ML20094M770

From kanterella
Jump to navigation Jump to search
Proposed Tech Specs,Informing That Fuel Bundle Weight Was Revised to Reflect Lighter Weight of GE11 Fuel Design
ML20094M770
Person / Time
Site: Browns Ferry  Tennessee Valley Authority icon.png
Issue date: 11/17/1995
From:
TENNESSEE VALLEY AUTHORITY
To:
Shared Package
ML20094M762 List:
References
NUDOCS 9511270219
Download: ML20094M770 (133)
v  d  e


Text

{{#Wiki_filter:- f l ENCLOSURE 2 TENNESSEE VALLEY AUTHORITY BROWNS FERRY NUCLEAR PLANT (BFN) UNITS 1, 2, AND 3 l l PROPOSED TECHNICAL SPECIFICATION (TS) CHANGE TS-370 i MARKED PAGES I I. AFFECTED PAGE LIST UNIT 1 UNIT 2 UNIT 3 3.10/4.10-12 1.1/2.1-8 1.1/2.1-8 1.1/2.1-9 1.1/2.1-9 1.1/2.1-13 1.1/2.1-13 1.1/2.1-14 1.1/2.1-14 1.1/2.1-15 1.1/2.1-16 1.1/2.1-16 1.2/2.2-2 1.2/2.2-2 1.2/2.2-3 1.2/2.2-3 1.2/2.2-4 3.1/4.1-14 3.1/4.1-15 3.1/4.1-15 3.1/4.1-16 3.1/4.1-17 3.1/4.1-19 i 3.1/4.1-20 3.2/4.2-64 3.2/4.2-65 3.2/4.2-67 3.2/4.2-67 3.2/4.2-70 3.3/4.3-15 3.3/4.3-14 3.3/4.3-17 3.3/4.3-17 3.3/4.3-18 3.3/4.3-18 3.3/4.3-20 3.3/4.3-20 3.5/4.5-24 3.5/4.5-27 3.5/4.5-30 3.5/4.5-33 3.5/4.5-32 3.6/4.6-30 3.6/4.6-30 3.6/4.6-31 3.6/4.6-31 3.6/4.6-33 3.6/4.6-32 3.7/4.7-25 3.6/4.6-33 3.7/4.7-26 3.7/4.7-26 3.7/4.7-27 3.7/4.7-27 3.7/4.7-34 3.7/4.7-28 3.9/4.9-18 3.9/4.9-19 3.10/4.10-11 3.10/4.10-12 3.10/4.10-12 3.10/4.10-15 3.10/4.10-13 II. MARKED PAGES See attached. 9511270219 951117 PDR ADOCK 05000259 p PDR

- - ~ _ _. - - - - - - - - -. - - -. - ~ - - -.. ~ l i 3.10 BASES (Cont'd) suberitical even when the highest worth control rod is fully withdrawn. The combination of refueling interlocks for control rods and the refueling platform provide redundant methods of preventing inadvertent criticality even after procedural violations. The interlocks on hoists provide yet another method of avoiding inadvertent criticality. Fuel handling is normally conducted.with the fuel grapple hoist. The total load on this hoist when the interlock is required consists of the weight of the fuel grapple and the fuel assembly. This total is approximately 1,500 lbs, in comparison to the load-trip setting of 1,000 lbs. Provisions have also been made to allow fuel handling with either of the three auxiliary hoists and still maintain the refueling interlocks. The 400-lb load-trip setting on thes os i is adequate to trip the interlock when one of the more t 194& lb fuel bundles is being handled. O During certain periods, it is desirable to perform maintenance on two control rods and/or control rod drives at the same time without j removing fuel from the cells. The maintenance is performed with the 3 mode switch in the refuel position to provide the refueling interlocks normally available during refueling operations. In order to withdraw a second control rod after withdrawal of the first rod, ] it is necessary to bypass the refueling interlock on the first control rod which prevents more than one control rod from being ) withdrawn at the same time. The requirement that an adequate shutdown margin be demonstrated and that all remaining control rods 1 have their directional control valves electrically disarmed ensures that inadvertent criticality cannot occur during this maintenance. The adequacy of the shutdown margin is verified by demonstrating that at least 0.38 percent ok shutdown margin is available. Disarming the i' directional control valves does not inhibit control rod scram capability. Specification 3.10.A.7 allows unloading of a significant portion of the reactor core. This operation is performed with the mode switch in the refuel position to provide the refueling interlocks normally available during refueling operations. In order to withdraw more than one control rod, it is necessary to bypass the refueling interlock on each withdrawn control rod which prevents more than one ~ control rod from being withdrawn at a time. The requirement that the fuel assemblies in the cell controlled by the control rod be removed from the reactor core before the interlock can be bypassed ensures that withdrawal of another control rod does not result in inadvertent criticality. Each control rod provides primary reactivity control for the fuel assemblies in the cell associated with that control rod. Thus, removal of an entire cell (fuel assemblies plus control rod) results in a lower reactivity potential of the core. The requirements for SRM OPERABILITY during these CORE ALTERATIONS assure l sufficient core monitoring. AMENDMENT NO.19 4 BFN 3.10/4.10-12 Unit i

1 i l.1 BASES: l FUBL CLADDING INTBGRITY SAFETY LIMIT The fuel cladding represents one of the physical barriers which ~ separate radioactive materials from environs. cladding barrier. is related to its relative freedom fromThe integrity of this perforations or cracking. Although some corrosion or use-related cracking may occur during the life of the cladding, fission product migration from this source is incrementally cumulative and continuously measurable. Fuel cladding perforations, however, can result from thermal stresses which occur from reactor operation significantly above design conditions and the protection system setpoints. While. fission product migration from cladding perforation is just as measurable as that from use-related cracking, the thermally-caused cladding perforations signal a threshold, beyond which still greater thermal stresses may cause gross rather than incremental cladding deterioration. Therefore, the fuel cladding safety limit is defined in terms of the reactor operating conditions which can result in cladding perforation. The fuel cladding integrity limit is set such that no calculated fuel damage would occur as a result of an abnormal operational transient. Because fuel damage is not directly observable, the Fuel Cladding Safety Limit is defined with margin to the conditions which would produce onset transition boiling (MCPR of 1.0). This establishes a safety Limit such that the minimum critical power ratio (MCPR) is no less than 1.07. MCPR > 1.07 represents a conservative margin relative to the conditions required to maintain fuel cladding integrity. d onset of transition boiling results in a decrease in heat transfer from the clad and, therefore, elevated clad temperature and the possibility of clad failure. Since boiling transition is not a directly observable parameter, the margin to boiling transition is calculated from plant operating parameters such as core power, core flow, feedwater temperature, and core r distribution. The margin for each fuel assembly is aracte ized by the critical power ratio (CPR) which is the ratio f the bu le power which would produce onset of transition bo 11 ded by the actual bundle power. The minimum value of t s a for any bundle in the core is the minimum critical power rat o (MCPR). It is assumed that the plant operation is controlled to the nominal protective setpoints via the instrumented variables, i.e.. normal plant operation presented on Figure 2.1-1 by the nominal expected flow control line. The Safety Limit (MCPR of 1.07) has sufficient conservatism to assure that in the event of an abnormal operational transient initiated from a normal operating condition (MCPR > limits specified in specification 3.5.K) more than 99.9 percent of the fuel rods in the core are expected to avoid boiling transition. The margin between MCPR of 1.0 (onset of transition boiling) and the safety limit 1.07 is derived from a detailed statistical analysis considering all of the uncertainties in monitoring the core operating state including uncertainty in the boiling transition correlation as described in Reference 1. in deriving the safety limit are provided atThe uncertainties employed the beginning of each fuel cycle. Al A BFN h Unit 2 1.1/2.1-8

m 1.1 BASES (Cont'd) Because the boiling transition correT'ation is based on a large quantity of full scale data there is a very high confidence that operation of a fuel assembly at not produce boiling transition. the condition of MCPR = 1.07 would j Thus, although it is not required to establish the safety limit additional margin exists between the safety limit and the actual occurrence of loss of cladding integrity. However, if boiling transition were to occur, clad perforation would not be expected. cladding temperatures would increase to approximately 1.1000 of the cladding material.F which is below the perforation temperature This has been verified by tests in the General Electric Test Reactor (GETR) where fuel similar in design to BFNP operated above the critical heat flux for a significant period of time (30 minutes) without clad perforation. If reactor pressure should ever exceed 1,400 psia during normal power operation (the limit of applicability of the boiling transition correlation) integrity Safety t.imit has been violated.it would be assumed that the fuel cladding At pressures below 800 psia, the core elevation pressure drop (0 power, 0 flow) is greater than 4.56 psi, At low powers and flows this pressure differential is maintained in the bypass core. Since the pressure drop on of-t e all elevation head, the core 'e bypass region s es e't lly res te drop at low will always be greater than 4. ppI. Analyses s r a . lows flow of 28x103 lbs/hr bundle wit independent of bundle power and has a value of 3.5 psi., bundle pressure drop bundle flow with a 4.56 psi driving head will be greater than Thus, the 28x103 lbs/hr. 14.7 psia to 800 psia indicate thatFull scale ATLAS test data taken at pressures from at this flow is approximately 3.35 MWt.the fuel assembly critical power factors this corresponds to a core thermal power of more than 50With the design pe percent. Thus, a core thermal power limit of 25 percent for reactor pressures below 800 psia is conservative. For the fuel in the core during periods when the reactor is shut down, consideration must also be given to water level requirements due to the effect of decay heat. If water level should drop below the top of the fuel during this time, the ability to remove decay heat is reduced. elevated cladding temperatures and clad perforation.This reduction in coo fuel remains covered with water, sufficient cooling is available to As long as the prevent fuel clad perforation. BPN Unit 2 1.1/2.1-9

