rods inserted), there is no distinction between having one or two channels inoperable.

In both cases (one or both channels inoperable), suspending all control rod withdrawal and initiating action to fully insert all insertable control rods in core cells containing one or more fuel assemblies will ensure that the core is subcritical with adequate SDM ensured by LCO 3.1.1. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and are therefore not required to be inserted. Action must continue until all insertable control rods in core. cells containing one or more fuel assemblies are fully inserted.

SURVEILLANCE As noted at the beginning of the SRs, the SRs for each Control REQUIREMENTS Rod Block instrumentation Function are found in the SRs column of Table 3.3.2.1-1.

The Surveillances are modified by a second Note (Note 2) to indicate that when an RBM channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months provided the associated Function maintains control rod block capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable continued BFN-UNIT 2 8 3.3-72

Control Rod Block Instrumentation 8 3.3.2.1 BASES SURVEILLANCE Condition entered and Required Actions taken. This Note is REQUIREMENTS based on the reliability analysis (Ref. 9) assumption of the (continued) average time required to perform a channel Surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that a control rod block will be initiated when. necessary.

SR 3.3.2.1.1 A CHANNEL FUNCTIONAL TEST is performed for each RBM channel to ensure that the entire channel will perform the intended function. It includes the Reactor Manual Control System input.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 184 days is based on reliability analyses (Ref. 11).

SR 3.3.2.1.2 and SR 3.3.2.1.3 A CHANNEL FUNCTIONALTEST is performed for the RWM to ensure that the entire system will perform the intended function.

The CHANNEL FUNCTIONAL TEST for the RWIVI is performed by attempting to withdraw a control rod not in compliance with the prescribed sequence and verifying a control rod block occurs. This test is performed as soon as possible after the applicable conditions are entered. As noted in the SRs, SR 3.3.2.1.2 is not required to be performed until 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after continued BFN-UNIT 2 8 3.3-73

Control Rod Block Instrumentation B 3.3.2.1 BASES SURVEILLANCE SR 3.3.2.1.2 and SR 3.3.2.1.3 (continued)

REQUIREMENTS any control rod is withdrawn at s 10% RTP in MODE 2. As noted, SR 3.3.2.1.3 is not required to be performed until 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after THERMAL POWER is reduced to s 10% RTP in MODE 1.

This allows entry into MODE 2 for SR 3.3.2.1.2, and THERMAL POWER reduction to s 10% RTP for SR 3.3.2.1.3, to perform the required Surveillance if the 92 day Frequency is not met per SR 3.0.2. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months allowance is based on operating experience and in consideration of providing a reasonable time in which to complete the SRs. The. Frequencies are based on reliability analysis (Ref. 8).

SR 3.3.2.1.4 A CHANNEL CALIBRATIONis a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATIONleaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

As noted, neutron detectors are excluded from the CHANNEL CALIBRATIONbecause they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Neutron detectors are adequately tested in SR 3.3.1.1.2 and SR 3.3.1.1.7.

The Frequency is based upon the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

continued BFN-UNIT 2 B 3.3-74

Control Rod Block Instrumentation B 3.3.2.1 BASES SURVEILLANCE SR 3.3.2.'I.5 REQUIREMENTS (continued) The RWM is automatically bypassed when power is above a specified value. The power level is determined from feedwater flow and steam flow signals. The automatic bypass setpoint must be verified periodically to be > 10% RTP. If the RWM low power setpoint is nonconservative, then the RWM is considered inoperable. Alternately, the low power setpoint channel can be placed in the conservative condition (nonbypass). If placed in the nonbypassed condition, the SR is met and the RWM is not considered inoperable. The Frequency is based on the trip setpoint methodology utilized for the low power setpoint channel.

SR 3.3.2.1.6 A CHANNEL FUNCTIONALTEST is performed for the Reactor Mode Switch - Shutdown Position Function to ensure that the entire channel will perform the intended function. The CHANNEL FUNCTIONALTEST for the Reactor Mode Switch-Shutdown Position Function is performed by attempting to withdraw any control rod with the reactor mode switch in the shutdown position and verifying a control rod block occurs.

As noted in the SR, the Surveillance is not required to be performed until 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after the reactor mode switch is in the shutdown position, since testing of this interlock with the reactor mode switch in any other position cannot be performed without using jumpers, lifted leads, or movable links. This allows entry into MODES 3 and 4 if the 18 month Frequency is not met per SR 3.0.2. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months allowance is based on operating experience and in consideration of providing a reasonable time in which to complete the SRs.

continued BFN-UNIT 2 B 3.3-75

Control Rod Block Instrumentation B 3.3.2.1 BASES SURVEILLANCE SR 3.3.2.1.6 (continued)

REQUIREMENTS The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown these components usually pass the Surveillance when performed at the 18 month Frequency.

SR 3.3.2.1.7 The RWM will only enforce the proper control rod sequence if the rod sequence is properly input into the RWM computer.

This SR ensures that the proper sequence is loaded into the RWM so that it can perform its intended function. The Surveillance is performed once prior to declaring RWM OPERABLE following loading of sequence into RWM, since this is when rod sequence input errors are possible.

continued BFN-UNIT 2 B 3.3-76

Control Rod Block Instrumentation B 3.3.2.1 BASES SURVEILLANCE SR 3.3.2.1.8 REQUIREMENTS (continued) The RBM setpoints are automatically varied as a function of power. Three Allowable Values are specified in Table 3.3.2.1-1 and the COLR, each within a specific power range. The powers at which the control rod block Allowable Values automatically change are based on the APRM signal's input to each RBM channel. Below the minimum power setpoint, the RBM is automatically bypassed. These power Allowable Values must be verified periodically to be less than or equal to the specified values. If any power range setpoint is nonconservative, then the affected RBM channel is considered inoperable.

Alternatively, the power range channel can be placed in the conservative condition (i.e., enabling the proper RBM setpoint).

If placed in this condition, the SR is met and the RBM channel is not considered inoperable. As noted, neutron detectors are excluded from the Surveillance because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Neutron detectors are adequately tested in SR 3.3.1.1.2 and SR 3.3.1.1.7. The 18 month Frequency is based on the actual trip setpoint methodology utilized for these channels.

(continued)

BFN-UNIT 2 B 3.3-77

Control Rod Block Instrumentation B 3.3.2.1 BASES (continued)

REFERENCES FSAR, Section 7.5.8.2.3.

FSAR, Section 7.16.5.3.1.k.

NEDC-32433P, "Maximum Extended Load Line Limit and ARTS Improvement Program Analyses for Browns Ferry Nuclear Plant Unit 1, 2 and 3," April 1995.

NEDE-24011-P-A-US, "General Electrical Standard Application for Reload Fuel," Supplement for United States, (revision specified in the COLR).

"Modifications to the Requirements for Control Rod Drop Accident Mitigating Systems," BWR Owners'roup, July 1986.

NEDO-21231, "Banked Position Withdrawal Sequence,"

January 1977.

NRC SER, "Acceptance of Referencing of Licensing Topical Report NEDE-24011-P-A," "General Electric Standard Application for Reactor Fuel, Revision 8, Amendment 17," December 27, 1987.

NEDC-30851-P-A, Supplement 1, "Technical Specification Improvement Analysis for BWR Control Rod Block Instrumentation," October 1988.

GENE-770-06-1, "Addendum to Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991.

10. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

NEDC-3241 OP-A, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM)

Retrofit Plus Option III Stability Trip Function," October 1995.

BFN-UNIT 2 B 3.3-78

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 B 3.3 INSTRUMENTATION B 3.3.2.2 Feedwater and Main Turbine High Water Level Trip Instrumentation BASES BACKGROUND The feedwater and main turbine high water level trip instrumentation is designed to detect a potential failure of the Feedwater Level Control System that causes excessive feedwater flow.

With excessive feedwater flow, the water level in the reactor vessel rises toward the high water level reference point, causing the trip of the three feedwater pump turbines and the main turbine.

Reactor Vessel Water Level - High signals are provided by level sensors that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level in the reactor vessel (variable leg). Two channels of Reactor Vessel Water Level-High instrumentation per trip system are provided as input to a two-out-of-two initiation logic that trips the three feedwater pump turbines and the main turbine. There are two trip systems, either of which will initiate a trip. The channels include electronic equipment, LS-3-208A, LS-3-208B, LS-3-208C, and LS-3-208D (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a main feedwater and turbine trip signal to the trip logic.

A trip of the feedwater pump turbines limits further increase in reactor vessel water level by limiting further addition of feedwater to the reactor vessel. A trip of the main turbine and closure of the stop valves protects the turbine from damage due to water entering the turbine.

(continued)

BFN-UNIT 2 B 3.3-79

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES (continued)

'I APPLICABLE The feedwater and main turbine high water level trip SAFETYANALYSES instrumentation is assumed to be capable of providing a turbine trip in the design basis transient analysis for a feedwater controller failure, maximum demand event (Ref. 1). The reactor vessel high water level trip indirectly initiates a reactor scram from the main turbine trip (above 30% RTP) and trips the feedwater pumps, thereby terminating the event. The reactor scram mitigates the reduction in MCPR.

Feedwater and main turbine high water level trip instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 3).

LCO The LCO requires two channels of the Reactor Vessel Water Level - High instrumentation per trip system to be OPERABLE to ensure that no single instrument failure will prevent the feedwater pump turbines and main turbine trip on a valid Reactor Vessel Water Level - High signal. Both channels in either trip system are needed to provide trip signals in order for the feedwater and main turbine trips to occur. Each channel must have its setpoint set within the specified Allowable Value of SR 3.3.2.2.3. The Allowable Value is set to ensure that the thermal limits are not exceeded during the event. The actual setpoint is calibrated to be consistent with the applicable setpoint methodology assumptions. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable.

continued BFN-UNIT 2 B 3.3-80

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES LCO Trip setpoints are those predetermined values of output at (continued) which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g.,

trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for. channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

APPLICABILITY The feedwater and main turbine high water level trip instrumentation is required to be OPERABLE at a 25% RTP to ensure that the fuel cladding integrity Safety Limit and the cladding 1% plastic strain limit are not violated during the feedwater controller failure, maximum demand event. As discussed in the Bases for LCO 3.2.1, "Average Planar Linear Heat Generation Rate (APLHGR)," and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (IVICPR)," sufficient margin to these limits exists below 25% RTP; therefore, these requirements are only necessary when operating at or above this power level.

(continued)

BFN-UNIT 2 B 3.3-81

Feedwater and Main Turbine High Water Level Trip Instrumentation 8 3.3.2.2 BASES (continued)

ACTIONS A Note has been provided to modify the ACTIONS related to feedwater and main turbine high water level trip instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable feedwater and main turbine high water level trip instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable feedwater and main turbine high water level trip instrumentation channel.

A.1 With one or more channels inoperable in one trip system, the remaining two OPERABLE or in trip channels in the other trip system can provide the required trip signal. However, overall instrumentation reliability is reduced because a single failure in one of the two channels in the OPERABLE trip system concurrent with feedwater controller failure, maximum demand event, may result in the instrumentation not being able to perform its intended function. Therefore, continued operation is only allowed for a limited time with channels inoperable. If the inoperable channel(s) cannot be restored to OPERABLE status continued BFN-UNIT 2 B 3.3-82

Feedwater and Main Turbine High Water Level Trip Instrumentation 8 3.3.2.2 BASES ACTIONS A.1 (continued) within the Completion Time, the channel(s) must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel(s) in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue with no further restrictions. Alternately, if it is not desired to place the channel(s) in trip (e.g., as in the case where placing the inoperable channel(s) in trip would result in a feedwater or main turbine trip), Condition C must be entered and its Required Action taken.

The Completion Time of 7 days is based on the low probability of the event occurring coincident with a single failure in a remaining OPERABLE channel.

B.1 With one or more channels inoperable in each trip system, the feedwater and main turbine high water level trip instrumentation cannot perform its design function (feedwater and main turbine high water level trip capability is not maintained). Therefore, continued operation is only permitted for a 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months period, during which feedwater and main turbine high water level trip capability must be restored. The trip capability is considered maintained when sufficient channels are OPERABLE or in trip such that the feedwater and main turbine high water level trip logic will generate a trip signal on a valid signal. This requires that two channels in one trip system be OPERABLE or in trip. If the required channels cannot be restored to OPERABLE status or placed in trip, Condition C must be entered and its Required Action taken.

continued BFN-UNIT 2 B 3.3-83

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES ACTIONS 8.1 (continued)

The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time is sufficient for the operator to take corrective action, and takes into account the likelihood of an event requiring actuation of feedwater and main turbine high water level trip instrumentation occurring during this period. It is also consistent with the 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time provided in LCO 3.2.2 for Required Action A.1, since this instrumentation's purpose is to preclude a MCPR violation.

C.1 With the required channels not restored to OPERABLE status or placed in trip, THERMAL POWER must be reduced to

( 25% RTP within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . As discussed in the Applicability section of the Bases, operation below 25% RTP re'suits in sufficient margin to the required limits, and the feedwater and main turbine high water level trip instrumentation is not required to protect fuel integrity during the feedwater controller failure, maximum demand event. The allowed Completion Time of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is based on operating experience to reduce THERMAL POWER to < 25% RTP from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE The Surveillances are modified by a Note to indicate that REQUIREMENTS when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months provided the associated Function maintains feedwater and main turbine high water level trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status continued BFN-UNIT 2 B 3.3-84

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES SURVEILLANCE or the applicable Condition entered and Required Actions REQUIREMENTS taken. This Note is based on the reliability analysis (Ref. 2)

(continued) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the feedwater pump turbines and main turbine will trip when necessary.

SR 3.3.2.2.1 Performance of the CHANNEL CHECK once every 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels, or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limits.

The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel status during normal operational use of the displays associated with the channels required by the LCO.

continued BFN-UNIT 2 B 3.3-85

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES SURVEILLANCE SR 3.3.2.2.2 REQUIREMENTS (continued) A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days is based on reliability analysis (Ref. 2).

SR 3.3.2.2.3 CHANNEL CALIBRATIONis a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATIONleaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency is based upon the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

continued BFN-UNIT 2 B 3.3-86

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES SURVEILLANCE SR 3.3.2.2.4 REQUIREMENTS (continued) The LOGIC SYSTEM FUNCTIONALTEST demonstrates the OPERABILITYof the required trip logic for a specific channel.

The system functional test of the feedwater and main turbine valves is included as. part of this Surveillance and overlaps the LOGIC SYSTEM FUNCTIONALTEST to provide complete testing of the assumed safety function. Therefore, if a valve is incapable of operating, the associated instrumentation would also be inoperable. The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown that these components usually pass the Surveillance when performed at the 18 month Frequency.

REFERENCES 1. FSAR, Section 14.5.7.

2. GENE-770-06-1, "Bases for Changes to Surveillance Test Intervals and Allowed Out-Of-Service Times for Selected Instrumentation Technical Specifications," February 1991.

3. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

BFN-UNIT 2 B 3.3-87

PAM Instrumentation B 3.3.3.1 B 3.3 INSTRUMENTATION B 3.3.3.1 Post Accident Monitoring (PAM) Instrumentation BASES BACKGROUND The primary purpose of the PAM instrumentation is to display plant variables that provide information required by the control room operators during accident situations. This information provides the necessary support for the operator to take the manual actions for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for Design Basis Events. The instruments that monitor these variables are designated as Type A, Category 1, and non-Type A, Category 1, in accordance with Regulatory Guide 1.97 (Ref. 1).

The OPERABILITYof the accident monitoring instrumentation ensures that there is sufficient information available on selected plant parameters to monitor and assess plant status and behavior following an accident. This capability is consistent with the recommendations of Reference 1.

APPLICABLE The PAM instrumentation LCO ensures the OPERABILITY of SAFETY ANALYSES Regulatory Guide 1.97, Type A variables so that the control room operating staff can:

~ Perform the diagnosis specified in the Emergency Operating Instructions (EOIs). These variables are restricted to preplanned actions for the primary success path of Design Basis Accidents (DBAs), (e.g., loss of coolant accident (LOCA)), and

~ Take the specified, preplanned, manually controlled actions for which no automatic control is provided, which are required for safety systems to accomplish their safety function.

continued BFN-UNIT 2 B 3.3-88

PAM Instrumentation B 3.3.3.1 BASES APPLICABLE The PAM instrumentation LCO also ensures OPERABILITY of SAFETY ANALYSES Category 1, non-Type A, variables so that the control room (continued) operating staff can:

~ Determine whether systems important to safety are performing their intended functions;

~ Determine the potential for causing a gross breach of the barriers to radioactivity release;

~ Determine whether a gross breach of a barrier has occurred; and

~ Initiate action necessary to protect the public and for an estimate of the magnitude of any impending threat.

The plant specific Regulatory Guide 1.97 Analysis (Ref. 2) documents the process that identified Type A and Category 1, non-Type A, variables.

Accident monitoring instrumentation that satisfies the definition of Type A in Regulatory Guide 1.97 meets Criterion 3 of the NRC Policy Statement (Ref. 6). Category 1, non-Type A, instrumentation is retained in Technical Specifications (TS) because they are intended to assist operators in minimizing the consequences of accidents. Therefore, these Category 1 variables are important for reducing public risk.

(continued)

BFN-UNIT 2 B 3.3-89

~,

PAM Instrumentation B 3.3.3.1 BASES (continued)

LCO LCO 3.3.3.1 requires two OPERABLE channels for all but one Function to ensure that no single failure prevents the operators from being presented with the information necessary to determine the status of the plant and to bring the plant to, and maintain it in, a safe condition following that accident.

Furthermore, provision of two channels allows a CHANNEL CHECK during the post accident phase to confirm the validity of displayed information.

The exception to the two channel requirement is primary containment isolation valve (PCIV) position. In this case, the important information is the status of the primary containment penetrations. The LCO requires one position indicator for each active (e.g., automatic) PCIV. This is sufficient to redundantly verify the isolation status of each isolable penetration either via indicated status of the active valve and prior knowledge of passive valve or via system boundary status. If a normally active PCIV is known to be closed and deactivated, position indication is not needed to determine status. Therefore, the position indication for closed and deactivated valves is not required to be OPERABLE.

The following list is a discussion of the specified instrument Functions listed in Table 3.3.3.1-1.

continued BFN-UNIT 2 B 3.3-90

PAM Instrumentation B 3.3.3.1 BASES LCO 1. Reactor Steam Dome Pressure (continued) (PI-3-74A and PI-3-74B)

Reactor steam dome pressure is a Category 1 variable provided to support monitoring of Reactor Coolant System (RCS) integrity and to verify operation of the Emergency Core Cooling Systems (ECCS). Two independent pressure transmitters with a range of 0 psig to 1200 psig monitor pressure. Wide range indicators are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel.

2. Reactor Vessel Water Level (LI-3-52, LI-3-62A, LI-3-58A, and LI-3-58B}

Reactor vessel water level is a Category 1 variable provided to support monitoring of core cooling and to verify operation of the ECCS. Two different range water level channels (Emergency Systems and Post-accident Flood Range) provide the PAM Reactor Vessel Water Level Functions. The water level channels measure from 1/3 of the core height to 221 inches above the top of the active fuel. Water level is measured by two independent differential pressure transmitters for each required channel. The output from these channels is indicated on two independent indicators, which is the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel.

The reactor vessel water level instruments are not compensated for variation in reactor water density. Function 2.a is calibrated to be most accurate at operational pressure and temperature while Function 2.b is calibrated to be most accurate for accident conditions.

continued BFN-UNIT 2 B 3.3-91

PAM Instrumentation B 3.3.3.1 BASES LCO 3. Su ression Pool Water Level (continued) (LI-64-1 59A and XR-64-1 59)

Suppression pool water level is a Category 1 variable provided to detect a breach in the reactor coolant pressure boundary (RCPB). This variable is also used to verify and provide long term surveillance of ECCS function. The wide range suppression pool water level measurement provides the operator with sufficient information to assess the status of both the RCPB and the water supply to the ECCS. The wide range water level indicators monitor the suppression pool water level from two feet from the bottom of the pool to five feet above normal water level. Two wide range suppression pool water level signals are transmitted from separate differential pressure transmitters and are continuously recorded and displayed on one recorder and one indicator in the control room. The recorder and indicator are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel.

4. D ell Pressure (P 1-64-678, XR-64-50, Pl-64-1 60A, and XR-64-1 59)

Drywell pressure is a Category 1 variable provided to detect breach of the RCPB and to verify ECCS functions that operate to maintain RCS integrity. Two different ranges of drywell pressure channels (normal and wide range) receive signals that are transmitted from separate pressure transmitters and are continuously recorded and displayed on two control room recorders and two control room indicators. These recorders and indicators are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel.

continued BFN-UNIT 2 B 3.3-92

PAM Instrumentation B 3.3.3.1 BASES LCO 5. Prima ContainmentArea Radiation Hi h Ran e (continued) (RR-90-272 and RR-90-273)

Primary containment area radiation (high range) is provided to monitor the potential of significant radiation releases and to provide release assessment for use by operators in determining the need to invoke site emergency plans. Two high range primary containment area radiation signals are transmitted from separate radiation detectors and are continuously recorded and displayed on two control room recorders. These recorders are the primary indication used by the operator during an accident.

Therefore, the PAM Specification deals specifically with this portion of the instrument channel.

6. Prima Containment Isolation Valve PCIV Position PCIV position is provided for verification of containment integrity. In the case of PCIV position, the important information is the isolation status of the containment penetration. The LCO requires one channel of valve position indication in the control room to be OPERABLE for each active PCIV in a containment penetration flow path, i.e., two total channels of PCIV position indication for a penetration flow path with two active valves.

For containment penetrations with only one active PCIV having control room indication, Note (b) requires a single channel of valve position indication to be OPERABLE. This is sufficient to redundantly verify the isolation status of each isolable penetration via indicated status of the active valve, as applicable, and prior knowledge of passive valve or system boundary status. If a penetration flow path is isolated, position indication for the PCIV(s) in the associated penetration flow path is not needed to determine status. Therefore, the position indication for valves in an isolated penetration flow path is not required to be OPERABLE.

continued BFN-UNIT 2 B 3.3-93

0 PAM Instrumentation B 3.3.3.1 BASES LCO 6. Prima Containment Isolation Valve PCIV Position (continued)

The PCIV position PAM indication instrumentation consists of the category 1 PCIV position indications identified in Reference

4. The indication for. each PCIV consists of green and red indicator lights that illuminate to indicate whether the PCIV is fully open, fully closed, or in a mid-position. Therefore, the PAM specification deals specifically with this portion of the instrument channel.

7. D ell andTorus H dro enAnal zers (H2I-76-37, H2R-76-37, H2I-76-39, and H2R-76-39)

Drywell and torus hydrogen analyzers are Category 1 instruments provided to detect high hydrogen concentration conditions that represent a potential for containment breach.

The drywell and torus hydrogen concentration recorders allow the operators to detect trends in hydrogen concentration in sufficient time to initiate containment atmospheric dilution if containment atmosphere approaches combustible limits.

Hydrogen concentration indication is also important in verifying the adequacy of mitigating actions. High hydrogen concentration is measured by two independent analyzers and continuously recorded and displayed on one control room recorder and one control room indicator. The analyzers have the capability for sampling both the drywell and the torus.

These indicators are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel.

continued BFN-UNIT 2 B 3.3-94

PAM Instrumentation 8 3.3.3.1 BASES LCO 8. Su ression Pool Water Tem erature (continued) (TI-64-1 61, TR-64-1 61, Tl-64-1 62, and TR-64-1 62)

Suppression pool water temperature is a Category 1 variable provided to detect a condition that could potentially lead to containment breach and to verify the effectiveness of ECCS actions taken to prevent containment breach. The suppression pool water temperature instrumentation allows operators to detect trends in suppression pool water temperature in sufficient time to take action to prevent steam quenching vibrations in the suppression pool. Sixteen temperature sensors are arranged in two groups of two independent and redundant channels, located such that they are sufficient to provide a reasonable measure of bulk pool temperature. For a channel to be OPERABLE, at least 7 of its 8 sensors must be OPERABLE. The outputs for the sensors are recorded on two independent recorders in the control room. These recorders are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channels.

9. D ell Atmos here Tem erature (Tl-64-52AB and XR4-50)

Drywell atmosphere temperature is a Category 1 variable provided to detect a condition that could potentially lead to containment breach and to verify the effectiveness of ECCS actions taken to prevent containment breach. Two wide range drywell atmosphere temperature signals are transmitted from separate temperature sensors and are continuously recorded and displayed on one control room recorder and one control room indicator. The recorder and indicator are the primary indications used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel ~

(continued)

BFN-UNIT 2 8 3.3-95

PAM Instrumentation B 3.3.3.1 BASES- (continued)

APPLICABILITY The PAM instrumentation LCO is applicable in MODES 1 and 2.

These variables are related to the diagnosis and preplanned actions required to mitigate DBAs. The applicable DBAs are assumedtooccurinMODES1 and2. InMODES3,4, and5, plant conditions are such that the likelihood of an event that would require PAM instrumentation is extremely low; therefore, PAM instrumentation is not required to be OPERABLE in these MODES.

ACTIONS Note 1 has been added to the ACTIONS to exclude the MODE change restriction of LCO 3.0.4. This exception allows entry into the applicable MODE while relying on the ACTIONS even though the ACTIONS may eventually require plant shutdown.

This exception is acceptable due to the passive function of the instruments, the operator's ability to diagnose an accident using alternative instruments and methods, and the low probability of an event requiring these instruments.

Notes 2 and 3 have been provided to modify the ACTIONS related to PAM instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable PAM instrumentation channels provide appropriate compensatory measures for separate Functions. As such, Note 2 has been provided to allow separate Condition entry for each inoperable PAM Function. Note 3 has been provided for Function 6 to allow separate Condition entry for each penetration flow path.

continued BFN-UNIT 2 B 3.3-96

PAM Instrumentation 8 3.3.3.1 BASES ACTIONS (continued)

When one or more Functions have one required channel that is inoperable, the required inoperable channel must be restored to OPERABLE status within 30 days. The 30 day Completion Time is based on operating experience and takes into account the remaining OPERABLE channels (or, in the case of a Function that has only one required channel, other non-Regulatory Guide 1.97 instrument channels to monitor the Function), the passive nature of the instrument (no critical automatic action is assumed to occur from these instruments),

and the low probability of an event requiring PAM instrumentation during this interval.

B.1 If a channel has not been restored to OPERABLE status in 30 days, this Required Action specifies initiation of action in accordance with Specification 5.6.6, which requires a written report to be submitted to the NRC. This report discusses the alternate method of monitoring, the results of the root cause evaluation of the inoperability, and identifies proposed restorative actions. This action is appropriate in lieu of a shutdown requirement, since alternative actions are identified before loss of functional capability, and given the likelihood of plant conditions that would require information provided by this instrumentation.

continued BFN-UNIT 2 B 3.3-97

PAM Instrumentation B 3.3.3.1 BASES ACTIONS C.1 (continued)

When one or more Functions have two required channels that are inoperable (i.e., two channels inoperable in the same Function), one channel in the Function should be restoied to OPERABLE status within 7 days. The Completion Time of 7 days is based on the relatively low probability of an event requiring PAM instrument operation and the availability of alternate means to obtain the required information. Continuous operation with two required channels inoperable in a Function is not acceptable because the alternate indications may not fully meet all performance qualification requirements applied to the PAM instrumentation. Therefore, requiring restoration of one inoperable channel of the Function limits the risk that the PAM Function will be in a degraded condition should an accident occur. Condition C is modified by a Note that excludes hydrogen monitor channels. Condition D provides appropriate Required Actions for two inoperable hydrogen monitor channels.

D.1 When two hydrogen monitor channels are inoperable, one hydrogen monitor channel must be restored to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is based on the low probability of the occurrence of a LOCA that would generate hydrogen in amounts capable of exceeding the flammability limit; and the length of time after the event that operator action would be required to prevent hydrogen accumulation from exceeding this limit.

continued BFN-UNIT 2 B 3.3-98

PAM Instrumentation B 3.3.3.1 BASES ACTIONS (continued)

This Required Action directs entry into the appropriate Condition referenced in Table 3.3.3.1-1. The applicable Condition referenced in the Table is Function dependent. Each time an inoperable channel has not met any Required Action of Condition C or D, as applicable, and the associated Completion Time has expired, Condition E is entered for that channel and provides for transfer to the appropriate subsequent Condition.

F.1 For the majority of Functions in Table 3.3.3.1-1, if any Required Action and associated Completion Time of Condition C or D are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

G.1.

Since alternate means of monitoring primary containment area radiation have been developed and tested, the Required Action is not to shut down the plant, but rather to follow the directions of Specification 5.6.6. These alternate means may be temporarily installed if the normal PAM channel cannot be restored to OPERABLE status within the allotted time. The report provided to the NRC should discuss the alternate means used, describe the degree to which the alternate means are equivalent to the installed PAM channels, justify the areas in which they are not equivalent, and provide a schedule for restoring the normal PAM channels.

(continued)

BFN-UNIT 2 8 3.3-99

PAM Instrumentation B 3.3.3.1 BASES (continued)

SURVEILLANCE SR 3.3.3.1.1 REQUIREMENTS Performance of the CHANNEL CHECK for each required PAM instrumentation channel once every 31 days ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel against a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value.

Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. The high radiation instrument channels should be compared to each other or to other containment radiation monitoring instrumentation.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Frequency of 31 days is based upon plant operating experience, with regard to channel OPERABILITYand drift, which demonstrates that failure of more than one channel of a given Function in any 31 day interval is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of those displays associated with the required channels of this LCO.

continued BFN-UNIT 2 B 3.3-100

PAM Instrumentation B 3.3.3.1 BASES SURVEILLANCE SR 3.3.3.1.2 SR 3.3.3.1.3 and SR 3.3.3.1.4 REQUIREMENTS (continued) A CHANNEL CALIBRATIONis a complete check of the instrument loop, including the sensor. The test verifies the channel responds to measured parameter with the necessary range and accuracy.. For the PCIV position function, the CHANNEL CALIBRATIONconsists of verifying the remote indications conform to actual valve positions.

The 92 day Frequency for CHANNEL CALIBRATIONof the Drywell and Torus Hydrogen Analyzer is based on operating experience and vendor recommendations. The 184 day frequency for CHANNEL CALIBRATIONof the Reactor Pressure Indication is based on plant specific analysis. The 18 month Frequency for CHANNEL CALIBRATIONof all other PAM instrumentation in Table 3.3.3.1-1 is based on operating experience and consistency with BFN refueling cycles.

(continued)

BFN-UNIT 2 B 3.3-101

PAM Instrumentation B 3.3.3.1 BASES (continued)

REFERENCES 1. Regulatory Guide 1.97, "Instrumentation for Light Water Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident,"

Revision 3, May 1983.

2. TVA Letter from L. M. IVlills to H. R. Denton (NRC) dated April 30, 1984.

3. NRC Letter from S. C. Black to S. A. White (TVA), NRC Regulatory Guide 1.97 SER letter, dated June 23, 1988.

4. TVA General Design Criteria No. BFN-50-7307, Revision 4, "Post-Accident Monitoring," dated June 22, 1993.

5. NRC Letter from Joseph F. Williams to Oliver D. Kingsley, Jr., "Regulatory Guide 1.97 - Boiling Water Reactor Neutron Flux Monitoring For the Browns Ferry Nuclear Plant, Units 1, 2, and 3," dated May 3, 1994.

6. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements,". July 23, 1993.

BFN-UNIT 2 B 3.3-102

Backup Control System

'B 3.3.3.2 B 3.3 INSTRUMENTATION 8 3.3.3.2 Backup Control System BASES BACKGROUND The Backup Control System provides the control room operator with sufficient instrumentation and controls to place and maintain the plant in a safe shutdown condition from a location other than the control room. This capability is necessary to protect against the possibility of the control room becoming inaccessible. A safe shutdown condition is defined as MODE 3.

With the plant in MODE 3, the Reactor Core Isolation Cooling (RCIC) System, the safety/relief valves, and the Residual Heat Removal System can be used to remove core decay heat and meet all safety requirements. The long term supply of water for the RCIC and the ability to operate the RHR System for decay heat removal from outside the control room allow extended operation in MODE 3.

In the event that the control room becomes inaccessible, the operators can establish control at the backup control panel and place and maintain the plant in MODE 3. Not all controls and necessary transfer switches are located at the backup control panel. Some controls and transfer switches will have to be operated locally at the switchgear, motor control panels, or other local stations. The plant automatically reaches MODE 3 following a plant shutdown and can be maintained safely in MODE 3 for an extended period of time.

The OPERABILITYof the Backup Control System control and instrumentation Functions ensures that there is sufficient information available on selected plant parameters to place and maintain the plant in MODE 3 should the control room become inaccessible.

(continued)

BFN-UNIT 2 B 3.3-103

Backup Control System B 3.3.3.2 BASES (continued)

APPLICABLE The Backup Control System is required to provide equipment SAFETY ANALYSES at appropriate locations outside the control room with a design capability to promptly shut down the reactor to MODE 3, including the necessary instrumentation and controls, to maintain the plant in a safe condition in MODE 3.

The criteria governing the design and the specific system requirements of the Backup Control System are located in 10 CFR 50, Appendix A, GDC 19 (Ref. 1) and Reference 2.

C The Backup Control System is considered an important contributor to reducing the risk of accidents; as such, it meets Criterion 4 of the NRC Policy Statement (Ref. 3).

LCO The Backup Control System LCO provides the requirements for the OPERABILITYof the instrumentation and controls necessary to place and maintain the plant in MODE 3 from a location other than the control room. The instrumentation and controls typically required are listed in Table B 3.3.3.2-1.

The controls, instrumentation, and transfer switches are those required for:

~ Reactor pressure vessel (RPV) pressure control;

~ Decay heat removal;

~ RPV inventory control; and

~ Safety support systems for the above functions, including Residual Heat Removal (RHR) Service Water, Emergency Equipment Cooling Water, and onsite power, including the diesel generators.

continued BFN-UNIT 2 B 3.3-104

Backup Control System 8 3.3.3.2 BASES LCO The Backup Control System is OPERABLE if all instrument and (continued) control channels needed to support the backup control function are OPERABLE. In some cases, Table B 3.3.3.2-1 may indicate that the required information or control capability is available from several alternate sources. In these cases, the Backup Control System is OPERABLE as long as one channel of any of the alternate information or control sources for each Function is OPERABLE.

The Backup Control System instruments and control circuits covered by this LCO do not need to be energized to be considered OPERABLE. This LCO is intended to ensure that the instruments and control circuits will be OPERABLE if plant conditions require that the Backup Control System be placed in operation.

APPLICABILITY The Backup Control System LCO is applicable in MODES 1 and

2. This is required so that the plant can be placed and .

maintained in MODE 3 for an extended period of time from a location other than the control room.

This LCO is not applicable in MODES 3, 4, and 5. In these MODES, the plant is already subcritical and in a condition of reduced Reactor Coolant System energy. Under these conditions, considerable time is available to restore necessary instrument control Functions if control room instruments or control becomes unavailable. Consequently, the TS do not require OPERABILITY in MODES 3, 4, and 5.

(continued)

BFN-UNIT 2 B 3.3-1 05

Backup Control System B 3.3.3.2 BASES (continued)

ACTIONS A Note is included that excludes the MODE change restriction of LCO 3.0.4. This exception allows entry into an applicable MODE while relying on the ACTIONS even though the ACTIONS may eventually require a plant shutdown. This exception is acceptable due to the low probability of an event requiring this system Note 2 has been provided to modify the ACTIONS related to Backup Control System Functions. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition.

Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition.

However, the Required Actions for inoperable Backup Control System Functions provide appropriate compensatory measures for separate Functions. As such, a Note has been provided that allows separate Condition entry for each inoperable Backup Control System Function.

A.1 Condition A addresses the situation where one or more required Functions of the Backup Control System is inoperable.

This includes any Function listed in Table B 3.3.3.2-1, as well as the control and transfer switches.

The Required:Action is to restore the Function to OPERABLE status within 30 days. The Completion Time is based on operating experience and the low probability of an event that would require evacuation of the control room.

continued BFN-UNIT 2 B 3.3-106

Backup Control System 8 3.3.3.2 BASES ACTIONS B.1 (continued)

If the Required Action and associated Completion Time of Condition A are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Time is reasonable, based on operating experience, to reach the required MODE from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.3.3.2.1 REQUIREMENTS SR 3.3.3.2.1 verifies each required Backup Control System transfer switch and control circuit performs the intended function. This verification is performed from the backup control panel and locally, as appropriate. Operation of the equipment from the backup control panel is not necessary. The Surveillance can be satisfied by performance of a continuity check. This will ensure that if the control room becomes inaccessible, the plant can be placed and maintained in MODE 3 from the backup control panel and the local control stations. Operating experience demonstrates that Backup Control System control channels usually pass the Surveillance when performed at the 18 month Frequency.

continued BFN-UNIT 2 8 3.3-107

Backup Control System B 3.3.3.2 BASES SURVEILLANCE SR 3.3.3.2.2 and SR 3.3.3.2.3 REQUIREMENTS (continued) CHANNEL CALIBRATIONis a complete check of the instrument loop and the sensor. The test verifies the channel responds to measured parameter values with the necessary range and accuracy..

The Frequency of SR 3.3.3.2.2 is based upon the assumption of a 184 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. The 18 month Frequency of SR 3.3.3.2.3 is based upon operating experience and consistency with the typical industry refueling cycle.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 19.