1 2.1 JIMifd (Cont'd) DEC 0 71994 i Analyses of the limiting traliraients show that no scram adjustment is required to assure MCFR > 1.07 when the transient is initiated from MCPR limits specified in Specification 3.5.k. 2. APRM Flur Scram Trin Settina (RE MEL or STARTUP/ HOT STawnBY MODE) For operation in the startup mode while the reactor is at low pressure, the APRM scram setting of 15 percent of rated power i i provides adequate thermal margin between the setpoint and the safety limit, 25 percent of rated. The margin is adequate to 4 accosmodate anticipated maneuvers associated with power plant startup. Effects of increasing pressure at zero or low void content are minor, cold water from sources available during startup is not much colder than that already in the system, temperature coefficients are small, and control rod patterns are constrained to be uniform by operating procedures backed up by the rod worth minimizer.+ Thus, of all naamible anureen of -y reactivity input, uniform control rod withdrawal is the most probable cause of significant power rise. Because the flux distribution associated with uniform rod withdrawals does not involve high local peaks, and because several rods must be moved to change power by a significant percentage of rated power, the rate of power rise is very slow. Generally, the heat flux is in near equilibrium with the fission rate. In an assumed uniform i rod withdrawal approach to the scram level, the rate of power rise is no more than five percent of rated power per minute, and i the APRM system would be more than adequate to assure a scram { before the power could exceed the safety limit. The 15 percent APRM scram remains active until the d a vitsthis-elar d in the RUN position. This switch a whep reactor pressure is, greater than 850 pais. Leodh ot' MuidA.AM rods t5 /cy l cx4 iri o LLYM90(tv\\ FOk 3. IBM Flur Scram Trio Settina s m, The IRM System consists of eight c am rs, four n each of the reactor protection system logic channels. The IBM is a five-decade instrument which covers the range of power level between that covered by the SRM and the APRM. The five decades are covered by the IBM by means of a range switch and the five ~ decades are broken down into 10 ranges, each being one-half of a ecade in size. The IRM scram setting of 1 sions is act in each range of the IRM. For ex le,Jf the instrument W M we V range 1, the scram setting would eJV divisions for cnat range; likewise if the i rupent va ange 5, the scram setting would be 120 divisio a otrth t range. Of 1.1/2.1-13 8 BFN Unit 2

_ __ _ _ _ _. _. _ _.. _ _ _.. _. _ _ _ _ _ _ _. ~ _. _ _ _ _ _ _ _ _ _. _ _ _. _ - 1 2.1 BAlfd (Cont'd) giig IRM Flux Scram Trin Settina (Continued) j' j 'Thus, as the IRM is ranged up to accommodate the increase in power level, the scram setting is also ranged up. A scram at l 120 divisions on the IRM instruments remains in effect as long as the reactor is in the startup mode. In addition, the APRM i-15 percent scram prevents higher power operation without being in the RUN mode.1 The IRM scram provides protection for changes which occur both locally and over the entire core. iThe most significant sources of reactivity change during the power l increase are due to control rod withdrawal.) For insequence control rod withdrawal, the rate of change of power is slow enough due to the physical limitation of withdrawing control ods that-heat flux is in equilibrium with the neutron flux. 7An I u d result in a reactor shutdown well before any r t s exceeded." For the case of a single control rod dra rror, a range of rod withdrawal accidents was analyzed. UThis analysis included starting the accident at various power levels. The most severe case involves an initial condition in which the reactor is just a critic i.ud 6u. I" system is not yet on scale. This co tion exist at quarter rod density.4 Quarter rod density is in dMCR$$8d. $ e .t{- k paragraph 7.5.'5+of the FSAR. >; Additiona = H== wa = taken j in this analysis by assuming that the IRM channel closest to the withdrawn rod is bypassed. The results of this analysis show that the reactor is scrammed and peak power limited to one percent of rated power, thus maintaining MCPR above 1.07. Based on the above analysis, the IRM provides protection against local control rod withdrawal errors and continuous withdrawal of control rods in sequence.

4. Fixed Hinh Neutron Flur Scram Trin The average power range monitoring (APRM) system, which is calibrated using heat balance data taken during steady-state conditions, reads in percent of rated power (3,293 MWt).

The APRM system responds directly to neutro Licensing analyses have demonstrated that wit neutron f1 scram of 120 percent of rated power, none of th ab 1 o e at nel transients analyzed violate the fu 1 there is a substantial margin from fuel damage B. APRM Control Rod Block Reactor power level may be varied by moving control rods or by varying the recirculation flow rate. The APRM system provides a control rod block to prevent rod withdrawal beyond a given point at constant recirculation flow rate and thus prevents scram actuation. l This rod block trip setting, which is automatically varied with recirculatitn loop flow rate, prevents an increase in the reactor power level to excess values due to control rod withdrawal. The flow variable trip setting is selected to provide adequate margin to the flow-biased scram setpoint. BFN 1.1/2.1-14 TS 357 - TVA Letter to NRC Unit 2 Dated 05/,11/95

2.1 BASES (Cont'd) MAY 1 C. ReactorWaterLowLevelScramandIsolation(ExceptMainStam2nes) i The setpoist for the low level scram is above the bottom of thev \\ separator skirt. dealing with coolant inventory decrease.This level has been used in transie The results reported in FSAR Subsection 14.5 show that scram and isolation of.all process lines (except main steam) at this level adequately protects the fuel and the pressure barrier, because MCPR is greater than 1.07 in all cases, and system pressure does not reach the safety valve settings. The scram setting is sufficiently below normal operating range to avoid spurious scrams. D. Turbine Ston Valve Closure Scram The turbine stop valve closure trip anticipates the pressure, neutron flux and heat flux increases that would result from closure of the stop valves. With a trip setting of 10 percent of valve closure from full open, the resultant increase in heat flux is such that adequate thermal margins are maintained even during the worst case transient that assumes the turbine bypass valves remain closed. (Reference 2) E. Turbine Control Valve Fast Closure or Turbine Trio Scram Turbine control valve fast closure or turbine trip scram anticipates the pressure, neutron flux, and heat flux increase that could result from control valve fast closure due to load rejection or control valve closure due to turbine trip; each without bypass valve capability. The reactor protection system initiates a scram in less than 30 milliseconds after the start of control valve fast closure due to load rejection or control valve closure due to turbine trip. This scram is achieved by rapidly reducing hydraulic control oil pressure at the main turbine control valve actuator disc dump valves. This loss of pressure is sensed by pressure switches whose contacts form the one-out-of-two-twice logic input to the reactor protection system. This trip setting, a nominally 50 percent greater closure time and a different valve characteristic from that of the turbine stop valve, combine to produce transients very similar to that for the stop valve. No significant change in MCPR occurs. Relevant transient analyses are discussed in References 2 and 3 of the Final Safety Analysis Report. This scram is bypassed ~ when turbine steam flow is below 30 percent of rated, as measured by turbine first state pressure. BFN Unit 2 1.1/2.1-15 TS 357 - TVA Letter to NRC Dated 05/11/95

l f 2.1 BASES (Cont'd) F. .(Deleted) G. & H. Main Steam line Isolation on Low Pressure and Main Steam Line _ Isolation Scram The low pressure isolation of the main steam lines at 825 psig was provided to protect against rapid reactor depressurization and the resulting rapid cool ) vessel. 'The scram feature that g occurs when the mai st.galiELice i olation valves close shuts down the { reactor so that high' r ao ion at low reactor pressure does u, us providing protection for the fuel cladding integrity sh7)1 . >0peration of the reactor at pressures lower than 825 mis icyuAres that the reactor mode switch be in the STAR i ition, where protection of the fuel cladding integrit My t JTyfl is provided by the IRM a igh neutron flux ser Mqm f)me. the combination of main steaarfia( ow pressure isolation and isolation valve closure scram assures the~ availability of neutron flux scram protection o v fuel cladding integrit prfh. wt1% j In addition, the isolation range of applicability of the valve closure scram ant cayew. de pressure and flux transients that occur during normal or inadvertent isolation valve closure. With the scrams set at 10 percent of valve closure, neutron flux does not increase. i l I.J.& K. Reactor Low Water Level Setpoint for Initiation of RPCI and RCIC l Closing Main Steam Isolation Valves. and Starting LPCI and Core ) Spray Pumps. These systems maintain adequate coolant inventory and provide core cooling with the objective of preventing excessive clad temperatures. The design of these systems to adequately perform the intended function is based on the specified low level scram setpoint and initiation setpoints. Transient analyses reported in Section 14 of the FSAR demonstrate that these conditions result in adequate safety margins for both the fuel and the system pressure. L. References 1. Supplemental Reload Licensing Report of Browns Ferry Nuclear Plant, Unit 2 (applicable cycle-specific document). 2. GE Standard Application for Reactor Fuel, NEDE-240ll-P-A and NEDE-24011-P-A-US (latest approved version). [t2 l' U 1-AMENDMENT RO. 214

.. ~ .. -. -.. -.. ~. - ~. - b i d i 1.2 BASES REACTOR COOL. ANT SYSTEM INTEGRITY The safety limits for the reactor coolant system pressure have been selected such that they are below pressures at which it can be shown that the integrity of the system is not endangered. However, the pressure safety limits are not high enough such that no foreseeable circumstances-can cause the system pressure to rise over these limits. The pressure safety limits are arbitrarily selected to be the lowest transient overpressures allowed by the applicable codes ASME Boller and pressure Vessel Code. Section III, and USAS Piping Code, Section B31.1. The design pressure (1,250 psig) of the reactor. vessel is established such that, when the 10 percent allowance (125 psi) allowed by the ASME Boiler and pressure Vessel Code Section III for pressure transients is added to the design pressure, a transient pressure limit of 1,375 psig is established. re dingly. the design pressu 1,1 ,pn g r suction nd 1.3 g6Pg'f r discharge) of the reactor recircu system pipi g h Cl f fb , when the 20 percent allowance (230 and 265 psi) allowed piping Code. Section B31.1 for pressure transients is added to the design pressures, transient pressure limits of 1,378 and 1,591 psig are established. Thus, the pressure safety limit applicable to power operation is este.ished at 1,375 psig (the lowest allowed by the pertinent codes), transient overpressure Section III, and USAS Piping Code, Section B31.1.ASME Boiler and Pressure Vessel Cod The current cycle's safety analysis concerning the most severe abnormal operational transient resulting directly in a reactor coolant system pressure increase is given in the reload licensing submittal for the current cycle. given in subsection 4.2 of the safety analysis reportThe reactor vessel is well above the peak pressure produced by the overpressure transient described above. Thus, the pressure safety limit applicable to power operation is well above the peak pressure that can result due to reasonably expected overpressure transients. Higher design pressures have been established for piping within the reactor coolant system than for the reactor vessel. These increased design pressures create a consistent design which assures that, if the pressure within the reactor vessel does not exceed 1,375 psig, the pressures within the piping cannot exceed their respective transient pressure limits due to static and pump heads. The safety limit of 1,375 psig actually applies to any point in the reactor vessel; however, because of the static water head, the highest pressure point will occur at the bottom of the vessel. Because the BPN Unit 2 1.2/2.2-2 ~

l 1.2 BASES (Cont'd) pressure is not monitored at thTs point, it cannot be directly determined if this safety limit has been violated. varying head level and flow pressure drops, an equivalent pressure can i be a priori determined for a pressure monitor higher in the vessel. Therefore, following any transient that is severe enough to cause concern that this safety limit was violated, a calculation will be performed ) using all available information to determine if the safety limit was violated. l REFERENCES i Ad App 6Mfl[ N) 1. Plant Safety Analysis (BFNP FSAR Section .0 2. ASME Boiler and Pressure Vessel Code Section 3. USAS Piping Code. Section B31.1 4. Reactor Vessel and Appn-tanantae Marhant<at De - -owction 4.2) FSAR K 0cnene. Seloac\\ Fue hye\\.'ca %, Dec^ sing Epica t Repod, NEDE-24cli A and. A cLct.e nd.a.. ~ BFN Unit 2 1.2/2.2-3

I l 3.1 BASES fe ,[rtectio jIytemautomaticallyinitiatesareactorscramto: to 4 1. Preserve the integrity of the fuel cladding. 2. Preserve the integrity of the reactor. coolant system. 3. Minimize the energy which must be absorbed following a_ loss of coolant accident, and prevents criticality. This specification provides th Ni[ng, hhs f,43 og necessary to preserve the ability of the system to toler&te single failures and still perform its intended function even during periods when { instrument channels may be out o b ause of maintenance. When i necessary, one channel may be ma A 2 for brief intervals to conduct required functional tests a __ffett'ons. 4 The reactor protection trip system is supplied, via a separate bus, by its own high inertia, ac motor-generator set. Alternate power is available to either Reactor Protection System bus from an electrical bus that can receive standby electrical power. The RPS monitoring system provides an isolation between nonclass 1E power supply and the class lE RLS bus. i This will ensure that failure of a nonclass 1E reactor protection power supply will not cause adverse interaction to the class 1E Reactor Protection System. i t e,ESac'r,hhot ti fhst is made up of two independent trip systems d t ( to n 7.2, R). There are usually four channels provided to monitor each critical parameter, with two channels in each trip system. The outputs of the channels in a trip system are combined in a logic such that either channel trip will trip that trip system. The simultaneous tripping of both trip systems will produce a reactor scram. This system meets the intent of IEEE-279 for Nuclear Power Plant Protection Systems. The system has a reliability greater than that of a 2-out-of-3 system and somewhat less than that of a 1-out-of-2 system. With the exception of the Average Power Range Monitor (APRM) channels, the Intermediate Range Monitor (IRM) channels, the Main Steam Isolation Valve closure and the Turbine Stop Valve closure, each trip system logic has one instrument channel. _When the minimum condition for operation on the number of OPERABLE instrument channels per untripped protection trip system is met or if it cannot be met and the effected protection trip system is placed in a tripped condition, the effectiveness of the protection system is preserved; i.e., the system can tolerate a single failure and still perform its intended function of scramming the reactor. Three APRM instrument channels are provided for each protection trip system. BFN 3.1/4.1-14 Unit 2

i i 2 L l 3.1 B.ASES (Cont'd) $[p27jgg4 Each protection trip system has one more APEM than is necessary to meet the minimum number required per channel. This allows the bypassing of ) one APRM per protection trip system for maintenance, testing or l l calibration. Additional IRM channels have also been provided to allow { for bypassing of one such channel. The bases for the scram setting for the IRM, APRM, high reactor pressure, re ow water level, MSIV closure, turbine control valve fast clo ure) turbine stop valve closure are discussed in Specifications 2. 2.2. Instrumentation (pressure switches) for the drywell are provided to detect a loss of coolant accident and initiate the core standby cooling I equipment. A high drywell pressure scram is provided at the same setting as the core cooling systems (CSCS) initiation to minimize the energy i which must be accommodated during a loss of coolant accident and to prevent return to criticality. This instrumentation is a backup to the 4 reactor vessel water level instrumentation. A reactor mode switch is provided which actuates or bypasses the various scram functions appropriate to the particular plant operating status. Reference Section 7.2.3.7 FSAR. The manual scram function is active in all modes, thus providing for a manual means of rapidly inserting control rods during all modes of reactor operation. The IRM system (120/125 scram) in conjunction with the APRM system (15 percent scram) provides protection against excessive power levels and short reactor periods in the startup and intermediate power ranges. i i The control rod drive scram system is designed so that all of the water which is discharged from the reactor by a scram can be accommodated in the discharge piping. The discharge volume tank accommodates in excess of 50 gallons of water and is the low point in the piping. No credit was taken for this volume in the design of the discharge piping as concerns the amount of water which must be accommodated during a scram. During normal operation the discharge volume is empty; however, should it fill with water, the water discharged to the piping from the reactor could not f a 4 BFN 3.1/4.1-15 AMEN 0 MENT NO. 2 2 7 Unit 2

/ ) NOV 0 21995 4.1 BASES The minimum functional testing frequency,u_ sed in this specification is ~~' based on a reliability analysis using the concepts developed in reference This concept was specifically adapted to the one-out-of-two taken The analysis shows that the (1). twice logic of the reactor protection system. sensors are primarily responsible for the reliability of the rer.ctor This analysis makes use of " unsafe failure" rate protection system. experience at conventional and nuclear power plants in a reliability model An " unsafe failure" is defined as one which negates for the system. channel operability and which, due to its nature, is revealed only when the channel is functionally tested or attempts to respond to a real Failure such as blown fuses, ruptured bourdon tubes, faulted signal. amplifiers, faulted cables, etc., which result in " upscale" or "downscale" readings on the reactor instrumentation are " safe" and will be easily recognized by the operators during operation because they are revealed by an alarm or a scram. The channels listed in Tables 4.1.A and 4.1.B are divided into three These are: groups for functional testing. On-Off sensors that provide a scram trip function. A. Analog devices coupled with bistable trips that provide a scram B. function. Devices which only serve a useful function during some restricted .] C. mode of operation, such as STARTUP, or for which the only practical test is one that can be performed at SHUTDOWN. The sensors that make up group (A) are specifically selected from among family of industrial on-off sensors that have earned an excellent eputation for reliable operation. During design, a goal of t 0.9999fproabilityofsuccess(atthe50percentconfidencelevel)was The -d -::d,to assure that a balanced and adequate design is achieved. probability of success is primarily a function of the sensor failure rate A three-month test interval was planned for group and the test interval. This is in keeping with good operating practices, and satisfies the design goal for the logic configuration utilized in the (A) sensors. Reactor Protection System. The once per six-month functional test frequency for the scram pilot air header low pressure trip function is acceptable due to: The functional reliability previously demonstrated by these switches 1. on Unit 2 during Cycles 6 and 7, The need for minimizing the radiation exposure associated with the 2. functional testing of these switches, and is in a The increased risk to plant availability while the plant half-scram condition during the performance of the functional testing 3. versus the limited increase in reliability that would be obtained by more frequent functional testing. AMENDMENT NE 2 4 2 3.1/4.1-17 BFN Unit 2

n ) 4.1 BASES (Cont'd) NOV 0 21995 Experience with passive type instrumenta in generating stations and For substations indicates that the speciflad calibrations are adequate. , etc., drift specifications call for ch employ amp those dev 0.4 per ent/ mon h; i.e., in the period of a month a drift be ess t drift}o)VpcNfent ouldocerafd't s providing for adequate margin. a n(-penenk For t tem drift of e onic apparatus is not the only j Change in power consideration in determining a calibration frequency. distribution and loss of chamber sensitivity dictate a calibration every Calibration on this frequency assures plant operation at or' 1 seven days. below thermal limits. A comparison of Tables 4.1.A and 4.1.B indicates that two instrument These are: mode switch channels have been included in the latter table. All of the devices or sensors associated in SHUTDOWN and manual scram. with these scras functions are simple on-off switches and, hence, calibration during operation is not applicable,-i.e., the switch is either on or off. The sensitivity of LPRM detectors decreases with exposure to neutron flux The APRM system, which uses at a slow and approximately constant rate. the LPRM readings to detect a change in thermal power, will be calibrated every seven days using a heat balance to compensate for this change in The RBM system uses the LPRM reading to detect a localized sensitivity. It applies a correction factor based on the APRM change in thermal power. output signal to determine the percent thermal power and therefore any I change in LPRM sensitivity is compensated-for by the APRM calibration. The technical specification limits of CMFLPD, CPR, and APLHGR are determined by the use of the process computer or other backup methods. These methods use LPRM readings and TIP data to determine the power distribution. Compensation in the process computer for changes in LPRM sensitivity will be made by performing a full core TIP traverse to update the computer calculated LPRM correction factors every 1000 effective full power hours. As a minimum the individual LPRM meter readings will be adjusted at the beginning of each operating cycle before reaching 100 percent power. 3.1/4.1-20l l l BFN Unit 2