2. FSAR Section 7.18.

3. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

BFN-UNIT 2 B 3.3-108

Backup Control System B 3.3.3.2 Table B 3.3.3.2-1 (Page 1 of 3)

Backup Control System Instrumentation and Controls NUMBER FUNCTION REQUIRED Instrument Parameter

1. Reactor Water Level Indication 1

2. Reactor Pressure Indication 1

3. Suppression Pool Temperature Indication 1

4. Suppression Pool Level Indication 1

5. Drywell Pressure Indication

6. RHR Flow Indication

7. RCIC Flow Indication 1, note a

8. RCIC Turbine Speed Indication 1

9. Drywell Temperature Indication 1

10. RHRSW Header Pressure 1, note p Transfer/Control Parameter

11. Main Steam Relief Valve (MSRV) Transfer & Control 3, note b

12. Main Steam Isolation Valve (MSIV) Transfer & Control 4, note c (Closure)

13. Main Steam Drain Line Isolation Valve 1, noted

14. RHRSW Pumps note e

15. RHRSW Discharge Valves for RHR Loop I Heat Exchangers 2, note f note a: RCIC flow indication may be obtained from the Flow Indicating Controller note b: 1 required for each of 3 MSRVs.

note c: 1 MSIV required per penetration, may be either inboard valve or outboard valve.

note d: 1 Main Steam Drain Line isolation valve required, may be either inboard valve or outboard valve.

note e: There are 12 RHRSW pumps. All are equipped with emergency transfer switches. 2 of the 12 must be available for EECW service (supports all units) and an additional 1 must be available for RHRSW service.

note f: 1 Discharge Valve per RHR Loop I Heat Exchanger for a total of 2.

note o: Note not used.

note p: The RHRSW Pressure indicator for the Header of the RHRSW Pump that supports RHR service is required.

BFN-UNIT 2 B 3.3-109

Backup Control System B 3.3.3.2 Table B 3.3.3.2-1 (Page 2 of 3)

Backup Control System Instrumentation and Controls NUMBER FUNCTION REQUIRED Transfer/Control Parameter continued

16. RCW Pumps 1D and 3D (Trip Function Only) 2, note g

17. 4-kV Fire Pumps A, B, and C 3, note h

18. Recirculation System Sample Line Isolation Valves 1, note i

19. EECW Sectionalizing Valves 8, 1 per valve, note j

20. RHRSW to EECW Motor-Operated Crosstie Valves 2, 1 per valve

21. Recirculation Pump Discharge Valve (RHR Loop I) 1

22. RWCU Drain to Main Condenser Hotwell Isolation Valve 1

23. RWCU Drain to Radwaste Isolation Valve 1

24. RHR Shutdown Cooling Inboard Containment Isolation Valve 1

25. RHR Shutdown Cooling Outboard Containment Isolation Valve 1

26. RCIC Steam Supply Isolation Valves 2, 1 per valve

27. RCIC Steam Pot Drain Line Steam Trap Bypass 1

28. RCIC Steam Pot Drain to Main Condenser Isolation 1, note k

29. RCIC Drain to Radwaste Isolation 1, note k

30. RCIC Turbine Steam Supply Valve 1

31. RCIC Turbine Stop Valve 1

32. RCIC Pump Suction From Suppression Pool 2, 1 per valve

33. RCIC Pump Suction From Condensate Storage Tank 1

34. RCIC Lube Oil Cooler Cooling Water Supply 1

35. RCIC Pump Minimum Flow Bypass 1

36. RCIC Pump Discharge 1

37. RCIC Test Return to Condensate Storage Tank 1

38. RCIC Injection Valve to Reactor Vessel 1

39. RCIC Barometric Condenser Condensate Pump 1

40. RCIC Barometric Condenser Vacuum Pump 1

41. HPCI Turbine Steam Supply Valve (Isolation Function Only) 1 note g: 1 per pump.- Trip function necessang to prevent spurious start overloading 4-kV Buses/Diesel Generators.

note h: 1 per pump. Each 4-kV Fire Pump has backup control located on its 4-kV supply board.

note i: 1 Recirculation System Sample Line Isolation Valve required, may be either inboard valve or outboard valve.

note j: Not required if valve breaker remains open, per Appendix R requirement, except when required for valve testing or operation.

note k: 1 switch for 2 solenoid valves.

BFN-UNIT 2 B 3.3-110

Backup Control System B 3.3.3.2 Table B 3.3.3.2-1 (Page 3 of 3)

Backup Control System Instrumentation and Controls NUMBER FUNCTION REQUIRED Transfer/Control Parameter continued

42. RHR Pump Control Loop I 2, note m

43. RHR Pump A Suppression Pool Cooling Suction Valve 1

44. RHR Pump A Shutdown Cooling Suction Valve 1

45. RHR Pump C Suppression Pool Cooling Suction Valve 1

46. RHR Pump C Shutdown Cooling Suction Valve 1

47. RHR System I Minimum Flow Valve 1

48. RHR Pump B Shutdown Cooling Suction Valve 1

49. RHR Pump D Shutdown Cooling Suction Valve 1

50. RHR System I-II Crosstie Valve 1, note j

51. RHR System I Outboard Injection Valve 1

52. RHR System I Inboard Recirc Loop Valve

53. RHR System I Suppression Pool Spray/Test Isolation Valve 1

54. RHR System I Test Valve 1

55. RHR System I Drywell Spray Outboard Valve 1

56. RHR Pump A Suction Crosstie Valve 1

57. RHR Pump C Suction Crosstie Valve 1 58 Core Spray Pumps (Trip and Lockout Function Only) 4, note n

59. CRD Scram Discharge Volume Isolation Test Valve 1 note j: Not required if valve breaker remains open, per Appendix R requirement, except when required for valve testing or operation.

note m: 1 for each Loop I Pump.

note n: 1 per pump. To prevent overloading 4-kV Buses, Diesel Generators.

BFN-UNIT 2 B 3.3-111

EOC-RPT Instrumentation B 3.3.4.1 B 3.3 INSTRUMENTATION B 3.3.4.1 End of Cycle Recirculation Pump Trip (EOC-RPT) Instrumentation BASES BACKGROUND The EOC-RPT instrumentation initiates a recirculation pump trip (RPT) to reduce the peak reactor pressure and power resulting from turbine trip or generator load rejection transients to provide additional margin to core thermal MCPR Safety Limits (SLs).

The need for the additional negative reactivity in excess of that normally inserted on a scram reflects end of cycle reactivity considerations. Flux shapes at the end of cycle are such that the control rods may not be able to ensure that thermal limits are maintained by inserting sufficient negative reactivity during the first few feet of rod travel upon a scram caused by Turbine Control Valve (TCV) Fast Closure, Trip Oil Pressure - Low or Turbine Stop Valve (TSV) - Closure. The physical phenomenon involved is that the void reactivity feedback due to a pressurization transient can add positive reactivity at a faster rate than the control rods can add negative reactivity.

The EOC-RPT instrumentation, as shown in Reference 1, is composed of sensors that detect initiation of closure of the TSVs or fast closure of the TCVs, combined with relays, logic circuits, and fast acting circuit breakers that interrupt power from the recirculation pump motor generator (MG) set generators to each of the recirculation pump motors. When the channels pre-established setpoint is exceeded, the channel output relay actuates, which then outputs an EOC-RPT signal to the trip logic. When the RPT breakers trip open, the recirculation pumps coast down under their own inertia. The EOC-RPT has two identical trip systems, either of which can actuate an RPT.

continued BFN-UNIT 2 B 3.3-112

EOC-RPT Instrumentation B 3.3.4.1 BASES BACKGROUND Each EOC-RPT trip system is a two-out-of-two logic for each (continued) Function; thus, either two TSV - Closure or two TCV Fast Closure, Trip Oil Pressure - Low signals are required for a trip system to actuate. If either trip system actuates, both recirculation pumps will trip. There are two EOC-RPT breakers in series per recirculation pump. One trip system trips one of the two EOC-RPT breakers for each recirculation pump, and the second trip system trips the other EOC-RPT breaker for each recirculation pump.

APPLICABLE The TSV - Closure and the TCV Fast Closure, Trip Oil SAFETY ANALYSES, Pressure - Low Functions are designed to trip the recirculation LCO, and pumps in the event of a turbine trip or generator load rejection APPLICABILITY to mitigate the increase in neutron flux, heat flux, and reactor pressure, and to increase the margin to the MCPR SL. The analytical methods and assumptions used in evaluating the turbine trip and generator load rejection are summarized in References 2, 3, and 4.

To mitigate pressurization transient effects, the EOC-RPT must trip the recirculation pumps after initiation of closure movement of either the TSVs or the TCVs. The combined effects of this trip and a scram reduce fuel bundle power more rapidly than a scram alone, resulting in an increased margin to the MCPR SL.

Alternatively, MCPR limits for an inoperable EOC-RPT, as specified in the COLR, are sufficient to preverit violation of the MCPR Safety Limit. The EOC-RPT function is automatically disabled when turbine first stage pressure is ( 30% RTP.

EOC-RPT instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 6).

continued BFN-UNIT 2 B 3.3-113

EOC-RPT Instrumentation B 3.3.4.1 BASES APPLICABLE The OPERABILITYof the EOC-RPT is dependent on the SAFETYANALYSES, OPERABILITYof the individual instrumentation channel LCO, and Functions. Each Function must have a required number of APPLICABILITY OPERABLE channels in each trip system, with their setpoints (continued) within the specified Allowable Value of SR 3.3.4.1.3. The setpoint is calibrated consistent with applicable setpoint methodology assumptions (nominal trip setpoint). Channel OPERABILITYalso includes the associated EOC-RPT breakers. Each channel (including the associated EOC-RPT breakers) must also respond within its assumed response time.

Allowable Values are specified for each EOC-RPT Function specified in the LCO. Nominal trip setpoints are specified in the setpoint calculations. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Each Allowable Value specified is more conservative than the analytical limit assumed in the transient and accident analysis in order to account for instrument uncertainties appropriate to the Function. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., TSV position), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip relay) changes state.

The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected continued BFN-UNIT 2 B 3.3-114

EOC-RPT Instrumentation B 3.3.4.1 BASES APPLICABLE for calibration, process, and some of the instrument errors. The SAFETY ANALYSES, trip setpoints are then determined accounting for the remaining LCO, and instrument errors (e.g., drift). The trip setpoints derived in this APPLICABILITY manner provide adequate protection because instrumentation (continued) uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

The specific Applicable Safety Analysis, LCO, and Applicability discussions are listed below on a Function by Function basis.

Alternatively, since this instrumentation protects against a MCPR SL violation, with the instrumentation inoperable, modifications to the MCPR limits (LCO 3.2.2) may be applied to allow this LCO to be met. The MCPR penalty for the EOC-RPT inoperable condition is specified in the COLR.

Turbine Sto Valve - Closure Closure of the TSVs and a main turbine trip result in the loss of a heat sink that produces reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, an RPT is initiated on TSV - Closure in anticipation of the transients that would result from closure of these valves. EOC-RPT decreases reactor power and aids the reactor scram in ensuring that the MCPR SL is not exceeded during the worst case transient.

continued BFN-UNIT 2 B 3.3-115

EOC-RPT Instrumentation 8 3.3.4.1 BASES APPLICABLE Turbine Sto Valve - Closure (continued)

SAFETY ANALYSES, LCO, and Closure of the TSVs is determined by measuring the position of APPLICABILITY each valve. There are two separate position signals associated with each stop valve, the signal from each switch being assigned to a separate trip channel. The logic for the TSV-Closure Function is such that two or more TSVs must be closed to produce an EOC-RPT. This Function must be enabled at THERMAL POWER a 30% RTP. This is normally accomplished automatically by pressure transmitters sensing turbine first stage pressure; therefore, opening the turbine bypass valves may affect this function. To consider this function OPERABLE, bypass of the function must not occur when bypass valves are open. Four channels of TSV-Closure, with two channels in each trip system, are available and required to be OPERABLE to ensure. that no single instrument failure will preclude an EOC-RPT from this Function on a valid signal. The TSV - Closure Allowable Value is selected to detect imminent TSV closure.

This protection is required, consistent with the safety analysis assumptions, whenever THERMAL POWER is z 30% RTP.

Below 30% RTP, the Reactor Vessel Steam Dome Pressure-High and the Average Power Range Monitor (APRM) Fixed Neutron Flux - High Functions of the Reactor Protection System (RPS) are adequate to maintain the necessary margin to the MCPR Safety Limit.

continued BFN-UNIT 2 8 3.3-116

EOC-RPT Instrumentation 8 3.3.4.1 BASES APPLICABLE Turbine Control Valve Fast Closure Tri Oil Pressure - Low SAFETYANALYSES, (PS-47-142, PS-47-144, PS-47-146, and PS-47-148)

LCO, and APPLICABILITY Fast closure of the TCVs during a generator load rejection (continued) results in the loss of a heat sink that produces reactor pressure, neutron flux, and heat flux transients that must be limited.

Therefore, an RPT is initiated on TCV Fast Closure, Trip Oil Pressure - Low in anticipation of the transients that would result from the closure of these valves. The EOC-RPT decreases reactor power and aids the reactor scram in ensuring that the MCPR SL is not exceeded during the worst case transient.

Fast closure of the TCVs is determined by measuring the electrohydraulic control fluid pressure at each control valve.

There is one pressure switch associated with each control valve, and the signal from each switch is assigned to a separate trip channel. The logic for the TCV Fast Closure, Trip Oil Pressure - Low Function is such that two or more TCVs must be closed (pressure switch trips) to produ'ce an EOC-RPT. This Function must be enabled at THERMAL POWER a 30% RTP.

This is normally accomplished automatically by pressure transmitters sensing turbine first stage pressure; therefore, opening the turbine bypass valves may affect this function. To consider this function OPERABLE, bypass of the function must not occur when bypass valves are open. Four channels of TCV Fast Closure, Trip Oil Pressure - Low, with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure will preclude an EOC-RPT from this Function on a valid signal. The TCV Fast Closure, Trip Oil Pressure - Low Allowable Value is selected high enough to detect imminent TCV fast closure.

continued BFN-UNIT 2 B 3.3-117

EOC-RPT Instrumentation B 3.3.4.1 BASES APPLICABLE Turbine Control Valve Fast Closure Tri Oil Pressure - Low SAFETY ANALYSES, (PS-47-142, PS-47-1 44, PS-47-1 46, and PS-47-1 48)

LCO, and (continued)

APPLICABILITY This protection is required consistent with the safety analysis whenever THERMAI. POWER is a 30% RTP. Below 30% RTP, the Reactor Vessel Steam Dome Pressure - High and the APRM Fixed Neutron Flux - High Functions of the RPS are adequate to maintain the necessary safety margins.

ACTIONS A Note has been provided to modify the ACTIONS related to EOC-RPT instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered,

. subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition.

Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition.

However, the Required Actions for inoperable EOC-RPT instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable EOC-RPT instrumentation channel.

continued BFN-UNIT 2 B 3.3-118

EOC-RPT Instrumentation B 3.3.4.1 BASES ACTIONS A.1 (continued)

With one or more channels inoperable, but with EOC-RPT trip capability maintained (refer to Required Actions B.1 and 8.2 Bases), the EOC-RPT System is capable of performing the intended function. However, the reliability and redundancy of the EOC-RPT instrumentation is reduced such that a single failure in the remaining trip system could result in the inability of the EOC-RPT System to perform the intended function.

Therefore, only a limited time is allowed to restore compliance with the LCO. Because of the diversity of sensors available to provide trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of an EOC-RPT, 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is provided to restore the inoperable channels (Required Action A.1) or apply the EOC-RPT inoperable MCPR limit. Alternately, the inoperable channels may be placed in trip (Required Action A.2) since this would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

As noted, placing the channel in trip with no further restrictions is not allowed if the inoperable channel is the result of an inoperable breaker, since this may not adequately compensate for the inoperable breaker (e.g., the breaker may be inoperable such that it will not open). If it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an RPT, or if the inoperable channel is the result of an inoperable breaker),

Condition C must be entered and its Required Actions taken.

continued BFN-UNIT 2 B 3.3-119

EOC-RPT Instrumentation B 3.3.4.1 BASES ACTIONS B.1 and 8.2 (continued)

Required Actions 8.1 and B.2 are intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in the Function not maintaining EOC-RPT trip capability. A Function is considered to be maintaining EOC-RPT trip capability when sufficient channels are OPERABLE or in trip, such that the EOC-RPT System will generate a trip signal from the given Function on a valid signal and both recirculation pumps can be tripped.

Alternately, Required Action B.2 requires the MCPR limit for inoperable EOC-RPT, as specified in the COLR, to be applied.

This also restores the margin to MCPR assumed in the safety analysis.

The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time is sufficient time for the operator to take corrective action, and takes into account the likelihood of an event requiring actuation of the EOC-RPT instrumentation during this period. It is also consistent with the 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time provided in LCO 3.2.2 for Required Action A.1, since this instrumentation's purpose is to preclude a MCPR violation.

C.1 With any Required Action and associated Completion Time not met, THERMAL POWER must be reduced to ( 30% RTP within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The allowed Completion Time of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is reasonable, based on operating experience, to reduce THERMAL POWER to ( 30% RTP from full power conditions in an orderly manner and without challenging plant systems.

(continued)

BFN-UNIT 2 B 3.3-120

EOC-RPT Instrumentation B 3.3.4.1 BASES (continued)

SURVEILLANCE The Surveillances are modified by a Note to indicate that when REQUIREMENTS a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months provided the associated Function maintains EOC-RPT trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 5) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the recirculation pumps will trip when necessary.

SR 3.3.4.1.1 A CHANNEL FUNCTIONALTEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days is based on reliability analysis of Reference 5.

continued BFN-UNIT 2 B 3.3-121

EOC-RPT Instrumentation B 3.3.4.1 BASES SURVEILLANCE SR 3.3.4.1.2 REQUIREMENTS (continued) This SR ensures that an EOC-RPT initiated from the TSV-Closure and TCV Fast Closure, Trip Oil Pressure - Low Functions will not be inadvertently bypassed when THERMAL POWER is a 30% RTP. This involves calibration of the bypass channels. Adequate margins for the instrument setpoint methodologies are incorporated into the actual setpoint. If any bypass channel's setpoint is nonconservative (i.e., the Functions are bypassed at a 30% RTP, either due to open main turbine bypass valves or other reasons), the affected TSV-Closure and TCV Fast Closure, Trip Oil Pressure - Low Functions are considered inoperable. Alternatively, the bypass channel can be placed in the conservative condition (nonbypass). If placed in the nonbypass condition, this SR is met with the channel considered OPERABLE.

The Frequency of 18 months is based on engineering judgment and reliability of the components.

SR 3.3.4.1.3 CHANNEL CALIBRATIONis a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATIONleaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology. The Frequency is based upon the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

continued BFN-UNIT 2 B 3.3-122

EOC-RPT Instrumentation B 3.3.4.1 BASES SURVEILLANCE SR 3.3.4.1.4 REQUIREMENTS (continued) The LOGIC SYSTEM FUNCTIONALTEST demonstrates the OPERABILITYof the required trip logic for a specific channel.

The system functional test of the pump breakers is included as a part of this test, overlapping the LOGIC SYSTEM FUNCTIONALTEST, to provide complete testing of the associated safety function. Therefore, if a breaker is incapable of operating, the associated instrument channel(s) would also be inoperable.

The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown these components usually pass the Surveillance when performed at the 18 month Frequency.

REFERENCES 1. FSAR, Figure 7.9-2 (EOC-RPT logic diagram).

2. FSAR, Section 7.9.4.5.

3. FSAR, Sections 14.5.1.1 and 14.5.1.3.

4. FSAR, Section 4.3.5.

5. GENE-770-06-1, "Bases For Changes To Surveillance Test Intervals And Allowed Out-Of-Service Times For Selected Instrumentation Technical Specifications,"

February 1991.

6. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

BFN-UNIT 2 B 3.3-123

ATWS-RPT Instrumentation 8 3.3.4.2 B 3.3 INSTRUMENTATION B 3.3.4.2 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT)

Instrumentation BASES BACKGROUND The ATWS-RPT System initiates an RPT, adding negative reactivity, following events in which a scram does not (but should) occur, to lessen the effects of an ATWS event.

Tripping the recirculation pumps adds negative reactivity from the increase in steam voiding in the core area as core flow decreases. When Reactor Vessel Water Level - Low Low, Level 2 or Reactor Steam Dome Pressure - High setpoint is reached, the recirculation pump motor breakers trip.

The ATWS-RPT System (Ref. 1) includes sensors, relays, bypass capability, circuit breakers, and switches that are necessary to cause initiation of an RPT. The channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs an ATWS-RPT signal to the trip logic.

The ATWS-RPT consists of two independent trip systems, with two channels of Reactor Steam Dome Pressure - High and two channels of Reactor Vessel Water Level - Low Low, Level 2 in each trip system. Each ATWS-RPT trip system is a two-out-of-two logic for each Function. Thus, either two Reactor Vessel Water Level - Low Low, Level 2 or two Reactor Pressure - High signals are needed to trip a trip system. The outputs of the channels in a trip system are combined in a logic so that either trip system will trip both recirculation pumps (by tripping the respective motor breakers).

continued BFN-UNIT 2 B 3.3-124

ATWS-RPT Instrumentation B 3.3.4.2 BASES BACKGROUND There are two motor breakers provided for each of the two (continued) recirculation pumps for a total of four breakers. The output of each trip system is provided to one of the two breakers for each recirculation pump.

APPLICABLE The ATWS-RPT is not assumed in the safety analysis. The SAFETY ANALYSES, ATWS-RPT initiates an RPT to aid in preserving the integrity LCO, and of the fuel cladding following events in which a scram does APPLICABILITY not, but should, occur. Based on its contribution to the reduction of overall plant risk, however, the instrumentation meets Criterion 4 of the NRC Policy Statement (Ref. 3).

The OPERABILITYof the ATWS-RPT is dependent on the OPERABILITY of the individual instrumentation channel Functions. Each Function must have a required number of OPERABLE channels in each trip system, with their setpoints within the specified Allowable Value of SR 3.3.4.2.3. The setpoint is calibrated consistent with applicable setpoint methodology assumptions (nominal trip setpoint). ATWS-RPT Channel OPERABILITYalso includes the associated recirculation pump motor breakers. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.

Allowable Values are specified for each ATWS-RPT Function specified in the LCO. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable'Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process continued BFN-UNIT 2 B 3.3-125

ATWS-RPT Instrumentation 8 3.3.4.2 BASES APPLICABLE parameter (e.g., reactor vessel water level), and when the SAFETYANALYSES, measured output value of the process parameter exceeds the LCO, and setpoint, the associated device (e.g., trip unit) changes state.

APPLICABILITY The analytic limits are derived from the limiting values of the (continued) process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and environmental effects are accounted for.

The individual Functions are required to be OPERABLE in MODE 1 to protect against catastrophidmultiple failures of the Reactor Protection System by providing a diverse trip to mitigate the consequences of a postulated ATWS event. The Reactor Steam Dome Pressure - High and Reactor Vessel Water Level - Low Low, Level 2 Functions are required to be OPERABLE in MODE 1, since the reactor is producing significant power and the recirculation system could be at high flow. During this MODE, the potential exists for pressure increases or low water level, assuming an ATWS event. In MODE 2, the reactor is at low power and the recirculation system is at low flow; thus, the potential is low for a pressure increase or low water level, assuming an ATWS event.

Therefore, the ATWS-RPT is not necessary. In MODES 3 and 4, the reactor is shut down with all control rods inserted; thus, an ATWS event is not significant and the possibility of a significant pressure increase or low water level is negligible. In MODE 5, the one rod out interlock ensures that the reactor remains subcritical; thus, an ATWS event is not significant. In addition, the reactor pressure vessel (RPV) head is not fully tensioned and no pressure transient threat to the reactor coolant pressure boundary (RCPB) exists.

continued BFN-UNIT 2 B 3.3-126

ATWS-RPT Instrumentation B 3.3.4.2 BASES APPLICABLE The specific Applicable Safety Analyses and LCO discussions SAFETYANALYSES, are listed below on a Function by Function basis.

LCO, and APPLICABILITY a. Reactor Vessel Water Level - Low Low Level 2 (continued) (LS-3-58A1, LS-3-58B1, LS-3-58C1, and LS-3-58D1)

Low RPV water level indicates the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the ATWS-RPT System is initiated at Level 2 to aid in maintaining level above the top of the active fuel. The reduction of core flow reduces the neutron flux and THERMAL POWER and, therefore, the rate of coolant boiloff.

Reactor vessel water level signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

Four channels of Reactor Vessel Water Level - Low Low, Level 2 with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure can preclude an ATWS-RPT from this Function on a valid signal. The Reactor Vessel Water Level

- Low Low, Level 2 Allowable Value is chosen so that the system will not be initiated after a Level 3 scram with feedwater still available, and for convenience with the reactor core isolation cooling initiation.

continued BFN-UNIT 2 B 3.3-127

ATWS-RPT Instrumentation B 3.3.4.2 BASES APPLICABLE b. Reactor Steam Dome Pressure- Hi h SAFETYANALYSES, (PIS-3-204A, PIS-3-204B, PIS-3-204C, and PIS-3-204D)

LCO, and APPLICABILITY Excessively high RPV pressure may rupture the RCPB. An (continued) increase in the RPV pressure during reactor operation compresses the ~team voids and results in a positive reactivity insertion. This increases neutron flux and THERMAL POWER, which could potentially result in fuel failure and overpressurization. The Reactor Steam Dome Pressure - High Function initiates an RPT for transients that result in a pressure increase, counteracting the pressure increase by rapidly reducing core power generation. For the overpressurization event, the RPT aids in the termination of the ATWS event and, along with the safety/relief valves, limits the peak RPV pressure to less than the ASME Section III Code limits.

The Reactor Steam Dome Pressure - High signals are initiated from four pressure transmitters that monitor reactor steam dome pressure. Four channels of Reactor Steam Dome Pressure - High, with two channels in each trip system, are available and are required to be OPERABLE to ensure that no single instrument failure can preclude an ATWS-RPT from this Function on a valid signal. The Reactor Steam Dome Pressure - High Allowable Value is chosen to provide an adequate margin to the ASME Section III Code limits.

(continued)

BFN-UNIT 2 8 3.3-128

ATWS-RPT Instrumentation B 3.3.4.2 BASES (continued)

ACTIONS A Note has been provided to modify the ACTIONS related to ATWS-RPT instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition.

Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition.

However, the Required Actions for inoperable ATWS-RPT instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable ATWS-RPT instrumentation channel.

A.1 and A.2 With one or more channels inoperable, but with ATWS-RPT capability for each Function maintained (refer to Required Actions B.1 and C.1 Bases), the ATWS-RPT System is capable of performing the intended function. However, the reliability and redundancy of the ATWS-RPT instrumentation is reduced, such that a single failure in the remaining trip system could result in the inability of the ATWS-RPT System to perform the intended function. Therefore, only a limited time is allowed to restore the inoperable channels to OPERABLE status.

Because of the diversity of sensors available to provide trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of ATWS-RPT, 14 days is provided to restore the inoperable channel (Required Action A.1). Alternately, the inoperable channel may be placed in trip (Required Action A.2), since this would conservatively continued BFN-UNIT 2 B 3.3-129

ATWS-RPT Instrumentation 8 3.3.4.2 BASES ACTIONS A.1 and A.2 (continued) compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

As noted, placing the channel in trip with no further restrictions is not allowed if the inoperable channel is the result of an inoperable breaker, since this may not adequately compensate for the inoperable breaker (e.g., the breaker may be inoperable such that it will not open). If it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel would result in an RPT), or if the inoperable channel is the result of an inoperable breaker, Condition D must be entered and its Required Actions taken.

8.1 Required Action 8.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in the Function not maintaining ATWS-RPT trip capability. A Function is considered to be maintaining ATWS-RPT trip capability when sufficient channels are OPERABLE or in trip such that the ATWS-RPT System will generate a trip signal from the given Function on a valid signal, and both recirculation pumps can be tripped. This requires one channel of the Function in each trip system to be OPERABLE or in trip, and the recirculation pump motor breakers to be OPERABLE or in trip.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is sufficient for the operator to take corrective action (e.g., restoration or tripping of channels) and takes into account the likelihood of an event requiring actuation of the ATWS-RPT instrumentation during this period and that one Function is still maintaining ATWS-RPT trip capability.

continued BFN-UNIT 2 B 3.3-130

ATWS-RPT Instrumentation B 3.3.4.2 BASES ACTIONS C.1 (continued)

Required Action C.1 is intended to ensure that appropriate Actions are taken if multiple, inoperable, untripped channels within both Functions result in both Functions not maintaining ATWS-RPT trip capability. The description of a Function maintaining ATWS-RPT trip capability is discussed in the Bases for Required Action B.1 above.

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is sufficient for the operator to take corrective action and takes into account the likelihood of an event requiring actuation of the ATWS-RPT instrumentation during this period.

D.1 With any Required Action and associated Completion Time not met, the plant must be brought to'a MODE or other specified condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, both to reach MODE 2 from full power conditions and to remove a recirculation pump from service in an orderly manner and without challenging plant systems.

(continued)

BFN-UNIT 2 B 3.3-131

ATWS-RPT Instrumentation

'B 3.3.4.2 BASES (continued)

SURVEILLANCE The Surveillances are modified by a Note to indicate that when REQUIREMENTS a channel is placed in an inoperable status solely for performance of required Surveillances, entry into the associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months provided the associated Function maintains ATWS-RPT trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 2) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the recirculation pumps will trip when necessary.

SR 3.3.4.2.1 Performance of the CHANNEL CHECK once every 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

continued BFN-UNIT 2 B 3.3-132

ATWS-RPT Instrumentation B 3.3.4.2 BASES SURVEILLANCE SR 3.3.4.2.1 (continued)

REQUIREMENTS The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.4.2.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days is based on the reliability analysis of Reference 2.

SR 3.3.4.2.3 A CHANNEL CALIBRATIONis a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATIONleaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency is based upon the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

continued BFN-UNIT 2 B 3.3-133

ATWS-RPT Instrumentation B 3.3.4.2 BASES SURVEILLANCE SR 3.3.4.2.4 REQUIREMENTS (continued) The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel.

The system functional test of the pump breakers is included as part of this Surveillance and overlaps the LOGIC SYSTEM FUNCTIONALTEST to provide complete testing of the assumed safety function. Therefore, if a breaker is incapable of operating, the associated instrument channel(s) would be inoperable.

The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown these components usually pass the Surveillance when performed at the 18 month Frequency.

REFERENCES FSAR Section 7.19.

2. GENE-770-06-1, "Bases for Changes To Surveillance Test Intervals and Allowed Out-of-Service Times For Selected Instrumentation Technical Specifications," February 1991.

3. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

BFN-UNIT 2 B 3.3-1 34

ECCS Instrumentation B 3.3.5.1 B 3.3 INSTRUMENTATION B 3.3.5.1 Emergency Core Cooling System (ECCS) Instrumentation BASES BACKGROUND The purpose of the ECCS instrumentation is to initiate appropriate responses from the systems to ensure that the fuel is adequately cooled in the event of a design basis accident or transient.

For most anticipated operational occurrences and Design Basis Accidents (DBAs), a wide range of dependent and independent parameters are monitored.

The ECCS instrumentation actuates core spray (CS), low pressure coolant injection (LPCI), high pressure coolant injection (HPCI), and the Automatic Depressurization System (ADS). The equipment involved with each of these systems is described in the Bases for LCO 3.5.1, "ECCS - Operating."

Portions of the ECCS instrumentation also provide for the generation of the Common Accident Signal which initiate the DGs and EECW System. Refer to LCO 3.8.1, "AC Systems-Operating," for operability requirements of the Common Accident Signal Logic.

Core S ra S stem The CS System may be initiated by automatic means. Each pump can be controlled manually by a control room remote switch. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low Low, Level 1 or both Drywell Pressure - High and Reactor Steam Dome Pressure - Low.

Reactor water level and drywell pressure are each monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of these trip units are connected to continued BFN-UNIT 2 B 3.3-1 35

ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND Core S ra S stem (continued) relays whose contacts are arranged in a one-out-of-two taken twice logic (i.e., two trip systems) for each Function. The Reactor Steam Dome Pressure - Low variable is monitored by two transmitters for each trip system. The outputs from these transmitters are connected to relays arranged in a one-out-of-two logic.

The high drywell pressure and low reactor water level initiation signals are sealed in signals and must be manually reset.

Upon receipt of an initiation signal, if normal AC power is available, the four core spray pumps start one at a time, in order, at 0, 7, 14, and 21 seconds. If normal AC power is not available, the four core spray pumps start seven seconds after standby power becomes available. (The LPCI pumps start as soon as standby power is available.)

The CS test line isolation valve is closed on a CS initiation signal to allow full system flow assumed in the accident analyses.

The CS pump discharge flow is monitored by a flow switch.

When the pump is running and discharge flow is low enough so that pump overheating may occur, the minimum flow return line valve is opened. The valve is automatically closed if flow is above the minimum flow setpoint to allow the full system flow assumed in the accident analysis.

continued BFN-UNIT 2 B 3.3-136

ECCS Instrumentation 8 3.3.5.1 BASES BACKGROUND Core S ra S stem (continued)

The CS System logic also receives signals from transmitters which monitor the pressure in the reactor to ensure that, before the injection valves open, the reactor pressure has fallen to a value below the CS System's maximum design pressure.

Reactor pressure is monitored by four redundant transmitters, which are, in turn, connected to four trip units (two per trip system). The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two logic for each CS trip system.

Low Pressure Coolant tn ection S stem The LPCI is an operating mode of the Residual Heat Removal (RHR) System, with two LPCI subsystems. The LPCI subsystems may be initiated by automatic or manual means.

Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low Low, Level 1 or both Drywell Pressure

- High and Reactor Steam Dome Pressure - Low. Each of these diverse variables is monitored by four redundant transmitters, which, in turn, are connected to four trip units.

The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic (i.e.,

two trip systems) for each Function.

'I Once an initiation signal is received by the LPCI control circuitry, the signal is sealed in until manually reset.

Upon receipt of an initiation signal, if normal AC power is available, the four RHR (LPCI) pumps start one at a time, in order, at 0, 7, 14, and 21 seconds. If normal AC power is not available, the four pumps start simultaneously, with no delay, as soon as the standby power source is available.

continued BFN-UNIT 2 8 3.3-1 37

0 ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND Low Pressure Coolant In'ection S stem (continued)

Each LPCI subsystem's discharge flow is monitored by a flow switch. When a pump is running and discharge flow is low enough so that pump overheating may occur, the respective minimum flow return. line valve is opened. If flow is above the minimum flow setpoint, the valve is automatically closed.

However, LPCI flow rates assumed in the LOCA analyses can be achieved with the minimum flow valve in the open position.

The RHR test line suppression pool cooling isolation valve, suppression pool spray isolation valves, and containment spray isolation valves (which are also PCIVs) are also closed on a LPCI initiation signal to allow the full system flow assumed in the accident analyses and maintain primary containment isolated in the event LPCI is not operating.

The LPCI System monitors the pressure in the reactor to ensure that, before an injection valve opens, the reactor pressure has fallen to a value below the LPCI System's maximum design pressure. The variable is monitored by four redundant transmitters, which are, in turn, connected to multiple trip units.

The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic.

Additionally, these instruments function to initiate closure of the recirculation pump discharge valves to ensure that LPCI flow does not bypass the core when it injects into the recirculation lines.

Low reactor water level in the shroud is detected by two additional instruments which inhibit the manual initiation of other modes of RHR (e.g., suppression pool cooling) when LPCI is required. Manual overrides for the inhibit logic are provided.

continued BFN-UNIT 2 B 3.3-138

ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND Hi h Pressure Coolant In'ection S stem (continued)

The HPCI System may be initiated by either automatic or manual means. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low, Level 2 or Drywell Pressure - High. Each of these variables is monitored by four redundant transmitters, which are, in turn, connected to multiple trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic for each Function.

The HPCI pump discharge flow is monitored by a flow switch.

Upon automatic initiation, when the pump is running and discharge flow is low enough so that pump overheating may occur, the minimum flow return line valve is opened. The valve is automatically closed if flow is above the minimum flow setpoint to allow the full system flow, however, the flow rates assumed in the accident analysis can be achieved with the minimum flow valve open.

The HPCI test line isolation valve is closed upon receipt of a HPCI initiation signal to allow the full system flow assumed in the accident analysis.

continued BFN-UNIT 2 8 3.3-139

0' ECCS Instrumentation 8 3.3.5.1 BASES BACKGROUND Hi h Pressure Coolant In ection S stem (continued)

The HPCI System also monitors the water levels in the HPCI pump supply header from the condensate storage tank (CST) and the suppression pool because these are the two sources of water for HPCI operation. Reactor grade water in the CST is the normal source. Upon receipt of a HPCI initiation signal, the CST suction valve is automatically signaled to open (it is normally in the open position) unless both suppression pool suction valves are open. If the water level in the HPCI pump supply header from the CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. Two level switches are used to detect low water level in the HPCI pump supply header from the CST. Either switch can cause the suppression pool suction valves to open and the CST suction valve to close.

The suppression pool suction valves also automatically open and the CST suction valve closes if high water level is detected in the suppression pool. To prevent losing suction to the pump, the suction valves are interlocked so that one suction path must be open before the other automatically closes.

The HPCI provides makeup water to the reactor until the reactor vessel water level reaches the Reactor Vessel Water Level - High, Level 8 trip, at which time the HPCI turbine trips, which causes the turbine's stop valve to close. The logic is two-out-of-two to provide high reliability of the HPCI System.