3.2 aus NOV 161992 In addition.to reactor protectian instrumentation which initiates a reactor scram, protective instrumenta' tion has been provided which initiates action to mitigate the consequences of accidents which are beyond the operator's ability to control before they result in serious consequence,s.or terminates operator errors This set of specifications provides the limiting conditions of operation for the primar block and standby gas treatment systems. The objectives of the Specifications are (i) to assure the effectiveness of the protective instrumentation when required by preserving its capability to tolerate a single failure of any component of such systems even during periods when portions of such systems are out of service for maintenance, and (11) to prescribe the trip settings required to assure adequate performance. When necessary, one channel may be made inoperable for brief intervals to conduct required functional tests and calibrations. Some of the settings on the instrumentation that initiate or control core and low values are both critical and may have a substantia safety. low end of the setting has a direct bearing on safety, are cho level away from the normal operating range to prevent inadvertent actuation of the safety system involved and exposure to abnormal situations. Actuation of primary containment valves is initiated by protective instrumentation =ha$atin Table 3.2.A which senses the conditions for which i at o is regired. Suc entation must be available wheneve p [ftifat 6 i required. The instrumentatio fwhich initiates primary system isolation is connected in a dual bus arrangement. The low water level instrumentation set to trip at 538 inches above - vessel zero closes isolation valves in the RER System, Drywell and Suppression Chamber exhausts and drains and Reactor Water Cleanup Lines (Groups 2 and 3 isolation valves). The low reactor water level instrumentation that is set to trip when reactor water level is 470 initiates the RCIC and NPCI systems. inches above vessel zero (Table The low water level instrumentation set to trip at 1 398 inches above Main Steam Line Drain Valves, and the Reactor Water Sampl (Group 1). These trip settings are adequate to prevent core uncovery in the case of a break in the largest line assuming the maximum closing time d The low reactor water level instrumentation that is set to trip when reactor water level is 1 398 inches above vessel zero (Table 3.2.B) BFN Unit 2 3.2/4.2-65 AMENDMENT NO. 2 0 4

i i 3.2 3A 31 (Cont'd) i M23E In the event of a loss of the reagtor building ventilation system, radiant heating in the vicinity of the main steam lines raises the ambient temperature above 200*F. The temperature increases can cause an unnecessary main steam line isolation and reactor scraa. Permission is provided to bypass the temperature trip for four hours to avoid an I unnecessary plant transient and allow performance of the secondary containment leak rate test or make repairs necessary to regain normal 3; ventilation. Pressure instrumentation is provided to close the main steam isolation valves in RUN Mode when the main steam line pressure drops below 825 psig. The HPCI high flow and temperature instrumentation are provided to detect j a break in the HPCI steam piping. Tripping of this instrumentation results in actuation of HPCI isolation valves. Tripping logic for the high flow is a 1-out-of-2 logic, and all sensors are required to be OPERABLE. 4 nntIS High temperature in the vicinity of the HPCI equipment i sensed by four sets of four binetallic temperature switches. The 6 temperature switches are arranged in two trip systems with eight eratur switches in each trip system. Each trip system consists of t o ts Each { channel contains one temperature switch located in the p-y_ room and three temperature switches located in the torus area. The RCIC high flow and high area temperature sensing instrument channels are arranged in the same manner as the HPCI system. The HPCI high steam flow trip setting of 90 paid and the RCIC high steam flow trip setting of 450" H O have been selected such that the trip 2 setting is high enough to prevent spurious tripping during pump startup but low enough to prevent core uncovery and maintain fission product releases within 10 CFR 100 limits. The HPCI and RCIC steam line space temperature switch trip settings are high enough to prevent spurious isolation due to normal temperature excursions in the vicinity of the steam supply piping. Additionally, these trip settings ensure that the primary containment isolation steaa supply valves isolate a break within an acceptable time period to prevent core uncovery and maintain fission product releases within 10 CFR 100 limits. 4 ~ High temperature at the Reactor Water Cleanup (RWCU) System in the main steam valve vault, RWCU pump room 2A, RWCU pump room 28, RWCU heat exchanger room or in the space near the pipe trench containing RWCU piping 4 i could indicate a break in the cleanup system. When high temperature occurs, the cleanup system is isolated. j BFN 3.2/4.2-67l TS 348 - TVA Letter to NRC Unit 2 Dated 02/23/95

3.3/4.3 BASES (Cent'd) e6 APR 3 01993 2. 4 - The control rod housing suppo tricts the outward movement of a control rod to less th in es in the extremely remote event of a housing faIIure, ount of reactivity which could be added by this small amount of rod withdrawal, which is less than a normal single withdrawal increment, will not contribute to any damage to the primary coolant system. The design basis is given in subsection 3.5.2 of the FSAR and the safety evaluation is given in subsection 3.5.4. This support is not required if the reactor coolant system is at atmospheric pressure since there would then be no driving force to rapidly eject a drive housing. Additionally, the support is not required if all control rods are fully inserted and if an adequate shutdown margin with.one control rod withdrawn has been demonstrated, since the reactor would remain suberitical even in the event of complete ejection of the strongest control rod. 3. The Rod Worth Minimizer (RWM) restricts withdrawals and j insertions of control rods to prespecified sequences. All patterns associated with these sequences have the characteristic that, assuming the worst single deviation from the sequence, the drop of any control rod from the fully inserted position to the position of the control rod drive would not cause the reactor to sustain a power excursion resulting in any pellet average enthalpy in excess of 280 calories per gram. An enthalpy of 280 calories per gram is well below the level at which rapid fuel dispersal could occur (i.e., 425 calories per gram). Primary system damage in this accident is not possible unless a significant amount of fuel is rapidly dispersed. Reference Sections 3.6.6, 7.16.5.3, and 14.6.2 of the FSAR, and NEDE-24011-P-A, Amendment 17. In performing the function described above, the RWM is not -l required to impose any restrictions at core power levels in excess of 10 percent of rated. Material in the cited reference l shows that it is impossible to reach 280 calories per gram in the eveat of a control rod drop occurring at power greater than 10 percent, regardless of the rod pattern. This is true for allnormalandabnormalpatternsincludingthosewhichmaximizel 4 individual control rod worth. d BFN 3.3/4.3-15 AMENDMENT NO. 212 Unit 2 i .~

3.3/4.3 BASES (Cont'd) DCT 211993 5. The Rod Block Monitor _(RBM) is designed to automatically prevent fuel damage in the event of erroneous rod withdrawal from locations of high power density during high power level operation. Two RBM channels are provided, and one of these may i l be bypassed from the console for maintenance and/or testing. l Automatic rod withdrawal blocks from one of the channels will block erroneous rod withdrawal soon enough to prevent fuel damage. The specified restrictions with one channel out of service conservatively assure that fuel damage will not occur l due to rod withdrawal errors when this condition exists. C. Scram Insertion Times Qhese 5 6 4 ontrol rod system is desi to ing the reactor a ber tical at 61 the' te fast enough to p event id ge; i.e., to preven the MCPR om becoming less than 1 e 1Luit ng power transientfja given in l Ref ce 1. Analysis o LEbr t ansien shows that the negative r activi rates resulti the scram with the average response of a Ihd as given in the above specificatio i n / d MCPR remains greater than 1.07. rovide the required prot 6 On an early BWR, some degradation of control rod scram performance occurred during plant STARTUP and was determined to be caused by particulate material (probably construction debris) plugging an internal control rod drive filter. The design of the present control rod drive (Model 7EDB144B) is grossly improved by the relocation of the filter to a location out of the scram drive path; i.e., it.can no longer interfere with scram performance, even if completely blocked. The degraded performance of the original drive (CRD7RDB144A) under dirty operating conditions and the insensitivity of the redesigned drive (CRD7RDB144B) has been demonstrated by a series of engineering tests l under simulated reactor operating conditions. The successful performance of the new drive under actual operating conditions has also been demonstrated by consistently good in-service test results for plants using the new drive and may be inferred from plants using the older model l l BFN 3,3/4,3_17 AMENDMEYr NO. 217 Unit 2 l l l _, _ _, _, _ _ _ _ _ - -- -- -- -^-*-- - - *--- - -

- - - - - - - -- ~~~ ~~~ ~-~~ ~ ~ I 1 3.3/4.3 BASES (Cent'd) i ypy { g }gg7 drive with a modified (larger screen size) internal filter which is less I prone to plugging. Data has heen documented by surveillance reports in variou ting plants. These include Oyster Creek, Monticello, Dresde 2a Dresden 3. Approximately 5000 drive tests have been 3 record date. Following identification of the " plugged filter" problem, very frequent j scram tests were necessary to ensure proper performance. However, the more frequent scram tests are now considered totally unnecessary and unwise for the following reasons { 1. Erratic scram performance has been identified as due to an obstructed drive filter in type "A" drives. The drives in BFNP are of the new "B" type design whose scram performance is unaffected by filter condition. 2. The dirt load is primarily released during STARTUP of the reactor when the reactor and its systems are first subjected to flows and pressure and thermal stresses. Special attention and measures are now being taken to assure cleaner systems. Reactors with drives identical or similar (shorter stroke, smaller piston areas) have operated through many refueling cycles with no sudden or erratic changes in scram performance. This preoperational and STARTUP testing is sufficient to detect anomalous drive performance. 3. The 72-hour outage limit which initiated the start of the frequent scram testing is arbitrary, having no logical basis other than quantifying a " major outage" which might reasonably be caused by an event so severe as to possibly affect drive performance. This requirement is unwise because it provides an incentive for shortcut actions to hasten returning "on line" to avoid the additional testing due a 72-hour outage. BFN 3.3/4.3-18 AMENDMENT RO. I 2 9 Unit 2

3.3/4.3 BAST 4 MAY.131987 D. Reactivity Anomalies During each fuel cycle excess 1 perative reactivity varies as fuel depletes and as any burnable poison in supplementary control is burned. The magnitude of this excess reactivity may be inferred from the critical rod configuration. As fuel burnup progresses, anomalous behavior in the excess reactivity may be detected by comparison of the critical rod pattern at selected base states to the predicted rod inventory at that state. Power operating base conditions provide the most sensitive and directly interpretable -data relative to core reactivity. Furthermore, using power operating base conditions permits frequent reactivity comparisons. Requiring a reactivity comparison at the specified frequency assures that a comparison will be made before the core reactivity change exceeds 1 percent AK. Deviations in core reactivity greater than 1 percent AK are not expected and require thorough evaluation. One percent reactivity nto the core would not lead to transients exceeding design co ons of the reacto stem 7 A limS j5 Ccn5idEYfC{ 6 \\ E. No BASES provided for this specificatio 5ina an irwey-lion DM \\ One, percenk N F. Scram Discharae Volume The nominal stroke time for the scram discharge volume vent and drain valves is.i 30 seconds following a scram. The purpose of these valves is to. limit the quantity of reactor water discharged after a scram and no direct safety-function is performed. The surveillance for the valves assures that system drainage is not impeded by a valve which fails to open and that the valves are OPERABLE and capable of closing upon a scram. References 1. Generic Reload Fuel Application, Licensing Topical Report, NEDE-24011-P-A and Addenda. BFN 3.3/4.3-20 NEE E I 2 9 Unit 2 { J