The HPCI System automatically restarts if a Reactor Vessel Water Level - Low Low, Level 2 signal is subsequently received.

continued BFN-UNIT 2 B 3.3-140

ECCS Instrumentation

. 8 3.3.5.1 BASES BACKGROUND Automatic De ressurization S stem (continued)

The ADS may be initiated by either automatic or manual means.

Automatic initiation occurs when signals indicating Reactor Vessel Water Level - Low Low Low, Level 1; Drywell Pressure

- High or ADS High Drywell Pressure Bypass Timer; confirmed Reactor Vessel Water Level - Low, Level 3 (confirmatory); and CS or LPCI Pump Discharge Pressure - High are all present and the ADS Initiation Timer has timed out. There are two transmitters each for Reactor Vessel Water Level - Low Low Low, L'evel 1 and Drywell Pressure - High, and one transmitter for confirmed Reactor Vessel Water Level - Low, Level 3 (confirmatory) in each of the two ADS trip systems. Each of these transmitters connects to a trip unit, which then drives a relay whose contacts form the initiation logic.

Each ADS trip system includes a time delay between satisfying the initiation logic and the actuation of the ADS valves.- The ADS Initiation Timer time delay setpoint chosen is long enough that the HPCI has sufficient operating time to recover to a level above Level 1, yet not so long that the LPCI and CS Systems are unable to adequately cool the fuel if the HPCI fails to maintain that level. An alarm in the control room is annunciated when either of the ADS Initiation Timers is timing. Resetting the ADS initiation signals resets the ADS Initiation Timers.

The ADS also monitors the discharge pressures of the four LPCI pumps and the four CS pumps. Each ADS trip system includes two discharge pressure permissive switches from all four LPCI pumps and one discharge pressure permissive switch from all four CS pumps. The signals are used as a permissive for ADS actuation, indicating that there is a source of core coolant available once the ADS has depressurized the vessel.

CS pumps (A or B and either C or D) or any one of the four LPCI pumps is sufficient to permit automatic depressurization.

continued BFN-UNIT 2 B 3.3-141

ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND Automatic De ressurization S stem (continued)

The ADS logic in each trip system is arranged in two strings.

Each string has a contact from each of the following variables:

Reactor Vessel Water Level - Low Low Low, Level 1; Drywell Pressure - High; High Drywell Pressure Bypass Timer; and Pump Discharge Pressure - High. One of the two strings in each trip system must also have a confirmed Reactor Vessel Water Level - Low, Level 3 (confirmatory). Either the Drywell Pressure - High or the Drywell Pressure Bypass Timer contacts and all remaining contacts in both logic strings must close and the ADS initiation timer must time out to initiate an ADS trip system. Either the A or B trip system will cause all the ADS relief valves to open. Once the Drywell Pressure - High signal, the ADS High Drywell Pressure Bypass Timer, or the ADS initiation signal is present, it is individually sealed in until manually reset.

Manual inhibit switches are provided in the control room for the ADS; however, their function is not required for ADS OPERABILITY (provided ADS is not inhibited when required to be OPERABLE).

(continued)

BFN-UNIT 2 B 3.3-142

ECCS Instrumentation B 3.3.5.1 BASES (continued)

APPLICABLE The actions of the ECCS are explicitly assumed in the safety SAFETY ANALYSES, analyses of References 1, 2, and 3. The ECCS is initiated LCO, and to preserve the integrity of the fuel cladding by limiting APPLICABILITY the post LOCA peak cladding temperature to less than the 10 CFR 50.46 limits.

ECCS instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 5). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITYof the ECCS instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Valves, where appropriate. The setpoint is calibrated consistent with applicable setpoint methodology assumptions (nominal trip setpoint). Table 3.3.5.1-1, footnote (b), is added to show that certain ECCS instrumentation Function channels affect Common Accident Signal Logic which is addressed in LCO 3.8.1, "AC Sources - Operating."

Allowable Values are specified for each ECCS Function specified in the table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined continued BFN-UNIT 2 B 3.3-143

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE values of output at which an action should take place. The SAFETYANALYSES, setpoints are compared to the actual process parameter (e.g.,

LCO, and reactor vessel water level), and when the measured output APPLICABILITY value of the process parameter exceeds the setpoint, the (continued) associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined, accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions that may require ECCS initiation to mitigate the consequences of a design basis transient or accident. To ensure reliable ECCS function, a combination of Functions is required to provide primary and secondary initiation signals.

J The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

continued BFN-UNIT 2 B 3.3-144

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE Core S ra and Low Pressure Coolant In'ection S stems SAFETY ANALYSES, LCO, and 1.a 2.a. Reactor Vessel Water Level - Low Low Low Level 1 APPLICABILITY (LS-3-58A-D)

(continued)

Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. The low pressure ECCS are initiated at Level 1 to ensure that core spray and flooding functions are available to prevent or minimize fuel damage. The Reactor Vessel Water Level - Low Low Low, Level 1 is also utilized in the development of the Common Accident Signal which initiates the DGs and EECW System. (Refer to LCO 3.8.1, "AC Sources - Operating," for operability requirements of the Common Accident Signal Logic).

The Reactor Vessel Water Level - Low Low Low, Level 1 is one of the Functions assumed to be OPERABLE and capable of initiating the ECCS during the transients analyzed in References 1 and 3. In addition, the Reactor Vessel Water Level - Low Low Low, Level 1 Function is directly assumed in the analysis of the recirculation line break (Ref. 2). The core cooling function of the ECCS, along with the scram action of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level - Low Low Low, Level 1 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

continued BFN-UNIT 2 B 3.3-145

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 1.a 2.a. Reactor Vessel Water Level - Low Low Low Level 1 SAFETY ANALYSES, (LS-3-58A-D) (continued)

LCO, and APPLICABILITY The Reactor Vessel Water Level - Low Low Low, Level 1 Allowable Value is chosen to allow time for the low pressure injection/spray subsystems to activate and provide adequate cooling.

Four channels of Reactor Vessel Water Level - Low Low Low, Level 1 Function are only required to be OPERABLE when the ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude ECCS initiation. Refer to LCO 3.5.1 and LCO 3.5.2, "ECCS - Shutdown," for Applicability Bases for the low pressure ECCS subsystems.

1.b 2.b. D ell Pressure - Hi h (PIS-64-58A-D)

High pressure in the drywell could indicate a break in the reactor coolant pressure boundary (RCPB). The low pressure ECCS is initiated upon receipt of the Drywell Pressure - High Function in order to minimize the possibility of fuel damage.

The Drywell Pressure - High is also utilized in the development of the Common Accident Signal which initiates the DGs and EECW System. (Refer to LCO 3.8.1, "AC Sources - Operating" for operability requirements of the Common Accident Signal Logic). The Drywell Pressure - High Function, along with the Reactor Steam Dome Pressure - Low Function, are directly assumed in the analysis of the recirculation line break (Ref. 2).

The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

continued BFN-UNIT 2 B 3.3-146

ECCS Instrumentation 8 3.3.5.1 BASES APPLICABLE 1.b 2.b. D ell Pressure - Hi h (PIS-64-58A-D) (continued)

SAFETY ANALYSES, LCO, and High drywell pressure signals are initiated from four pressure APPLICABILITY transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary. containment.

The Drywell Pressure - High Function is required to be OPERABLE when ECCS is required to be OPERABLE in conjunction with times when the primary containment is required to be OPERABLE. Thus, four channels of the CS and LPCI Drywell Pressure - High Function are required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single instrument failure can preclude ECCS initiation. In MODES 4 and 5, the Drywell Pressure - High Function is not required, since there is insufficient energy in the reactor to pressurize the primary containment to Drywell Pressure - High setpoint. Refer to LCO 3.5.1 for Applicability Bases for the low pressure ECCS subsystems.

1.c 2.c. Reactor Steam Dome Pressure - Low In ection Permissive and ECCS Initiation (PIS-3-74A and B PIS-68-95 and 96)

Low reactor steam dome pressure signals are used as permissives for the low pressure ECCS subsystems. This ensures that, prior to opening the injection valves of the low pressure ECCS subsystems, the reactor pressure has fallen to a value below these subsystems'aximum design pressure.

The Reactor Steam Dome Pressure - Low is also utilized in the development of the Common Accident Signal which initiates the continued BFN-UNIT 2 B 3.3-147

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 1.c 2.c. Reactor Steam Dome Pressure - Low In ection SAFETY ANALYSES, Permissive and ECCS Initiation LCO, and (PIS-3-74A and B; PIS-68-95 and 96) (continued)

APPLICABILITY DGs and EECW System. (Refer to LCO 3.8.1, "AC Sources-Operating," for operability requirements of the Common Accident Signal Logic). The Reactor Steam Dome Pressure-Low is one of the Functions assumed to be OPERABLE and capable of permitting initiation of the ECCS during the transients analyzed in References 1 and 3. In addition, the Reactor Steam Dome Pressure - Low Function is directly assumed in the analysis of the recirculation line break (Ref. 2).

The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

The Reactor Steam Dome Pressure - Low signals are initiated from four pressure transmitters that sense the reactor dome pressure.

The Allowable Value is low enough to prevent overpressurizing the equipment in the low pressure ECCS, but high enough to ensure that the ECCS injection prevents the fuel peak cladding temperature from exceeding the limits of 10 CFR 50.46.

Four channels of Reactor Steam Dome Pressure - Low Function are only required to be OPERABLE when the ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude ECCS initiation. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.

continued BFN-UNIT 2 B 3.3-148

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 1.d. CoreS ra Pum Dischar e Flow-Low B ass SAFETYANALYSES, (FS-75-21 and 49)

LCO, and APPLICABILITY The minimum flow instruments are provided to protect the (continued) associated CS pumps from overheating when the pump is operating and the associated injection valve is not fully open.

The minimum flow line valve is opened when low flow is sensed, and the valve is automatically closed when the flow rate is adequate to protect the pump. The CS Pump Discharge Flow - Low Function is assumed to be OPERABLE and capable of closing the minimum flow valves to ensure that the CS flows assumed during the transients and accidents analyzed in References 1, 2, and 3 are met. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

One flow switch per CS subsystem is used to detect the associated subsystems'low rates. The logic is arranged such that each flow switch causes 'its associated minimum flow valve to open. The logic will close the minimum flow valve once the closure setpoint is exceeded. The Pump Discharge Flow - Low Allowable Values are high enough to ensure that the pump flow rate is sufficient to protect the pump, yet low enough (based on engineering judgment) to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core.

Each channel of Pump Discharge Flow - Low Function (two CS channels) is only required to be OPERABLE when the associated ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude the ECCS function.

Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.

continued BFN-UNIT 2 B 3.3-149

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 1.e 2.f. Core S ra and Low Pressure Coolant In ection Pum SAFETYANALYSES, Start - Time Dela Rela LCO, and APPLICABILITY The reaction of the low pressure ECCS pumps to an initiation (continued) signal depends on the availability of power. If normal power (offsite power) is not.available, the four RHR (LPCI) pumps start simultaneously after the standby power source (four diesel generators) is available while the CS pumps start simultaneously after a seven-second time delay. This time delay allows the start of LPCI pumps to avoid overloading the diesel generators. When normal power is available, the CS and RHR pump starts are staggered by shutdown board (i.e., A pumps start at 0 seconds, B pumps start at 7 seconds, C pumps start at 14 seconds, and D pumps start at 21 seconds). The purpose of this time delay, when power is being provided from the normal power source (offsite), is to stagger the start of the CS and LPCI pumps, thus limiting the starting transients on the 4.16 kV shutdown buses. The CS and LPCI Pump Start - Time Delay Relays are assumed to be OPERABLE in the accident and transient analyses requiring ECCS initiation. That is, the analyses assume that the pumps will initiate when required and excess loading will not cause failure of the power sources.

There are four CS Pump and six LPCI Pump Start - Time Delay Relays when power is being provided from the normal power source, one in each of the pump start logic circuits (LPCI pumps C and D have two time delay relays, one in each trip system). While each time delay relay is dedicated to a single pump start logic, a single failure of a CS or LPCI Pump Start-Time Delay Relay could result in the loss of normal power to a 4.16 kV shutdown board due to a voltage transient on the associated shutdown bus (e.g., as in the case where ECCS pumps on one shutdown bus start simultaneously due to an continued BFN-UNIT 2 B 3.3-150

ECCS Instrumentation B 3.3.5.1 7

BASES APPLICABLE 1.e 2.f. Core S ra and Low Pressure Coolant In'ection SAFETY ANALYSES, Pum Start - Time Dela Rela (continued)

LCO, and APPLICABILITY inoperable time delay relay). This would result in the affected board being powered by the associated diesel. Therefore, the worst case single failure would be failure of a single pump to start due to a relay failure leaving seven of the eight low pressure ECCS pumps OPERABLE; thus, the single failure criterion is met (i.e., loss of one instrument does not preclude ECCS initiation). Since the CS pumps are 50% capacity pumps, the LOCA analysis does not take credit for a CS loop if one of the pumps is inoperable. Therefore, a 4.16 kV shutdown board failure results in the loss of one RHR pump and one CS loop (two CS pumps) for the LOCA analysis. The Allowable Value for the CS and LPCI Pump Start - Time Delay Relays is chosen to be long enough so that most of the starting transient of the first set of pumps is complete before starting the second set of pumps on the same 4.16 kV shutdown bus and short enough so that ECCS operation is not degraded.

There are also four CS and six LPCI Pump Start - Time Delay Relays when power is being provided by the standby source, one in each of the pump start logic circuits (LPCI pumps C and D have two time delay relays, one in each trip system). While each relay is dedicated to a single pump start logic, a single failure of a Pump Start-Time Delay Relay could result in the failure of the two low pressure ECCS pumps (CS and LPCI) powered from the same shutdown board, to perform their intended function (e.g., as in the case where both ECCS pumps on one shutdown board start simultaneously due to an inoperable time delay relay). This still leaves six of eight low pressure ECCS pumps OPERABLE; thus, the single failure criterion is met (i.e., loss of one instrument does not preclude continued BFN-UNIT 2 B 3.3-151

ECCS Instrumentation

'8 3.3.5.1 BASES APPLICABLE 1.e 2.f. Core S ra and Low Pressure Coolant In ection SAFETY ANALYSES, Pum Start - Time Dela Rela (continued)

LCO, and APPLICABILITY ECCS initiation). As stated above, since the LOCA analysis does not take credit for a CS loop if one of the pumps is inoperable, the loss of a 4.16 kV shutdown board effectively results in the loss of one LPCI pump and one CS loop (two CS pumps). The Allowable Value for the CS and LPCI Pump Start-Time Delay Relays is chosen to be long enough so that most of the starting transient for the LPCI pump is complete before starting the CS pump on the same 4.16 kV shutdown board and short enough so that ECCS operation is not degraded.

Each CS and LPCI Pump Start - Time Delay Relay Function is required to be OPERABLE only when the associated CS and LPCI subsystems are required to be OPERABLE. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the CS and LPCI subsystems.

2.d. Reactor Steam Dome Pressure - Low Recirculation Dischar e Valve Permissive (PS-3-74A and B; PS-68-95 and 96)

Low reactor steam dome pressure signals are used as permissives for recirculation discharge valve closure. This ensures that the LPCI subsystems inject into the proper RPV location assumed in the'safety analysis. The Reactor Steam Dome Pressure - Low is one of the Functions assumed to be OPERABLE and capable of closing the valve during the transients analyzed in References 1 and 3. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Steam Dome Pressure

- Low Function is directly assumed in the analysis of the recirculation line break (Ref. 2).

continued BFN-UNIT 2 B 3.3-152

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 2.e. Reactor Vessel Water Level - Level 0 SAFETYANALYSES, (LIS-3-52 and 62A)

LCO, and APPLICABILITY The Reactor Steam Dome Pressure - Low signals are initiated (continued) from four pressure transmitters that sense the reactor dome pressure.

The Allowable Value is chosen to ensure that the valves close prior to commencement of LPCI injection flow into the core, as assumed in the safety analysis.

Four channels of the Reactor Steam Dome Pressure - Low Function are only required to be OPERABLE in MODES 1, 2, and 3 with the associated recirculation pump discharge valve open. With the valve(s) closed, the function of the instrumentation has been performed; thus, the Function is not required. In MODES 4 and 5, the loop injection location is not critical since LPCI injection through the recirculation loop in either direction will still ensure that LPCI flow reaches the core (i.e., there is no significant reactor steam dome back pressure).

The Level 0 Function is provided as a permissive to allow the RHR System to be manually aligned from the LPCI mode to the suppression pool cooling/spray or drywell spray modes. The permissive ensures that water in the vessel is approximately two thirds core height before the manual transfer is allowed.

This ensures that LPCI is available to prevent or minimize fuel damage. This function may be overridden during accident conditions as allowed by plant procedures. Reactor Vessel Water Level - Level 0 Function is implicitly assumed in the analysis of the recirculation line break (Ref. 2) since the analysis assumes that no LPCI flow diversion occurs when continued 8FN-UNIT 2 B 3.3-153

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 2.e. Reactor Vessel Water Level - Level 0 SAFETY ANALYSES, (LIS-3-52 and 62A) (continued)

LCO, and APPLICABILITY reactor water level is below Level 0. Reac tor Vessel Water Level - Level 0 signals are initiated from two level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Reactor Vessel Water Level - Level 0 Allowable Value is chosen to allow the low pressure core flooding systems to activate and provide adequate cooling before allowing a manual transfer.

Two channels of the Reactor Vessel Water Level - Level 0 Function are only required to be OPERABLE in MODES 1, 2, and 3. In MODES 4 and 5, the specified initiation time of the LPCI subsystems is not assumed, and other administrative controls are adequate to control the valves that this Function isolates (since the systems that the valves are opened for are not required to be OPERABLE in MODES 4 and 5 and are normally not used).

~HPCI S 3.a. Reactor Vessel Water Level - Low Low Level 2 (LIS-3-58A-D)

Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the HPCI System is initiated at Level 2 to maintain level above the top of the active fuel. The Reactor Vessel Water Level - Low Low, Level 2 is continued BFN-UNIT 2 B 3.3-154

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 3.a. Reactor Vessel Water Level - Low Low Level 2 SAFETY ANALYSES, (LIS-3-58A-D) (continued)

LCO, and APPLICABILITY one of the Functions assumed to be OPERABLE and capable of initiating HPCI during the transients analyzed in References 1, 2, and 3. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level - Low Low, Level 2 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level - Low Low, Level 2 Allowable Value is high enough such that for complete loss of feedwater flow, the Reactor Core Isolation Cooling (RCIC) System flow with HPCI assumed to fail will be sufficient to avoid initiation of low pressure ECCS at Reactor Vessel Water Level - Low Low Low, Level 1.

Four channels of Reactor Vessel Water Level - Low Low, Level 2 Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation. Refer to LCO 3.5.1 for HPCI Applicability Bases.

continued BFN-UNIT 2 B 3.3-155

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 3.b. D ell Pressure - Hi h (PIS-64-58A-D)

SAFETYANALYSES, LCO, and High pressure in the drywell could indicate a break in the APPLICABILITY RCPB. The HPCI System is initiated upon receipt of the (continued) Drywell Pressure - High Function in order to minimize the possibility of fuel damage. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

High drywell pressure signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible to be indicative of a LOCA inside primary containment.

Four channels of the Drywell Pressure - High Function are required to be OPERABLE when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation. Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.c. Reactor Vessel Water Level - Hi h Level 8 (LIS-3-208B and 208D)

High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel. Therefore, the Level 8 signal is used to trip the HPCI turbine to prevent overflow into the main steam lines (MSLs). The Reactor Vessel Water Level - High, Level 8 Function is not assumed in the accident and transient analyses.

It was retained since it is a potentially significant contributor to .

risk, thus it meets Criterion 4 of the NRC Policy Statement (Ref. 5).

continued BFN-UNIT 2 B 3.3-156

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 3.c. Reactor Vessel Water Level - Hi h Level 8 SAFETY ANALYSES, (LIS-3-208B and 208D) (continued)

LCO, and APPLICABILITY Reactor Vessel Water Level - Hig h Level 8 si gnals for HPCI are initiated from two level transmitters from the narrow range water level measurement instrumentation. The Reactor Vessel Water Level - High, Level 8 Allowable Value is chosen to prevent flow from the HPCI System from overflowing into the MSLs.

Two channels of Reactor Vessel Water Level - High, Level 8 Function are required to be OPERABLE only when HPCI is required to be OPERABLE. Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.d. Condensate Header Level - Low (LS-73-56A and B)

Low level in the CST indicates the unavailability of an adequate supply of makeup water from this normal source. Normally the suction valves between HPCI and the CST are open and, upon receiving a HPCI initiation signal, water for HPCI injection would be taken from the CST. However, if the water level in the HPCI pump supply header from the CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. This ensures that an adequate supply of makeup water is available to the HPCI pump. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CST suction valve automatically closes. The Function is implicitly assumed in the accident and transient analyses (which take credit for HPCI) since the analyses assume that the HPCI suction source is the suppression pool.

continued BFN-UNIT 2 B 3.3-157

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 3.d. Condensate Header Level - Low (LS-73-56A and 8)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY Condensate Header Level - Low si g na I s are Initiated from two level switches. The logic is arranged such that either level switch can cause the suppression pool suction valves to open and the CST suction valve to close. The Condensate Header Level - Low Function Allowable Value is high enough to ensure adequate pump suction head while water is being taken from the CST.

One channel of the Condensate Header Level - Low Function is required to be OPERABLE only when HPCI is required to be OPERABLE. Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.e. Su ression Pool Water Level - Hi h (LS-7S-57A and B)

Excessively high suppression pool water could result in the loads on the suppression pool exceeding design values should there be a /lowdown of the reactor vessel pressure through the safety/relief valves. Therefore, signals indicating high suppression pool water level are used to transfer the suction source of HPCI from the CST to the suppression pool to eliminate the possibility of HPCI continuing to provide additional water from a source outside containment. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CST suction valve automatically closes.

This Function is implicitly assumed in the accident and transient analyses (which take credit for HPCI) since the analyses assume that the HPCI suction source is the suppression pool.

continued BFN-UNIT 2 B 3.3-158

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 3.e. Su ression Pool Water Level - Hi h (LS-73-57A and B)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY Su pp ression Pool Water Level - Hig h si g nals are initiated fro m two level switches. The logic is arranged such that either switch can cause the suppression pool suction valves to open and the CST suction valve to close. The Allowable Value for the Suppression Pool Water Level - High Function is chosen to ensure that HPCI will be aligned for suction from the suppression pool before the water level reaches the point at which suppression pool design loads would be exceeded.

One channel of Suppression Pool Water Level - High Function is required to be OPERABLE only when HPCI is required to be OPERABLE. Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.f. Hi h Pressure Coolant In'ection Pum Dischar e Flow-

~l- 8 (FIS-73-33)

The minimum flow instrument is provided to protect the HPCI pump from overheating when the pump is operating at reduced flow. The minimum flow line valve is opened when low flow is sensed, and the valve is automatically closed when the flow rate is adequate to protect the pump. The High Pressure Coolant Injection Pump Discharge Flow - Low Function will close the minimum flow valve, but is not required to ensure that the ECCS flow assumed during the transients and accidents analyzed in References 2 and 3 is met. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

continued BFN-UNIT 2 B 3.3-159

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 3.f. Hi h Pressure Coolant In'ection Pum Dischar e Flow-SAFEYYANAIYSES, ~LS (FIS-73-33) ( II ~)

LCO, and APPLICABILITY One flow switch is used to detect the HPCI S ystem's flow rat e.

The logic is arranged such that the switch causes the minimum flow valve to open. The logic will close the minimum flow valve once the closure setpoint is exceeded.

The High Pressure Coolant Injection Pump Discharge Flow-Low Allowable Value is high enough to ensure that pump flow rate is sufficient to protect the pump, yet low enough (based on engineering judgment) to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core.

One channel is required to be OPERABLE when the HPCI is required to be OPERABLE. Refer to LCO 3.5.1 for HPCI Applicability Bases.

Automatic De ressurization S stem 4.a 5.a. Reactor Vessel Water Level - Low Low Low Level 1 (LS-3-58A-D)

Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, ADS receives one of the signals necessary for initiation from this Function. The Reactor Vessel Water Level - Low Low Low, Level 1 is one of the Functions assumed to be OPERABLE and capable of initiating the ADS during the accident analyzed in Reference 2.

The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

continued BFN-UNIT 2 B 3.3-160

ECCS Instrumentation 8 3.3.5.1 BASES APPLICABLE 4.a 5.a. Reactor Vessel Water Level - Low Low Low Level 1 SAFETY ANALYSES, (LS-3-58A-D) (continued)

LCO, and APPLICABILITY Reactor Vessel Water Level - Low Low Low, Level 1 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low Low Low, Level 1 Function are required to be OPERABLE only when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two channels input to ADS trip system A, while the other two channels input to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

The Reactor Vessel Water Level - Low Low Low, Level 1 Allowable Value is chosen to allow time for the low pressure core flooding systems to initiate and provide adequate cooling.

4.b 5.b. D ell Pressure - Hi h (PIS-64-57A-D)

High pressure in the drywell could indicate a break in the RCPB. Therefore, ADS receives one of the signals necessary for initiation from this Function in order to minimize the possibility of fuel damage. The Drywell Pressure - High is assumed to be OPERABLE and capable of initiating the ADS during the accidents analyzed in Reference 2. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Drywell Pressure - High signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment.

continued BFN-UNIT 2 B 3.3-161

ECCS Instrumentation 8 3.3.5.1 BASES APPLICABLE 4.b 5.b. D ell Pressure - Hi h (PIS-64-57A-D)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY Four channels of D rywell Pressure - High Fu n c tion are only required to be OPERABLE when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two channels input to ADS trip system A, while the other two channels input to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.c 5.c. Automatic De ressurization S stem Initiation Timer The purpose of the Automatic Depressurization System Initiation Timer is to delay depressurization of the reactor vessel to allow the HPCI System time to maintain reactor vessel water level. Since the rapid depressurization caused by ADS operation is one of the most severe transients on the reactor vessel, its occurrence should be limited. By delaying initiation of the ADS Function, the operator is given the chance to monitor the success or failure of the HPCI System to maintain water level, and then to decide whether or not to allow ADS to initiate, to delay initiation further by recycling the timer, or to inhibit initiation permanently. The Automatic Depressurization System Initiation Timer Function is assumed to be OPERABLE for the accident analyses of Reference 2 that require ECCS initiation.

There are two Automatic Depressurization System Initiation Timer relays, one in each of the two ADS trip systems. The Allowable Value for the Automatic Depressurization System Initiation Timer is chosen so that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling.

continued BFN-UNIT 2 B 3.3-162

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 4.c 5.c. Automatic De ressurization S stem Initiation Timer SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY Two channels of the Automatic De p re s su nztinSytm

'o s e Initiation Timer Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.d 5.d. Reactor Vessel Water Level - Low Level 3

~Cf t (I-18-3-184 d 185)

The Reactor Vessel Water Level - Low, Level 3 (Confirmatory)

Function is used by the ADS only as a confirmatory low water level signal. ADS receives one of the signals necessary for initiation from Reactor Vessel Water Level - Low Low Low, Level 1 signals. In order to prevent spurious initiation of the ADS due to spurious Level 1 signals, a Level 3 (Confirmatory) signal must also be received before ADS initiation commences.

Reactor Vessel Water Level - Low, Level 3 (Confirmatory) signals are initiated from two level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

Two channels of Reactor Vessel Water Level - Low, Level 3 (Confirmatory) Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

continued BFN-UNIT 2 B 3.3-163

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 4.e 4.f 5.e 5.f. Core S ra and Low Pressure Coolant SAFETY ANALYSES, In'ection Pum Dischar e Pressure - Hi h LCO, and (PS-75-7, 16, 35, 44 and PS-74-8A and B, -1 9A and B, -31A APPLICABILITY and 8, -42A and B)

(continued)

The Pump Discharge Pressure - High signals from the CS and LPCI pumps are used as permissives for ADS initiation, indicating that there is a source of low pressure cooling water available once the ADS has depressurized the vessel. Pump Discharge Pressure - High is one of the Functions assumed to be OPERABLE and capable of permitting ADS initiation during the events analyzed in Reference 2 with an assumed HPCI failure. For these events the ADS depressurizes the reactor vessel so that the low pressure ECCS can perform the core cooling functions. This core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Pump discharge pressure signals are initiated from twelve pressure switches, two on the discharge side of each RHR (LPCI) pump and one on the discharge side of each CS pump.

There are two ADS low pressure ECCS pump permissives in each trip system. Each of these permissives receives inputs from all four RHR (LPCI) pumps (different signals for each permissive) and two CS pumps, one from each subsystem (different pumps for each permissive). In order to generate an ADS permissive in one trip system, it is necessary that only one LPCI pump or two CS pumps (CS pumps A or B and either C or D) indicate the high discharge pressure condition. The Pump Discharge Pressure - High Allowable Value is less than the pump discharge pressure when the pump is operating in a full flow mode and high enough to avoid any condition that results in a discharge pressure permissive when the CS and LPCI pumps are aligned for injection and the pumps are not running.

continued BFN-UNIT 2 B 3.3-164

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 4.e 4.f 5.e 5.f. Core S ra and Low Pressure Coolant SAFETYANALYSES, In'ection Pum Dischar e Pressure - Hi h LCO, and (PS-75-7, 16, 35, 44 and PS-74-8A and B, -1 9A and B, -31A APPLICABILITY and B, -42A and B) (continued)

The actual operating point of this function is not assumed in any transient or accident analysis. However, this function is indirectly assumed to operate (in Reference 2) to provide the ADS permissive to depressurize the RCS to allow the ECCS low pressure systems to operate.

Twelve channels of Core Spray and Low Pressure Coolant Injection Pump Discharge Pressure - High Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Four CS channels associated with CS pumps A through D and eight LPCI channels associated with LPCI pumps A through D are required for both trip systems.

Refer to LCO 3.5.1 for ADS Applicability Bases.

4. 5.. Automatic De ressurization S stem Hi h D ell Pressure 8 ass Timer One of the signals required for ADS initiation is Drywell Pressure - High. However, if the event requiring ADS initiation occurs outside the drywell (e.g., main steam line break outside containment), a high drywell pressure signal may never be present. Therefore, the Automatic Depressurization System High Drywell Pressure Bypass Timer is used to bypass the Drywell Pressure - High Function after a certain time period has elapsed. Operation of the Automatic Depressurization System High Drywell Pressure Bypass Timer Function is not assumed in any accident analysis. The instrumentation was installed to meet requirements of NUREG-0737, Item II.K.3.18 (Ref. 6) and is retained in the TS because ADS is part of the primary success path for mitigation of a DBA.

continued BFN-UNIT 2 8 3.3-165

ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 4. 5.. AutomaticDe ressurizationS stemHi hD ell SAFETY ANALYSES, Pressure B ass Timer (continued)

LCO, and APPLICABILITY There are four Automatic De p ressu rizatio nSy s te mHighDrywell Pressure Bypass Timer relays, two in each of the two ADS trip systems. The Allowable Value for the Automatic Depressurization System High Drywell Pressure Bypass Timer is chosen to ensure that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling.

Two channels in each trip system of the Automatic Depressurization System High Drywell Pressure Bypass Timer Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Refer to LCO 3.5.1 for ADS Applicability Bases.

ACTIONS A Note has been provided to modify the ACTIONS related to ECCS instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition.

Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition.

However, the Required Actions for inoperable ECCS instrumentation channels provide appropriate compensatory measures for separate inoperable Condition entry for each inoperable ECCS instrumentation channel.

continued BFN-UNIT 2 8 3.3-166

ECCS Instrumentation 8 3.3.5.1 BASES ACTIONS A.1 (continued)

Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.1-1. The applicable Condition referenced in the table is Function dependent. Each time a channel is discovered inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.

B.1 B.2 and B.3 Required Actions B.1 and B.2 are intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in redundant automatic initiation capability being lost for the feature(s).

Required Action B.1 features would be those that are initiated by Functions 1.a, 1.b, 2.a, and 2.b (e.g., low pressure ECCS).

The Required Action B.2 system would be HPCI. For Required Action 8.1, redundant automatic initiation capability is lost if (a) two or more Function 1.a channels are inoperable and untripped such that both trip systems lose initiation capability, (b) two or more Function 2.a channels are inoperable and untripped such that both trip systems lose initiation capability, (c) two or more Function 1.b channels are inoperable and untripped such that both trip systems lose initiation capability, or (d) two or more Function 2.b channels are inoperable and untripped such that both trip systems lose initiation capability.

For low pressure ECCS, since each inoperable channel would have Required Action B.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system of low pressure ECCS to be declared inoperable. However, since channels in both associated low pressure ECCS subsystems (e.g., both CS continued BFN-UNIT 2 B 3.3-167

ECCS Instrumentation 8 3.3.5.1 BASES ACTIONS 8.1 8.2 and 8.3 (continued) subsystems) are inoperable and untripped, and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in the associated low pressure ECCS being concurrently declared inoperable.

For Required Action 8.2, automatic HPCI initiation capability is lost if two or more Function 3.a or two or more Function 3.b channels are inoperable and untripped such that the trip system loses initiation capability. In this situation (loss of automatic HPCI initiation capability), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Action 8.3 is not appropriate and the HPCI System must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . As noted (Note 1 to Required Action 8.1), Required Action 8.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the low pressure ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of initiation capability for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (as allowed by Required Action 8.3) is allowed during MODES 4 and 5. There is no similar Note provided for Required Action 8.2 since HPCI instrumentation is not required in MODES 4 and 5; thus, a Note is not necessary.

Notes are also provided (Note 2 to Required Action 8.1 and the Note to Required Action 8.2) to delineate which Required Action is applicable for each Function that requires entry into Condition 8 if an associated channel is inoperable. This ensures that the proper loss of initiation capability check is performed. Required Action 8.1 (the Required Action for certain inoperable channels in the low pressure ECCS subsystems) is not applicable to Function 2.e, since this Function provides backup to administrative controls ensuring that operators do not divert LPCI flow from injecting into the core when needed. Thus, a total loss of Function 2.e capability for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed, since the LPCI subsystems remain capable of performing their intended function.

continued BFN-UNIT 2 8 3.3-168

i ECCS Instrumentation B 3.3.5.1 BASES ACTIONS B.1 B.2 and B.3 (continued)

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action B.1, the Completion Time only begins upon discovery that redundant features in the same system (e.g.,

both CS subsystems) cannot be automatically initiated due to inoperable, untripped channels within the same Function as described in the paragraph above. For Required Action B.2, the Completion Time only begins upon discovery that the HPCI System cannot be automatically initiated due to inoperable, untripped channels within the same Function as described in the paragraph above. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months has been shown to be acceptable (Ref. 4) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action B.3. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation),

Condition H must be entered and its Required Action taken.

continued BFN-UNIT 2 B 3.3-169

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS C.1 and C.2 (continued)

Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the same Function result in redundant automatic initiation capability being lost for the feature(s). Required Action C.1 features would be those that are initiated by Functions 1.c, 2.c, 1.e, 2.d, and 2.f (i.e., low pressure ECCS). Redundant automatic initiation capability is lost if either (a) four Function 1.c channels are inoperable (i.e., both channels in both trip systems are inoperable), (b) two or more Function 2.c channels are inoperable such that both trip systems lose initiation capability, (c) two or more Function.2.d channels are inoperable such that both trip systems lose initiation capability, (d) one or more Function 1.e channels are inoperable in both trip systems (i.e.,

at least one CS pump in both subsystems ~s affected), or (e) multiple Function 2.f channels are inoperable such that the trip systems cannot start both LPCI pumps in at least one subsystem. In this situation (loss of redundant automatic initiation capability), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Action C.2 is not appropriate and the feature(s) associated with the inoperable channels must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . Since each inoperable channel would have Required Action C.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system to be declared inoperable. However, since channels for both low pressure ECCS subsystems are inoperable (e.g., both CS subsystems), and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in both subsystems being concurrently declared inoperable. For Functions 1.c, 2.c, 1.e, 2.d, and 2.f, the affected portions are the associated low pressure ECCS pumps. As noted (Note 1), Required Action C.1 is only applicable in MODES 1, 2, and 3.

continued BFN-UNIT 2 B 3.3-170

ECCS Instrumentation B 3.3".5.1 BASES ACTIONS C.1 and C.2 (continued)

In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of automatic initiation capability for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (as allowed by Required Action C.2) is allowed during MODES 4 and 5.

Note 2 states that Required Action C.1 is only applicable for Functions 1.c, 2.c, 1.e, 2.d, and 2.f. Required Action C.1 is also not applicable to Function 3.c (which also requires entry into this Condition if a channel in this Function is inoperable). The loss of one Function 3.c channel results in a loss of the Function (two-out-of-two logic). This loss was considered during the development of Reference 4 and considered acceptable for the 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed by Required Action C.2.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action C.1, the Completion Time only begins upon discovery that redundant features in the same system (e.g.,

both CS subsystems) cannot be automatically initiated due to inoperable channels within the same Function as described in the paragraph above. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels.

continued BFN-UNIT 2 B 3.3-171

ECCS Instrumentation

'B 3.3.5.1 BASES ACTIONS C.1 and C.2 (continued)

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months has been shown to be acceptable (Ref. 4) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would either cause the initiation or it would not necessarily result in a safe state for the channel in all events.

D.1 Required Action D.1 is intended to ensure that appropriate actions are taken if an inoperable, untripped channel within the same Function results in a complete loss of automatic component initiation capability for the HPCI System. Since Table 3.3.5.1-1 only requires one channel to be OPERABLE, automatic component initiation capability is lost if the one required Function 3.d channel or the one required Function 3.e channel is inoperable and untripped. In this situation (loss of automatic suction swap), the HPCI system must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . As noted, Required Action D.1 is only applicable if the HPCI pump suction is not aligned to the suppression pool, since, if aligned, the Function is already performed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

continued 8FN-UNIT 2 B 3.3-172

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS E.1 and E.2 (continued)

Required Action E.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the Core Spray Pump Discharge Flow - Low Bypass Function results in redundant automatic initiation capability being lost for the feature(s). Automatic initiation capability of the Core Spray Pump Discharge Flow - Low (Bypass) Function in both CS subsystems is lost if two Function 1.d channels are inoperable.

In this situation (loss of capability for both subsystems), the 7 day allowance of Required Action E.2 is not appropriate and the subsystem associated with each inoperable channel must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . Since each inoperable channel would have Required Action E.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected CS pump to be declared inoperable.

However, since channels for both CS subsystems are inoperable, and the completion times started concurrently for both channels this results in all four CS pumps being concurrently declared inoperable. As noted (Note 1 to Required Action E.1), Required Action E.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of initiation capability for 7 days (as allowed by Required Action E.2) is allowed during MODES 4 and 5. A Note is also provided (Note 2 to Required Action E.1) to delineate that Required Action E.1 is only applicable to Function 1.d. Required Action E.1 is not applicable to HPCI Function 3.f since the loss of one channel results in a loss of the Function (one-out-of-one logic). This loss was considered during the development of Reference 4 and considered acceptable for the 7 days allowed by Required Action E.2.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

continued BFN-UNIT 2 B 3.3-173

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS E.1 and E.2 (continued)

For Required Action E.1, the Completion Time only begins upon discovery that a redundant feature in the same system (e.g.,

both CS subsystems) cannot be automatically initiated due to inoperable channels. within the same Function as described in the paragraph above. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels.

If the instrumentation that controls the CS pump minimum flow valve is inoperable, such that the valve will not automatically open, extended CS pump operation with no injection path available could lead to pump overheating and failure. If there were a failure of the instrumentation, such that the valve would not automatically close, a portion of the pump flow could be diverted from the reactor vessel injection path, causing insufficient core cooling. These consequences can be averted by the operator's manual control of the valve, which would be adequate to maintain ECCS pump protection and required flow.

Furthermore, other ECCS pumps would be sufficient to complete the assumed safety function if no additional single failure were to occur. The 7 day Completion Time of Required Action E.2 to restore the inoperable channel to OPERABLE status is reasonable based on the remaining capability of the associated ECCS subsystems, the redundancy available in the ECCS design, and the low probability of a DBA occurring during the allowed out of service time. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.

continued BFN-UNIT 2 8 3.3-174

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS F.1 and F.2 (continued)

Required Action F.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within similar ADS trip system A and 8 Functions result in redundant automatic. initiation capability being lost for the ADS.

Redundant automatic initiation capability is lost if either (a) one or more Function 4.a channels and one or more Function G.a channels are inoperable and untripped, (b) one or more Function 4.b channels and one or more Function 5.b channels are inoperable and untripped, or (c) one or more Function 4.d channels and one or more Function 5.d channels are inoperable and untripped.

In this situation (loss of automatic initiation capability), the 96 hour0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months or 8 day allowance, as applicable;of Required Action F.2 is not appropriate and all ADS valves must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after discovery of loss of ADS initiation capability.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action F.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable, untripped channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

continued BFN-UNIT 2 B 3.3-175

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS F.1 and F.2 (continued)

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 4) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE. If either HPCI or RCIC is inoperable, the time is shortened to 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months . If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months , the 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable, untripped channel cannot exceed 8 days. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable, untripped channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action F.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition H must be entered and its Required Action taken.

continued BFN-UNIT 2 B 3.3-176

ECCS Instrumentation

'B 3.3.5.1 BASES ACTIONS G.1 and G.2 (continued)

Required Action G.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within similar ADS trip system Functions result in automatic initiation capability being lost for the ADS. Automatic initiation capability is lost if either (a) one Function 4.c channel and one Function 5.c channel are inoperable, (b) a combination of Function 4.e, 4.f, 5.e, and 5.f channels are inoperable such that channels associated with five or more low pressure ECCS pumps are inoperable, or (c) one or more Function 4.g channels and one or more Function 5.g channels are inoperable.

In this situation (loss of automatic initiation capability), the 96 hour0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months or 8 day allowance, as applicable, of Required Action G.2 is not appropriate, and all ADS valves must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after discovery of loss of ADS initiation capability.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action G.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

continued BFN-UNIT 2 B 3.3-177

ECCS Instrumentation B 3.3.5.1 BASES ACTIONS G.1 and G.2 (continued)

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 4) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE (Required Action G.2). If either HPCI or RCIC is inoperable, the time shortens to 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months . If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months , the 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable channel cannot exceed 8 days. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.

H.1 With any Required Action and associated Completion Time not met, the associated feature(s) may be incapable of performing the intended function, and the supported feature(s) associated with inoperable untripped channels must be declared inoperable immediately.

(continued)

BFN-UNIT 2 B 3.3-178

0 ECCS Instrumentation B 3.3.5.1 BASES (continued)

SURVEILLANCE As noted in the beginning of the SRs, the SRs for each ECCS REQUIREMENTS instrumentation Function are found in the SRs column of Table 3.3.5.1-1.

The Surveillances are modified by a second Note (Note 2) to indicate that when a.channel is placed in an inoperable status solely for performance of required Suweillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months as follows: (a) for Functions 3.c and 3.f; and (b) for Functions other than 3.c and 3.f provided the associated Function or redundant Function maintains ECCS initiation capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 4) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the ECCS will initiate when necessary.

SR 3.3.5.1.1 Performance of the CHANNEL CHECK once every 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

continued BFN-UNIT 2 B 3.3-179

ECCS Instrumentation B 3.3.5.1 BASES SURVEILLANCE SR 3.3.5.1.1 (continued)

REQUIREMENTS Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication, that the instrument has drifted outside its limit.

The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.5.1.2 A CHANNEL FUNCTIONALTEST is performed on each required channel to ensure that the entire channel will perform the intended function.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days is based on the reliability analyses of Reference 4.

continued BFN-UNIT 2 B 3.3-180

ECCS Instrumentation B 3.3.5.1 BASES SURVEILLANCE SR 3.3.5.1.3 SR 3.3.5.1.4 and SR 3.3.5.1.5 REQUIREMENTS (continued) A CHANNEL CALIBRATIONis a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy.. CHANNEL CALIBRATIONleaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequencies of SR 3.3.5.1.3, SR 3.3.5.1.4, and SR 3.3.5.1.5 are based upon the magnitude of equipment drift in the setpoint analysis.

SR 3.3.5.1.6 The LOGIC SYSTEM FUNCTIONALTEST demonstrates the OPERABILITYof the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.1, LCO 3.5.2, LCO 3.7.2, and LCO 3.8.1 overlaps this Surveillance to complete testing of the assumed safety function.

The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown that these components usually pass the Surveillance when performed at the 18 month Frequency.

(continued)

BFN-UNIT 2 B 3.3-181

ECCS Instrumentation

.B 3.3.5.1 BASES (continued)

REFERENCES 1. FSAR, Section 8.5.

2. FSAR, Section 6.5.

3. FSAR, Chapter 14.

4. NEDC-30936-P-A, "BWR Owners'roup Technical Specification Improvement Analyses for ECCS Actuation Instrumentation, Part 2," December 1988.

5. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

6. NUREG-0737, "Clarification of TMI Action Plan Requirements," October 31, 1980.

BFN-UNIT 2 B 3.3-1 82

RCIC System Instrumentation B 3.3.5.2 B 3.3 INSTRUMENTATION B 3.3.5.2 Reactor Core Isolation Cooling (RCIC) System Instrumentation BASES BACKGROUND The purpose of the RCIC System instrumentation is to initiate actions to ensure adequate core cooling when the reactor vessel is isolated from its primary heat sink (the main condenser) and normal coolant makeup flow from the Reactor Feedwater System is unavailable, such that initiation of the low pressure Emergency Core Cooling Systems (ECCS) pumps does not occur. A more complete discussion of RCIC System operation is provided in the Bases of LCO 3.5.3, "RCIC System."

The RCIC System may be initiated by either automatic or manual means. Automatic initiation occurs for conditions of reactor vessel Low Low water level. The variable is monitored by four transmitters that are connected to four trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic arrangement.

Once initiated, the RCIC logic seals in and can be reset by the operator only when the reactor vessel water level signals have cleared.

The RCIC'test line isolation valve is closed on a RCIC initiation signal to allow full system flow.

There are two sources of water for RCIC operation. Reactor grade water in the CST is the normal source and the suppression pool is the alternate source. Although the RCIC System does not monitor the water levels in the High Pressure Coolant Injection (HPCI) supply header from the condensate continued BFN-UNIT 2 B 3.3-1 83

RCIC System Instrumentation B 3.3.5.2 BASES BACKGROUND storage tank (CST) and the suppression pool, administrative (continued) controls are in place that direct the transfer from the CST to the suppression pool when the HPCI System automatically transfers on low HPCI pump supply header level or high suppression pool level.

The RCIC System provides makeup water to the reactor until the reactor vessel water level reaches the high water level (Level 8) trip (two-out-of-two logic), at which time the RCIC steam supply closes and the minimum flow valve closes, if open. The RCIC System restarts if vessel level again drops to the low level initiation point (Level 2).

APPLICABLE The function of the RCIC System to provide makeup coolant to SAFETYANALYSES, the reactor is used to respond to transient events. The LCO, and RCIC System is not an Engineered Safety Feature System and APPLICABILITY no credit is taken in the safety analyses for RCIC System operation. Based on its contribution to the reduction of overall plant risk, however, the system, and therefore its instrumentation me'ets Criterion 4 of the NRC Policy Statement (Ref. 2). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITYof the RCIC System instrumentation is dependent upon the OPERABILITYof the individual instrumentation channel Functions specified in Table 3.3.5.2-1.

Each Function must have a required number of OPERABLE channels with their setpoints within the specified Allowable Values, where appropriate. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The setpoint is calibrated consistent with applicable setpoint methodology assumptions (nominal trip setpoint).

continued BFN-UNIT 2 B 3.3-184

RCIC System Instrumentation B 3.3.5.2 BASES APPLICABLE Allowable Values are specified for each RCIC System SAFETY ANALYSES, instrumentation Function specified in the Table. Nominal trip LCO, and setpoints are specified in the setpoint calculations. The APPLICABILITY nominal setpoints are selected to ensure that the setpoints do (continued) not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Each Allowable Value specified accounts for instrument uncertainties appropriate to the Function. These uncertainties are described in the setpoint methodology.

The individual Functions are required to be OPERABLE in MODE 1, and in MODES 2 and 3 with reactor steam dome pressure ) 150 psig since this is when RCIC is required to be OPERABLE. (Refer to LCO 3.5.3 for Applicability Bases for the RCIC System.)

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

1. Reactor Vessel Water Level - Low Low Level 2 (LIS-3-58A-D)

Low reactor pressure vessel (RPV) water level indicates that normal feedwater flow is insufficient to maintain reactor vessel water level and that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the RCIC System is initiated at Level 2 to assist in maintaining water level above the top of the active fuel.

continued BFN-UNIT 2 B 3.3-185

0 RCIC System Instrumentation B 3.3.5.2 BASES APPLICABLE 1. Reactor Vessel Water Level - Low Low Level 2 SAFETYANALYSES, (LIS-3-58A-D) (continued)

LCO, and APPLICABILITY Reactor Vessel Water Level - Low Low, Level 2 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level - Low Low, Level 2 Allowable Value is set high 'enough such that for complete loss of feedwater flow, the RCIC System flow with high pressure coolant injection assumed to fail will be sufficient to avoid initiation of low pressure ECCS at Level 1.

Four channels of Reactor Vessel Water Level - Low Low, Level 2 Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC initiation.

Refer to LCO 3.5.3 for RCIC Applicability Bases.

2. Reactor Vessel Water Level - Hi h Level 8 (LIS-3-208A and 208C)

High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel. Therefore, the Level 8 signal is used to close the RCIC steam supply valve to prevent overflow into the main steam lines (MSLs).

Reactor Vessel Water Level - High, Level 8 signals for RCIC are initiated from two level transmitters from the narrow range water level measurement instrumentation, which sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

continued BFN-UNIT 2 B 3.3-186

RCIC System Instrumentation B 3.3.5.2 BASES APPLICABLE 2. Reactor Vessel Water Level - Hi h Level 8 SAFETY ANALYSES, (LIS-3-208A and 208C) (continued)

LCO, and APPLICABILITY The Reactor Vessel Water Level - Hig, h Leve I 8 Allowable Value is high enough to preclude closing the RCIC steam supply valve, yet low enough to trip the RCIC System prior to water overflowing into the MSLs.

Two channels of Reactor Vessel Water Level - High, Level 8 Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE. Refer to LCO 3.5.3 for RCIC Applicability Bases.

ACTIONS A Note has been provided to modify the ACTIONS related to RCIC System instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required of the Condition continue to apply for each additional 'ctions failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable RCIC System instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable RCIC System instrumentation channel.

continued BFN-UNIT 2 B 3.3-1 87

RCIC System Instrumentation B 3.3.5.2 BASES ACTIONS A. I (continued)

Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.2-1. The applicable Condition referenced in the Table is Function dependent. Each time a channel is discovered to be inoperable, Condition A is entered for that channel and provides. for transfer to the appropriate subsequent Condition.

B.1 and B.2 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic initiation capability for the RCIC System. In this situation (loss of automatic initiation capability), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Action B.2 is not appropriate, and the RCIC System must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after discovery of loss of RCIC initiation capability.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action B.1, the Completion Time only begins upon discovery that the RCIC System cannot be automatically initiated due to two or more inoperable, untripped Reactor Vessel Water Level - Low Low, Level 2 channels such that the trip system loses initiation capability. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

continued BFN-UNIT 2 B 3.3-188

RCIC System Instrumentation B 3.3.5.2 BASES ACTIONS 8.1 and B.2 (continued)

Because of the redundancy of sensors available to provide initiation signals and the fact that the RCIC System is not assumed in any accident or transient analysis, an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months has been shown to be acceptable (Ref. 1) to permit restoration of any inoperable channel to OPERABLE status. For conservatism, in some transient analyses, RCIC flow rates were used rather than HPCI flow rates. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action B.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition D must be entered and its Required Action taken.

C.1 A risk based analysis was performed and determined that an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (Ref. 1) is acceptable to permit restoration of any inoperable channel to OPERABLE status (Required Action C.1). A Required Action (similar to Required Action B.1) limiting the allowable out of service time, if a loss of automatic RCIC initiation capability exists, is not required. This Condition applies to the Reactor Vessel Water Level - High, Level 8 Function whose logic is arranged such that any inoperable channel will result in a loss of automatic RCIC initiation capability. As stated above, this loss of automatic RCIC initiation capability was analyzed and determined to be acceptable. The Required Action does not allow placing a channel in trip since this action would not necessarily result in a safe state for the channel in all events.

continued BFN-UNIT 2 B 3.3-189

RCIC System Instrumentation B 3.3.5.2 BASES ACTIONS D.1 (continued)

With any Required Action and associated Completion Time not met, the RCIC System may be incapable of performing the intended function, and the RCIC System must be declared inoperable immediately.

SURVEILLANCE As noted in the beginning of the SRs, the SRs for each RCIC REQUIREMENTS System instrumentation Function are found in the SRs column of Table 3.3.5.2-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed as follows:

(a) for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months for Function 2; and (b) for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months for Function 1, provided the associated Function maintains trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 1) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the RCIC will initiate when necess'ary.

continued BFN-UNIT 2 B 3.3-190

RCIC System Instrumentation 8 3.3.5.2 BASES SURVEILLANCE SR 3.3.5.2.1 REQUIREMENTS (continued) Performance of the CHANNEL CHECK once every 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a parameter on other similar channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

continued BFN-UNIT 2 B 3.3-191

0, RCIC System Instrumentation B 3.3.5.2 BASES SURVEILLANCE SR 3.3.5.2.2 REQUIREMENTS (continued) A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology The Frequency of 92 days is based on the reliability analysis of Reference 1.

SR 3.3.5.2.3 A CHANNEL CALIBRATIONis a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATIONleaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency of SR 3.3.5.2.3 is based upon the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

continued BFN-UNIT 2 8 3.3-192

RCIC System Instrumentation B 3.3.5.2 BASES SURVEILLANCE SR 3.3.5.2.4 REQUIREMENTS (continued) The LOGIC SYSTEM FUNCTIONALTEST demonstrates the OPERABILITYof the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.3 overlaps this Surveillance to provide complete testing of the safety function.

The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown that these components usually pass the Surveillance when performed at the 18 month Frequency.

REFERENCES 1. GENE-770-06-2, "Addendum to Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991.

2. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

BFN-UNIT 2 B 3.3-193

0 Primary Containment Isolation Instrumentation B 3.3.6.1 B 3.3 INSTRUMENTATION B 3.3.6.1 Primary Containment Isolation Instrumentation BASES BACKGROUND The primary containment isolation instrumentation automatically initiates closure of appropriate primary containment isolation valves (PCIVs). The function of the PCIVs, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs). Primary containment isolation within the time limits specified for those isolation valves designed to close automatically ensures that the release of radioactive material to the environment will be consistent with the assumptions used in the analyses for a DBA.

The isolation instrumentation includes the sensors, relays, and switches that are necessary to cause initiation of primary containment and reactor coolant pressure boundary (RCPB) isolation. Most channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a primary containment isolation signal to the isolation logic. Functional diversity is provided by monitoring a wide range of independent parameters. The input parameters to the isolation logics are (a) reactor vessel water level, (b) area ambient temperatures, (c) main steam line (MSL) flow measurement, (d) Standby Liquid Control (SLC) System initiation, (e) main steam line pressure, (f) high pressure coolant injection (HPCI) and reactor core isolation cooling (RCIC) steam line flow, (g) drywell pressure, (h) HPCI and RCIC steam line pressure, (i) HPCI and RCIC turbine exhaust diaphragm pressure, and (j) reactor steam dome pressure. Redundant sensor input signals from each parameter are provided for initiation of isolation. The only exception is SLC System initiation.

continued BFN-UNIT 2 B 3.3-1 94

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES BACKGROUND Primary containment isolation instrumentation has inputs to the (continued) trip logic of the isolation functions listed below.

1. Main Steam Line Isolation The MSL Isolation Reactor Vessel Water Level - Low Low Low, Level 1 and Main Steam Line Pressure - Low Functions each contain four channels. One channel for each function is provided in each of the four Primary Containment Isolation System (PCIS) trip channels (trip channels A1 and A2 for PCIS trip system A and trip channels B1 and B2 for PCIS trip system B). The Main Steam Line Flow - High and Main Steam Tunnel Temperature - High Functions each contain 16 channels. Each PCIS trip channel receives four inputs from each of these functions, one flow input from each MSL and one temperature input from each of the four areas monitored. Any one of these inputs will trip the associated PCIS trip channel.

The PCIS trip channel output relays are arranged in logic systems for the Main Steam Isolation Valves (separate logic systems for the inboard and outboard valves) such that PCIS trip channels A1 or A2 and B1 or B2 must trip (one-out-of-two taken twice logic) to cause an isolation of the IVIain Steam Isolation Valves (MSIVs).

The PCIS trip channel output relays are arranged in logic systems for the MSL Drain Valves and Recirculation Loop Sample Valves such that both PCIS trip channels A1 and B1 must trip to isolate the inboard valves and both PCIS trip channels A2 and B2 must trip to isolate the outboard valves.

This is effectively a two-out-of-two logic for each valve. The Recirculation Loop Sample Valves are isolated only by the Reactor Vessel Water Level - Low Low Low, Level 1.Function.

MSL Isolation Functions isolate the Group 1 valves as described above.

continued BFN-UNIT 2 B 3.3-195

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES BACKGROUND 2. Prima Containment Isolation (continued)

The Primary Containment Isolation Functions each contain four channels. One channel for each Function is provided in each of the four PCIS trip channels (trip channels A1 and A2 for PCIS trip system A and trip channels B1 and B2 for PCIS trip system B). Any one of these inputs will trip the associated PCIS trip channel. The PCIS trip channel output relays are arranged in logic systems such that PCIS trip channels A1 or A2 and B1 or B2 must trip (one-out-of-two taken twice logic) to cause an isolation. For most penetrations a logic system initiates isolation of its associated inboard primary containment isolation valves, while another logic system initiates isolation of its associated outboard primary containment isolation valves, so that operation of either logic isolates the penetration.

Primary Containment Isolation Drywell Pressure - High and Reactor Vessel Water Level - Low, Level 3 Functions are required for isolation of the Group 2 (excluding RHR valves for SDC), 6 and 8 valves.

3 4. Hi h Pressure Coolant In ection S stem Isolation and Reactor Core Isolation Coolin S stem Isolation The Steam Line Flow - High Functions for HPCI and RCIC each receive input from two channels, one per trip system. The channel output relays are arranged in logic systems using a one-out-of-two logic (redundant logic systems for most isolation valves).

continued BFN-UNIT 2 B 3.3-1 96

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES BACKGROUND 3 4. Hi h Pressure Coolant ln'ection S stem Isolation and Reactor Core Isolation Coolin S stem Isolation (continued)

The Steam Supply Line Pressure - Low and Turbine Exhaust Diaphragm Pressure - High Functions for HPCI and RCIC each contain four channels in a single trip system. The Steam Supply Line Pressure - Low channels are arranged in a series of logic parallel pairs to form one-out-of-two taken twice logic.

Each HPCI isolation valve receives a single isolation signal from this logic. Each RCIC isolation valve receives an isolation signal from this logic through redundant logic systems. The trip system for the Turbine Exhaust Diaphragm Pressure - High Function contains two trip channels. Each trip channel contains two instrument channels (logic parallel pair). The output relays for the trip channels are arranged in logic systems (redundant logic systems for most isolation valves) such that both trip channels must trip (effectively one-out-of-two taken twice logic for the instrument channels) to cause an isolation.

The HPCI and RCIC Area Temperature - High Functions each contain sixteen channels, four Pump Room Area and twelve Torus Area channels (four channels for each area monitored).

Each trip system contains two trip channels; Logic A trip channel 1 (trip channel output relay 23A-K34 for HPCI and 13A-K10 for RCIC) and trip channel 2 (trip channel output relay 23A-K35 for HPCI and 13A-K11 for RCIC) and Logic B trip channel 1 (trip channel output relay 23A-K6 for HPCI and 13A-K30 for RCIC) and trip channel 2 (trip channel output relay 23A-K8 for HPCI and 13A-K31 for RCIC). Each trip channel receives one input from each of the four areas monitored. Any continued BFN-UNIT 2 B 3.3-197

Primary Containment Isolation Instrumentation 8 3.3.6.1 BASES BACKGROUND 3 4. Hi h Pressure Coolant In ection S stem Isolation and Reactor Core Isolation Coolin S stem Isolation (continued) one of these inputs will trip the associated trip channel. The trip channel output relays are arranged in logic systems (redundant logic systems for most isolation valves) such that trip channel 1 of either the A or 8 Logic and.trip channel 2 of either the A or B Logic must trip (one-out-of-two taken twice logic) to cause an isolation.

HPCI and RCIC Functions isolate the Group 4 and 5 valves.

5. Reactor Water Cleanu S stem Isolation The RWCU Isolation Reactor Vessel Water Level - Low, Level 3 Function contains four channels. Each of the six Area Temperature - High Functions contain four channels which monitor the area associated with the Function. One channel for each of these RWCU Isolation Functions are provided in each of the four PCIS trip channels (trip channels A1 and A2 for PCIS trip system A and trip channels B1 and B2 for PCIS trip system B). Any one of these inputs will trip the associated PCIS trip channel. The PCIS trip channel output relays are arranged in logic systems (one logic system for the inboard valve and one logic system for the outboard valve) such that PCIS trip channels A1 or A2 and B1 or B2 must trip (one-out-of-two taken twice logic) to cause an isolation. The SLC System Initiation Function provides an isolation signal to close both RWCU isolation valves.

RWCU Isolation Functions are required for isolation of the Group 3 valves.

continued BFN-UNIT 2 B 3.3-198

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES BACKGROUND 6. Shutdown Coolin S stem Isolation (continued)

The Shutdown Cooling System Isolation Reactor Vessel Water Level - Low, Level 3 and Drywell Pressure - High Functions each contain four channels. One channel for each Function is provided in each of the four PCIS trip channels (trip channels A1 and A2 for PCIS trip system A and trip channels B1 and B2 for PCIS trip system B). Any one of these inputs will trip the associated PCIS trip channel. The PCIS trip channel output relays are arranged in logic systems (each division of logic provides a signal for one RHR LPCI to Reactor isolation valve and one RHR SDC Supply isolation valve) such that PCIS trip channels A1 or A2 and B1 or B2 must trip (one-out-of-two taken twice logic) to cause an isolation. Isolation of the RHR LPCI to Reactor isolation valves from these functions are enabled only when both RHR SDC Supply isolation valves are open.

The Reactor Steam Dome Pressure - High Function consists of two channels, one per trip system. The output relays from these channels are arranged in logic systems to provide one-out-of-two isolation logic to each RHR SDC isolation valve.

The Shutdown Cooling System Isolation Reactor Vessel Water Level - Low, Level 3 and Drywell Pressure - High Functions are required for isolation of the Group 2 RHR LPCI to Reactor and RHR SDC Supply isolation valves. The Reactor Steam Dome Pressure - High Function also isolates the Group 2 RHR SDC Supply isolation valves.

(continued)

BFN-UNIT 2 B 3.3-199

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES (continued)

APPLICABLE The isolation signals generated by the primary containment SAFETY ANALYSES, isolation instrumentation are implicitly assumed in the safety LCO, and analyses of References 2 and 8 to initiate closure of valves to APPLICABILITY limit offsite doses. Refer to LCO 3.6.1.3, "Primary Containment Isolation Valves (PCIVs)," Applicable Safety Analyses Bases for more detail of the safety analyses.

Primary containment isolation instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 7). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITYof the primary containment instrumentation is dependent on the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.6.1-1.

Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The setpoint is calibrated consistent with applicable setpoint methodology assumptions (nominal trip setpoint).

Allowable Values are specified for each Primary Containment Isolation Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process continued BFN-UNIT 2 B 3.3-200

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE parameter (e.g., reactor vessel water level), and when the SAFETYANALYSES, measured output value of the process parameter exceeds the LCO, and setpoint, the associated device (e.g., trip unit) changes state.

APPLICABILITY The analytic limits are derived from the limiting values of the

. (continued) process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

Certain Emergency Core Cooling Systems (ECCS) and RCIC valves (e.g., minimum flow) also serve the dual function of automatic PCIVs. The signals that isolate these valves are also associated with the automatic initiation of the ECCS and RCIC.

The instrumentation requirements and ACTIONS associated with these signals are addressed in LCO 3.3.5.1, "Emergency Core Cooling Systems (ECCS) Instrumentation," and LCO 3.3.5.2, "Reactor Core Isolation Cooling (RCIC) System Instrumentation," and are not included in this LCO.

In general, the individual Functions are required to be OPERABLE in MODES 1, 2, and 3 consistent with the Applicability for LCO 3.6.1.1, "Primary Containment." Functions that have different Applicabilities are discussed below in the individual Functions discussion.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

continued BFN-UNIT 2 B 3.3-201

Primary Containment Isolation Instrumentation

~

B 3.3.6.1 BASES APPLICABLE Main Steam Line Isolation SAFETYANALYSES, LCO, and 1.a. Reactor Vessel Water Level - Low Low Low Level 1 APPLICABILITY (LIS-3-56A-D)

(continued)

Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result.

Therefore, isolation of the MSIVs and other interfaces with the reactor vessel occurs to prevent offsite dose limits from being exceeded. The Reactor Vessel Water Level - Low Low Low, Level 1 Function is one of the many Functions assumed to be-OPERABLE and capable of providing isolation signals. The Reactor Vessel Water Level - Low Low Low, Level 1 Function associated with isolation is assumed in the analysis of the recirculation line break (Ref. 1). The isolation of the MSLs on Level 1 supports actions to ensure that offsite dose limits are not exceeded for a DBA.

Reactor vessel water level signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low Low Low, Level 1 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level - Low Low Low, Level 1 Allowable Value is chosen to be the same as the ECCS Level 1 Allowable Value (LCO 3.3.5.1) to ensure that the MSLs isolate on a potential loss of coolant accident (LOCA) to prevent offsite doses from exceeding 10 CFR 100 limits.

This Function isolates the Group 1 valves.

continued BFN-UNIT 2 B 3.3-202

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 1.b. Main Steam Line Pressure- Low (PIS-1-72, 76, 82, 86)

SAFETYANALYSES, LCO, and Low MSL pressure with the reactor at power indicates that there APPLICABILITY may be a problem with the turbine pressure regulation, which (continued) could result in a low reactor vessel water level condition and the RPV cooling down more than 100'F/hr if the pressure loss is allowed to continue. The Main Steam Line Pressure - Low Function is directly assumed in the analysis of the pressure regulator failure (Ref. 2). For this event, the closure of the MSIVs ensures that the RPV temperature change limit (100'F/hr) is not reached. In addition, this Function supports actions to ensure that Safety Limit 2.1.1.1 is not exceeded.

(This Function closes the MSIVs prior to pressure decreasing below 785 psig, which results in a scram due to MSIV closure, thus reducing reactor power to ( 25% RTP.)

The MSL low pressure signals are initiated from four transmitters that are connected to the MSL header. The transmitters are arranged such that, even though physically separated from each other, each transmitter is able to detect low MSL pressure. Four channels of Main Steam Line Pressure

- Low Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Value was selected to be high enough to prevent excessive RPV depressurization.

The Main Steam Line Pressure - Low Function is only required to be OPERABLE in MODE 1 since this is when the assumed transient can occur (Ref. 2).

This Function isolates the Group 1 valves excluding the Recirculation Loop Sample valves.

continued BFN-UNIT 2 B 3.3-203

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 1.c. Main Steam Line Flow- Hi h SAFETY ANALYSES, (PDIS-1-13A-D, 25A-D, 36A-D, 50A-D)

LCO, and APPLICABILITY Main Steam Line Flow - High is provided to detect a break of (continued) the MSL and to initiate closure of the MSIVs. If the steam were allowed to continue flowing out of the break, the reactor would depressurize and the core could uncover. If the RPV water level decreases too far, fuel damage could occur. Therefore, the isolation is initiated on high flow to prevent or minimize core damage. The Main Steam Line Flow - High Function is directly assumed in the analysis of the main steam line break (MSLB)

(Ref. 2). The isolation action, along with the scram function of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46 and offsite doses do not exceed the 10 CFR 100 limits.

The MSL flow signals are initiated from 16 transmitters that are connected to the four MSLs. The transmitters are arranged such that, even though physically separated from each other, all four connected to one MSL would be able to detect the high flow. Four channels of Main Steam Line Flow - High Function for each MSL (two channels per trip system) are available and are required to be OPERABLE so that no single instrument failure will preclude detecting a break in any individual MSL.

The Allowable Value is chosen to ensure that offsite dose limits are not exceeded due to the break.

This Function isolates the Group 1 valves excluding the Recirculation Loop Sample valves.

continued BFN-UNIT 2 B 3.3-204

Primary Containment Isolation Instrumentation 8 3.3.6.1 BASES APPLICABLE 1.d. Main Steam Tunnel Tem erature-Hi h SAFETYANALYSES, (TS-1-1 7A-D, 29A-D, 40A-D, 54A-D)

LCO, and APPLICABILITY The Main Steam Tunnel Temperature Function is provided to (continued) detect a leak in the RCPB and provides diversity to the high flow instrumentation. The isolation occurs when a very small leak has occurred. If the small leak is allowed to continue without isolation, offsite dose limits may be reached. However, credit for these instruments is not taken in any transient or accident analysis in the FSAR, since bounding analyses are performed for large breaks, such as MSLBs.

Main Steam Tunnel temperature signals are initiated from bimetallic temperature switches located in the areas being monitored. Sixteen channels of Main Steam Tunnel Temperature - High Function are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The main steam tunnel temperature detection system Allowable Value is chosen to detect a leak equivalent to between 1% and 10% rated steam flow.

This Function isolates the Group 1 valves excluding the Recirculation Loop Sample valves.

continued BFN-UNIT 2 B 3.3-205

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE Prima Containment Isolation SAFETYANALYSES, LCO, and 2.a. Reactor Vessel Water Level - Low Level 3 APPLICABILITY (LIS-3-203A-D)

(continued)

Low RPV water level indicates that the capability to cool the fuel may be threatened. The valves whose penetrations communicate with the primary containment are isolated to limit the release of fission products. The isolation of the primary containment on Level 3 supports actions to ensure that offsite dose limits of 10 CFR 100 are not exceeded. The Reactor Vessel Water Level - Low, Level 3 Function associated with isolation is implicitly assumed in the FSAR analysis as these leakage paths are assumed to be isolated post LOCA.

Reactor Vessel Water Level - Low, Level 3 signals are initiated from level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low, Level 3 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level - Low, Level 3 Allowable Value was chosen to be the same as the RPS Level 3 scram Allowable Value (LCO 3.3.1.1), since isolation of these valves is not critical to orderly plant shutdown.

This Function is required for the isolation of the Group 2 (excluding RHR valves for SDC), 6, and 8 valves. Portions of this instrumentation are also required for Functions 5.h and 6.b.

continued BFN-UNIT 2 B 3.3-206

Primary Containment Isolation Instrumentation

~

B 3.3.6.1 BASES APPLICABLE 2.b. D ell Pressure- Hi h (PIS-64-56A-D)

SAFETYANALYSES, LCO, and High drywell pressure can indicate a break in the RCPB inside APPLICABILITY the primary containment. The isolation of some of the primary (continued) containment isolation valves on high drywell pressure supports actions to ensure that offsite dose limits of 10 CFR 100 are not exceeded. The Drywell Pressure - High Function, associated with isolation of the primary containment, is implicitly assumed in the FSAR accident analysis as these leakage paths are assumed to be isolated post LOCA.

High drywell pressure signals are initiated from pressure transmitters that sense the pressure in the drywell. Four channels of Drywell Pressure - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Value was selected to be the same as the ECCS Drywell Pressure - High Allowable Value (LCO 3.3.5.1), since this may be indicative of a LOCA inside primary containment.

This Function is required for the isolation of the Group 2 (excluding RHR valves for SDC), 6 and 8 valves. Portions of this instrumentation are also required for Function 6.c.

continued BFN-UNIT 2 B 3.3-207

0 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE Hi h Pressure Coolant In ection and Reactor Core Isolation SAFETY ANALYSES, Coolin S stems Isolation LCO, and APPLICABILITY 3.a. 4.a. HPCI and RCIC Steam Line Flow - Hi h (continued) (PDIS-71-1A and 1B; PDIS-73-1A and 1B)

Steam Line Flow - High Functions are provided to detect a break of the RCIC or HPCI steam lines and initiate closure of the steam line isolation valves of the appropriate system. If the steam is allowed to continue flowing out of the break, the reactor will depressurize and the core can uncover. Therefore, the isolations are initiated on high flow to prevent or minimize core damage. The isolation action, along with the scram function of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Specific credit for these Functions is not assumed in any FSAR accident analyses since the bounding analysis is performed for large breaks such as recirculation and MSL breaks. However, these instruments prevent the RCIC or HPCI steam line breaks from becoming bounding.

The HPCI and RCIC Steam Line Flow - High signals are initiated from transmitters (two for HPCI and two for RCIC) that are connected to the system steam lines. Two channels of both HPCI and RCIC Steam Line Flow - High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Values are chosen to be low enough to ensure that the trip occurs to prevent fuel damage and maintains the MSLB event as the bounding event.

These Functions isolate the Group 4 and 5 valves, as appropriate.

continued BFN-UNIT 2 8 3.3-208

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 3.b.. 4.b. HPCI and RCIC Steam Su I Line Pressure - Low SAFETY ANALYSES, (PS-71-1A-D and PS-73-1A-D)

LCO, and APPLICABILITY Low MSL pressure indicates that the pressure of the steam i n (continued) the HPCI or RCIC turbine may be too low to continue operati on of the associated system's turbine. These isolations are for equipment protection and are not assumed in any transient or accident analysis in the FSAR. However, they also provide a diverse signal to indicate a possible system break and provide the only signal which will isolate the steam supply lines for certain pipe breaks. These instruments are included in Technical Specifications (TS) because of the potential for risk due to possible failure of the instruments preventing HPCI and RCIC initiations. Therefore, they meet Criterion 4 of the NRC Policy Statement (Ref. 7).

The HPCI and RCIC Steam Supply Line Pressure - Low signals are initiated from switches (four for HPCI and four for RCIC) that are connected to the system steam line. Four channels of both HPCI and RCIC Steam Supply Line Pressure

- Low Functions are available. Only three channels of each Function are required to be OPERABLE.

The Allowable Values are selected to be high enough to prevent damage to the system's turbine.