~. -.. - - -.. -.... -. -. -.. ~.. - 3.5 BASES MN% 3.5.A. Core Sorav System (CSS) and 3.5.B Residual Heat Removal System (RNRS) Analyses presented in the FSAR* and analyses presented in conformance with 10 CFR 50, Appendix K, demonstrated that the core spray system in conjunction with two LPCI pumps provides adequate cooling to the core to i dissipate the energy associated with the loss-of-coolant accident and to limit fuel clad temperature to below 2,200'F which assures that core geometry remains intact and imit the core average clad metal-water } reaction to less than 1 p cent. Core spray distribution has been shown ,p in taaen of systems simil. ign to BFNP to exceed the min % requirements. In acattion, cooling effectiveness has been demonstrated at less than half the rated flow in simulated fuel aatamblies with heater rods to duplicate the decay heat characteristics of irradiated fuel. The RERS (LPCI mode) is designed to provide emergency cooling to the core j by flooding in the event of a loss-of-coolant accident. This system is i completely independent of the core spray system; however, it does function in combination with the core spray system to prevent excessive fuel clad temperature. The LPCI mode of the RERS and the core spray system provide adequate cooling for break areas of approximately 0.2 square feet up to and including the double-ended recirculation line break without assistance from the high-pressure emergency core cooling l subsystems. The intent of the CSS and RHES specifications is to not allow startup from the cold condition without all associated equipment being OPERABLE. However, during oReration, certain components may be out of service for the specified allowable repair times. The allowable repair times have been selected using engineering judgment based on experiences and supported by availability analysis. g Should one core spray loop become inoperable, the remaining core spray loop, the RER System, and the diesel generators are required to be OPERABLE should the need for core cooling arise. These provida extensive margin over the OPEnant.x equipment needed for adequate core cooling. With due regard for this margin, the allowable repair time of seven days was chosen. Should one RER pump (LPCI mode) become inoperable, three RER pumps (LPCI ' mode) and the core spray system are available. Since adequate core cooling is assured with this complement of ECCS, a seven day repair period is justified. i Should two RER pumps (LPCI mode) become inoperable, there remains no reserve (redundant) capacity within the RHRS (LPCI mode). Therefore, the affected unit shall be placed in cold shutdown within 24 hours.

  • A detailed functional analysis is given in Section 6 of the BFNP FSAR.

l 4 i BFN 3.5/4.5-24 Unit 2 AMENDMENTNO.16 9 -e.m:.-,- v 9-9

3.5 BASES (Cont'd) NOV 0 21995 With the RCICS inoperable, a'seven-day period to return the system to service is justified based on the availability of the KPCIS to cool the core and upon consideration that the average risk associated with failure of the RCICS to cool the core when requited ia not increased. The surveillance requirements, which are based on industry codes and standards, provide adequate assurance that the RCICS will be OPERABLE when required. 3.5.G Automatic Denressurization System (ADS) The ADS consists of six of the thirteen relief valves. It is designed to provide depressurization of the reactor coolant system during a small break loss of coolant accident (LOCA) if HPCI fails or is unable to maintain the required water level in the reactor vessel. ADS operation reduces the reactor vessel pressure to within the operating -pressure range of the low pressure emergency core cooling systems (core spray and LPCI) so that they can operate to protect the fuel barrier. Specification 3.5.G applies only to the automatic feature of the pressure relief system. Specification 3.6.D specifies the requirements for the pressure relief function of the valves. It is possible for any number of the valves assigned to the ADS to be incapable of performing their ADS functions because of instrumentation failures, yet be fully capable of performing their pressure relief function. The emergency core cooling system LOCA ana yses f r s 11 line breaks assumed that four of the six ADS valves we e e. By requiring six valves to be OPERABLE, additional conserv.il.- Is'provided to account for the possibility of a single failure in the ADS system. Reactor operation with one of the six ADS valves inoperable is allowed to continue for fourteen days provided the HPCI, core spray, and LPCI systems are OPERABLE. Operation with more than one ADS valve inoperable is not acceptable. With one ADS valve known to be incapable of automatic operation, five valves remain OPERABLE to perform the ADS function. This condition is within the analyses for a small break LOCA and the peak clad ~., temperature is well below the 10 CFR 50.46 limit. Analysis has shown that four vslves are capable of depressurizing the reactor rapidly enough to maintain peak clad temperature within acceptable limits. 3.5.H. Maintenance of Filled Discharge Ploe i If the discharge piping of the core spray, LPCI, HPCIS, and RCICS are I not filled, a water hammer can develop in this piping when the pump and/or pumps are started. To minimize damage to the discharge piping and to ensure added margin in the operation of these systems, this Technical Specification requires the discharge lines to be fillen BFN 3.5/4.5-30 l AMEN 0 MENT ML 2 4 0 Unit 2

i 3.5 BASES (Cont'd) N0Y021995 The LHGR shall be checked dally during reactor operation at 1 25 percent power to determine if fuel burnup, or control rod movement has caused changes in power distribution. For LHGR to be a limiting value below 25 percent of rated thermal power, the largest total peaking would have to.be greater than approximately 9.7 which i is precluded by a considerable margin when employing any permissible j control rod pattern. 3.5.K. Minimum Critical Power Ratio (MCPR) 4 4 At core thermal power levels less than or equal to 25 percent, the j reactor will be operating at minimum recirculation pump speed and the j moderator void content will be very small. For all designated control rod patterns which may be employed at this point,' operating [ plant experience and thermal hydraulic analysis indicated that the [ resulting MCPR ialue is in excess of requirements by a considerable j margin. 'With th.'.s low void content, any inadvertent core flow i increase would only place operation in a more conservative mode relative to MCPR. The daily requirement for calculating MCPR above i 25 percent rated thermal power is sufficient.since power distribution { j shifts are very slow when there have not been significant power or j control rod changes. The requirement for calculating MCPR when a j limiting control rod pattern is approached ensures that MCPR will be known following a change in power or power shape (regardless of magnitude) that could place operation at a thermal 10mit. 3.5.L. APRM Setnoints Operation is constrained to the LHGR limit of Specification 3.5.J. This limit is reached when core maximum fraction of limiting power density (CNFLPD) equals 1.0. For the case where CNFLPD exceeds the i fraction of rated thermal power, operation is permitted only at less than 100-percent rated power and only with APRM scram settings as required by~ Specification 3.5.L.1. The scram trip setting and rod block trip setting are adjusted to ensure that no ombination of CMFLPD and TRP will increase the LHGR transie peak beyond that allowed by the 1-percent plastic strain list. A - our time period to achieve this condition is justified sin the itional margin gained by the setdown adjustment is above ad bey nd that naured by the safety analysis. gjj( 3.5.M. Core Thermal-Hydraulic Stability The minimum margin to the onset of thermal-hydraulic instability occurs in Region I of Figure 3.5.M-1. A manually initiated scram upon entry into this region is sufficient to preclude core oscillations which could challenge the MCPR safety limit. Because the robabil ty of thermal-hydraulic oscillations is lower and the ma in t MCPR safety limit is greater in Region II than in Region I of,(a th igu 3.5.M-1, an immediate scram upon entry into the d BFN 3.5/4.5-32 (MENDMufr NO. 2 4 0 Unit 2

3.6/4.6 BASES 3.6.B/4.6.C (Cont'd) five gym, as specified in 3.6.C, the experimental and analytical data i suggest a reasonable margin of safety that such leakage magnitude would not result from a crack approaching the critical size for rapid propagation. Leakage less than the magnitude specified can be detected j reasonably in a matter of a few hours utilizing the available leakage detection schemes, and if the origin cannot be determined in a i reasonably short time, the unit should be shut down to allow further iny ation and corrective action. The limit for coolant leakage rate increases over any 24-hour s pe is a limit specified by the NRC (Reference 2). This limit applies only during the RUN mode to avoid being penalized for the expected coolant leakage increase during pressurization. The total leakage rate consists of all leakage, identified and unidentified, which flows to the drywell floor drain and equipment drain sumps. The capacity of the drywell floor sump pump is 50 gpm and the capacity of the drywell equipment sump pump is also 50 spa. Removal of 25 spm from either of these sumps can be accomplished with considerable margin. REFERENCE

1. Nuclear System Leakage Rate Limits (BFNP FSAR Subsection 4.10)
2. Safety Evaluation Report (SER) on IE Bulletin 82-03 3.6.D/4.6.D Relief Valves To meet the safety basis, 13 relief valves have been installed on the unit with a total capacity of 84.1 percent of nuclear boiler rated steam i

flow. The analysis of the worst overpressure transient, (3-second closure of all main steam line isolation valves) neglecting the direct scram (valve position scram) results in a maximum vessel pressure which, if a neutron flux scram is assumed considering 12 valves OPERABLE, results in adequate margin to the code allowable overpressure limit of 1,375 psig. To meet operational design, the analysis of the plant isolation transient (generator load reject with bypass valve failure to open) shows that 12 of the 13 relief valves limit peak system pressure to a value which is well below the allowed vessel overpressure of 1,375 psig. Experience in relief valve operation shows that a testing of 50 percent of the valves per year is adequate to detect failures or deteriorations. The relief valves are benchtested every second operating cycle to ensure that their setpoints are within the i i percent tolerance. The relief valves are tested in place in accordance with Specification 1.0.MM to establish that they will open and pass steam. AMENDMENT n).17 0 BFN 3.6/4.6-30 Unit 2