These Functions isolate the Group 4 and 5 valves, as appropriate.

continued BFN-UNIT 2 8 3.3-209

0 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 3.c. 4.c. HPCI and RCIC Turbine Exhaust Dia hra m SAFETYANALYSES, LCO, and

~P-lii 0 (PP-71-11A-0 0PP-73-20A-07 APPLICABILITY High turbine exhaust diaphragm pressure indicates that the (continued) pressure may be too high to continue operation of the associated system's turbine. That is, one of two exhaust diaphragms has ruptured and pressure is reaching turbine casing pressure limits. These isolations are for equipment protection and are not assumed in any transient or accident analysis in the FSAR. These instruments are included in the TS because of the potential for risk due to possible failure of the instruments preventing HPCI and RCIC initiations.

Therefore, they meet Criterion 4 of the NRC Policy Statement (Ref. 7).

The HPCI and RCIC Turbine Exhaust Diaphragm Pressure-High signals are initiated from switches (four for HPCI and four for RCIC) that are connected to the area between the rupture diaphragms on each system's turbine exhaust line. Four channels of both HPCI and RCIC Turbine Exhaust Diaphragm Pressure - High Functions are available. Only three channels of each Function are required to be OPERABLE.

The Allowable Values are low enough to prevent damage to the systems'urbine.

These Functions isolate the Group 4 and 5 valves, as appropriate.

continued BFN-UNIT 2 B 3.3-210

Primary Containment Isolation Instrumentation 8 3.3.6.1 BASES APPLICABLE 3.d. 3.e. 3.f. 3.. 4.d. 4.e. 4.f. 4.. Area Tem erature-Hi h SAFETYANALYSES, (TS-71-2A-H, J-N, P, R, S and TS-73-2A-H, J-N, P, R, S)

LCO, and APPLICABILITY Area Temperature Functions are provided to detect a leak from (continued) the associated system steam piping. The isolation occurs when a very small leak has occurred and is diverse to the high flow instrumentation. If the small leak is allowed to continue without isolation, offsite dose limits may be reached. These Functions are not assumed in any FSAR transient or accident analysis, since bounding analyses are performed for large breaks such as recirculation or MSL breaks.

Area Temperature - High signals are initiated from bimetallic temperature switches that are appropriately located to protect the system that is being monitored. Four instruments monitor each area. HPCI and RCIC each have sixteen total channels of Area Temperature - High Function available. All of which are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Values are set low enough to detect a leak equivalent to 25 gpm.

These Functions isolate the Group 4 and 5 valves, as appropriate.

continued BFN-UNIT 2 B 3.3-211

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE Reactor Water Cleanu S stem Isolation SAFETY ANALYSES, LCO, and 5.a. 5.b. 5.c. 5.d. 5.e. 5.f. Area Tem erature-Hi h APPLICABILITY (TIS-69-834A-D, 835A-D, 836A-D, 837A-D, 838A-D, 839A-D)

(continued)

RWCU Area Temperature Functions are provided to detect a leak from the RWCU System.. The isolation occurs even when very small leaks have occurred. If the small leak continues without isolation, offsite dose limits may be reached. Credit for these instruments is not taken in any transient or accident analysis in the FSAR, since bounding analyses are performed for large breaks such as recirculation or MSL breaks.

Area temperature signals are initiated from temperature elements that are located in the areas monitored. Four sensors in each of the six monitored areas are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Area Temperature - High Allowable Values are set based on the maximum abnormal operating temperature for each area.

These Functions isolate the Group 3 valves.

continued BFN-UNIT 2 B 3.3-212

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 5.. SLC S stem Initiation SAFETYANALYSES, LCO, and The isolation of the RWCU System is required when the SLC APPLICABILITY System has been initiated to prevent dilution and removal of the (continued) boron solution by the RWCU System (Ref. 4). An isolation signal for both RWCU isolation valves is initiated when the SLC

, pump start handswitch is not in the stop position.

There is no Allowable Value associated with this Function since the channels are mechanically actuated based solely on the position of the SLC System initiation switch.

The SLC System Initiation Function is required to be OPERABLE only in MODES 1 and 2, since these are the only MODES where the reactor can be critical, and these MODES are consistent with the Applicability for the SLC System (LCO 3.1.7).

As noted (footnote (a) to Table 3.3.6.1-1), the SLC initiation signal provides input to the isolation logic for both RWCU isolation valves.

5.h. Reactor Vessel Water Level - Low Level 3 (LIS-3-203A-D)

Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of some interfaces with the reactor vessel occurs to isolate the potential sources of a break. The isolation of the RWCU System on Level 3 supports actions to ensure that the fuel peak cladding continued BFN-UNIT 2 B 3.3-213

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 5.h. Reactor Vessel Water Level - Low Level 3 SAFETY ANALYSES, (LIS-3-203A-D) (continued)

LCO, and APPLICABILITY tern P erature remains below the limits of 10 CF R 50.46. The Reactor Vessel Water Level - Low, Level 3 Function associated with RWCU isolation is not directly assumed in the FSAR safety analyses because the RWCU System line break is bounded by breaks of larger systems (recirculation and MSL breaks are more limiting).

Reactor Vessel Water Level - Low, Level 3 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

Four channels of Reactor Vessel Water Level - Low, Level 3 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level - Low, Level 3 Allowable Value was chosen to be the same as the RPS Level 3 scram Allowable Value (LCO 3.3.1.1), since isolation of these valves is not critical to orderly plant shutdown.

This Function is required for the isolation of the Group 3 valves.

Portions of this instrumentation are also required for Functions 2.a and 6.b.

continued BFN-UNIT 2 B 3.3-214

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE Shutdown Coolin S stem Isolation SAFETYANALYSES, LCO, and 6.a. Reactor Steam Dome Pressure - Hi h APPLICABILITY (PS-68-93 and 94)

(continued)

The Reactor Steam Dome Pressure - High Function is provided to isolate the shutdown cooling portion of the Residual Heat Removal (RHR) System. This interlock is provided only for equipment protection to prevent an intersystem LOCA scenario, and credit for the interlock is not assumed in the accident or transient analysis in the FSAR.

The Reactor Steam Dome Pressure - High signals are initiated from two switches that are connected to different taps on the RPV. Two channels of Reactor Steam Dome Pressure - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Function is only required to be OPERABLE in MODES 1, 2, and 3, since these are the only MODES in which the reactor can be pressurized; thus, equipment protection is needed. The Allowable Value was chosen to'be low enough to protect the system equipment from overpressurization.

This Function isolates Group 2 RHR SDC Supply isolation valves.

continued BFN-UNIT 2 B 3.3-215

0 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 6.b. Reactor Vessel Water Level - Low Level 3 SAFETYANALYSES, (LIS-3-203A-D)

LCO, and APPLICABILITY Low RPV water level indicates that the capability to cool the (continued) fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of some reactor vessel interfaces occurs to begin isolating the potential sources of a break. The Reactor Vessel Water Level - Low, Level 3 Function associated with RHR Shutdown Cooling System isolation is not directly assumed in safety analyses because a break of the RHR Shutdown Cooling System is bounded by breaks of the recirculation and MSL. The RHR Shutdown Cooling System isolation on Level 3 supports actions to ensure that the RPV water level does not drop below the top of the active fuel during a vessel draindown event caused by a leak (e.g., pipe break or inadvertent valve opening) in the RHR Shutdown Cooling System.

Reactor Vessel Water Level - Low, Level 3 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels (two channels per trip system) of the Reactor Vessel Water Level - Low, Level 3 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. As noted (footnote (b) to Table 3.3.6.1-1), only two channels of the Reactor Vessel Water Level - Low, Level 3 Function (one channel for PCIS trip system A and one channel for PCIS trip system B) with the capability of isolating one RHR SDC supply isolation valve are required to be OPERABLE in MODES 4 and 5, provided the RHR Shutdown Cooling System integrity is maintained. System integrity is maintained provided the piping is intact and no maintenance is being performed that has the potential for draining the reactor vessel through the system.

continued 8FN-UNIT 2 B 3.3-216

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 6.b. Reactor Vessel Water Level - Low Level 3 SAFETY ANALYSES, (LIS-3-203A-D) (continued)

LCO, and APPLICABILITY The Reactor Vessel Water Level - Low Level 3 Allowable Value was chosen to be the same as the RPS Reactor Vessel Water Level - Low, Level 3 Allowable Value (LCO 3.3.1.1),

since the capability to cool the fuel may be threatened.

The Reactor Vessel Water Level - Low, Level 3 Function is only required to be OPERABLE in MODES 3, 4, and 5 to prevent the potential flow paths from lowering the reactor vessel level to the top of the fuel. In MODES 1 and 2, other isolation Functions are required to be OPERABLE (i.e., Reactor Steam Dome Pressure - High and Drywell Pressure - High) and administrative controls for the flow paths prevent unexpected loss of inventory via these flow paths.

This Function is required for the isolation of the Group 2 RHR LPCI to Reactor and RHR SDC Supply isolation valves.

Portions of this instrumentation are also required for Functions 2.a and 5.h.

6.c. D ell Pressure- Hi h (PIS-64-56A-D)

High drywell pressure can indicate a break in the RCPB inside the primary containment. The isolation of some of the primary containment isolation valves on high drywell pressure supports actions to ensure that offsite dose limits of 10 CFR 100 are not exceeded. The Drywell Pressure - High Function, associated with isolation of the primary containment, is implicitly assumed in the FSAR accident analysis as these leakage paths are assumed to be isolated post LOCA.

continued BFN-UNIT 2 3.3-217

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 6.c. D ell Pressure - Hi h (PIS-64-56A-D) (continued)

SAFETY ANALYSES, LCO, and High drywell pressure signals are initiated from pressure APPLICABILITY transmitters that sense the pressure in the drywell. Four channels of Drywell Pressure - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Value was selected to be the same as the ECCS Drywell Pressure - High Allowable Value (LCO 3.3.5.1), since this may be indicative of a LOCA inside primary containment.

This Function is required for the isolation of the Group 2 RHR LPCI to Reactor and RHR SDC Supply isolation valves.

Portions of this instrumentation are also required for Function 2.b.

ACTIONS A Note has been provided to modify the ACTIONS related to primary containment isolation instrumentation channels.

Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result, in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable primary containment isolation instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable primary containment isolation instrumentation channel.

continued BFN-UNIT 2 B 3.3-218

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS A.1 and A.2 (continued)

Because of the diversity of sensors available to provide isolation signals and the redundancy of the isolation design, an allowable out of service time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for Functions 2.a, 2.b, 5.h, 6.b, and 6.c; and 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for Functions other than Functions 2.a, 2.b, 5.h, 6.b, and 6.c has been shown to be acceptable (Refs. 5 and 6) to permit restoration of any inoperable channel to OPERABLE status. Required Actions A.1 and A.2 are modified by Notes that specify the Applicability of the Required Actions for Function 1.d when 15 of 16 channels are OPERABLE. Required Action A.2 provides an allowable out of service time of 30 days for Function 1.d when 15 of 16 channels are OPERABLE. This has been shown to be acceptable (Ref. 9) to permit restoration of the one inoperable channel to OPERABLE status. These out of service times are only acceptable provided the associated Function is still maintaining isolation capability (refer to Required Action B.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A.1 or A.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue with no further restrictions. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an isolation), Condition C must be entered and its Required Action taken.

continued 8FN-UNIT 2 B 3.3-219

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS 8.1 (continued)

Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in isolation capability being lost for the associated penetration flow path(s). The Isolation Functions are considered to be maintaining isolation capability when sufficient channels are OPERABLE or in trip (or the associated trip channel is in trip). Such that at least either the inboard or outboard PCIVs in the associated penetration flow paths can receive an isolation signal from the given Function on a valid signal. For Functions 1.a and 1.b, this would require the Function to have at least two channels OPERABLE or in trip.

For the MSL Drain Valves and the Recirculation Loop Sample Valves the required channels would be the two channels inputting to PCIS trip channels A1 and B1 or the two channels inputting to A2 and B2. For the MSIVs the required channels would be one channel in both PCIS trip systems. For Functions 1.c and 1.d, each Function consists of channels that monitor different parameters (e.g., different flows and different area temperatures). Therefore, this would require the Function to have at least eight channels OPERABLE or in trip. For the MSL Drain Valves the required channels would be the eight channels inputting to PCIS trip channels A1 and B1 or the eight channels inputting to PCIS trip channels A2 and B2. For the MSIVs the required channels would be one Function 1.c channel from each MSL line and one Function 1.d channel from each area monitored in both PCIS trip systems. For Functions 2.a, 2.b, 5.a, 5.b, 5.c, 5.d, 5.e, 5.f, 5.h, 6.b, and 6.c, this would require both PCIS trip systems to have at least one channel of the Function OPERABLE or in trip. For Functions 3.a, 4.a, and 6.a, this would require one channel to be OPERABLE or in trip. For Functions 3.b, 3.c, 4.b, and 4.c, this would require the Function to have at least two channels OPERABLE or in trip, one in both logic parallel pairs. For Functions 3.d, 3.e, 3.f, 3.g, 4.d, 4.e, 4.f, and 4.g, this would require the Function to have at least two continued BFN-UNIT 2 B 3.3-220

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTION 8.1 (continued) channels OPERABLE or in trip (combined total channels of at least eight for HPCI and eight for RCIC). The required channels would be one channel inputting to trip channel 1 of either the A or B Logic and one channel inputting to trip channel 2 of either the A or B Logic. For Function 5.g, this would require the SLC System initiation switch to be capable of generating an isolation signal to at least one of the RWCU isolation valves.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

The second Completion Time for Function 1.d when normal ventilation is not available is provided to allow the plant to avoid an MSL isolation transient when recovering from a temporary loss of ventilation in the MSL tunnel area (e.g., during performance of the secondary containment leak rate tests). As allowed by LCO 3.0.2 (and discussed in the Bases for LCO 3.0.2), the plant may intentionally enter this condition to avoid an MSL isolation transient and bypass the high temperature channels during restoration of ventilation flow.

However, during the period that multiple Main Steam Tunnel Temperature - High Function channels are inoperable due to this intentional action, an additional compensatory measure is deemed necessary and shall be taken: an operator shall observe control room indications of the affected space temperatures for indications of small steam leaks. In the event of rapid increases in temperature (indicative of a steam line break), the operator shall promptly close the MSIVs. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time is acceptable because along with the compensatory measures described above it minimizes risk while allowing time for restoration or tripping of channels.

continued BFN-UNIT 2 B 3.3-221

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS C.1 (continued)

Required Action C.1 directs entry into the appropriate Condition referenced in Table 3.3.6.1-1. The applicable Condition specified in Table 3.3.6.1-1 is Function and MODE or other specified condition dependent and may change as the Required Action of a previous Condition is completed. Each time an inoperable channel has not met any Required Action of Condition A or B and the associated Completion Time has expired, Condition C will be entered for that channel and provides for transfer to the appropriate subsequent Condition.

D.1 D.2.1 and D.2.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the plarit must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months (Required Actions D.2.1 and D.2.2). Alternately, the associated MSLs may be isolated (Required Action D.1), and, if allowed (i.e., plant safety analysis allows operation with an MSL isolated), operation with that MSL isolated may continue.

Isolating the affected MSL accomplishes the safety function of the inoperable channel. The Completion Times are reasonable, based on operating experience, to reach the. required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

continued BFN-UNIT 2 B 3.3-222

Primary Containment Isolation Instrumentation 8 3.3.6.1 BASES ACTIONS (continued)

If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 2 from full power conditions in an orderly manner and without challenging plant systems.

F.'I If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, plant operations may continue if the affected penetration flow path(s) is isolated.

Isolating the affected penetration flow path(s) accomplishes the safety, function of the inoperable channels.

For the RWCU Area Temperature - High Functions, the affected penetration flow path(s) may be considered isolated by isolating only that portion of the system in the associated room monitored by the inoperable channel. That is, if the RWCU pump room A area channel is inoperable, the pump room A area can be isolated while allowing continued RWCU operation utilizing the B RWCU pump.

Alternately, if it is not desired to isolate the affected penetration flow path(s) (e.g., as in the case where isolating the penetration flow path(s) could result in a reactor scram), Condition G must be entered and its Required Actions taken.

continued BFN-UNIT 2 B 3.3-223

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS F.1 (continued)

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing sufficient time for plant operations personnel to isolate the affected penetration flow path(s).

G.1 and G.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, or any Required Action of Condition F is not met and the associated Completion Time has expired, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

H.1 and H.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the SLC System is declared inoperable or the RWCU System is isolated. Since this Function is required to ensure that the SLC System performs its intended function, sufficient remedial measures are provided by declaring the SLC System inoperable or isolating the RWCU System.

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing sufficient time for personnel to isolate the RWCU System.

continued BFN-UNIT 2 B 3.3-224

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS l.1 and l.2 (continued)

If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the associated penetration flow path(s) should be closed. However, if the shutdown cooling function is needed to provide core cooling, these Required Actions allow the penetration flow path(s) to remain unisolated provided action is immediately initiated to restore the channel to OPERABLE status or to isolate the RHR Shutdown Cooling System (i.e., provide alternate decay heat removal capabilities so the penetration flow path(s) can be isolated). Actions must continue until the channel is restored to OPERABLE status or the RHR Shutdown Cooling System is isolated.

SURVEILLANCE As noted (Note 1) at the beginning of the SRs, the SRs for REQUIREMENTS each Primary Containment Isolation instrumentation Function are found in. the SRs column of Table 3.3.6.1-1.

The Surveillances are modified by a Note (Note 2) to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months provided the associated Function maintains trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 5 and 6) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the PCIVs will isolate the penetration flow path(s) when necessary.

continued BFN-UNIT 2 B 3.3-225

Primary Containment Isolation Instrumentation 8 3.3.6.1 BASES SURVEILLANCE SR 3.3.6.1.1 REQUIREMENTS (continued) Performance of the CHANNEL CHECK once every 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated, on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

continued BFN-UNIT 2 B 3.3-226

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES SURVEILLANCE SR 3.3.6.1.2 REQUIREIVIENTS (continued) A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The 92 day Frequency of SR 3.3.6.1.2 is based on the reliability analysis described in References 5 and 6.

SR 3.3.6.1.3 SR 3.3.6.1.4 and SR 3.3.6.1.5 A CHANNEL CALIBRATIONis a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATIONleaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequencies of SR 3.3.6.1.3, SR 3.3.6.1.4, and SR 3.3.6.1.5 are based on the magnitude of equipment drift in the setpoint analysis.

continued BFN-UNIT 2 B 3.3-227

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES SURVEILLANCE SR 3.3.6.1.6 REQUIREMENTS (continued) The LOGIC SYSTEM FUNCTIONALTEST demonstrates the OPERABILITY of the required isolation logic for a specific channel. The system functional testing performed on PCIVs in LCO 3.6.1.3 overlaps this Surveillance to provide complete testing of the assumed safety function. The LOGIC SYSTEM FUNCTIONAL TEST shall include a calibration of time delay relays and timers necessary for proper functioning of the logic.

The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown these components usually pass the Surveillance when performed at the Frequency provided.

REFERENCES 1. FSAR, Section 6.5.

2. FSAR, Chapter 14.

3. NEDO-31466, "Technical Specification Screening Criteria Application and Risk Assessment," November 1987.

4. FSAR, Section 4.9.3.

5. NEDC-31677P-A, "Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation,"

July 1990.

6. NEDC-30851P-A Supplement 2, "Technical Specifications Improvement Analysis for BWR Isolation Instrumentation Common to RPS and ECCS Instrumentation," March 1989.

continued BFN-UNIT 2 B 3.3-228

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES REFERENCES 7. NRC No.93-102, "Final Policy Statement on Technical (continued) Specification Improvements," July 23, 1993.

8. FSAR, Section 5.2.

9. NRC letter from Richard J. Clark to Hugh G. Parris dated August 9, 1984,'Safety Evaluation for Amendment Nos.

107, 101, and 74 to Facility Operating License Nos.

DPR-33, DPR-52, and DPR-68 for Browns Ferry Nuclear Plant Units 1, 2, and 3 respectively.

8FN-UNIT 2 B 3.3-229

Secondary Containment Isolation Instrumentation B 3.3.6.2 B 3.3 INSTRUMENTATION B 3.3.6.2 Secondary Containment Isolation Instrumentation BASES BACKGROUND The secondary containment isolation instrumentation automatically initiates closure of appropriate secondary containment isolation valves (SCIVs) and starts the Standby Gas Treatment (SGT) System. The function of these systems, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs) (Ref. 1). Secondary containment isolation and establishment of vacuum with the SGT System within the assumed time limits ensures that fission products that leak from primary containment following a DBA, or are released outside primary containment, or are released during certain operations when primary containment is not required to be OPERABLE are maintained within applicable limits.

The isolation instrumentation includes the sensors, relays, and switches that are necessary to cause initiation of secondary containment isolation. Most channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a secondary containment isolation signal to the isolation logic. Functional diversity is provided by monitoring a wide range of independent parameters. The input parameters to the isolation logic are (1) reactor vessel water level, (2) drywell pressure, (3) reactor zone exhaust high radiation, and (4) refueling floor exhaust high radiation. Redundant sensor input signals from each parameter are provided for initiation of isolation.

continued BFN-UNIT 2 B 3.3-230

Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES BACKGROUND The output signals from the secondary containment-isolation (continued) logic isolates secondary containment and starts all three SGT subsystems to provide for the necessary filtration of fission products.

APPLICABLE The isolation signals generated by the secondary containment SAFETY ANALYSES, isolation instrumentation are implicitly assumed in the safety LCO, and analyses of References 1 and 2 to initiate closure of valves and APPLICABILITY start the SGT System to limit offsite doses.

Refer to LCO 3.6.4.2, "Secondary Containment Isolation Valves (SCIVs)," and LCO 3.6.4.3, "Standby Gas Treatment (SGT)

System," Applicable Safety Analyses Bases for more detail of the safety analyses.

The secondary containment isolation instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 7). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITYof the secondary containment isolation instrumentation is dependent on the OPERABILITYof the individual instrumentation channel Functions. Each Function must have the required number of OPERABLE channels with their setpoints set within the specified Allowable Values, as shown in Table 3.3.6.2-1. The setpoint is calibrated consistent with applicable setpoint methodology assumptions (nominal trip setpoint). A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.

continued 8FN-UNIT 2 8 3.3-231

Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE Allowable Values are specified for each Function specified in SAFETYANALYSES, the Table. Nominal trip setpoints are specified in the setpoint LCO, and calculations. The nominal setpoints are selected to ensure that APPLICABILITY the setpoints do not exceed the Allowable Value between (continued) CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable.

Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g.,

trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors.

The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions when SCIVs and the SGT System are required.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

continued BFN-UNIT 2 B 3.3-232

Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE 1. Reactor Vessel Water Level - Low Level 3 SAFETY ANALYSES, (LIS-3-203A-D)

LCO, and APPLICABILITY Low reactor pressure vessel (RPV) water level indicates that (continued) the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. An isolation of the secondary containment and actuation of the SGT System are initiated in order to minimize the potential of an offsite dose release. The Reactor Vessel Water Level-Low, Level 3 Function is one of the Functions assumed to be OPERABLE and capable of providing isolation and initiation signals. The isolation and initiation systems on Reactor Vessel Water Level - Low, Level 3 support actions to ensure that any offsite releases are within the limits calculated in the safety analysis (Ref. 4).

Reactor Vessel Water Level - Low, Level 3 signals are initiated from level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. These signals are the same that isolate the primary containment (additional information on the arrangement of these channels in the PCIS trip systems can be found in the Bases for LCO 3.3.6.1, "Primary Containment Isolation Instrumentation," Function 2). Four channels of Reactor Vessel Water Level - Low, Level 3 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level - Low, Level 3 Function is required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists in the Reactor Coolant System (RCS); thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas. In MODES 4 and 5, the probability and consequences of these events are low due to the RCS pressure and temperature limitations of continued BFN-UNIT 2 B 3.3-233

Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE 1. Reactor Vessel Water Level - Low Level 3 SAFETYANALYSES, (LIS-3-203A-D) (continued)

LCO, and APPLICABILITY these MODES; thus, this Function is not required. In addition, the Function is also required to be OPERABLE during operations with a potential for draining the reactor vessel (OPDRVs) because the capability of isolating potential sources of leakage must be provided to ensure that offsite dose limits are not exceeded if core damage occurs.

2. D ell Pressure - Hi h (PIS-64-56A-D)

High drywell pressure can indicate a break in the reactor coolant pressure boundary (RCPB). An isolation of the secondary containment and actuation of the SGT System are initiated in order to minimize the potential of an offsite dose release. The isolation on high drywell pressure supports actions to ensure that any offsite releases are within the limits calculated in the safety analysis. However, the Drywell Pressure - High Function associated with isolation is not assumed in any FSAR accident or transient analyses. It is retained for the overall redundancy and diversity of the secondary containment isolation instrumentation as required by the NRC approved licensing basis.

High drywell pressure signals are initiated from pressure transmitters that sense the pressure in the drywell. These signals are the same that isolate the primary containment (additional information on the arrangement of these channels in the PCIS trip systems can be found in the Bases for LCO 3.3.6.1, "Primary Containment Isolation Instrumentation,"

Function 2). Four channels of Drywell Pressure - High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude performance of the isolation function.

continued BFN-UNIT 2 B 3.3-234

Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE 2. D ell Pressure - Hi h (PIS-64-56A-D) (continued)

SAFETYANALYSES, LCO, and The Allowable Value was chosen to be the same as the ECCS APPLICABILITY Drywell Pressure - High Function Allowable Value (LCO 3.3.5.1) since this is indicative of a loss of coolant accident (LOCA).

The Drywell Pressure - High Function is required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists in the RCS; thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas.

This Function is not required in MODES 4 and 5 because the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES.

3 4. Reactor Zone and Refuelin Floor Exhaust Radiation-Hicih (RM-90-140, 141, 142, 143)

High secondary containment exhaust radiation is an indication of possible gross failure of the fuel cladding. The release may have originated from the primary containment due to a break in the RCPB or the refueling floor due to a fuel handling accident.

When Exhaust Radiation - High is detected, secondary containment isolation and actuation of the SGT System are initiated to limit the release of fission products as assumed in the FSAR safety analyses (Ref.'4).

The Exhaust Radiation - High signals are initiated from radiation detectors located on the ventilation exhausts coming from the reactor zones and the common refueling zone. There are two radiation monitors and two divisional trip systems for each unit (Units 1, 2, and 3). Each monitor has one channel of Reactor Zone Exhaust Radiation - High and one channel of Refueling Floor Exhaust Radiation - High. Each monitor's channels provide signals to its associated divisional trip system.

Each channel has two radiation elements which monitor the continued BFN-UNIT 2 B 3.3-235

Secondary Containment Isolation Instrumentation

'B 3.3.6.2 BASES APPLICABLE 3 4. Reactor Zone and Refuelin Floor Exhaust Radiation-SAFETYANALYSES, Hicih (RM-90-1 40, 141, 142, 143) (continued)

LCO, and APPLICABILITY ventilation exhaust both of which must be OPERABLE for the channel to be OPERABLE. Both radiation elements must provide a High signal to trip the associated channel (two-out-of-two). However, the output relays from the divisional trip systems are arranged in logic systems such that if either channel for a zone trips, a secondary containment isolation signal is initiated (one-out-of-two). Six channels of Reactor Zone Exhaust Radiation - High Function and six channels of Refueling Floor Exhaust Radiation - High Function are available (two channels of each Function from each unit) and are required to be OPERABLE to ensure that.no single instrument failure can preclude the isolation function.

The Allowable Values are chosen to provide timely detection of nuclear system process barrier leaks inside containment but are far enough above background levels to avoid spurious isolation.

The Reactor Zone and Refueling Floor Exhaust Radiation-High Functions are required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists; thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas. In MODES 4 and 5, the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES; thus, these Functions are not required. In addition, the Functions are also required to be OPERABLE during CORE ALTERATIONS, OPDRVs, and movement of irradiated fuel assemblies in the secondary containment, because the capability of detecting radiation releases due to fuel failures (due to fuel uncovery or dropped fuel assemblies) must be provided to ensure that offsite dose. limits are not exceeded.

(continued)

BFN-UNIT 2 B 3.3-236

Secondary Containment Isolation Instrumentation 8 3.3.6.2 BASES (continued)

ACTIONS A Note has been provided to modify the ACTIONS related to secondary containment isolation instrumentation channels.

Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable secondary containment isolation instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable secondary containment isolation instrumentation channel.

A.1 Because of the diversity of sensors available to provide isolation signals and the redundancy of the isolation design, an allowable out of service time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for Functions 1 and 2, and 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for Functions other than Functions 1 and 2, has been shown to be acceptable (Refs. 5 and 6) to permit restoration of any inoperable channel to OPERABLE status.

This out of service time is only acceptable provided the associated Function is still maintaining isolation capability (refer to Required Action B.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A.1. Placing the inoperable continued BFN-UNIT 2 B 3.3-237

Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES ACTIONS A.1 (continued) channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel. in trip (e.g., as in the case where placing the inoperable channel in trip would result in an isolation),

Condition C must be entered and its Required Actions taken.

B.1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic isolation capability for the associated secondary containment penetration flow path(s) or a complete loss of automatic initiation capability for the SGT System. A Function is considered to be maintaining secondary containment isolation capability when sufficient channels are OPERABLE or in trip, such that at least one of the two SCIVs in the associated penetration flow path(s) and two SGT subsystems can be initiated on an isolation signal from the given Function. For Functions 1 and 2, this would require both PCIS trip systems to have at least one channel of the Function OPERABLE or in trip.

For Functions 3 and 4, this would require each unit to have at least one channel of the Function OPERABLE or in trip.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

continued BFN-UNIT 2 8 3.3-238

Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES ACTIONS C.1.1 C.1.2 C.2.1 and C.2.2 (continued)

If any Required Action and associated Completion Time of Condition A or B are not met, the ability to isolate the secondary containment and start the SGT System cannot be ensured.

Therefore, further actions must be performed to ensure the ability to maintain the secondary containment function.

Isolating the associated zone (closing the ventilation supply and exhaust automatic isolation dampers) and starting the associated SGT subsystem (Required Actions C.1.1 and C.2.1) performs the intended function of the instrumentation and allows operation to continue.

Alternately, declaring the associated SCIVs or SGT subsystem(s) inoperable (Required Actions C.1.2 and C.2.2) is also acceptable since the Required Actions of the respective LCOs (LCO 3.6.4.2 and LCO 3.6.4.3) provide appropriate actions for the inoperable components.

Required Actions C.2.1 and C.2.2 can be performed independently on each SGT subsystem. For example, when all three SGT subsystems are affected, two SGT subsystems can be placed in operation (Required Action C.2.1) while the other SGT subsystem can be declared inoperable (Required Action C.2.2).

One hour is sufficient for plant operations personnel to establish required plant conditions or to declare the associated components inoperable without unnecessarily challenging plant systems.

(continued)

BFN-UNIT 2 B 3.3-239

Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES (continued)

SURVEILLANCE As noted (Note 1) at the beginning of the SRs, the SRs for REQUIREMENTS each Secondary Containment Isolation instrumentation Function are located in the SRs column of Table 3.3.6.2-1.

The Surveillances are modified by a Note (Note 2) to indicate that when a channel. is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months provided the associated Function maintains secondary containment isolation capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 5 and 6) assumption of the average time required to perform channel surveillance.

That analysis demonstrated the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the SCIVs will isolate the associated penetration flow paths and that the SGT System will initiate when necessary.

The Surveillances are modified by a third Note (Note 3) to indicate that for Functions 3 and 4, when a channel is placed in an inoperable status solely for performance of required testing or maintenance, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months for a CHANNEL FUNCTIONALTEST and for up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for a CHANNEL CALIBRATIONor maintenance, provided the downscale trip of the inoperable channel is placed in the tripped condition. Upon completion of the Surveillance or maintenance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months or 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken.

continued BFN-UNIT 2 B 3.3-240

Secondary Containment Isolation Instrumentation

'B 3.3.6.2 BASES SURVEILLANCE SR 3.3.6.2.1 REQUIREMENTS (continued) Performance of the CHANNEL CHECK once every 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated. on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel status during normal operational use of the displays associated with channels required by the LCO.

continued BFN-UNIT 2 B 3.3-241

Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES SURVEILLANCE SR 3.3.6.2.2 REQUIREMENTS (continued) A CHANNEL FUNCTIONALTEST is performed on each required channel to ensure that the entire channel will perform the intended function.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days is based on the reliability analysis of References 5 and 6.

This Surveillance for Functions 3 and 4 shall consist of verifying the High Voltage Power Supply (HVPS) voltage at the sensor and convertors (detectors) is within its design limits. A CHANNEL FUNCTIONALTEST as defined in Section 1.1, "Definitions" shall be performed once per 18 months as part of the CHANNEL CALIBRATIONfor Functions 3 and 4.

SR 3.3.6.2.3 A CHANNEL CALIBRATIONis a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATIONleaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency of SR 3.3.6.2.3 is based on the magnitude of equipment drift in the setpoint analysis.

continued BFN-UNIT 2 B 3.3-242

Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES SURVEILLANCE SR 3.3.6.2.4 REQUIREMENTS (continued) The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITYof the required isolation logic for a specific channel. The system functional testing performed on SCIVs and the SGT System in LCO 3.6.4.2 and LCO 3.6.4.3, respectively, overlaps this Surveillance to provide complete testing of the assumed safety function.

The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown that these components usually pass the Surveillance when performed at the 18 month Frequency. Therefore, the Frequency was found to be acceptable from a reliability standpoint.

REFERENCES 1. FSAR, Chapter 5 and Section 7.3.5.

2. FSAR, Chapter 14.

3. FSAR, Section 14.6.3.5.

4. FSAR, Sections 14.6.3.6 and 14.6.4.5.

5. NEDC-31677P-A, "Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation,"

July 1990.

6. NEDC-30851P-A Supplement 2, "Technical Specifications Improvement Analysis for BWR Isolation Instrumentation Common to RPS and ECCS Instrumentation," March 1989.

7. NRC No. 93-1 02, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

8FN-UNIT 2 B 3.3-243

CREV System Instrumentation B 3.3.7.1 B 3.3 INSTRUMENTATION 8 3.3.7.1 Control Room Emergency Ventilation (CREV) System Instrumentation BASES BACKGROUND The CREV System is designed to provide a radiologically controlled environment to ensure the habitability of the control room for the safety of control room operators under all plant conditions. Two independent CREV subsystems are each capable of fulfillingthe stated safety function. The instrumentation and controls for the CREV System automatically initiate action to pressurize the control room (CR) to minimize the consequences of radioactive material in the control room environment.

In the event of a Reactor Vessel Water Level - Low, Level 3, Drywell Pressure - High, Reactor Zone Exhaust Radiation-High, Refueling Floor Exhaust Radiation - High, or Control Room Air Supply Duct Radiation - High signal, the CREV System is automatically started in the pressurization mode.

The air is then recirculated through the charcoal filter, and sufficient outside air is drawn in through the normal intake to maintain the CR slightly pressurized.

The CREV System instrumentation has two control logic systems, which can initiate their associated CREV subsystem (only the selected subsystem will be initiated) (Ref. 1). Each control logic system receives input from each of the Functions listed above. The Functions are arranged as follows for each control logic system. The Reactor Vessel Water Level - Low, Level 3 and Drywell Pressure - High are each arranged in a one-out-of-two taken twice logic (these signals are the same that isolate the primary containment and additional information t \

BFN-UNIT 2 B 3.3-244 continued

CREV System Instrumentation B 3.3.7.1 BASES BACKGROUND on the arrangement of these channels in the PCIS trip systems (continued) can be found in the Bases for LCO 3.3.6.1, "Primary Containment Isolation Instrumentation," Function 2). The Reactor Zone Exhaust Radiation - High and Refueling Floor Exhaust Radiation - High are each arranged in a one-out-of-two logic (these signals are the same that isolate the secondary containment and additional information on the arrangement of these channels in the divisional trip systems can be found in the Bases for LCO 3.3.6.2, "Secondary Containment Isolation Instrumentation," Functions 3 and 4).

The control Room Air Supply Duct Radiation - High Function contains two radiation monitors (one per trip system).

The output relays from the trip systems are arranged in the control logic systems in a one-out-of-two logic. Some of the channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a CREV System initiation signal to the initiation logic.

APPLICABLE The ability of the CREV System to maintain the habitability of SAFETY ANALYSES, the CR is explicitly assumed for certain accidents as discussed LCO, and in the FSAR safety analyses (Ref. 2). CREV System operation APPLICABILITY ensures that the radiation exposure of control room personnel, through the duration of any one of the postulated accidents, does not exceed the limits set by GDC 19 of 10 CFR 50, Appendix A.

CREV System instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 5).

continued BFN-UNIT 2 B 3.3-245

CREV System Instrumentation 6 3.3.7.1 BASES APPLICABLE The OPERABILITYof the CREV System instrumentation is SAFETYANALYSES, dependent upon the OPERABILITYof the individual LCO, and instrumentation channel Functions specified in Table 3.3.7.1-1.

APPLICABILITY Each Function must have a required number of OPERABLE (continued) channels, with their setpoints within the specified Allowable Values, where appropriate. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The setpoint is calibrated consistent with applicable setpoint methodology assumptions (nominal trip setpoint).

Allowable Values are specified for each CREV System Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and the measured output value of the process parameter 'hen exceeds the setpoint, the associated device (e.g., trip relay) changes state.

The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

continued BFN-UNIT 2 B 3.3-246

CREV System Instrumentation B 3.3.7.1 BASES APPLICABLE The specific Applicable Safety Analyses, LCO, and Applicability SAFETY ANALYSES, discussions are listed below on a Function by Function basis.

LCO, and

.APPLICABILITY 1. Reactor Vessel Water Level - Low Level 3 (LIS-3-203A-D)

(continued)

Low reactor pressure vessel (RPV) water level indicates that the capability of cooling the fuel may be threatened. A low reactor vessel water level could indicate a LOCA and will automatically initiate the CREV System, since this could be a precursor to a potential radiation release and subsequent radiation exposure to control room personnel.

Reactor Vessel Water Level - Low, Level 3 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low, Level 3 Function are available (two channels per trip system) and are required to be OPERABLE to ensure that a single instrument failure cannot preclude CREV System initiation. The Reactor Vessel Water Level - Low, Level 3 allowable value was chosen to be the same as the RPS Level 3 scram allowable value (LCO 3.3.1.1).

The Reactor Vessel Water Level - Low, Level 3 Function is required to be OPERABLE in MODES 1, 2, and 3, and during operations, with a potential for draining the reactor vessel (OPDRVs) to ensure that the control room personnel are protected during a LOCA. In MODES 4 and 5 at times other than OPDRVs, the probability of a vessel draindown event resulting in a release of radioactive material into the environment is minimal. In addition, adequate protection is performed by the Control Room Air Supply Duct Radiation-High Function. Therefore, this Function is not required in other MODES and specified conditions.

continued BFN-UNIT 2 B 3.3-247

CREV System Instrumentation 8 3.3.7.1 BASES APPLICABLE 2. D ell Pressure- Hi h (PIS-64-56A-D)

SAFETYANALYSES, LCO, and High pressure in the drywell could indicate a break in the APPLICABILITY reactor coolant pressure boundary. A high drywell pressure (continued) signal could indicate a LOCA and will automatically initiate the CREV System, since this could be a precursor to a potential radiation release and subsequent radiation exposure to control room personnel.

Drywell Pressure - High signals are initiated from four pressure transmitters that sense drywell pressure. Four channels of Drywell Pressure - High Function are available (two channels per trip system) and are required to be OPERABLE to ensure that no single instrument failure can preclude CREV System initiation. The Drywell Pressure - High Allowable Value was chosen to be the same as the ECCS Drywell Pressure - High Allowable Value (LCO 3.3.5.1).

The Drywell Pressure - High Function is required to be OPERABLE in MODES 1, 2, and 3 to ensure that control room personnel are protected in the event of a LOCA. In MODES 4 and 5, the Drywell Pressure - High Function is not required since there is insufficient energy in the reactor to pressurize the drywell to the Drywell Pressure - High setpoint.

continued BFN-UNIT 2 B 3.3-248

CREV System Instrumentation B 3.3.7.1 BASES APPLICABLE 3. 4. Reactor Zone and Refuelin Floor Exhaust SAFETYANALYSES, ~R0i 11 -111 0 ( ~ 4990-140, 141, 142, 1432 LCO, and APPLICABILITY High secondary containment exhaust radiation is an indication, (continued) of possible gross failure of the fuel cladding. The release may have originated from the primary containment due to a break in the RCPB. Additionally, high radiation in the refueling floor exhaust could be the result of a fuel handling accident. A reactor zone or refueling floor exhaust high radiation signal will automatically initiate the CREV System, since this radiation release could result in radiation exposure to control room personnel.

The reactor zone and refueling floor exhaust radiation monitors provide two independent channels for each ventilation exhaust path coming from the reactor zones and the refueling zone.

There are two radiation monitors (each monitor provides one channel of each Function) and two divisional trip systems for each unit (Units 1, 2, and 3). Six channels of each function are available (two channels of each Function from each unit) and are required to be OPERABLE to ensure that no single instrument failure can preclude CREV System initiation. The Allowable Value was selected to ensure that the Function will promptly detect high activity that could threaten exposure to control room personnel.

The Reactor Zone and Refueling Floor Exhaust Radiation-High Functions are required to be OPERABLE in MODES 1, 2, and 3 and during movement of irradiated fuel assemblies in the secondary containment, CORE ALTERATIONS, and operations with a potential for draining the reactor vessel (OPDRVs), to ensure that control room personnel are protected during a LOCA, fuel handling event, or vessel draindown event. During MODES 4 and 5; when these specified conditions are not in progress (e.g., CORE ALTERATIONS), the probability of a LOCA or fuel damage is low; thus, the Function is not required.

continued BFN-UNIT 2 B 3.3-249

CREV System Instrumentation B 3.3.7.1 BASES APPLICABLE 5. Control Room Air Su I Duct Radiation - Hi h SAFETYANALYSES, (RM-90-259A and B)

LCO, and APPLICABILITY The control room air supply duct radiation monitors measure (continued) radiation levels exterior to the inlet ducting of the CR. A high radiation level may pose a threat to CR personnel; thus, the CREV System is automatically initiated on a control room air supply duct high radiation signal.

The Control Room Air Supply Duct Radiation - High Function consists of two independent monitors. Two channels of Control Room Air Supply Duct Radiation - High are available and are required to be OPERABLE to ensure that no single instrument failure can preclude CREV System initiation. The Allowable Value was selected to ensure protection of the control room personnel.

The Control Room Air Supply Duct Radiation - High Function is required to be OPERABLE in MODES 1, 2, and 3 and during CORE ALTERATIONS, OPDRVs, and movement of irradiated fuel assemblies in the secondary containment, to ensure that control room personnel are protected during a LOCA, fuel handling event, or vessel draindown event. During MODES 4 and 5, when these specified conditions are not in progress (e.g., CORE ALTERATIONS), the probability of a LOCA or fuel damage is low; thus, the Function is not required.

(continued)

BFN-UNIT 2 B 3.3-250

CREV System Instrumentation B 3.3.7.1 BASES (continued)

ACTIONS A Note has been provided to modify the ACTIONS related to CREV System instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not witflin limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable CREV System instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable CREV System instrumentation channel.

A.1 Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.7.1-1. The applicable Condition specified in the Table is Function dependent. Each time a channel is discovered inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.

continued BFN-UNIT 2 B 3.3-251

CREV System Instrumentation 8 3.3.7.1 BASES ACTIONS 8.1 and 8.2 (continued)

Because of the diversity of sensors available to provide initiation signals and the redundancy of the CREV System design, an allowable out of service time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months has been shown to be acceptable (Refs. 3 and 4) to permit restoration of any inoperable channel to OPERABLE status. However, this out of service time is only acceptable provided the associated Function is still maintaining CREV System initiation capability.

A Function is considered to be maintaining CREV System initiation capability when sufficient channels are OPERABLE or in trip such that an initiation signal from the given Function will be generated on a valid signal. For Functions 1 and 2, this would require both PCIS trip systems to have at least one channel of the Function OPERABLE or in trip. In this situation (loss of CREV System initiation capability), the 1g hour allowance of Required Action 8.2 is not appropriate. If the Function is not maintaining CREV System initiation capability, the CREV System must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of discovery of the loss of CREV System initiation capability.

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time (8.1) is acceptable because it minimizes risk while allowing time for restoring or tripping of channels.

If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action 8.2.

Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

Alternately, if it is not desired to place the channel in trip (e.g.,

as in the case where placing the inoperable channel in trip would result in an initiation), Condition E must be entered and its Required Action taken.

continued BFN-UNIT 2 8 3.3-252

CREV System Instrumentation B 3.3.7.1 BASES ACTIONS C.1 and C.2 (continued)

Because of the diversity of sensors available to provide initiation signals and the redundancy of the CREV System design, an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is provided to permit restoration. of any inoperable channel to OPERABLE status. However, this out of service time is only acceptable provided the associated Function is still maintaining CREV System initiation capability. A Function is considered to be maintaining CREV System initiation capability when sufficient channels are OPERABLE or in trip such that an initiation signal from the given Function will be generated on a valid signal. For Functions 3 and 4, this would require each unit to have at least one channel of the Function OPERABLE or in trip. In this situation (loss of CREV System initiation capability), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Action C.2 is not appropriate. If the Function is not maintaining CREV System initiation capability, the CREV System must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of discovery of the loss of CREV System initiation capability.

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time (C.1) is acceptable because it minimizes risk while allowing time for restoring or tripping of channels.

If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action C.2.

Placing the inoperable channel in trip performs the intended function of the channel (starts the selected CREV subsystem in the pressurization mode). Alternately, if it is not desired to place the channel in trip (e.g., as in the case where it is not desired to start the subsystem), Condition E must be entered and its Required Action taken.

continued BFN-UNIT 2 B 3.3-253

CREV System Instrumentation B 3.3.7.1 BASES ACTIONS D.1 D.2 and D.3 (continued)

Because of the diversity of sensors available to provide initiation signals and the redundancy of the CREV System design, Required Action D.1 allows continued operation with an inoperable channel provided repair is initiated in a timely manner and the remaining OPERABLE channel is functionally tested once per 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . With two channels of the Control Room Air Supply Duct Radiation - High function inoperable (Required Actions D.2 and D.3), an allowed outage time of 30 days is provided to restore at least one channel to OPERABLE status provided that the alternate monitoring capability is verified functional once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The alternate monitoring capability is provided by the control room particulate monitor (RM-90-53) and radiation monitor (RM-90-8). These monitors alarm in the control room on high activity. Upon receipt of these alarms, the operator is required to manually isolate the control room and manually initiate the emergency pressurization system. The 30 day allowed outage time is based on verifying functional capability of these two monitors and the administrative controls that require operator action to manually initiate a CREV subsystem.

E.1 and E.2 With any Required Action and associated Completion Time not met, the associated CREV subsystem(s) must be placed in the pressurization mode of operation per Required Action E.1 to ensure that control room personnel will be protected in the event of a Design Basis Accident. When both CREV subsystems are affected, Required Action E.1 can be met with continued BFN-UNIT 2 B 3.3-254

CREV System Instrumentation 8 3.3.7.1 BASES ACTIONS E.1 and E.2 (continued) only one CREV subsystem operating provided the redundant CREV subsystem is placed in a condition such that it will automatically initiate upon loss of the operating CREV subsystem. The method used to place the CREV subsystem(s) in operation must provide for automatically re-initiating the subsystem(s) upon restoration of power following a loss of power to the CREV subsystem(s). Alternately, if it is not desired to start the subsystem(s), the CREV subsystem(s) associated with inoperable, untripped channels must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months (Required Action E.2).

Required Actions E.1 and E.2 can be performed independently on each CREV subsystem. That is one CREV subsystem can be placed in operation (Required Action E.1) while the other CREV subsystem can be declared inoperable (Required Action E.2).

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is intended to allow the operator time to place the CREV subsystem(s) in operation. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels, for placing the associated CREV subsystem(s) in operation, or for entering the applicable Conditions and Required Actions for the inoperable CREV subsystem(s). tl (continued)

BFN-UNIT 2 B 3.3-255

CREV System Instrumentation

~

B 3.3.7.1 BASES (continued)

SURVEILLANCE As noted (Note 1) at the beginning of the SRs, the SRs for REQUIREMENTS each CREV System instrumentation Function are located in the SRs column of Table 3.3.7.1-1.

The Surveillances are modified by a Note (Note 2) to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , provided the associated Function maintains CREV System initiation capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 3 and 4) assumption of the average time required to perform channel surveillance.

That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the CREV System will initiate when necessary.

The Surveillances are modified by a third Note (Note 3) to indicate that for Functions 3 and 4, when a channel is placed in an inoperable status solely for performance of a CHANNEL CALIBRATIONor maintenance, entry into associated Conditions and Required Actions may be delayed for up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months provided the downscale trip of the inoperable channel is placed in the tripped condition. Upon completion of the Surveillance or maintenance, or expiration of the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken.

continued BFN-UNIT 2 B 3.3-256

CREV System Instrumentation B 3.3.7.1 BASES SURVEILLANCE SR 3.3.7.1.1 REQUIREMENTS (continued) Performance of the CHANNEL CHECK once every 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel status during normal operational use of the displays associated with channels required by the LCO.

SR 3.3.7.1.2 A CHANNEL FUNCTIONALTEST is performed on each required channel to ensure that the entire channel will perform the intended function.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

continued BFN-UNIT 2 B 3.3-257

CREV System Instrumentation B 3.3.7.1 BASES SURVEILLANCE SR 3.3.7.1.2 (continued)

REQUIREMENTS The Frequency of 92 days is based on the reliability analyses of References 3 and 4.

This Surveillance for. Functions 3 and 4 shall consist of verifying the High Voltage Power Supply (HVPS) voltage at the Sensor and Convertors (detectors) is within its design limits. A CHANNEL FUNCTIONALTEST as defined in Section 1.1, "Definitions" shall be performed once per 18 months as part of the CHANNEL CALIBRATIONfor Functions 3 and 4.

SR 3.3.7.1.3 and SR 3.3.7.1.5 A CHANNEL CALIBRATIONis a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATIONleaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequencies are based upon the magnitude of equipment drift in the setpoint analysis.

continued BFN-UNIT 2 B 3.3-258

CREV System Instrumentation B 3.3.7.1 BASES SURVEILLANCE SR 3.3.7.1 4 and SR 3.3.7.1.6 REQUIREMENTS (continued) The LOGIC SYSTEM FUNCTIONALTEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.7.3, "Control Room Emergency Ventilation (CREV) System,"

overlaps this Surveillance to provide complete testing of the assumed safety function.

The 184 day Frequency for Function 5 is based on equipment capability. The 18 month Frequency for Functions 1, 2, 3, and 4 is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components usually pass the Surveillance when performed at their designated Frequencies.

REFERENCES 1. FSAR, Section 10.12.5.3.

2. FSAR, Section 14.6.3.7.

3. GENE-770-06-1, "Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991.

4. NEDC-31677P-A, "Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation,"

July 1990.

5. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

BFN-UNIT 2 B 3.3-259

LOP Instrumentation B 3.3.8.1 B 3.3 INSTRUMENTATION B 3.3.8.1 Loss of Power (LOP) Instrumentation BASES BACKGROUND Successful operation of the required safety functions of the Emergency Core Cooling Systems (ECCS) is dependent upon the availability of adequate power sources for energizing the various components such as pump motors, motor operated valves, and the associated control components. The LOP instrumentation monitors the 4.16 kV shutdown boards. Offsite power is the preferred source of power for the 4.16 kV shutdown boards. If the monitors determine that insufficient power is available, the boards are disconnected from the offsite power sources and connected to the onsite diesel generator (DG) power sources.

Each 4.16 kV shutdown board has its own independent LOP instrumentation and associated trip logic. The voltage for each board is monitored at two levels, which can be considered as two different undervoltage Functions: Loss of Voltage and 4.16 kV Shutdown Board Undervoltage Degraded Voltage.

Each Function causes various board transfers and disconnects.

The Degraded Voltage Function is monitored by three undervoltage relay channels for each shutdown board, whose outputs are arranged in a two-out-of-three logic configuration (Ref. 1). The channels compare measured input signals with pre-established setpoints. When the setpoint is exceeded for two-of-three degraded voltage channels, the logic energizes timers which provides a LOP trip signal to the shutdown board logic.

continued BFN-UNIT 2 B 3.3-260

LOP Instrumentation B 3.3.8.1 BASES BACKGROUND The Loss of Voltage Function is monitored by two undervoltage (continued) relay pairs for each shutdown board, where outputs are arranged in a two-out-of-two logic configuration (Ref. 1). The channels include four electro-mechanical relays, two of which must deenergize to start the associated diesel generator and another two which must deenergize to initiate load shed of the associated 4.16 kV shutdown board.

APPLICABLE The LOP instrumentation is required for Engineered Safety SAFETY ANALYSES, Features to function in any accident with a loss of offsite LCO, and power. The required channels of LOP instrumentation ensure APPLICABILITY that the ECCS and other assumed systems powered from the DGs, provide plant protection in the event of any of the Reference 2, 3, and 4 analyzed accidents in which a loss of offsite power is assumed. The initiation of the DGs on loss of offsite power, and subsequent initiation of the ECCS, ensure that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Accident analyses credit the loading of the DG based on the loss of offsite power concurrent with a loss of coolant accident.

The diesel starting and loading times have been included in the delay time associated with each safety system component requiring DG supplied power following a loss of offsite power.

The LOP instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 5).

continued BFN-UNIT 2 B 3.3-261

LOP Instrumentation B 3.3.8.1 BASES APPLICABLE The OPERABILITYof the LOP instrumentation is dependent SAFETYANALYSES, upon the OPERABILITYof the individual instrumentation LCO, and channel Functions specified in Table 3.3.8.1-1. Each Function APPLICABILITY must have a required number of OPERABLE channels per (continued) 4.16 kV shutdown board, with their setpoints within the specified Allowable Values. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

The Allowable Values are specified for each Function in the Table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within the Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., degraded voltage), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip relay) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for unit channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

continued BFN-UNIT 2 B 3.3-262

LOP Instrumentation B 3.3.8.1 BASES APPLICABLE The specific Applicable Safety Analyses, LCO, and Applicability SAFETY ANALYSES, discussions are listed below on a Function by Function basis.

LCO, and The channel devices for each shutdown board are listed in APPLICABILITY Table B 3.3.8.1-1.

(continued)

1. 4.16 kV Shutdown Board Undervolta e Loss of.Volta e Loss of voltage on a 4.16 kV shutdown board indicates that offsite power may be completely lost to the respective shutdown board and is unable to supply sufficient power for proper operation of the applicable equipment. Therefore, the power supply to the board is transferred from offsite power to DG power upon total loss of shutdown board voltage for 1.5 seconds. The transfer will not occur if the voltage recovers to the specified Allowable Value for Reset Voltage within 1.5 seconds. This ensures that adequate power will be available to the required equipment.

The Time Delay Allowable Values are long enough to provide time for the offsite power supply to recover to normal voltages, but short enough to ensure that power is available to the required equipment.

Two channels of 4.16 kV Shutdown Board Undervoltage (Loss of Voltage) Function per associated shutdown board are required to be OPERABLE when the associated DG is required to be OPERABLE to ensure that no single instrument failure can preclude the DG function. Refer to LCO 3.8.1, "AC Sources - Operating," and 3.8.2, "AC Sources - Shutdown," for Applicability Bases for the DGs.

continued BFN-UNIT 2 B 3.3-263

LOP Instrumentation B 3.3.8.1 BASES APPLICABLE 2. 4.16kVShutdown Board Undervolta e De raded Volta e SAFETYANALYSES, LCO, and A reduced voltage condition on a.4.16 kV shutdown board APPLICABILITY indicates that, while offsite power may not be completely lost (continued) to the respective shutdown board, available power maybe insufficient for starting large ECCS motors without risking damage to the motors that could disable the ECCS function.

Therefore, power supply to the board is transferred from offsite power to onsite DG power when the voltage on the board drops below the Degraded Voltage Function Allowable Values

'(degraded voltage with a time delay). This ensures that adequate power will be available to the required equipment.

The Board Undervoltage Allowable Values are low enough to prevent inadvertent power supply transfer, but high enough to ensure that sufficient power is available to the required equipment. The Time Delay Allowable Values are long enough to provide time for the offsite power supply to recover to normal voltages, but short enough to ensure that sufficient power is available to the required equipment.

Three channels of 4.16 kV Shutdown Board Undervoltage (Degraded Voltage) Function per associated board are required to be OPERABLE when the associated DG is required to be OPERABLE to ensure that no single instrument failure can preclude the DG function. Refer to LCO 3.8.1 and LCO 3.8.2 for Applicability Bases for the DGs.

(continued)

BFN-UNIT 2 B 3.3-264

LOP Instrumentation B 3.3.8.1 BASES (continued)

ACTIONS A Note has been provided to modify the ACTIONS related to LOP instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable LOP instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable LOP instrumentation channel.

A.1 and A.2 With one of the degraded voltage relay channels inoperable on one or more shutdown boards and with the loss of voltage relay channels on the affected shutdown board(s) OPERABLE, Required Action A.2 provides a 15 day allowable out of service time to restore the relay channel to OPERABLE status provided the other two degraded voltage relay channels and associated timers are OPERABLE. Immediate verification of the OPERABILITYof the other degraded voltage relay channels and associated timers is therefore required (Required Action A.1). This may be performed as an administrative check by examining logs or other information to determine if this equipment is out of service for maintenance or other reasons. It does not mean to perform the Surveillances needed to demonstrate OPERABILITYof this equipment. If the OPERABILITYof this equipment cannot be verified, however, continued BFN-UNIT 2 B 3.3-265

0 LOP Instrumentation

~

B 3.3.8.1 BASES ACTIONS A.1 and A.2 (continued)

Condition C or D, as applicable, must be entered immediately.

The 15 day allowable out of service time is justified based on the two-out-of-three permissive logic scheme provided for these relays. If the inoperable relay channel cannot be restored to OPERABLE status within the allowable out of service time, the degraded voltage relay channel must be placed in the tripped condition per Required Action A.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure (within the LOP instrumentation), and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the channel in trip would result in a DG initiation), Condition E must be entered and its Required Action taken.

B.1 With two or more degraded voltage relay channels or one or more associated timers inoperable on one or more shutdown boards, the Function is not capable of performing the intended function. Required Action B.1 provides a 10 day allowable out of service time provided the loss of voltage relay channels on the affected shutdown board(s) are OPERABLE.

The 10 day allowable out of service time is justified since the loss of voltage relay channels on the same shutdown board are independent of the degraded voltage relay channel(s) and will continue to function and start the diesel generators on a complete loss of voltage. If the inoperable channel(s) cannot

'ontinued BFN-UNIT 2 B 3.3-266

LOP Instrumentation B 3.3.8.1 BASES ACTIONS B.1 (continued) be restored to OPERABLE status within the allowable out of service time, the channel(s) must be placed in the tripped condition per Required Action B.1. Placing the inoperable channel(s) in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure (within the LOP instrumentation), and allow operation to continue. Alternately, if it is not desired to place the channel(s) in trip (e.g., as in the case where placing the channel(s) in trip would result in a DG initiation), Condition E must be entered and its Required Action taken.

C.1 With one or more loss of voltage relay channels in'operable on one or more shutdown boards, the Function is not capable of performing the intended function. Required Action C.1 provides a 10 day allowable out of service time provided two or more degraded voltage relay channels and associated timers on the affected shutdown board(s) are OPERABLE. The 10 day allowable out of service time is justified since the degraded voltage relay channels on the same shutdown board are independent of the loss of voltage relay channels and will continue to function and start the diesel generators on a complete loss of voltage. If the inoperable channels cannot be restored to OPERABLE status within the allowable out of service time, the channel(s) must be placed in the tripped condition per Required Action C.1. Placing the inoperable channel(s) in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure (within the LOP instrumentation), and allow operation to continue. Alternately, if it is not desired to place the channel(s) in trip (e.g., as in the case where placing the channel(s) in trip would result in a DG initiation), Condition E must be entered and its Required Action taken.

continued BFN-UNIT 2 B 3.3-267

0 LOP Instrumentation B 3.3.8.1 BASES ACTIONS D.1 and D.2 (continued)

With two or more degraded voltage relay channels or one or more associated timers and the loss of voltage relay channel(s) inoperable on the same shutdown board, the associated diesel generator will not automatically start upon degraded voltage or complete loss of voltage on that shutdown board. In this situation, Required Action D.2 provides a 5 day allowable out of service time provided the other shutdown boards and undervoltage relay channels are OPERABLE. Immediate verification of the OPERABILITYof the other shutdown boards and undervoltage relay channels is therefore required (Required Action D.1). This may be performed as an administrative check by examining logs or other information to determine if this equipment is out of service for maintenance or other reasons. It does not mean to perform the Surveillances needed to demonstrate OPERABILITY of this equipment. If the OPERABILITYof this equipment cannot be verified, however, Condition E must be entered immediately. The 5 day allowable out of service time is justified based on the remaining redundancy of the 4.16 kV Shutdown Boards. The 4.16 kV Shutdown Boards have a similar allowable out of service time.

If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.

Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure (within the LOP instrumentation),

and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the channel in trip would result in a DG initiation), Condition E must be entered and its Required Action taken.

continued BFN-UNIT 2 B 3.3-268

LOP Instrumentation B 3.3.8.1 BASES ACTIONS E.1 (continued)

If any Required Action and associated Completion Time are not met, the associated Function is not capable of performing the intended function. Therefore, the associated DG(s) is declared inoperable immediately. This requires entry into applicable Conditions and Required Actions of LCO 3.8.1 and LCO 3.8.2, which provide appropriate actions for the inoperable DG(s).

SURVEILLANCE As noted (Note 1) at the beginning of the SRs, the SRs for REQUIREMENTS each LOP instrumentation Function are located in the SRs column of Table 3.3.8.1-1.

SR 3.3.8.1.1 and SR 3.3.8.1.2 A CHANNEL CALIBRATIONis a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATIONleaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency is based upon the calibration interval assumed in the determination of the magnitude of equipment drift in the setpoint analysis.

continued BFN-UNIT 2 B 3.3-269

LOP Instrumentation B 3.3.8.1 BASES SURVEILLANCE SR 3.3.8.1.3 REQUIREMENTS (continued) The LOGIC SYSTEM FUNCTIONALTEST demonstrates the OPERABILITYof the required actuation logic for a specific channel. The system functional testing performed in LCO 3.8.1 and LCO 3.8.2 overlaps this Surveillance to provide complete testing of the assumed safety functions.

The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown these components usually pass the Surveillance when performed at the 18 month Frequency.

REFERENCES 1. FSAR, Figure 8.4-4.

2. FSAR, Section 6.5.

3. FSAR, Section 8.5.4.

4. FSAR, Chapter 14.

5. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

BFN-UNIT 2 B 3.3-270

LOP Instrumentation

~

B 3.3.8.1 Table B 3.3.8.1-1 (Page 1 of 2)

Loss of Power Instrumentation Channel Device Identification BOARD AND FUNCTIONS CHANNEL DEVICES UNIDs 4.16 kV Shutdown Board A (Loss of Voltage) 1.a Board Undervoltage - Board Load Shedding 27SA 8A and 27SA 8C (27-211~A/12E & /12F) 1.b Board Undervoltage - Diesel Start Time Delay 27OA 8A and 27DA 8C (27-211~A/12A & /1 2B)

(Degraded Voltage) 2.a Board Undervoltage 27-21 1-1 A, 27-211-1 B, and 27-211-1 C (27-211~A/23A, /23B, & /23C) 2.b.1 Initial Diesel Start and Load Shedding Time Delay 2-21 1-1A (02-2114001A) 2.b.2 Diesel Start Time Delay 2-211-2A (02-2114002A) 2.b.3 Board Load Shedding Time Delay 2-211-3A (02-2114003A) 2.b.4 Diesel Generator Breaker Closure Time Delay 2-211-4A (02-2114004A) 4.16 kV Shutdown Board B (Loss of Voltage) 1.a Board Undervoltage - Board Load Shedding 27SB 8A and 27SB 8C (27-211-000B/12E & /12F) 1.b Board Undervoltage - Diesel Start Time Delay 27DB 8A and 27DB 8C (27-21 WXKB/12A& /12B)

(Degraded Voltage) 2.a Board Undervoltage 27-211-2A, 27-21 1-2B, and 27-211-2C (27-21 1-000B/21A, /21 B, /21 C)

? b.1 Initial Diesel Start and Load Shedding Time Delay 2-211-1 B (02-2114001 B) 2.b.2 Diesel Start Time Delay 2-21 1-2B (02-2114002B) 2.b.3 Board Load Shedding Time Delay 2-211-3B (02-21 14003B) 2.b.4 Diesel Generator Breaker Closure Time Delay 2-21144B (02-2114004B) 4.16 kV Shutdown Board C (Loss of Voltage) 1.a Board Under voltage - Board Load Shedding 27SC 8A and 27SC 8C (27-211~/11E & /11F) 1.b Board Undervoltage - Diesel Start Time Delay 27DC 8A and 27DC 8C (27-211~C/11A & /1 1B)

(Degraded Voltage) 2.a Board Undervoltage 27-211-3A, 27-211-3B, and 27-2114C (27-21 1~C/25A, /25B, /25C) 2.b.1 Initial Diesel Start and Load Shedding Time Delay 2-211-1 C (02-2114001 C) 2.b.2 Diesel Start Time Delay 2-211-2C (02-21 14002C) 2.b.3 Board Load Shedding Time Delay 2-211 SC (02-2114003C) 2.b.4 Diesel Generator Breaker Closure Time Delay 2-211-4C (02-21 14004C)

BFN-UNIT 2 B 3.3-271

LOP Instrumentation B 3.3.8.1 Table B 3.3.8.1-1 (Page 2 of 2)

Loss of Power Instrumentation Channel Device Identification BOARD AND FUNCTIONS CHANNEL DEVICES UNIDs 4.16 kV Shutdown Board D (Loss of Voltage) 1.a Board Undervoltage - Board Load Shedding 27SD SA and 27SD 8C (27-211~D/11E & /11F) 1.b Board Undervoltage - Diesel Start Time Delay 27DD 8A and 27DD 8C (27-211~D/11A & /11B)

(Degraded Voltage) 2.a Board Undervoltage 27-211', 27-211-4B, and 27-211-4C (27-211~D/21 A, /21 B, /21C) 2.b.1 Initial Diesel Start and Load Shedding Time Delay 2-211-1 D (02-21 14001D) 2.b.2 Diesel Start Time Delay 2-21 1-2D (02-21 14002D) 2.b.3 Board Load Shedding Time Delay 2-21 1-3D (02-21 14XGD) 2.b.4 Diesel Generator Breaker Closure Time Delay 2-211-4D (02-21 14004D)

BFN-UNIT 2 B 3.3-272

RPS Electric Power Monitoring B 3.3.8.2 B 3.3 INSTRUMENTATION B 3.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring BASES BACKGROUND RPS Electric Power Monitoring System is provided to isolate the RPS bus from the motor generator (MG) set or an alternate power supply in the event of overvoltage, undervoltage, or underfrequency. This system protects the loads connected to the RPS bus against unacceptable voltage and frequency conditions (Ref. 1) and forms an important part of the primary success path of the essential safety circuits. Some of the essential equipment powered from the RPS buses includes the RPS logic and scram solenoids.

RPS electric power monitoring assembly will detect any abnormal high or low voltage or low frequency condition in the outputs of the two MG sets or the alternate power supply and will de-energize its respective RPS bus, thereby causing all safety functions normally powered by this bus to de-energize.

In the event of failure of an RPS Electric Power Monitoring System (e.g., both in series electric power monitoring assemblies), the RPS loads may experience significant effects from the unmonitored power supply. Deviation from the nominal conditions can potentially cause damage to the scram solenoids and other Class 1E devices.

In the event of a low voltage condition for an extended period of time, the scram solenoids can chatter and potentially lose their pneumatic control capability, resulting in a loss of primary scram action.

continued BFN-UNIT 2 B 3.3-273

RPS Electric Power Monitoring 8 3.3.8.2 BASES BACKGROUND In the event of an overvoltage condition, the RPS logic relays

, (continued) and scram solenoids may experience a voltage higher than their design voltage. If the overvoltage condition persists for an extended time period, it may cause equipment degradation and the loss of plant safety function.

Two redundant Class 1E contactors are connected in series between each RPS bus and its MG set, and between each RPS bus and its alternate power supply. Each of these contactors has an associated independent set of Class 1E overvoltage, undewoltage, and underfrequency sensing logic. Together, a contactor and its sensing logic constitute an electric power monitoring assembly. If the output of the MG set exceeds predetermined limits of overvoltage, undervoltage, or underfrequency, for ) 4 seconds, a trip relay driven by this logic circuitry opens the contactor, which removes the associated power supply from service. The timer is common to the three trip relays.

APPLICABLE The RPS electric power monitoring is necessary to meet the SAFETY ANALYSES assumptions of the safety analyses by ensuring that the equipment powered from the RPS buses can perform its intended function. RPS electric power monitoring provides protection to the RPS and other systems that receive power from the RPS buses, by acting to disconnect the RPS from the power supply under specified conditions that could damage the RPS bus powered equipment.

RPS electric power monitoring satisfies Criterion 3 of the NRC Policy Statement (Ref. 2).

(continued)

BFN-UNIT 2 B 3.3-274

RPS Electric Power Monitoring B 3.3.8.2 BASES (continued)

LCO The OPERABILITYof each RPS electric power monitoring assembly is dependent on the OPERABILITYof the overvoltage, undervoltage, and underfrequency logic, as well as the OPERABILITYof the associated contactor. Two electric power monitoring assemblies are required to be OPERABLE for each inservice power supply. This provides redundant protection against any abnormal voltage or frequency conditions to ensure that no single RPS electric power monitoring assembly failure can preclude the function of RPS bus powered components. Each inservice electric power monitoring assembly's trip logic setpoints are required to be within the specified Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint procedures (nominal trip setpoint).

Allowable Values are specified for each RPS electric power monitoring assembly trip logic (refer to SR 3.3.8.2.2). Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected based on engineering judgment and operational experience to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.

Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., overvoltage), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip relay) changes state.

continued BFN-UNIT 2 B 3.3-275

0 RPS Electric Power Monitoring B 3.3.8.2 BASES LCO The Allowable Values for the instrument settings are based on (continued) the RPS continuously providing a 56 Hz, 120 V a 10% (to all equipment), and 115 V a 10 V (to scram and MSIV solenoids).

The most limiting voltage requirement and associated line losses determine the settings of the electric power monitoring instrument channels. The settings are calculated based on the loads on the buses and RPS MG set or alternate power supply being 120 VAC and 60 Hz.

APPLICABILITY The operation of the RPS electric power monitoring assemblies is essential to disconnect the RPS bus powered components from the MG set or alternate power supply during abnormal voltage or frequency conditions. Since the degradation of a nonclass 1E source supplying power to the RPS bus can occur as a result of any random single failure, the OPERABILITYof the RPS electric power monitoring assemblies is required when the RPS bus powered components are required to be OPERABLE. This results in the RPS Electric Power Monitoring System OPERABILITYbeing required in MODES 1, 2, and 3; and in MODES 4 and 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies (a control rod withdrawn in MODE 4 is only allowed by Special Operations LCO 3.10.4, "Single Control Rod Withdrawal - Cold Shutdown" ).

(continued)

BFN-UNIT 2 8 3.3-276

RPS Electric Power Monitoring B 3.3.8.2 BASES (continued)

ACTIONS A.1 If one RPS electric power monitoring assembly for an inservice power supply (MG set or alternate) is inoperable, or one RPS electric power monitoring assembly on each inservice power supply is inoperable, the OPERABLE assembly will still provide protection to the RPS bus powered components under degraded voltage or frequency conditions. However, the reliability and redundancy of the RPS Electric Power Monitoring System is reduced, and only a limited time (72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months ) is allowed to restore the inoperable assembly to OPERABLE status. If the inoperable assembly cannot be restored to OPERABLE status, the associated power supply(s) must be removed from service (Required Action A.1). This places the RPS bus in a safe condition. An alternate power supply with OPERABLE power monitoring assemblies may then be used to power the RPS bus.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time takes into account the remaining OPERABLE electric power monitoring assembly and the low probability of an event requiring RPS electric power monitoring protection occurring during this period. It allows time for plant operations personnel to take corrective actions or to place the plant in the required condition in an orderly manner and without challenging plant systems.

Alternately, if it is not desired to remove the power supply from service (e.g., as in the case where removing the power supply(s) from service would result in a scram or isolation),

Condition C or D, as applicable, must be entered and its Required Actions taken.

continued BFN-UNIT 2 B 3.3-277

RPS Electric Power Monitoring B 3.3.8.2 BASES ACTIONS (continued) lf both power monitoring assemblies for an inservice power supply (MG set or alternate) are inoperable or both power monitoring assemblies in each inservice power supply are inoperable, the system protective function is lost. In this condition, 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is allowed to restore one assembly to OPERABLE status for each inservice power supply. If one inoperable assembly for each inservice power supply cannot be restored to OPERABLE status, the associated power supply(s) must be removed from service within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months (Required Action B.1). An alternate power supply with OPERABLE assemblies may then be used to power one RPS bus. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is sufficient for the plant operations personnel to take corrective actions and is acceptable because it minimizes risk while allowing time for restoration or removal from service of the electric power monitoring assemblies.

Alternately, if it is not desired to remove the power supply(s) from service (e.g., as in the case where removing the power supply(s) from service would result in a scram or isolation),

Condition C or D, as applicable, must be entered and its Required Actions taken.

continued BFN-UNIT 2 B 3..3-278

RPS Electric Power Monitoring B 3.3.8.2 BASES ACTIONS C.1 and C.2 (continued)

If any Required Action'and associated Completion Time of Condition A or B are not met in MODE 1, 2, or 3, a plant shutdown must be performed. This places the plant in a condition where minimal equipment, powered through the inoperable RPS electric power monitoring assembly(s), is required and ensures that the safety function of the RPS (e.g.,

scram of control rods) is not required. The plant shutdown is accomplished by placing the plant in MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

D.1 If any Required Action and associated Completion Time of Condition A or B are not met in MODE 4 or 5, with any control rod withdrawn from a core cell containing one or more fuel assemblies, the operator must immediately initiate action to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Required Action D.1 results in the least reactive condition for the reactor core and ensures that the safety function of the RPS (e.g., scram of control rods) is not required.

(continued)

BFN-UNIT 2 8 3.3-279

RPS Electric Power Monitoring B 3.3.8.2 BASES (continued)

SURVEILLANCE SR 3.3.8.2.1 REQUIREMENTS A CHANNEL FUNCTIONAL TEST is performed on each overvoltage, undervoltage, and underfrequency channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The 184 day Frequency is based on operating experience and the need to calibrate the instrument loop and sensor.