3.6/4.6 DAgg 3.6.D/4.6.D (Cont'd) FEB 0 71991 The requirements established above apply when the nuclear system can be pressurized above ambient conditions. These requirements are applicable at nuclear system pressures below normal operating pressures because abnormal operational transients could possibly start at these conditions such that eventual overpressure relief would be needed. However, these transients are much less severe, in terms of pressure, than those starting at rated conditiona. The valves need not be functional when the vessel head is removed, since the nuclear system cannot be pressurized. The relief valves are not required to be OPERABLE in the COLD SHUTDOWN CONDITION. Overpressure protection is provided during hydrostatic tests by two of the relief valves whose relief setting has been established in conformance with ASME Section XI code requirements. The capacity of one relief valve exceeds the charging capacity of the pressurization source l used during hydrostatic testing. Two relief valves are used to provide redundancy. REFERENCES 1. Nuclear System Pressure Relief System (BFNP FSAR Subsection 4.4),h r \\ Amendment 22 in response to AEC Question 4.2 of December 6,1971. Ng. " Protection Against Overpressure" (ASME Boiler and Pressure Vessel Code, Section III, Article 9) Browns Ferry Nuclear Plant Design Deficiency Report-Target Rock Safety-Relief Valves, transmitted by J. E. G111 eland to F. E. Kruesi, 1 August 29, 1973 Generic Reload Fuel Application, Licensing Topical Report, NEDE-24011-P-A and Addenda 3.6.E/4.6.E Jet Pumos Failure of a jet pump nozzle assembly holddown mechanism, nozzle assembly and/or riser, would increase the cross-sectional flow area for blowdown following the design basis double-ended line break. Also, failure of the diffuser would eliminate the capability to reflood the core to two-thirds height level following a recirculation line break. Therefore, if a failure occurred, repairs must be made. The detection technique is as follows. With the two recirculation pumps balanced in speed to within i 5 percent, the flow rates in both recirculation loops will be verified by control room monitoring instruments. If the two flow rate values do not differ by more than 10 percent, riser and nozzle assembly integrity has been verified. BFN AMENDMET NO.19 0 3.6/4.6-31 Unit 2 i

3.6/4.6 R&lEl 3.6.E/4.6.E (Cont'd) AUG 281991 1 If they do differ by 10 percent or more, the core flow rate measured by -the jet pump diffuser differential pressure system must be checked against the core flow rate derived from the measured values of loop flow to core flow correlation. If the difference between measured and derived 4 core flow rate is 10 percent or more (with the derived value higher) i diffuser measurements will be taken to define the location within the vessel of failed jet pump nozzle (or riser) and the unit shut down for repairs. If the potential blowdown flow area is increased, the system resistance to the recirculation pump is also reduced; hence, the affected drive pump will "run out" to a substantially higher flow rate (approximately 115 percent to 120 percent for a single nozzle failure). If the two loops are balanced in flow at the same pump speed, the resistance characteristics cannot have changed. Any imbalance between drive loop flow rates would be indicated by the plant process instrumentation. In addition, the affected jet pump would provide a leakage path past the core thus reducing the core flow rate. The reverse flow through the inactive jet pump would still be indicated by a positive differential pressure but the net effect would be a slight decrease (3 percent to 6 percent) in the total core flow measured. This decrease, together with the loop flow increase, would result in a lack of correlation between measured and derived core flow rate. Finally, the affected jet pump diffuser differential pressure signal would be reduced because the backflow would be less than the normal forward flow. A nozzle-riser system failure could also generate the coincident failure of a jet pump diffuser body; however, the converse is not true. The lack of any substantial stress in the jet pump diffuser body makes failure impossible without an initial nozzle-riser system failure. 3.6.F/4.6.F Recirculation Pumn Operation Operation without forced recirculation is permitted for up to 12 hours when the reactor is not in the RUN mode. And the start of a recirculation pump from the natural circulation condition will not be permitted unless the temperature difference between the loop to be started and the core coolant temperature is less than 75'F. This reduces the positive reactivity insertion to an acceptably low value. Requiring at least one recirculation pump to e '.while in the RUN mode (i.e., requiring a manual scram if both r n pumps are tripped) provides protection against the potential occurrence of core thermal-hydraulic instabilities at low flow conditi (Cenf Requiring the discharge valve of the lower sp o remain closed until the speed of the faster pump is below 5 its rated speed provides assurance when going from one-to-two ump operation that excessive vibration of the jet pump risers will not occur. BER 3.6/4.6-32 AMENDMOU NO. I g 8 Unit 2

3.6/4.6 BASES j 3.6.G/4.6.G Structural Interrity U$kI8l993 The requirements for the reactor coolant systems inservice inspection program have been identified by evaluating the need for a sampling examination of areas of high stress and highest probability of failure in the system and the need to meet as closely as possible the requirements of Section XI, of the ASME Boiler and Pressure Vessel Code. The program reflects the built-in limitations of access to the reactor coolant systems. It is intended that the required examinations and inspection be completed during each 10-year interval. The periodic examinations are to be done during refueling outages or other extended plant shutdown periods. Only proven nondestructive testing techniques will be used. More frequent inspections shall be performed on certain circumferential pipe welds as listed in plant procedures to provide additional protection l against pipe whip. These welds were selected in respect to their distance from hangers or supports wherein a failure of the weld would permit the unsupported segments of pipe to strike the drywell wall or nearby auxiliary systems or control systems. Selection was based on judgment from actual plant observation of hanger and support locations and review of drawings. Inspection of all these welds during each 10-year inspection interval will result in three additional examinations above the requirements of Section XI of ASME C g An augmented inservice surveillance program is required to determine whether any stress corrosion has occurred in any stainless steel piping, stainless components, and highly-stressed alloy steel such as hanger I springs, as a result of environmental conditions associated with the I March 22, 1975 fire. REFE 1.hserviceInspec and Testing FNP FSAR Subsection 4.1 ) 2. Inservice Inspection of Nuclear Reactor Coolant Systems, Section XI, ASME Boiler and Pressure Vessel Code 3. ASME Boiler and Pressure Vessel Code, Section III (1968 Edition) 4. American Society for Nondestructive Testing No. SNT-TC-1A (1968 Edition) mbh 5. Mechanical Maintenance Instruction 46 (Mechanical Equipment, Concrete, and Structural Steel Cleaning Procedure for Residue From Plant Fire - Units 1 and 2) 6. Mechanical Maintenance Instruction 53 (Evaluation of Corrosion Damag of Piping Components Which Were Exposed to Residue From March 22, 1975 Fire) 7. Plant Safety Analysis (BFNP FSAR Subsection 4.12) 8" -3 AMENDMDR E 2 0 6 ,e2

_ _ _ _ _ _ _. _. _ _ ~_._ _. _ __ _ _ _ _.. _ 3.7/4.7 BASES (Cont'd). NOV 1619E i Maintaining the water level between these levels will ensure that the torus 1 water volume and downcomer submergence are within the aforementioned limits during normal plant operation. Alarms, adjusted for instrument error, will notify the operator when the limits of the torus water level are approached. The maximum permissible bulk pool temperature is limited by the potential for stable and complete condensation of steam discharged from safety relief valves and adequate core spray pump net positive auction head. At reactor vessel pressures above approximately 555 pais, the bulk pool temperature shall not exceed 180*F. At pressures below approximately 240 psig, the bulk temperature may be as much as 184*F. At intermediate pressures, linear interpolation of the bulk temperature is permitted. They also represent the bounding upper limits that are used in suppression pool temperature response analyses for safety relief valve discharge and loss-of-coolant accident (LOCA) cases. The actions required by Specifications 3.7.C. - 3.7.F. assure the reacter can be depressurized in a timely manner to avoid exceeding the maximum bulk suppression pool water limits. Furthermore, the 184*F limit provides that adequate RER and core spray pump NPSH will be available without dependency on containment overpressure. Should it be necessary to drain the c r, should only be done when there is no requirement f db 11 tems OPERABILITY. Under full power oper n itio , bio wn from an initial i suppression chamber water temperature of 95*F results in a peak long term water temperature which is sufficient for complete condensation. Limiting suppression pool temperature to 105'T during RCIC, HPCI, or relief valve operation when decay heat and stored energy is removed from the primary system by discharging reactor steam directly to the suppression' chamber ensures adequate margin for controlled blowdown anytime during RCIC operation =ad aa-a ;; - ain fez cw.y1=i. h8C# /o55- - Coo lQ L'l' occMed--(4;; - . loc. A.onofsteamfromthedesignbasigg j In addition to the limits on temperature of the suppression chamber pool j water, operating procedures define the action to be taken in the event a relief valve inadvertently opens or sticks open. This action would include: (1) use of all available means to close the valve, (2) initiate suppression pool water cooling heat exchangers, (3) initiate reactor shutdown, and (4) if i other relief valves are used to depressurize the reactor, their discharge i shall be separated from that of the stuck-open relief valve to assure mixing j ~ and uniformity of energy insertion to the pool. If a LOCA were to occur when the reactor water temperature is below approximately 330*F, the containment pressure will not exceed the 62 psig code permissible pressures even if no condensation were to occur. The maximum allowable pool temperature, whenever the reactor is above 212*F, shall be governed by this specification. Thus, specifying water volume-temperature requirements applicable for reactor-water temperature above 212*F provides additional margin above that available at 330*F. BFN 3.7/4.7-26 Unit 2