SR 3.3.8.2.2 CHANNEL CALIBRATIONis a complete check of the instrument loop and the sensor. This test verifies that the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency is based on the assumption of a 184 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

continued BFN-UNIT 2 B 3.3-280

RPS Electric Power Monitoring

~

B 3.3.8.2 BASES SURVEILLANCE SR 3.3.8.2.3 REQUIREMENTS (continued) Performance of a system functional test demonstrates that, with a required system actuation (simulated or actual) signal, the logic of the system will automatically trip open the associated power monitoring assembly. Only one signal per power monitoring assembly is required to be tested. This Surveillance overlaps with the CHANNEL CALIBRATIONto provide complete testing of the safety function. The system functional test of the Class 1E contactors is included as part of this test to provide complete testing of the safety function. If the contactors are incapable of operating, the associated electric power monitoring assembly would be inoperable.

The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown that these components usually pass the Surveillance when performed at the 18 month Frequency.

REFERENCES 1. FSAR, Section 7.2.3.2.

2. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

BFN-UNIT 2 B 3.3-281

Recirculation Loops Operating B 3.4.1 BASES APPLICABLE Recirculation loops operating satisfies Criterion 2 of the NRC SAFETY ANALYSES Policy Statement (Ref. 6).

(continued)

LCO Two recirculation loops are required to be in operation with their flows matched within the limits specified in SR 3.4.1.1 to ensure that during a LOCA caused by a break of the piping of one recirculation loop the assumptions of the LOCA analysis are satisfied. With the limits specified in SR 3.4.1.1 not met, the recirculation loop with the lower flow must be considered not in operation.

APPLICABILITY In MODES 1 and 2, requirements for operation of the Reactor Coolant Recirculation System are necessary since there is considerable energy in the reactor core and the limiting design basis transients and accidents are assumed to occur.

In MODES 3, 4, and 5, the consequences of an accident are reduced and the coastdown characteristics of the recirculation loops are not important.

(continued)

BFN-UNIT 2 B 3.4-4

Recirculation Loops Operating B 3.4.1 BASES (continued)

ACTIONS A.'I With the requirements of the LCO not met, the. recirculation loops must be restored to operation with matched flows within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . A recirculation loop is considered not in operation when the pump in that loop is idle or when the mismatch between total jet pump flows of the two loops is greater than required limits. The loop with the lower flow must be considered not in operation. Should a LOCA occur with one recirculation loop not in operation, the core flow coastdown and resultant core response may not be bounded by the LOCA analyses. Therefore, only a limited time is allowed to restore the inoperable loop to operating status.

The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time is based on the low probability of an accident occurring during this time period, on a reasonable time to complete the Required Action, and on frequent core monitoring by operators allowing abrupt changes in core flow conditions to be quickly detected.

continued BFN-UNIT 2 B 34-5

Recirculation Loops Operating B 3.4.1 BASES ACTIONS A.1 (continued)

This Required Action does not require tripping the recirculation pump in the lowest flow loop when the mismatch between total jet pump flows of the two loops is greater than the required limits. However, in cases where large flow mismatches occur, low flow or reverse flow can occur in the low flow loop jet pumps, causing vibration of the jet pumps. If zero or reverse flow is detected, the condition should be alleviated by changing pump speeds to re-establish forward flow or by tripping the pump.

B.1 With no recirculation loops in operation while in MODES 1 or 2 or the Required Action and associated Completion Time of Condition A not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . In this condition, the recirculation loops are not required to be operating because of the reduced severity of DBAs and minimal dependence on the recirculation loop coastdown characteristics. The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

(continued)

BFN-UNIT 2 B 3.4-6

Recirculation Loops Operating

~

8 3.4.1 BASES (continued)

SURVEILLANCE SR 3.4.1.1 REQUIREMENTS This SR ensures the recirculation loops are within the allowable limits for mismatch. At low core flow (i.e., ( 70% of rated core flow), the MCPR requirements provide larger margins to the fuel cladding integrity Safety Limit such that the potential adverse effect of early boiling transition during a LOCA is reduced. A larger flow mismatch can therefore be allowed when core flow is

( 70% of rated core flow. The recirculation loop jet pump flow, as used in this Surveillance, is the summation of the flows from all of the jet pumps associated with a single recirculation loop.

The mismatch is measured in terms of percent of rated core flow. If the flow mismatch exceeds the specified limits, the loop with the lower flow is considered inoperable. The SR is not required when both loops are not in operation since the mismatch limits are meaningless during single loop or natural circulation operation. The Surveillance must be performed within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after both loops are in operation. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Frequency is consistent with the Surveillance Frequency for jet pump OPERABILITYverification and has been shown by operating experience to be adequate to detect off normal jet pump loop flows in a timely manner.

(continued)

BFN-UNIT 2 B 3.4-7

Recirculation Loops Operating B 3.4.1 BASES (continued)

REFERENCES FSAR; Section 14.6.3.

2. FSAR, Section 4.3.5.

3. Deleted.

4. Deleted.

5. Deleted.

6. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

BFN-UNIT 2 8 3.4-8

Jet Pumps B 3.4.2 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.2 Jet Pumps BASES BACKGROUND The Reactor Coolant Recirculation System is described in the Background section of the Bases for LCO 3.4.1, "Recirculation Loops Operating," which discusses the operating characteristics of the system and how these characteristics affect the Design Basis Accident (DBA) analyses.

The jet pumps are part of the Reactor Coolant Recirculation System and are designed to provide forced circulation through the core to remove heat from the fuel. The jet pumps are located in the annular region between the core shroud and the vessel inner wall. Because the jet pump suction elevation is at two-thirds core height, the vessel can be ref looded and coolant level maintained at two-thirds core height even with the complete break of the recirculation loop pipe that is located below the jet pump suction elevation.

Each reactor coolant recirculation loop contains ten jet pumps.

Recirculated coolant passes down the annulus between the reactor vessel wall and the core shroud. A portion of the coolant flows from the vessel, through the two external recirculation loops, and becomes the driving flow for the jet pumps. Each of the two external recirculation loops discharges high pressure flow into an external manifold from which individual recirculation inlet lines are routed to the jet pump risers within the reactor vessel. The remaining portion of the coolant mixture in the annulus becomes the suction flow for the continued BFN-UNIT 2 B 3.4-9

i Jet Pumps B 3.4.2 BASES BACKGROUND jet pumps. This flow enters the jet pump at suction inlets and is (continued) accelerated by the drive flow. The drive flow and suction flow are mixed in the jet pump throat section. The total flow then passes through the jet pump diffuser section into the area below the core (lower plenum), gaining sufficient head in the process to drive the required flow upward through the core.

APPLICABLE Jet pump OPERABILITY is an explicit assumption in the design SAFETY ANALYSES basis loss of coolant accident (LOCA) analysis evaluated in Reference 1'.

The capability of ref looding the core to two-thirds core height is dependent upon the structural integrity of the jet pumps. If the structural system, including the beam holding a jet pump in place, fails, jet pump displacement and performance degradation could occur, resulting in an increased flow area through the jet pump and a lower core flooding elevation. This could adversely affect the water level in the core during the ref lood phase of a LOCA as well as the assumed blowdown flow during a LOCA.

Jet pumps satisfy Criterion 2 of the NRC Policy Statement (Ref. 4).

LCO The structural failure of any of the jet pumps could cause significant degradation in the ability of the jet pumps to allow reflooding to two-thirds core height during a LOCA.

OPERABILITY of all jet pumps is required to ensure that operation of the Reactor Coolant Recirculation System will be consistent with the assumptions used in the licensing basis analysis (Ref. 1).

(continued)

BFN-UNIT 2 B 3.4-10

i Jet Pumps B 3.4.2 BASES (continued)

APPLICABILITY In MODES 1 and 2, the jet pumps are required to be OPERABLE since there is a large amount of energy in the reactor core and since the limiting DBAs are assumed to occur in these MODES. This is consistent with the requirements for operation of the Reactor Coolant Recirculation System (LCO 3.4.1).

In MODES 3, 4, and 5, the Reactor Coolant Recirculation System is not required to be in operation, and when not in operation, sufficient flow is not available to evaluate jet pump OPERABILITY.

ACTIONS A.1 An inoperable jet pump can increase the blowdown area and reduce the capability of ref loading during a design basis LOCA.

If one or more of the jet pumps are inoperable, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

(continued)

BFN-UNIT 2 B 3.4-11

0 Jet Pumps B 3.4.2 BASES (continued)

SURVEILLANCE SR 3.4.2.1 REQUIREMENTS This SR is designed to detect significant degradation in jet pump performance that precedes jet pump failure (Ref. 2). This SR is required to be performed only when the loop has forced recirculation flow since surveillance checks and measurements can only be performed during jet pump operation. The jet pump failure of concern is a complete mixer displacement due to jet pump beam failure. Jet pump plugging is also of concern since it adds flow resistance to the recirculation loop. Significant degradation is indicated if the specified criteria confirm unacceptable deviations from established patterns or relationships. The allowable deviations from the established patterns have been developed based on the variations experienced at plants during normal operation and with jet pump assembly failures (Refs. 2 and 3). Each recirculation loop must satisfy one of the performance criteria provided.

Since refueling activities (fuel assembly replacement or shuffle, as well as any modifications to fuel support orifice size or core plate bypass flow) can affect the relationship between core flow, jet pump flow, and recirculation loop flow, these relationships may need to be re-established each cycle. During the initial weeks of operation under such conditions, while baselining new "established patterns," engineering judgment of the daily surveillance results is used to detect significant abnormalities which could indicate a jet pump failure.

The recirculation pump speed operating characteristics (pump flow and loop flow versus pump speed) are determined by the flow resistance from the loop suction through the jet pump nozzles. A change in the relationship indicates a plug, flow restriction, loss in pump hydraulic performance, leakage, or new flow path between the recirculation pump discharge and jet pump nozzle. For this criterion, the pump flow and loop flow versus pump speed relationship must be verified.

continued BFN-UNIT 2 B 3.4-12

Jet Pumps B 3.4.2 BASES SURVEILLANCE SR 34.2.1 (continued)

REQUIREMENTS Individual jet pumps in a recirculation loop normally do not have the same flow. The unequal flow is due to the drive flow manifold, which does not distribute flow equally to all risers.

The flow (or jet pump diffuser to lower plenum differential pressure) pattern or relationship of one jet pump to the loop average is repeatable. An appreciable change in this relationship is an indication that increased (or reduced) resistance has occurred in one of the jet pumps. This may be indicated by an increase in the relative flow for a jet pump that has experienced beam cracks.

The deviations from normal are considered indicative of a potential problem in the recirculation drive flow or jet pump system (Ref. 2). Normal flow ranges and established jet pump flow and differential pressure patterns are established by plotting historical data as discussed in Reference 2.

The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Frequency has been shown by operating experience to be timely for detecting jet pump degradation and is consistent with the Surveillance Frequency for recirculation, loop OPERABILITYverification.

This SR is modified by two Notes. Note 1 allows this Surveillance not to be performed until 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months after the associated recirculation loop is in operation, since these checks can only be performed during jet pump operation. The 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is an acceptable time to establish conditions appropriate for data collection and evaluation.

continued BFN-UNIT 2 B 3.4-13

Jet Pumps B 3.4.2 BASES SURVEILLANCE SR 34.2.1 (continued)

REQUIREMENTS Note 2 allows this SR not to be performed until 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after THERMAL POWER exceeds 25% of RTP. During low flow conditions, jet pump noise approaches the threshold response of the associated flow instrumentation and precludes the collection of repeatable and meaningful data. The 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is an acceptable time to establish conditions appropriate to perform this SR.

REFERENCES 1. FSAR, Section 14.6.3.

2. GE Service Information Letter No. 330, "Jet Pump Beam Cracks," June 9, 1980.

3. NUREG/CR-3052, "Closeout of IE Bulletin 80-07: BWR Jet Pump Assembly Failure," November 1984.

4. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

BFN-UNIT 2 B 3.4-14

S/RVs B 3.4.3 B 3.4 REACTOR COOLANT SYSTEIVI (RCS)

B 3.4.3 Safety/Relief Valves (S/RVs)

BASES BACKGROUND The ASME Boiler and Pressure Vessel Code requires the reactor pressure vessel be protected from overpressure during upset conditions by self-actuated safety valves. As part of the nuclear pressure relief system, the size and number of S/RVs are selected such that peak pressure in the nuclear system will not exceed the ASME Code limits for the reactor coolant pressure boundary (RCPB).

The S/RVs are located on the main steam lines between the reactor vessel and the first isolation valve within the drywell.

The S/RVs can actuate by either of two modes: the safety mode or the relief mode. In the safety mode (or spring mode of operation), the spring loaded pilot valve opens when steam pressure at the valve inlet overcomes the spring force holding the pilot valve closed. Opening the pilot valve allows a pressure differential to develop across the main valve piston and opens the main valve. This satisfies the Code requirement.

Each S/RV discharges steam through a discharge line to a point below the minimum water level in the suppression pool.

The S/RVs that provide the relief mode are the Automatic Depressurization System (ADS) valves. ADS requirements are specified in LCO 3.5.1, "ECCS - Operating."

(continued)

BFN-UNIT 2 B 3.4-15

0' S/RVs B 3.4.3 BASES (continued)

APPLICABLE The overpressure protection system must accommodate the SAFETY ANALYSES most severe pressurization transient. Evaluations have determined that the most severe transient is the closure of all main steam isolation valves (MSIVs), followed by reactor scram on high neutron flux (i.e., failure of the direct scram associated with MSIV position) (Ref. 1). For the purpose of the analyses, 12 S/RVs are assumed to operate in the safety mode. The analysis results demonstrate that the design S/RV capacity is capable of maintaining reactor pressure below the ASME Code limit of 110% of vessel design pressure (110% x 1250 psig =

1375 psig). This LCO helps to ensure that the acceptance limit of 1375 psig is met during the Design Basis Event.

Reference 2 discusses additional events that are expected to actuate the S/RVs. From an overpressure standpoint, the design basis events are bounded by the MSIV closure with flux scram event described above.

S/RVs satisfy Criterion 3 of the NRC Policy Statement (Ref. 4).

LCO The safety function of 12 S/RVs are required to be OPERABLE to satisfy the assumptions of the safety analysis (Refs. 1 and 2).

The requirements of this LCO are applicable only to the capability of the S/RVs to mechanically open to relieve excess pressure when the lift setpoint is exceeded (safety function).

The S/RV setpoints are established to ensure that the ASME Code limit on peak reactor pressure is satisfied. The ASME Code specifications require the lowest safety valve setpoint to be at or below vessel design pressure (1250 psig) and the continued BFN-UNIT 2 B 3.4-16

S/RVs B 3.4.3 BASES LCO highest safety valve to be set so that the total accumulated (continued) pressure does not exceed 110% of the design pressure for overpressurization conditions. The transient evaluations in the FSAR are based on these setpoints, but also include the additional uncertainties of a 3% of the nominal setpoint drift to provide an added degree of conservatism.

Operation with fewer valves OPERABLE than specified, or with setpoints outside the ASME limits, could result in a more severe reactor response to a transient than predicted, possibly resulting in the ASME Code limit on reactor pressure being exceeded.

APPLICABILITY In MODES 1, 2, and 3, all required S/RVs must be OPERABLE, since considerable energy may be in the reactor core and the limiting design basis transients are assumed to occur in these MODES. The S/RVs may be required to provide pressure relief to discharge energy from the core until such time that the Residual Heat Removal (RHR) System is capable of dissipating the core heat.

In MODE 4, decay heat is low enough for the RHR System to provide adequate cooling, and reactor pressure is low enough that the overpressure limit is unlikely to be approached by assumed operational transients or accidents. In MODE 5, the reactor vessel head is unbolted or removed and the reactor is at atmospheric pressure. The S/RV function is not needed during these conditions.

(continued)

BFN-UNIT 2 B 3.4-17

S/RVs

. 8 3.4.3 BASES (continued)

ACTIONS A.1 and A.2 With less than the minimum number of required S/RVs OPERABLE, a transient may result in the violation of the ASME Code limit on reactor pressure. If the safety function of one or more required S/RVs is inoperable, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.4.3.1 REQUIREMENTS This Surveillance requires that the 12 required S/RVs open at the pressures assumed in the safety analysis of Reference 1.

The setpoint groups for all 13 S/RVs are listed. The demonstration of the S/RV safe lift settings must be performed during shutdown, since this is a bench test, to be done in accordance with the Inservice Testing Program. The lift setting pressure shall correspond to ambient conditions of the valves at nominal operating temperatures and pressures. The S/RV setpoint tolerance is a 3% for OPERABILITY; however, the valves are reset to a 1% during the Surveillance to allow for drift.

continued BFN-UNIT 2 B 34-18

S/RVs B 3.4.3 BASES SURVEILLANCE SR 3.4.3.2 REQUIREMENTS (continued) A manual actuation of each required S/RV is performed to verify that, mechanically, the valve is functioning properly and no blockage exists in the valve discharge line. This can be demonstrated by the response of the turbine control valves or bypass valves, by a change in the measured steam flow, or by any other method suitable to verify steam flow. Adequate reactor steam dome pressure must be available to perform this test to avoid damaging the valve. Also, adequate steam flow must be passing through the main turbine or turbine bypass valves to continue to control reactor pressure when the S/RVs divert steam flow upon opening. Sufficient time is therefore allowed after the required pressure is achieved to perform this test. Adequate pressure at which this test is to be performed is 920 psig (the pressure recommended by the valve manufacturer). Adequate steam flow is represented by at least 3 turbine bypass valves open. Plant startup is allowed prior to performing this test because valve OPERABILITYand the setpoints for overpressure protection are verified, per ASME Code requirements, prior to valve installation. Therefore, this SR is modified by a Note that states the Surveillance is not required to be performed until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after reactor steam pressure and flow are adequate to perform the test. The 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed for manual actuation after the required pressure is reached is sufficient to achieve stable conditions for testing and provides a reasonable time to complete the SR. If a valve fails to actuate due only to the failure of the solenoid but is capable of opening on overpressure, the safety function of the S/RV is considered OPERABLE.

continued BFN-UNIT 2 B 3.4-19

S/RVs B 34.3 BASES SURVEILLANCE SR 3.4.3.2 (continued)

REQUIREMENTS The 18 month Frequency was developed based on the S/RV tests required by the ASME Boiler and Pressure Vessel Code,Section XI (Ref. 3). Operating experience has shown that these components usually pass the Surveillance when performed at the 18 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

REFERENCES 1. FSAR, Section 4.4.6.

2. FSAR, Section 14.5.1.

3. ASME Boiler and Pressure Vessel Code,Section XI.

4. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

BFN-UNIT 2 B 3.4-20

RCS Operational LEAKAGE B 3.4.4 8 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.4 RCS Operational LEAKAGE BASES BACKGROUND The RCS includes systems and components that contain or transport the coolant to or from the reactor core. The pressure containing components of the RCS and the portions of connecting systems out to and including the isolation valves define the reactor coolant pressure boundary (RCPB). The joints of the RCPB components are welded or bolted.

During plant life, the joint and valve interfaces can produce varying amounts of reactor coolant LEAKAGE, through either normal operational wear or mechanical deterioration. Limits on RCS operational LEAKAGE are required to ensure appropriate action is taken before the integrity of the RCPB is impaired.

This LCO specifies the types and limits of LEAKAGE. This protects the RCS pressure boundary described in 10 CFR 50.2, 10 CFR 50.55a(c), and GDC 55 of 10 CFR 50, Appendix A (Refs. 1, 2, and 3).

The safety significance of RCS LEAKAGE from the RCPB varies widely depending on the source, rate, and duration.

Therefore, detection of LEAKAGE in the primary containment is necessary. Methods for quickly separating the identified LEAKAGE from the unidentified LEAKAGE are necessary to provide the operators quantitative information to permit them to take corrective action should a leak occur that is detrimental to the safety of the facility or the public.

continued BFN-UNIT 2 B 3.4-21

RCS Operational LEAKAGE B 3.4.4 BASES BACKGROUND A limited amount of leakage inside primary containment is (continued) expected from auxiliary systems that cannot be made 100%

leaktight. Leakage from these systems should be detected and isolated from the primary containment atmosphere, if possible, so as not to mask RCS operational LEAKAGE detection.

This LCO deals with protection of the RCPB from degradation and the core from inadequate cooling, in addition to preventing the accident analyses radiation release assumptions from being exceeded. The consequences of violating this LCO include the possibility of a loss of coolant accident:

APPLICABLE The allowable RCS operational LEAKAGE limits are based on SAFETY ANALYSES the predicted and experimentally observed behavior of pipe cracks. The normally expected background LEAKAGE due to equipment design and the detection capability of the instrumentation for determining system LEAKAGE were also considered. The evidence from experiments suggests that, for LEAKAGE even greater than the specified unidentified LEAKAGE limits, the probability is small that the imperfection or crack associated with such LEAKAGE would grow rapidly.

The unidentified LEAKAGE flow limit allows time for corrective action before the RCPB could be significantly compromised.

The 5 gpm limit is a small fraction of the calculated flow from a critical crack in the primary system piping. Crack behavior from experimental programs (Refs. 4 and 5) shows that leakage rates of hundreds of gallons per minute will precede crack instability (Ref. 6).

continued BFN-UNIT 2 B 3.4-22

RCS Operational LEAKAGE B 3.4.4 BASES APPLICABLE The low limit on increase in unidentified LEAKAGE assumes a SAFETY ANALYSES failure mechanism of intergranular stress corrosion cracking (continued) (IGSCC) that produces tight cracks. This flow increase limit is capable of providing an early warning of such deterioration.

No applicable safety analysis assumes the total LEAKAGE limit.

The total LEAKAGE limit considers RCS inventory makeup capability and drywell floor sump capacity.

RCS operational LEAKAGE satisfies Criterion 2 of the NRC Policy Statement (Ref. 8).

LCO RCS operational LEAKAGE shall be limited to:

a. Pressure Bounda LEAKAGE No pressure boundary LEAKAGE is allowed, since it is indicative of material degradation. LEAKAGE of this type is unacceptable as the leak itself could cause further deterioration, resulting in higher LEAKAGE. Violation of this LCO could result in continued degradation of the RCPB.

LEAKAGE past seals, valve seats, and gaskets is not pressure boundary LEAKAGE.

b. Unidentified LEAKAGE The 5 gpm of unidentified LEAKAGE is allowed as a reasonable minimum detectable amount that the containment air monitoring and drywell sump level monitoring equipment can detect within a reasonable time period. Violation of this LCO could result in continued degradation of the RCPB.

continued BFN-UNIT 2 B 3.4-23

RCS Operational LEAKAGE B 3.4.4 BASES LCO c. Total LEAKAGE (continued)

The total LEAKAGE limit is based on a reasonable minimum detectable amount. The limit also accounts for LEAKAGE from known sources (identified LEAKAGE). Violation of this LCO indicates an unexpected amount of LEAKAGE and, therefore, could indicate new or additional degradation in an RCPB component or system.

d. Unidentified LEAKAGE Increase

)

An unidentified LEAKAGE increase of 2 gpm within the previous 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months period indicates a potential flaw in the RCPB and must be quickly evaluated to determine the source and extent of the LEAKAGE. The increase is measured relative to the steady state value; temporary changes in LEAKAGE rate as a result of transient conditions (e.g., startup) are not considered. As such, the 2 gpm increase limit is only applicable in MODE 1 when operating pressures and temperatures are established. Violation of this LCO could result in continued degradation of the RCPB.

APPLICABILITY In MODES 1, 2, and 3, the RCS operational LEAKAGE LCO applies, because the potential for RCPB LEAKAGE is greatest when the reactor is pressurized.

In MODES 4 and 5, RCS operational LEAKAGE limits are not required since the reactor is not pressurized and stresses in the RCPB materials and potential for LEAKAGE are reduced.

(continued)

BFN-UNIT 2 B 3.4-24

RCS Operational LEAKAGE B 3.4.4 BASES (continued)

ACTIONS A.1 With RCS unidentified or total LEAKAGE greater than the limits, actions must be taken to reduce the leak. Because the LEAKAGE limits are conservatively below the LEAKAGE that would constitute a critical crack size, 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is allowed to reduce the LEAKAGE rates before the reactor must be shut down. If an unidentified LEAKAGE has been identified and quantified, it may be reclassified and considered as identified LEAKAGE; however, the total LEAKAGE limit would remain unchanged.

8.1 and 8.2 An unidentified LEAKAGE increase of ) 2 gpm within a 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months period is an indication of a potential flaw in the RCPB and must be quickly evaluated. Although the increase does not necessarily violate the absolute unidentified LEAKAGE limit, certain susceptible components must be determined not to be the source of the LEAKAGEincrease within the required Completion Time. For an unidentified LEAKAGE increase greater than required limits, an alternative to reducing LEAKAGE increase to within limits (i.e., reducing the leakage rate such that the current rate is less than the "2 gpm increase in the previous 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months " limit; either by isolating the source or other possible methods) is to evaluate service sensitive type 304 and type 316 austenitic stainless steel piping that is subject to high stress or that contains relatively stagnant or intermittent flow fluids and determine it is not the source of the increased LEAKAGE. This type piping is very susceptible to IGSCC.

The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time is reasonable to properly reduce the LEAKAGE increase or verify the source before the reactor must be shut down without unduly jeopardizing plant safety.

continued BFN-UNIT 2 B 3.4-25

RCS Operational LEAKAGE 8 3.4.4 BASES ACTIONS C.1 and C.2 (continued)

If any Required Action and associated Completion Time of Condition A or B is not met or if pressure boundary LEAKAGE exists, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant safety systems.

SURVEILLANCE SR 3.4.4.1 REQUIREMENTS The RCS LEAKAGE is monitored by a variety of instruments designed to provide alarms when LEAKAGE is indicated and to quantify the various types of LEAKAGE. Leakage detection instrumentation is discussed in more detail in the Bases for LCO 3.4.5, "RCS Leakage Detection Instrumentation." Sump level and flow rate are typically monitored to determine actual LEAKAGE rates; however, other methods may be used to quantify LEAKAGE. In conjunction with alarms and other administrative controls, a 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Frequency for this Surveillance is appropriate for identifying LEAKAGE and for tracking required trends (Ref. 7).

(continued)

BFN-UNIT 2 B 3.4-26

RCS Operational LEAKAGE B 3.4.4 BASES (continued)

REFERENCES 1. 10 CFR 50.2.

2. 10 CFR 50.55a(c).

3. 10 CFR 50, Appendix A, GDC 55.

4. GEAP-5620, "Failure Behavior in ASTM A106B Pipes Containing Axial Through-Wall Flaws," April 1968.

5. NUREG-75/067, "Investigation and Evaluation of Cracking in Austenitic Stainless Steel Piping in Boiling Water Reactors," October 1975.

6. FSAR, Section 4.10.3.2.

7. Generic Letter 88-01, Supplement 1, "NRC Position on IGSCC in BWR Austenitic Stainless Steel Piping,"

February 1992.

8. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

BFN-UNIT 2 B 3.4-27

i RCS Leakage Detection Instrumentation 8 3.4.5 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.5 RCS Leakage Detection Instrumentation BASES BACKGROUND GDC 30 of 10 CFR 50, Appendix A (Ref. 1), requires means for detecting and, to the extent practical, identifying the location of the source of RCS LEAKAGE.

Limits on LEAKAGE from the reactor coolant pressure boundary (RCPB) are required so that appropriate action can be taken before the integrity of the RCPB is impaired. Leakage detection systems for the RCS are provided to alert the operators when leakage rates above normal background levels are detected and also to supply quantitative measurement of leakage rates. The Bases for LCO 3.4.4, "RCS Operational LEAKAGE,"discuss the limits on RCS LEAKAGE rates.

Systems for separating the LEAKAGE of an identified source from an unidentified source are necessary to provide prompt and quantitative information to the operators to permit them to take immediate corrective action.

LEAKAGE from the RCPB inside the drywell is detected by at least one of two or three independently monitored variables, such as sump level changes and drywell gaseous and particulate radioactivity levels. The primary means of quantifying LEAKAGE in the drywell is the drywell floor drain sump monitoring system.

continued BFN-UNIT 2 B 3 4-28

RCS Leakage Detection Instrumentation B 3.4.5 BASES BACKGROUND The drywell floor drain sump monitoring system monitors the (continued) LEAKAGE collected in the floor drain sump. This unidentified LEAKAGE consists of LEAKAGE from control rod drives, valve flanges or packings, flooi drains, the Reactor Building Closed Cooling Water System, and drywell air cooling unit condensate drains, and any LEAKAGE not collected in the drywell equipment drain sump. The drywell floor drain sump has transmitters that supply level indications locally.

The floor drain sump level indicators have switches that start and stop the sump pumps when required. A timer starts each time the sump is pumped down to the low level setpoint. If the sump fills to the high level setpoint before the timer ends, an alarm sounds in the control room, indicating a LEAKAGE rate into the sump in excess of a preset limit.

A flow transmitter in the discharge line of the drywell floor drain sump pumps provides flow indication in the control room. The pumps can also be started from the control room.

The primary containment air monitoring systems continuously monitor the primary containment atmosphere for airborne particulate and gaseous radioactivity. A sudden increase of radioactivity, which may be attributed to RCPB steam or reactor water LEAKAGE, is annunciated in the control room. The primary containment atmosphere particulate and gaseous radioactivity monitoring systems are not capable of quantifying LEAKAGE rates, but are sensitive enough to indicate increased LEAKAGE rates. This system is capable of detecting radiation levels in containment atmosphere of three times background (Ref. 2).

(continued)

BFN-UNIT 2 B 3.4-29

RCS Leakage Detection Instrumentation B 3.4.5 BASES (continued)

APPLICABLE A threat of significant compromise to the RCPB exists if the SAFETYANALYSES barrier contains a crack that is large enough to propagate rapidly. LEAKAGE rate limits are set low enough to detect the LEAKAGE emitted from a single crack in the RCPB (Refs. 3 and 4). Each of the leakage detection systems inside the drywell is designed with the capability of detecting LEAKAGE less than the established LEAKAGE rate limits and providing appropriate alarm of excess LEAKAGE in the control room.

A control room alarm allows the operators to evaluate the significance of the indicated LEAKAGE and, if necessary, shut down the reactor for further investigation and corrective action.

The allowed LEAKAGE rates are well below the rates predicted for critical crack sizes (Ref. 5). Therefore, these actions provide adequate response before a significant break in the RCPB can occur.

RCS leakage detection instrumentation satisfies Criterion 1 of the NRC Policy Statement (Ref. 6).

LCO The drywell floor drain sump monitoring system is required to quantify the unidentified LEAKAGE from the RCS. Thus, for the system to be considered OPERABLE, the system must be capable of measuring reactor coolant leakage. This may be accomplished by use of the drywell floor drain sump flow integrator, flow recorder, or the pump curves and the drywell floor drain sump pump out time. The other monitoring systems provide early alarms to the operators so closer examination of other detection systems will be made to determine the extent of any corrective action that may be required. With the leakage detection systems inoperable, monitoring for LEAKAGE in the RCPB is degraded.

(continued)

BFN-UNIT 2 B 3.4-30

0 RCS Leakage Detection Instrumentation B 3.4.5 BASES (continued)

APPLICABILITY In MODES 1, 2, and 3, leakage detection systems are required to be OPERABLE to support LCO 3 4.4. This Applicability is consistent with that for LCO 3.4.4.

ACTIONS A.1 With the drywell floor drain sump monitoring system inoperable, no other form of sampling can provide the equivalent information to quantify leakage. However, the primary containment atmospheric radioactivity monitor will provide indication of changes in leakage.

With the drywell floor drain sump monitoring system inoperable, but with RCS unidentified and total LEAKAGE being determined every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months (SR 3.4.4.1), operation may continue for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time of Required Action A.1 is acceptable, based on operating experience, considering no other method to quantify leakage is available.

B.1 and B.2 With both gaseous and particulate primary containment atmospheric monitoring channels (i.e., the required containment atmosphere monitoring system) inoperable, grab samples of the primary containment atmosphere must be taken and analyzed to provide periodic leakage information. Provided a sample is obtained and analyzed once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months , the plant may be operated for up to 30 days to allow restoration of at least one of the required monitors.

continued BFN-UNIT 2 B 3.4-31

RCS Leakage Detection Instrumentation B 3.4.5 BASES ACTIONS B.1 and 8.2 (continued)

The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months interval provides periodic information that is adequate to detect LEAKAGE. The 30 day Completion Time for restoration recognizes that at least one other form of leakage detection is available.

The Required Actions are modified by a Note that states that the provisions of LCO 3.0.4 are not applicable. As a result, a MODE change is allowed when both the gaseous and particulate primary containment atmospheric monitoring channels are inoperable. This allowance is provided because other instrumentation is available to monitor RCS leakage.

C.1 and C.2 If any Required Action and associated Completion Time of Condition A or B cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to perform the actions in an orderly manner and without challenging plant systems.

D.1 With all required monitors inoperable, no required automatic means of monitoring LEAKAGE are available, and immediate plant shutdown in accordance with LCO 3.0.3 is required.

(continued)

BFN-UNIT 2 B 3.4-32

RCS Leakage Detection Instrumentation 8 3.4.5 BASES (continued)

SURVEILLANCE SR 3.4.5.1 REQUIREMENTS This SR is for the performance of a CHANNEL CHECK of the required primary containment atmospheric monitoring system instrumentation. The check gives reasonable confidence that the channel is operating properly. The Frequency of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is based on instrument reliability and is reasonable for detecting off normal conditions.

SR 3.4.5.2 This SR is for the performance of a CHANNEL FUNCTIONAL TEST of the required primary containment atmospheric monitoring system instrumentation. The test ensures that the monitors can perform their function in the desired manner. The test also verifies the alarm setpoint and relative accuracy of the instrument string. The Frequency of 31 days considers instrument reliability, and operating experience has shown it proper for detecting degradation.

SR 3.4.5.3 This SR is for the performance of a CHANNEL CALIBRATION of required drywell floor drain sump flow integrator instrumentation channels. The calibration verifies the accuracy of the instrument string. The Frequency of 184 days considers channel reliability. Operating experience has proven this Frequency is acceptable.

continued BFN-UNIT 2 B 3.4-33 I

RCS Leakage Detection Instrumentation B 3.4.5 BASES SURVEILLANCE SR 34.54 REQUIREMENTS (continued) This SR is for the performance of a CHANNEL CALIBRATION of required leakage detection system instrumentation channels.

The calibration verifies the accuracy of the instrument string.

The Frequency of 18 months is a typical refueling cycle and considers channel reliability. Operating experience has proven this Frequency is acceptable.

REFERENCES 10 CFR 50, Appendix A, GDC 30.

2. FSAR, Section 4.10.3.

3. GEAP-5620, "Failure Behavior in ASTM A106B Pipes Containing Axial Through-Wall Flaws," April 1968.

4. NUREG-75/067, "Investigation and Evaluation of Cracking in Austenitic Stainless Steel Piping in Boiling Water Reactors," October 1975.

5. FSAR, Section 4.10.3.2.

6. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

BFN-UNIT 2 B 3.4-34

RCS Specific Activity B 3.4.6 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.6 RCS Specific Activity BASES BACKGROUND During circulation, the reactor coolant acquires radioactive materials due to release of fission products from fuel leaks into the reactor coolant and activation of corrosion products in the reactor coolant. These radioactive materials in the reactor coolant can plate out in the RCS, and, at times, an accumulation will break away to spike the normal level of radioactivity. The release of coolant during a Design Basis Accident (DBA) could send radioactive materials into the environment.

Limits on the maximum allowable level of radioactivity in the reactor coolant are established to ensure that in the event of a release of any radioactive material to the environment during a DBA, radiation doses are maintained within the limits of 10 CFR 100 (Ref. 1).

This LCO contains the iodine specific activity limits. The iodine isotopic activities per gram of reactor coolant are expressed in terms of a DOSE EQUIVALENT l-131. The allowable levels are intended to limit the 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months radiation dose to an individual at the site boundary to well within the 10 CFR 100 limit.

APPLICABLE Analytical methods and assumptions involving radioactive SAFETY ANALYSES material in the primary coolant are presented in the FSAR (Ref. 2). The specific activity in the reactor coolant (the source term) is an initial condition for evaluation of the consequences of an accident due to a main steam line break (MSLB) outside continued BFN-UNIT 2 B 3.4-35

RCS Specific Activity 8 3.4.6 BASES APPLICABLE containment. No fuel damage is postulated in the MSLB SAFETY ANALYSES accident, and the release of radioactive material to the (continued) environment is assumed to end when the main steam isolation valves (MSIVs) close completely.

This MSLB release forms the basis for determining offsite doses (Ref. 2). The limits on the specific activity of the primary coolant ensure that the 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months thyroid and whole body doses at the site boundary, resulting from an MSLB outside containment during steady state operation, will not exceed the dose guidelines of 10 CFR 100.

The basis for the equilibrium coolant iodine activity limit is a computed dose to the thyroid of 36 rem at the exclusion distance during the two-hour period following a steam line break. This dose is computed with the conservative assumption of a release of 140,000 pounds of coolant prior to closure of the isolation valves, and a X/Q of 3.4 x 10 Sec/m'. The maximum activity during a short term transient is established from consideration of a maximum iodine inhalation dose ( 300 rem.

RCS specific activity satisfies Criterion 2 of the NRC Policy Statement (Ref. 3).

LCO The specific iodine activity is limited to s 3.2 pCi/gm DOSE EQUIVALENT I-1 31. This limit ensures the source term assumed in the safety analysis for the MSLB is not exceeded, so any release of radioactivity to the environment during an IVISLB is well within 10 CFR 100 limits.

(continued)

BFN-UNIT 2 B 3.4-36

RCS Specific Activity B 3.4.6 BASES (continued)

APPLICABILITY In MODE 1, and MODES 2 and 3 with any main steam line not isolated, limits on the primary coolant radioactivity are applicable since there is an escape path for release of radioactive material from the primary coolant to the environment in the event of an MSLB outside of primary containment.

In MODES 2 and 3 with the main steam lines isolated, such limits do not apply since an escape path does not exist. In MODES 4 and 5, no limits are required since the reactor is not pressurized and the potential for leakage is reduced.

ACTIONS A.1 and A.2 When the reactor coolant specific activity exceeds the LCO DOSE EQUIVALENTI-131 limit, but is s 26.0 pCI/gm, samples must be analyzed for DOSE EQUIVALENT 1-131 at least once every 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . In addition, the specific activity must be restored to the LCO limit within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months . The Completion Time of once every 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is based on the time needed to take and analyze a sample. The 48 hour5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months Completion Time to restore the activity level provides a reasonable time for temporary coolant activity increases (iodine spikes) to be cleaned up with the normal processing systems.

A Note to Required Actions of Condition A excludes the MODE change restriction of LCO 3.0.4. This exception allows entry into the applicable MODE(S) while relying on the ACTIONS even though the ACTIONS may eventually require plant shutdown. This exception is acceptable due to the significant conservatism incorporated into the specific activity limit, the low probability of an event which is limiting due to exceeding this limit, and the ability to restore transient specific activity excursions while the plant remains at, or proceeds to power operation.

continued BFN-UNIT 2 B 3.4-37

0 RCS Specific Activity B 3.4.6 BASES ACTIONS B.1 B.2.1 B.2.2.1 and B.2.2.2 (continued)

If the DOSE EQUIVALENTI-131 cannot be restored to s 3.2 pCi/gm within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months , or if at any time it is

> 26.0 pCI/gm, it must be determined at least once every 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months and all the main steam lines must be isolated within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . Isolating the main steam lines precludes the possibility of releasing radioactive material to the environment in an amount that is more than a small fraction of the requirements of 10 CFR 100 during a postulated MSLB accident.

Alternatively, the plant can be placed in MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . This option is provided for those instances when isolation of main steam lines is not desired (e.g., due to the decay heat loads). In MODE 4, the requirements of the LCO are no longer applicable.

The Completion Time of once every 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is the time needed to take and analyze a sample. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time is reasonable, based on operating experience, to isolate the main steam lines in an orderly manner and without challenging plant systems. Also, the allowed Completion Times for Required Actions B.2.2.1 and B.2.2.2 for placing the unit in MODES 3 and 4 are reasonable, based on operating experience, to achieve the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

(continued)

BFN-UNIT 2 B3 4-38

RCS Specific Activity B 3.4.6 BASES (continued)

SURVEILLANCE SR 3.4.6.1 REQUIREMENTS This Surveillance is performed to ensure iodine remains within limit during normal operation. The 7 day Frequency is adequate to trend changes in the iodine activity level. This SR is modified by a Note that requires this Surveillance to be performed only in MODE 1 because the level of fission products generated in other MODES is much less.

REFERENCES 1. 10 CFR 100.11, 1973.

2. FSAR, Section 14.6.5.

3. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

BFN-UNIT 2 B 3.4-39

RHR Shutdown Cooling System - Hot Shutdown B 3.4.7 B 3.4 REACTOR COOLANT SYSTEM (RCS) 8 3 4.7 Residual Heat Removal (RHR) Shutdown Cooling System - Hot Shutdown BASES BACKGROUND Irradiated fuel in the shutdown reactor core generates heat during the decay of fission products and increases the temperature of the reactor coolant. This decay heat must be removed to reduce the temperature of the reactor coolant to z 212'F. This decay heat removal is in preparation for performing refueling or maintenance operations, or for keeping the reactor in the Hot Shutdown condition.

The RHR System has two loops with each loop consisting of two motor driven pumps, two heat exchangers, and associated piping and valves. There are two RHR shutdown cooling subsystems per RHR System loop. Both loops have a common suction from the same recirculation loop. The four redundant, manually controlled shutdown cooling subsystems of the RHR System provide decay heat removal. Each pump discharges the reactor coolant, after circulation through the respective heat exchanger, to the reactor via the associated recirculation loop.

The RHR heat exchangers transfer heat to the RHR Service Water System. Any one of the four RHR shutdown cooling subsystems can provide the required decay heat removal function.

(continued)

BFN-UNIT 2 B 3.4-40

RHR Shutdown Cooling System - Hot Shutdown B 3.4.7 BASES (continued)

APPLICABLE Decay heat removal by operation of the RHR System in the SAFETY ANALYSES shutdown cooling mode is not required for mitigation of any event or accident evaluated in the safety analyses. Decay heat removal is, however, an important safety function that must be accomplished or core damage could result. The RHR Shutdown Cooling System meets Criterion 4 of the NRC Policy Statement (Ref. 1).

LCO Two RHR shutdown cooling subsystems are required to be OPERABLE, and when no recirculation pump is in operation, one RHR shutdown cooling subsystem must be in operation.

An OPERABLE RHR shutdown cooling subsystem consists of one OPERABLE RHR pump, one heat exchanger, one RHRSW pump capable of providing cooling to the heat exchanger, and the associated piping and valves. The subsystems have a common suction source and are allowed to have common discharge piping. Since the piping is a passive component that is assumed not to fail, it is allowed to be common to the subsystems. Each shutdown cooling subsystem is considered OPERABLE if it can be manually aligned (remote or local) in the shutdown cooling mode for removal of decay heat. In MODE 3, one RHR shutdown cooling subsystem can provide the required cooling, but two subsystems are required to be OPERABLE to provide redundancy. Operation of one subsystem can maintain or reduce the reactor coolant temperature as required.

However, to ensure adequate core flow to allow for accurate average reactor coolant temperature monitoring, nearly continuous operation is required.

continued BFN-UNIT 2 B 3.4-41

RHR Shutdown Cooling System - Hot Shutdown 8 3.4.7 BASES LCO Note 1 permits both required RHR shutdown cooling (continued) subsystems and recirculation pumps to not be in operation for a period of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months in an 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months period. Note 2 allows one required RHR shutdown cooling subsystem to be inoperable for performance of Surveillance tests. These tests may be on the affected RHR System or on some other plant system or component that necessitates placing the RHR System in an inoperable status during the performance. This is permitted because the core heat generation can be low enough and the heatup rate slow enough to allow some changes to the RHR subsystems or other operations requiring RHR flow interruption and loss of redundancy.

APPLICABILITY In MODE 3 with reactor steam dome pressure below the RHR low pressure permissive pressure (i.e., the actual pressure at which the interlock resets) the RHR Shutdown Cooling System must be OPERABLE and shall be operated in the shutdown cooling mode to remove decay heat to reduce or maintain coolant temperature. Otherwise, a recirculation pump is required to be in operation.

In MODES 1 and 2, and in MODE 3 with reactor steam dome pressure greater than or equal to the RHR low pressure permissive pressure, this LCO is not applicable. Operation of the RHR System in the shutdown cooling mode is not allowed above this pressure because the RCS pressure may exceed the design pressure of the shutdown cooling piping. Decay heat removal at reactor pressures greater than or equal to the RHR low pressure permissive pressure is typically accomplished by condensing the steam in the main condenser. Additionally, in MODE 2 below this pressure, the OPERABILITYrequirements for the Emergency Core Cooling Systems (ECCS) (LCO 3.5.1, "ECCS - Operating" ) do not allow placing the RHR shutdown cooling subsystem into operation.

continued BFN-UNIT 2 B 3.4-42

~i RHR Shutdown Cooling System - Hot Shutdown B 3.4.7 BASES APPLICABILITY The requirements for decay heat removal in MODES 4 and 5 (continued) are discussed in LCO 3.4.8, "Residual Heat Removal (RHR)

Shutdown Cooling System - Cold Shutdown", LCO 3.9.8, "Residual Heat Removal (RHR) - High Water Level"; and LCO 3.9.9, "Residual Heat Removal (RHR) - Low Water Level:"

ACTIONS A Note to the ACTIONS excludes the MODE change restriction of LCO 3.0.4. This exception allows entry into the applicable MODE(S) while relying on the ACTIONS may eventually require plant shutdown. This exception is acceptable due to the redundancy of the OPERABLE subsystems, the low pressure at which the plant is operating, the low probability of an event occurring during operation in this condition, and the availability of alternate methods of decay heat removal capability.

A second Note has been provided to modify the ACTIONS related to RHR shutdown cooling subsystems. Section 1.3, Completion Times, specifies once a Condition has been entered, subsequent divisions, subsystems, components or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3, also specifies Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition.

However, the Required Actions for inoperable shutdown cooling subsystems provide appropriate compensatory measures for separate inoperable shutdown cooling subsystems. As such, a Note has been provided that allows separate Condition entry for each inoperable RHR shutdown cooling subsystem.

continued BFN-UNIT 2 B 3.4-43

RHR Shutdown Cooling System - Hot Shutdown B 3.4.7 BASES ACTIONS A.1 A.2 andA.3 (continued)

With one required RHR shutdown cooling subsystem inoperable for decay heat removal, the inoperable subsystem must be restored to OPERABLE status without delay. In this

'condition, the remaining OPERABLE subsystem can provide the necessary decay heat removal. The overall reliability is reduced, however, because a single failure in the OPERABLE subsystem could result in reduced RHR shutdown cooling capability. Therefore, an alternate method of decay heat removal must be provided.

With both required RHR shutdown cooling subsystems inoperable, an alternate method of decay heat removal must be provided in addition to that provided for the initial RHR shutdown cooling subsystem inoperability. This re-establishes backup decay heat removal capabilities, similar to the requirements of the LCO. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . Completion Time is based on the decay heat removal function and the probability of a loss of the available decay heat removal capabilities.

The required cooling capacity of the alternate method should be ensured by verifying (by calculation or demonstration) its capability to maintain or reduce temperature. Decay heat removal by ambient losses can be considered as, or contributing to, the alternate method'capability. Alternate methods that can be used include (but are not limited to) the Condensate/Main Steam (feed and bleed) Systems and the adjacent unit(s) RHR SDC pumps and heat exchangers available through the RHR cross tie.

However, due to the potentially reduced reliability of the alternate methods of decay heat removal, it is also required to reduce the reactor coolant temperature to the point where MODE 4 is entered.

continued BFN-UNIT 2 B 3.4-44

RHR Shutdown Cooling System - Hot Shutdown B 3.4.7 BASES ACTIONS B.1 B.2 and B.3 (continued)

With no RHR shutdown cooling subsystem and no recirculation pump in operation, except as permitted by LCO Note 1, reactor coolant circulation by the RHR shutdown cooling subsystem or recirculation pump must be restored without delay.

Until RHR or recirculation pump operation is re-established, an alternate method of reactor coolant circulation must be placed into service. This will provide the necessary circulation for monitoring coolant temperature. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is based on the coolant circulation function and is modified such that the 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is applicable separately for each occurrence involving a loss of coolant circulation. Furthermore, verification of the functioning of the alternate method must be reconfirmed every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months thereafter. This will provide assurance of continued temperature monitoring capability.

During the period when the reactor coolant is being circulated by an alternate method (other than by the required RHR shutdown cooling subsystem or recirculation pump), the reactor coolant temperature and pressure must be periodically monitored to ensure proper function of the alternate method.

The once per hour Completion Time is deemed appropriate.

(continued)

BFN-UNIT 2 B 3.4-45

RHR Shutdown Cooling System - Hot Shutdown 8 3.4.7 BASES (continued)

SURVEILLANCE SR 3.4.7.1 REQUIREMENTS This Surveillance verifies that one RHR shutdown cooling .

subsystem or recirculation pump is in operation and circulating reactor coolant. The required flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability. The Frequency of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is sufficient in view of other visual and audible indications available to the operator for monitoring the RHR subsystem and recirculation pump in the control room.

This Surveillance is modified by a Note allowing sufficient time to align the RHR System for shutdown cooling operation after clearing the pressure interlock that isolates the system, or for placing a recirculation pump in operation. The Note takes exception to the requirements of the Surveillance being met (i.e., forced coolant circulation is not required for this initial 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months period), which also allows entry into the Applicability of this Specification in accordance with SR 3.0.4 since the Surveillance will not be "not met" at the time of entry into the Applicability.

REFERENCES 1. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

BFN-UNIT 2 B 3.4-46

RHR Shutdown Cooling System - Cold Shutdown B 3.4.8 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.8 Residual Heat Removal (RHR) Shutdown Cooling System - Cold Shutdown BASES BACKGROUND Irradiated fuel in the shutdown reactor core generates heat during the decay of fission products and increases the temperature of the reactor coolant. This decay heat must be removed to maintain the temperature of the reactor coolant s 212'F. This decay heat removal is in preparation for performing refueling or maintenance operations, or for keeping the reactor in the Cold Shutdown condition.

The RHR System has two loops with each loop consisting of two motor driven pumps, two heat exchangers, and associated piping and valves. There are two shutdown cooling subsystems per RHR System loop. Both loops have a common suction from the same recirculation loop. The four redundant, manually controlled shutdown cooling subsystems of the RHR System provide decay heat removal. Each pump discharges the reactor coolant, after circulation through the respective heat exchanger, to the reactor via the associated recirculation loop. The RHR heat exchangers transfer heat to the RHR Service Water System. Any one of the four RHR shutdown cooling subsystems can provide the required decay heat removal function.

(continued)

BFN-UNIT 2 B 3.4-47

RHR Shutdown Cooling System - Cold Shutdown B 3.4.8 BASES (continued)

APPLICABLE Decay heat removal by operation of the RHR System in the SAFETY ANALYSES shutdown cooling mode is not required for mitigation of any event or accident evaluated in the safety analyses. Decay heat removal is, however, an important safety function that must be accomplished or core damage could result. The RHR Shutdown Cooling System meets Criterion 4 of the NRC Policy Statement (Ref. 1).

LCO Two RHR shutdown cooling subsystems are required to be OPERABLE, and when no recirculation pump is in operation, one RHR shutdown cooling subsystem must be in operation.

An OPERABLE RHR shutdown cooling subsystem consists of one OPERABLE RHR pump, one heat exchanger, one RHRSW pump capable of providing cooling to the heat exchanger, and the associated piping and valves. The subsystems have a common suction source and are allowed to have common discharge piping. Since piping is a passive component that is assumed not to fail, it is allowed to be common to the subsystems. In MODE 4, the RHR cross tie valve (FCV-74-46) may be opened to allow pumps in one loop to discharge through the opposite recirculation loop to make a complete subsystem. Additionally, each shutdown cooling subsystem is considered OPERABLE if it can be manually aligned (remote or local) in the shutdown cooling mode for removal of decay heat.

In MODE 4, one RHR shutdown cooling subsystem can provide the required cooling, but two subsystems are required to be OPERABLE to provide redundancy. Operation of one subsystem can maintain or reduce the reactor coolant temperature as required. However, to ensure adequate core flow to allow for accurate average reactor coolant temperature monitoring, nearly continuous operation is required.

continued BFN-UNIT 2 B 3.4-48

RHR Shutdown Cooling System - Cold Shutdown B 3.4.8 BASES LCO Note 1 permits both required RHR shutdown cooling (continued) subsystems and recirculation pumps to not be in operation for a period of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months in an 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months period. Note 2 allows one RHR shutdown cooling subsystem to be inoperable for performance of Surveillance tests. These tests may be on the affected RHR System or on some other plant system or component that necessitates placing the RHR System in an inoperable status during the performance. This is permitted because the core heat generation can be low enough and the heatup rate slow enough to allow some changes to the RHR subsystems or other operations requiring RHR flow interruption and loss of redundancy.

APPLICABILITY In MODE 4, the RHR Shutdown Cooling System must be OPERABLE and shall be operated in the shutdown cooling mode to remove decay heat to maintain coolant temperature below 212'F. Otherwise, a recirculation pump is required to be in operation.

In MODES 1 and 2, and in MODE 3 with reactor steam dome pressure greater than or equal to the RHR low pressure permissive pressure, this LCO is not applicable. Operation of the RHR System in the shutdown cooling mode is not allowed above this pressure because the RCS pr'essure may exceed the design pressure of the shutdown cooling piping. Decay heat removal at reactor pressures greater than or equal to the RHR low pressure permissive pressure is typically accomplished by condensing the steam in the main condenser. Additionally, in MODE 2 below this pressure, the OPERABILITYrequirements for the Emergency Core Cooling Systems (ECCS) (LCO 3.5.1, "ECCS-Operating" ) do not allow placing the RHR shutdown cooling subsystem into operation.

continued BFN-UNIT 2 B 3.4-49

RHR Shutdown Cooling System - Cold Shutdown B 3.4.8 BASES APPLICABILITY The requirements for decay heat removal in MODE 3 below the (continued) low pressure permissive pressure and in MODE 5 are discussed in LCO 3.4.7, "Residual Heat Removal (RHR)

Shutdown Cooling System - Hot Shutdown"; LCO 3.9.7, "Residual Heat Removal (RHR) - High Water Level"; and LCO 3.9.8, "Residual Heat Removal (RHR) - Low Water Level."

ACTIONS A Note has been provided to modify the ACTIONS related to RHR shutdown cooling subsystems. Section 1.3, Completion Times, specifies once a Condition has been entered, subsequent divisions, subsystems, components or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition.

Section 1.3, also specifies Required Actions of the Condition continue to apply for each. additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable shutdown cooling subsystems provide appropriate compensatory measures for separate inoperable shutdown cooling subsystems. As such, a Note has been provided that allows separate Condition entry for each inoperable RHR shutdown cooling subsystem.

A.'I With one of the two required RHR shutdown cooling subsystems inoperable, the remaining subsystem is capable of providing the required decay heat removal. However, the overall reliability is reduced. Therefore, an alternate method of decay heat removal must be provided. With both required RHR shutdown cooling subsystems inoperable, an alternate method of decay heat removal must be provided in addition to that provided for the initial RHR shutdown cooling subsystem continued BFN-UNIT 2 B 3.4-50

RHR Shutdown Cooling System - Cold Shutdown B 3.4.8 BASES ACTIONS . A.1 (continued) inoperability. This re-establishes backup decay heat removal capabilities, similar to the requirements of the LCO. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is based on the decay heat removal function and the probability of a loss of the available decay heat removal capabilities. Furthermore, verification of the functional availability of these alternate method(s) must be reconfirmed every 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months thereafter. This will provide assurance of continued heat removal capability.

The required cooling capacity of the alternate method should be ensured by verifying (by calculation or demonstration) its capability to maintain or reduce temperature. Decay heat removal by ambient losses can be considered as, or contributing to, the alternate method capability. Alternate methods that can be used include (but are not limited to) the Condensate/Main Steam (feed and bleed) Systems and the adjacent unit(s) RHR SDC pumps and heat exchangers available through the RHR cross tie.

8.1 and 8.2 With no RHR shutdown cooling subsystem and no recirculation pump in operation, except as permitted by LCO Note 1, and until RHR or recirculation pump operation is re-established, an alternate method of reactor coolant circulation must be placed into service. This will provide the necessary circulation for monitoring coolant temperature and pressure.,The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is based on the coolant circulation function and is modified such that the 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is applicable separately for each occurrence involving a loss of coolant circulation.

Furthermore, verification of the functioning of the alternate method must be reconfirmed every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months thereafter. This will provide assurance of continued temperature and pressure monitoring capability.

continued BFN-UNIT 2 B 3.4-51

RHR Shutdown Cooling System - Cold Shutdown B 3.4.8 BASES ACTIONS B.1 and B.2 (continued)

During the period when the reactor coolant is being circulated by an alternate method (other than by the required RHR shutdown cooling subsystem or recirculation pump), the reactor coolant temperature and pressure must be periodically monitored to ensure proper function of the alternate method.

The once per hour Completion Time is deemed appropriate.

SURVEILLANCE SR 3.4.8.1 REQUIREMENTS This Surveillance verifies that one required RHR shutdown cooling subsystem or recirculation pump is in operation and circulating reactor coolant. The required flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability. The Frequency of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is sufficient in view of other visual and audible indications available to the operator for monitoring the RHR subsystem and recirculation pump in the control room.

REFERENCES 1. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

BFN-UNIT 2 B 3.4-52

RCS P/T Limits B 3.4.9 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.9 RCS Pressure and Temperature (P/T) Limits BASES BACKGROUND All components of the RCS are designed to withstand effects of cyclic loads due to system pressure and temperature changes.

These loads are introduced by startup (heatup) and shutdown (cooldown) operations, power transients, and reactor trips. This LCO limits the pressure and temperature changes during RCS heatup and cooldown, within the design assumptions and the stress limits for cyclic operation.

Figure 3.4.9-1 contains P/T limit curves for heatup, cooldown, and inservice leakage and hydrostatic testing. The maximum rate of change of reactor coolant temperature is contained in SR 3.4.9.5, SR 3.4.9.6, and SR 3.4.9.7. The heatup curve provides limits for both heatup and criticality.

Each P/T limit curve defines an acceptable region for normal operation. The usual use of the curves is operational guidance during heatup or cooldown maneuvering, when pressure and temperature indications are monitored and compared to the applicable curve to determine that operation is within the allowable region.

The LCO establishes operating limits that provide a margin to brittle failure of the reactor vessel and piping of the reactor coolant pressure boundary (RCPB). The vessel is the component most subject to brittle failure. Therefore, the LCO limits apply mainly to the vessel.

continued BFN-UNIT 2 B 3.4-53

RCS P/T Limits 8 3.4.9 BASES BACKGROUND 10 CFR 50, Appendix G (Ref. 1), requires the establishment of (continued) P/T limits for material fracture toughness requirements of the RCPB materials. Reference 1 requires an adequate margin to brittle failure during normal operation, abnormal operational transients, and system hydrostatic tests. It mandates the use of the ASME Code,Section III, Appendix G (Ref. 2).

The actual shift in the Ropy of the vessel material will be established periodically by removing and evaluating the irradiated reactor vessel material specimens, in accordance with ASTM E 185 (Ref. 3) and Appendix H of 10 CFR 50 (Ref. 4). The operating P/T limit curves will be adjusted, as necessary, based on the evaluation findings and the recommendations of Reference 5.

The P/T limit curves are composite curves established by superimposing limits derived from stress analyses of those portions of the reactor vessel and head that are the most restrictive. At any specific pressure, temperature, and temperature rate of change, one location within the reactor vessel will dictate the most restrictive limit. Across the span of the P/T limit curves, different locations are more restrictive, and, thus, the curves are composites of the most restrictive regions.

The heatup curve represents a different set of restrictions than the cooldown curve because the directions of the thermal gradients through the vessel wall are reversed. The thermal gradient reversal alters the location of the tensile stress between the outer and inner walls.

continued BFN-UNIT 2 B 3.4-54

RCS P/T Limits B 3.4.9 BASES BACKGROUND The criticality limits include the Reference 1 requirement that (continued) they be at least 40'F above the heatup curve or the cooldown curve and not lower than the minimum permissible temperature for the inservice leakage and hydrostatic testing.

The consequence of violating the LCO limits is that the RCS has been operated under conditions that can result in brittle failure of the RCPB, possibly leading to a nonisolable leak or loss of coolant accident. In the event these limits are exceeded, an evaluation must be performed to determine the effect on the structural integrity of the RCPB components.

ASME Code,Section XI, Appendix E (Ref. 6), provides a recommended methodology for evaluating an operating event that causes an excursion outside the limits.

APPLICABLE The P/T limits are not derived from Design Basis Accident SAFETY ANALYSES (DBA) analyses. They are prescribed during normal operation to avoid encountering pressure, temperature, and temperature rate of change conditions that might cause undetected flaws to propagate and cause nonductile failure of the RCPB, a condition that is unanalyzed. Reference 7 establishes the methodology for determining the P/T limits. Since the P/T limits are not derived from any DBA, there are no acceptance limits related to the P/T limits. Rather, the P/T limits are acceptance limits themselves since they preclude operation in an unanalyzed condition.

RCS P/T limits satisfy Criterion 2 of the NRC Policy Statement (Ref. 9).

(continued)

BFN-UNIT 2 B3 4-55

RCS P/T Limits B 3.4.9 BASES (continued)

LCO The elements of this LCO are:

a. RCS pressure, temperature, and heatup or cooldown rate are within the limits specified in Figure 3.4.9-1, during RCS heatup, cooldown, and inservice leak and hydrostatic testing;

b. The temperature difference between the reactor vessel bottom head coolant and the reactor pressure vessel (RPV) coolant is within the limit during recirculation pump startup;

c. The temperature difference between the reactor coolant in the respective recirculation loop and in the reactor vessel meets the limit during recirculation pump startup;

d. RCS pressure and temperature are within the criticality limits specified, prior to achieving criticality; and

e. The reactor vessel flange and the head flange temperatures are within the limits when tensioning the reactor vessel head bolting studs.

These limits define allowable operating regions and permit a large number of operating cycles while also providing a wide margin to nonductile failure.

continued BFN-UNIT 2 8 3.4-56

RCS P/T Limits B 3.4.9 BASES LCO The rate of change of temperature limits controls the thermal (continued) gradient through the vessel wall and is used as input for calculating the heatup, cooldown, and inservice leakage and hydrostatic testing P/T limit curves. Thus, the LCO for the rate of change of temperature restricts stresses caused by thermal gradients and also ensures the validity of the P/T limit curves.

Violation of the limits places the reactor vessel outside of the bounds of the stress analyses and can increase stresses in other RCS components. The consequences, depend on several factors, as follows:

a. The severity of the departure from the allowable operating pressure temperature regime or the severity of the rate of change of temperature;

b. The length of time the limits were violated (longer violations allow the temperature gradient in the thick vessel walls to become more pronounced); and

c. The existences, sizes, and orientations of flaws in the vessel material.

APPLICABILITY The potential for violating a P/T limit exists at all times. For example, P/T limit violations could result from ambient temperature conditions that result in the reactor vessel metal temperature being less than the minimum allowed temperature for boltup. Therefore, this LCO is applicable even when fuel is not loaded in the core.

(continued)

BFN-UNIT 2 B 3.4-57

RCS P/T Limits B 3.4.9 BASES (continued)

ACTIONS A.1 and A.2 Operation outside the P/T limits while in MODE 1, 2, or 3 must be corrected so that the RCPB is returned to a condition that has been verified by stress analyses.

The 30 minute Completion Time reflects the urgency of restoring the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in this time in a controlled manner.

Besides restoring operation within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify the RCPB integrity remains acceptable and must be completed if continued operation is desired.

Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, new analyses, or inspection of the components.

ASME Code,Section XI, Appendix E (Ref. 6), may be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is reasonable to accomplish the evaluation of a mild violation. More severe violations may require special, event specific stress analyses or inspections.

A favorable evaluation must be completed if continued operation is desired.

Condition A is modified by a Note requiring Required Action A.2 be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required Action A.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.

continued BFN-UNIT 2 B 3.4-58

RCS P/T Limits B 3.4.9 BASES ACTIONS B.1 and B.2

. (continued)

If a Required Action and associated Completion Time of Condition A are not met, the plant must be placed in a lower MODE because either the RCS remained in an unacceptable P/T region for an extended period of increased stress, or a sufficiently severe event caused entry into an unacceptable region. Either possibility indicates a need for more careful examination of the event, best accomplished with the RCS at reduced pressure and temperature. With the reduced pressure and temperature conditions, the possibility of propagation of undetected flaws is decreased.

Pressure and temperature are reduced by placing the plant in at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

C.1 and C.2 Operation outside the P/T limits in other than MODES 1, 2, and 3 (including defueled conditions) must be corrected so that the RCPB is returned to a condition that has been verified by stress analyses. The Required Action must be initiated without delay and continued until the limits are restored.

Besides restoring the P/T limit parameters to within limits, an evaluation is required to determine if RCS operation is allowed.

This evaluation must verify that the RCPB integrity is acceptable and must be completed before approaching criticality or heating up to ) 212'F. Several methods may be used, including comparison with pre-analyzed transients, new continued BFN-UNIT 2 B 3.4-59

RCS P/T Limits B 3.4.9 BASES ACTIONS C.1 and C.2 (continued) analyses, or inspection of the components. ASME Code,Section XI, Appendix E (Ref. 6), may be used to support the evaluation; however, its use is restricted to evaluation of the beltline.

Condition C is modified by a Note requiring Required Action C.2 be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required Action C.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.

SURVEILLANCE SR 3.4.9.1 REQUIREMENTS Verification that operation is within limits is required every 30 minutes when RCS pressure and temperature conditions are undergoing planned changes. This Frequency is considered reasonable in view of the control room indication available to monitor RCS status. Also, since temperature rate of change limits are specified in hourly increments, 30 minutes permits a reasonable time for assessment and correction of minor deviations.

Surveillance for heatup, cooldown, or inservice leakage and hydrostatic testing may be discontinued when the criteria given in the relevant plant procedure for ending the activity are satisfied.

continued BFN-UNIT 2 B 3.4-60

I RCS P/T Limits B 3.4.9 BASES SURVEILLANCE SR 3.4.9.1 (continued)

REQUIREMENTS This SR has been modified by three Notes. Note 1 requires this Surveillance to be performed only during system heatup and cooldown operations or inservice leakage and hydrostatic testing. Also, Note 1 only requires this SR to be performed during inservice leakage and hydrostatic testing when reactor

)

pressure is 312 psig. Note 2 allows the limits of Figure 3.4.9-1, Curve No. 1, to be applied during nonnuclear heatup and ambient loss cooldown associated with inservice leak and hydrostatic testing provided that the heatup and cooldown rates are s 15 F/hr. Note 3 provides that the limits of Figure 3.4.9-1 do not apply when the tension from the reactor head flange bolting studs is removed.

SR 3.4.9.2 A separate limit is used when the reactor is approaching criticality. Consequently, the RCS pressure and temperature must be verified within the appropriate limits before withdrawing control rods that will make the reactor critical.

Performing the Surveillance within 15 minutes before control rod withdrawal for the purpose of achieving criticality provides adequate assurance that the limits will not be exceeded between the time of the Surveillance and the time of the control rod withdrawal.

continued BFN-UNIT 2 B 3 4-61

RCS P/T Limits B 3.4.9 BASES SURVEILLANCE SR 3.4.9.3 and SR 3.4.9.4 REQUIREMENTS (continued) Differential temperatures within applicable limits ensure that thermal stresses resulting from the startup of an idle recirculation pump will not exceed design allowances. In addition, compliance with these limits ensures that the assumptions of the analysis for the startup of an idle recirculation loop (Ref. 8) are satisfied.

Performing the Surveillance within 15 minutes before starting the idle recirculation pump provides adequate assurance that the limits will not be exceeded between the time of the Surveillance and the time of the idle pump start.

An acceptable means of demonstrating compliance with the temperature differential requirement in SR 3.4.9.4 is to compare the temperatures of the operating recirculation loop and the idle

'oop.

SR 3.4.9.3 and SR 3.4.9.4 have been modified by a Note (Note 1 for SR 3.4.9.4) that requires the Surveillance to be performed only in MODES 1, 2, 3, and 4. In MODE 5, the overall stress on limiting components is lower. The Note also states the SR is only required to be met during a recirculation pump startup, since this is when the stresses occur. Therefore, d T limits are not required. Note 2 of SR 3.4.9 4 allows the difference between the reactor coolant temperature in the recirculation loop to be started and the RPV coolant temperature to be s 75'F when in MODE 2 with both recirculation pumps not in operation.

continued BFN-UNIT 2 8 3.4-62

RCS P/T Limits B 3.4.9 BASES SURVEILLANCE SR 3.4.9.5 SR 34.9.6 and SR 3.4.9.7 REQUIREMENTS (continued) Limits on the reactor vessel flange and head flange temperatures are generally bounded by the other P/T limits during system heatup and cooldown. However, operations approaching MODE 4 from MODE 5 and in MODE 4 with RCS temperature less than or equal to certain specified values require assurance that these temperatures meet the LCO limits.

The flange temperatures must be verified to be above the limits 30 minutes before and while tensioning the vessel head bolting studs to ensure that once the head is tensioned the limits are satisfied. When in MODE 4 with RCS temperature s 85'F, 30 minute checks of the flange temperatures are required because of the reduced margin to the limits. When in MODE 4 with RCS temperature s 100'F, monitoring of the flange temperature is required every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months to ensure the temperature is ) 82'F.

The 30 minute Frequency reflects the urgency of maintaining the temperatures within limits, and also limits the time that the temperature limits could be exceeded. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Frequency is reasonable based on the rate of temperature change possible at these temperatures.

SR 3.4.9.5 is modified by two Notes. Note 1 requires the Surveillance to be performed only when tensioning the reactor vessel head bolting studs. Note 2 allows the reactor vessel head bolts to be partially tensioned (four sequences of the seating pass) provided the studs and flange materials are

) 70'F. SR 3.4.9.6 is modified by a Note that requires the continued BFN-UNIT 2 B 34-63

RCS P/T Limits B 3.4.9 BASES SURVEILLANCE SR 3.4.9.5 SR 3.4.9.6 and SR 3.4.9.7 (continued)

REQUIREMENTS Surveillance to be initiated 30 minutes after RCS temperature s 85'F in MODE 4. SR 3.4.9.7 is modified by a Note that requires the Surveillance to be initiated 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after RCS temperature s 100'F in MODE 4. The Notes contained in these SRs are necessary to specify when the reactor vessel flange and head flange temperatures are required to be verified

) 82'F.

REFERENCES 1. 10 CFR 50, Appendix G.

2. ASME, Boiler and Pressure Vessel Code,Section III, Appendix G.

3. ASTM E 185-82, July 1982.

4. 10 CFR 50, Appendix H.

5. Regulatory Guide 1.99, Revision 2, May 1988.

6. ASME, Boiler and Pressure Vessel Code,Section XI, Appendix E.

7. NEDO-21778-A, December 1978.

8. FSAR, Section 14.5.6.2.

9. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

BFN-UNIT 2 B 3.4-64

Reactor Steam Dome Pressure B 34.10 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.10, Reactor Steam Dome Pressure BASES BACKGROUND The reactor steam dome pressure is an assumed value in the determination of compliance with reactor pressure vessel overpressure protection criteria and is also an assumed initial condition of design basis accidents and transients.

APPLICABLE The reactor steam dome pressure of s 1071 psig is an initial SAFETY ANALYSES condition of the vessel overpressure protection analysis of Reference 1. This analysis assumes an initial maximum reactor steam dome pressure and evaluates the response of the pressure relief system, primarily the safety/relief valves, during the limiting pressurization transient. The determination of compliance with the overpressure criteria is dependent on the initial reactor steam dome pressure; therefore, the limit on this pressure ensures that the assumptions of the overpressure protection analysis are conserved. Reference 2 also assumes an initial reactor steam dome pressure for the analysis of design basis accidents and transients used to determine the limits for fuel cladding integrity (see Bases for LCO 3.2.2, "MINIMUMCRITICAL POWER RATIO (MCPR)") and 1%

cladding plastic strain (see Bases for LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)").

Since the design basis accident and the transient analyses are performed at nominal operating pressures (1005 psig), a continued BFN-UNIT 2 B 3.4-65

Reactor Steam Dome Pressure B 3.4.10 BASES APPLICABLE reactor steam dome pressure limit is chosen at 1020 psig, to SAFETY ANALYSES ensure the plant is operated within the bounds of the (continued) uncertainties of the design basis accident and transient analyses.

Reactor steam dome pressure satisfies the requirements of Criterion 2 of the NRC Policy Statement (Ref. 3).

LCO The specified reactor steam dome pressure limit of z 1020 psig ensures the plant is operated within the assumptions of the transient analysis. Operation above the limit may result in a transient response more severe than analyzed.

APPLICABILITY In MODES 1 and 2, the reactor steam dome pressure is required to be less than or equal to the limit. In these MODES, the reactor may be generating significant steam and the design basis accidents and transients are bounding.

In MODES 3, 4, and 5, the limit is not applicable because the reactor is shut down. In these MODES, the reactor pressure is well below the required limit, and no anticipated events will challenge the overpressure limits.

(continued)

BFN-UNIT 2 B 3.4-66

0, Reactor Steam Dome Pressure B 3.4.10 BASES (continued)

ACTIONS A,1 With the reactor steam dome pressure greater than the limit, prompt action should be taken to reduce pressure to below the limit and return the reactor to operation within the bounds of the analyses. The 15 minute Completion Time is reasonable considering the importance of maintaining the pressure within limits. This Completion Time also ensures that the probability of an accident occurring while pressure is greater than the limit is minimized. If the operator is unable to restore the reactor'team dome pressure to below the limit, then the reactor should be placed in MODE 3 to be operating within the assumptions of the transient analyses.

B.1 If the reactor steam dome pressure cannot be restored to within the limit within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.4.10.1 REQUIREMENTS Verification that reactor steam dome pressure is s 1020 psig ensures that the initial conditions of the design basis accidents and transients are met. Operating experience has shown the 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Frequency to be sufficient for identifying trends and verifying operation within safety analyses assumptions.

(continued)

BFN-UNIT 2 8 3.4-67

Reactor Steam Dome Pressure B 34.10 BASES (continued)

REFERENCES 1. FSAR, Section 4.'4.6.

2. FSAR, Chapter 14.

3. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

BFN-UNIT 2 B 3.4-68

0

ML18039A504

Text

References:

Navigation menu

Search