3.7/4.7 BASES (Cont'd) l In conjunction with the Mark I Containment Short Term Program, a p ant-uni ue analysis was performed (" Torus Support System and Attached Piping An a for the Browns Ferry Nuclear Plant Units 1, 2, and 3," dated September 9, 1976 and supplemented October 12, 1976) which demonstrated a factor of safety of at least two for the weakest element in the suppression chamber support system and attached piping. The maintenance of a drywell-suppression chamber differential pressure of 1.1 paid and a suppression chamber water level corresponding to a downcomer submergence range of 3.06 feet to 3.58 feet will assure the integrity of the suppression chamber when subjected to post-loss-of-coolant suppression pool hydrodynamic forces. Inerting The relativity small containment volume inherent in the GE-BWR pressure suppression containment and the large amount of zirconium in the core are.such that the occurrence of a very limited (a-percent or so) reaction of the zirconium and steam during a LOCA could lead to the liberation of hydrogen combined with an air atmosphere to result in a flammable concentration in the containment. If a sufficient amount of hydrogen is generated and oxygen is available in stoichiometric quantities the subsequent ignition of the hydrogen in rapid recombination rate could lead to failure of the containment to maintain a low leakage integrity. The <4 percent hydrogen concentration minimizes the possibility of hydrogen combustion following a LOCA. The occurrence of primary system leakage following a major refueling outage or other scheduled shutdown is much more probable than the occurrence of the LOCA upon which the specified oxygen concentration limit is based. Permitting access to the drywell for leak inspections during a startup is judged prudent in terms of the added plant safety offered without significantly reducing the margin of safety. Thus, to preclude the possibility of starting the reactor and operating for extended periods of time with significant J'aks in the primary system, leak inspections are scheduled during startup Jeriods, when { s the primary system is at or near rated operating temperature and pressure. The 24-hour period to provide inerting is judged to be sufficient to perform the leak inspection and establish the required oxygen concentration. j To ensure that the hydrogen concentration is maintained less than 4 percent following an accident, liquid nitrogen is maintained onsite for containment atmosphere dilution. About 2,260 gallons would be sufficient as a seven-day supply,andreplenishmentfacilitiescandeliverliquidnitrogentothe within one day;_ther rementa f 2.500_ga11 ops in ra== ~vativa. M8 e 6' Pollowing a LOCA the Containment Air Monitoring (CAM) System continuously monitors the hydrogen concentration of the containment volume. Two independent systems (a system consists of one hydrogen sensing circuit) are installed in the drywell and the torus. Each sensor and associated circuit is periodically checked by a calibration gas to verify operation. Failure of one system does not reduce the ability to monitor system atmosphere as a second independent and redundant system will still be OPERABLE. _Lnsc<4 E5 BFN 3.7/4.7-27 Unit 2 AMENDMENT N0. 2 0 4 1

- -.-. -.=. - - - _ -. Insert B', gggg Following a lecc-Of cc,cla.t c M e..t-the Containment Air i Monitoring (CAM) System continuously monitors the-hydrogen concentration of the containment volume. Two independent systems are capable of sampling and monitoring hydrogen concentration in the~drywell and the torus. Each sensor and associated circuit is periodically checked by a calibration gas to verify operation. Failure of one system does not reduce the ability to monitor the hydrogen concentration in the drywell or torus atmosphere as a second independent and redundant system will still be OPERABLE. i +

-. - -. -.-. -. -. -.. -. -. _. - -. _ - - -.. - - - - ~ ~ -.. - - - ~ - - 2 3.7/4.7 BASES (Cont'd) Np16 Bu In terms of separability, redundancy.for a failure of the torus system is 4 based upon at least one OPERABLE drywell system. The drywell hydrogen concentration can be used to limit the torus hydrogen concentration during post-LOCA conditions. Post-LOCA calculations show that the CAD system initiated within two-hours at a flow rate of 100 scfm will limit the peak drywell and wetwell hydrogen concentration to 3.6-percent (at 4 hours) and 3.8-percent (at 32 hours), respectively. This is based upon purge initiation after 20 hours at a flow rate of 100 scfm to maintain containment pressure below 30 pais. Thus, peak torus hydrogen concentration can be controlled below 4.0 percent using either the direct torus hydrogen monitoring system or the drywell hydrogen monitoring system with appropriate conservatism (1 3.8-percent), as a guide for CAD / Purge operations. Vacuum Re ef The purpose of the vacuum relief valves is to equalize the pressure between the drywell and suppression chamber and reactor building so that the structural integrity of the containment is maintained. The vacuum relief system from the pressure suppression chamber to reactor building consists of two 100-percent vacuum relief breakers (two parallel sets of two valves in series). Operation of either system will maintain the pressure differential less than 2 psig; the external design pressure. One reactor building vacuum breaker may be out of service for repairs for a period of seven days. If repairs cannot be completed within seven days, the reactor coolant system is brought to a condition where vacuum relief is no longer required, a When a drywell-suppression chamber vacuum breaker valve is exercised through an opening-closing cycle the position indicating lights in the control room are designed to function as specified below: Initial and Final Check - On Condition (Fully Closed) Green - On ) Red - Off Opening Cycle Check - Off (Cracked Open) I Green - Off () 80* Open) Red - On () 3* Open) Closing Cycle Check - On (Fully Closed) Green - On (< 80* Open) Red - Off (< 3* Open) The valve position indicating lights consist of one check light on the check light panel which confirms full closure, one green light next to the hand switch which confirms 80* of full opening and one red light next to the hand switch which confirms "near closure" (within 3* of full closure). Each light is on a separate switch. If the check light circuit is OPERABLE when the valve is exercised by its air operator there exists a confirmation that the valve will fully close. If the red light circuit is OPERABLE, there exists a BFN 3.7/4.7-28 l AMENDMENT NO. 2 0 4 Unit 2

_ -. ~. _ _ _. _. _ _ _. _ _ _ _ _. _ l 4 j 3.9 HAlfd U.nd, 211995 The objective of this specification is to assure te source of j electrical power to operate facilities to cool th uring shutdown 4 and to operate the engineered safeguards following an accident. There l are three sources of alternating current electrical energy available, namely, the 161-kV transmission system, the 500-kV transmission system, and the diesel generators. The unit station-service transformer B for unit 1 or the unit station-service transformer B for unit 2 provide noninterruptible sources 3 of offsite power from the 500-kV transmission system to the unita-1 and 2 shutdown boards. Auxiliary power can also be supplied from the 161-kV transmission system through the common station-service transformers or j through the cooling tower transformers by way of the bus tie board. The 4-kV bus tie board may remain out of service indefinitely provided one of i the required offsite power sources is not supplied from the 161-kV system { through the bus tie board. The minimum fuel oil requirement of 35,280 gallons for each diesel j generator fuel tank assembly is sufficient for seven days of full load j operation of each diesel and is conservatively based on availability of a replenishment supply. Each diesel generator has its own independent j 7-day fuel oil storage tank assembly. i i The degraded voltage sensing relays provide a start signal to the diesel generators in the event that a deteriorated voltage condition exists on a 4-kV shutdown board. This starting signal is independent of the starting j signal generated by the complete loss of voltage relays and will continue i to function and start the diesel generators on complete loss of voltage j should the loss of voltage relays become inoperable. The 15-day l inoperable time limit specified when one of the three phase-to-phase degraded voltage relays is inoperable is justified based on the two-out-of-three permissive logic scheme provided with these relays. 4* A 4-kV shutdown board is allowed to be out of operation for a brief period to allow for maintenance and testing, provided all remaining 4-kV shutdown boards and associated diesel generators, CS, RHR, (LPCI and j containment cooling) systems supplied by the remaining 4-kV shutdown i boards, and all emergency 480-V power boards are OPERABLE. l The 480-V diesel auxiliary board may be out of service for short periods ] for tests and maintenance. j There is a safety related 250-V de unit battery located in each unit, j Each 250-V de unit battery system consists of a battery, a battery i charger, and a distribution panel. There is also a backup charger which i can be assigned to any one of the three unit batteries. The 250-V de i unit battery systems provide power for unit control functions, unit DC motor loads and alternate control power to the 4160 and 480-V ac shutdown i boards. The primary control power supplies to the 3A, 3C and 3D 4160-V j ac shutdown boards and the Unit 3 480-V ac shutdown boards are also provided by unit batteries. There are five safety related 250-V de j shutdown battery systems assigned as primary control power supplies to j BFN 3.9/4.9-19 By letter 3/24/93 1 Unit 2 l 1

__ _ _ _ _ ~ M 3.10 BASES (Cont'd) APR 0 91993 suberitical even when the hi_g. hest worth control rod is fully withdrawn. The combination of refueling interlocks for control rods and the refueling platform provide redundant methods of preventing inadvertent criticality even after procedural violations. The interlocks on hoists provide yet another method of avoiding inadvertent criticality. Fuel handling is normally conducted with the fuel grapple hoist. The { total load on this hoist when the interlock is required consists of the weight of the fuel grapple and the fuel assembly. This total is approximately 1,500 lbs, in comparison to the load-trip setting of l 1,000 lbs. Provisions have also been made to allow fuel handling with either of the three auxiliary hoists and still maintain t refueling interlocks. The 400-1b load-trip setting on thes hoists is adequate to trip the interlock when one of the more tha 696-lb f uel bundles is being handled. () During certain periods, it is desirable to perform maintenance on two control rods and/or control rod drives at the same time without removing fuel from the cells. The maintenance is performed with the mode switch in the refuel position to provide the refueling interlocks normally available during refueling operations. In order to withdraw a second control rod after withdrawal of the first rod, it is necessary to bypass the refueling interlock on the first j control rod which prevents more than one control rod from being withdrawn at the same time. The requirement that an adequate shutdown margin be demonstrated and that all remaining control rods have their directional control valves electrically disarmed ensures that inadvertent criticality cannot occur during this maintenance. The adequacy of the shutdown margin is verified by demonstrating that at least 0.38 percent ok shutdown margin is available. Disarming the directional control valves does not inhibit control rod scram capability. Specification 3.10.A.7 allows unloading of a significant portion of the reactor core. This operation is performed with the mode switch in the REFUEL position to provide the refueling interlocks normally available during refueling operations. In order to withdraw more than one control rod, it is necessary to bypass the refueling interlock on each withdrawn control rod which prevents more than one control rod from being withdrawn at a time. The requirement that the fuel assemblies in the cell controlled by the control rod be removed from the reactor core before the interlock can be bypassed ensures that withdrawal of another control rod does not result in inadvertent criticality. Each control rod provides primary reactivity control for the fuel assemblies in the cell associated with that control rod. Thus, removal of an entire cell (fuel assemblies plus control rod) results in a lower reactivity potential of the core. The requirementsforSRMOPERABILITYduringtheseCOREALTERATIONSassurej sufficient core monitoring. BFN AMENDMINT ?RT. 2 0 9 3.10/4.10-12 Unit 2

.. _ - - -.. - - ~ -.. _. -... . ~.. - _ . ~. - _ _ - . ~. - (3115g (CetJ'dD o 3.10.7 soent runi canz Handline - Refueline Floor APR 0 91993 Although single failure protection has been provided in the design of-j thel125-ton hoist drum shaft wire ropes, hook and lower block assembly g on the reactor building crane, the limiting of lif t height of a spent ) fuel cask controls the amount of energy available in a dropped cask l accident when the cask is over the refueling floor. An analysis has been made which shows that the floor and support members in the area of cask entry into the decontamination facility can-satisfactorily sustain a dropped cask from a height of three feet. The yoke safety links provide single failure protection for the hook and lower block assembly and limit cask rotation. Cask rotation is necessary for decontamination and the safety links are removed during decontamination. 4.10 BASES A. Egfuelina Interlocks i Complete functional testing of all required refueling equipment {. interlocks before any refueling outage will. provide positive indication that the interlocks operate in the situations for which they.were designed. By loading each hoist with a weight equal to the fuel -l assembly, positioning the refueling platform, and withdrawing control rods, the interlocks can be subjected to valid operational tests. Where redundancy is provided in the logic circuitry, testa can be performed to assure that each redundant logic element can independently perform its function. B. Core Monitorine i Requiring the SRMs to be functionally tested prior to any CORE ALTERATION assures that the SRMs will be OPERABLE at the start of that alteration. The once per 12 hours verification of the SRM count rate and signal-to-noise ratio ensures their continued OPERABILITY. REFERENCES 1. Fuel Pool Cooling and Cleanup System (BFNP FSAR Subsection 10,5) 2. Spent Fuel Storage (BFNP FSAR S 6section 10.3) BFN AM M NO. 2 0 9 3.10/4.10-15 Unit 2 l

- -.. - =.. -. - 4 g

1.1 BASES

FUBL CLADDING INTEGRITY SAFETY LIMIT 1 l The fuel cladding represents one of the physical barriers which separate radioactive materials from environs. The' integrity of this cladding barrier is related to its relative freedom from perforations or cracking. Although some corrosion or use-related i cracking may occur during the life of the cladding, fission product migration from this source is incrementally cumulative and continuously measurable. Fuel cladding perforations, however, can result from thermal stresses which occur from reactor operation significantly above design conditions and the protection system setpoints. While fission product migration from cladding perforation is just as measurable as that from use-related cracking, i the thermally-caused cladding perforations signal a threshold, beyond which still greater thermal stresses may cause gross rather than incremental cladding deterioration. Therefore, the fuel cladding safety limit is defined in terms of the reactor operating conditions which can result in cladding perforation. The fuel cladding integrity limit is set such that no calculated fuel damage would occur as a result of an abnormal operational transient. Because fuel damage is not directly observable, the Fuel Cladding Safety Limit is defined with margin to the conditions which would produce onset transition boili MCPR of 1.0). This establishes a Safety Limit such t t the inimum critic l power N a ratio (MCPR) is no less than 1.07. 'OPI' ihrepresents a 7/ 07j conservative margin relative to the conditions required to maintai . fuel cladding integrity. Onset of transition boiling results in a decrease in heat transfer from the clad and, therefore, elevated clad temperature and the i possibility of clad failure. 2Since boiling transition is not a directly observable parameter, the margin to boiling transition is calculated from plant operating parameters such as core power, core flow, feedwater temperature, and core power distribution. TThe i margin for each fuel assembly is characterized by the critical power ratio (CPR) which is the ratio of the bundle power which would produce onset of transition boiling divided by the actual bundle power. 4The minimum value of this ratio for any bundle in the core is the minimum critical power ratio (MCPR). STt is assumed that the plant operation is controlled to the nominal protective setpoints ~ via the instrumented variables, i.e., normal plant operation presented on Figure 2.1-1 by the nominal expected flow control onservatism UmM@ line. LThe Safety Limit (MCPR of 1.07) has sufficient 'N to assure that in the event of an abnormal operati transient spec ed \\ initiated from a normal operating condition (MCPR > M re that its { gc 4, n,J gg 99.9 percent of the fuel rods in the core are exp o avoid boiling transition. The margin between MCPR of 1.0 (onset of y,Q transition boiling) and the safety limit 1.07 is derived from a detailed statistical analysis considering all of the uncertainties in monitoring the core operating state including uncertainty in the boiling transition correlation as described in Reference 1. The uncertainties employed in deriving the safety limit are provided at the beginning of each fuel cycle. s BFN-Unit-3 1.1/2.1-8 s

ua

-a -m -s- --mm a n-- m w

1 \\ t 1.1 BASES.(Cont'd) i Because the boiling transition correlabion is based on a large i quantity of full scale data there is a very high confidence that l operation of a' fuel assembly at the condition of MCPR = 1.07 would not produce boiling transition. Thus, although it is not required to establish the safety limit additional margin exists between the safety limit and the actual occurrence of loss-of-cladding integrity. However, if bo transition were to occur, clad perforation would not be expec ed. Cladding temperatures would increase to l approximate y 1)D0 F ich is below the perforation temperature of 0 the cladding

    • r This has been verified by tests in the General Electric Test Reactor (GBTR) where fuel similar in design to BPNP operated above the critical heat flux for a significant period of time (30 minutes) without clad perforat If reactor pressure should ever exce d h400 ps a during normal power operation (the limit of applicability boiling transition correlation) it would be assumed that the fuel cladding integrity Safety Limit has been violated.

At pressures below 800 psia, the core elevation pressure drop (0 power, O flow) is greater than 4.56 psi. At low powers and flows this pressure differential is maintained in the bypa e on of the core. Since the pressure drop all elevation head, the core the bypass region is es ntially ey re drop at low r r,$' flows will always be greater than 4 5p 1. Analyses s with a e flow of 28x103 lbs/hr bundle independent of bundle power and has a value of 3.5 psi., bundle pressure dro bundle flow with a 4.56 psi driving head will be greater than { Thus, the 28x103 lbs/hr. Full scale ATLAS test data taken at pressures from 14.7 psia to 800 psia indicate that the fuel assembly critical power at this flow is approximately 3.35 MWt. factors this corresponds to a core thermal power of more than 50With the design pea percent. Thus, a core thermal power limit of 25 percent for reactor pressures below 800 psia is conservative. For the fuel in the core during periods when the reactor is shut down, consideration must also be given to water level requirements due to the effect of decay heat. If water level should drop below the top of the fuel during this time, the ability to remove decay heat is reduced. This reduction in cooling capability could lead to elevated cladding temperatures and clad perforation. As long as the fuel remains covered with water, sufficient cooling is available to prevent fuel clad perforation. BPN-Unit-3 1.1/2.1-9

2.1 BASES (Cont'd) EO75 Analyses of the limiting transients show that no scram adjustment is requi rR, 1.s wnen ene transnisi. eci ed {n S eCYiCRO } Q&S tiMsd from f 2. u G Flux scram Trio Settina (Rr m L or STAiaue/ HOT STANDBY MODE) For operation in the startup. mode while the reactor is at low pressure, the APRM scram setting of 15 percent of rated power provides adequate thermal margin between the setpoint and the safety limit, 25 percent of rated. The margin is adequate to accomunodate anticipated maneuvers associated with power plant startup. Effects of increasing pressure at zero or low void content are minor, cold water from sources available during startup is not much colder than that already in the system, temperature coefficients are small, and control rod patterns are constrained to be uniform by operating procedures backed up by the rod worth minimizer. Worth of individual rods is very low in a uniform rod pattern. Thus, of all possible sources of reactivity input, uniform control rod withdrawai is the most probable cause of significant power rise. Because the flux distribution associated with uniform rod withdrawals does not involve high local peaks, and because several rods must be moved to change power by a significant percentage of rated power, the rate of power rise is very slow. Generally, the heat flux is in near equilibrium with the fission rate. In an assumed uniform rod withdrawal approach to the scram level, th rate of pc,wer rise is no more than 5 percent of rated powse per minute, and the APRM system would be more than adequate to assure a scram before the power could exceed the safety unit. The 15 percent APRM scram remains active until the mode switch is placed in the RUN position. This switch occurs when nactor pressure is greater than 850 psig. 3. IRM Flux Scram Trio Setti el M g The IRM System consists o amp:ss, e the reactor protection system logic channels, The RM - cade instrument which covers the rante of lev 1 etween that covered by the SRM and the APRV Th ec s are covered by the IRM by means of a range swd.;ch an - d cades are broken down into 10 ranges, each beiks one-half decade in size. The IRM scram setting of 120 divisions is active in each range of the IRM. For example, if the instrument was on range 1, the scram setting would be 120 divisions for that range; likewise if the instrumen on range 5, the scram setting would be 120 divisions at range. NgSeSR6n f 4 1 AMENDMEN NO.18 6 BFN 1.1/2.1-13 Unit 3

--. -.~.- 2.1 BASES (Cont'd) i IRM Flux Scram Trin Settina (Continued) MAY 111995 Thus,astheIRM[israngeduptoaccommodatetheincreasein 5 l i power level, the a ram setting is also ranged up. A scram at 120 div na on the IRM instruments remains in effect as lo i as t react r is ) ,n the startup mode.Whghe APkM 15 percent' 17n M eventVhigher power operation without being in t add.Mcn ser j RUN m The IRM scram provides protection for changes which j i occur both locally and over the entire core. The most significant sources of reactivity change during the power i increate are due to control rod withdrawal. For insequence 'l ' d withdrawal, the rate of change of power is slow 3 co e to the physical limitation of withdrawing control da t heat flux is in equilibrium with the neutron flux. 4 SAFETY LIMIT is exceeded. scram would result in a reactor shutdown well befo For the case of a single control rod i withdrawal error, a range of rod withdrawal accidents was analyzed. i This analysis included starting the accident at various power levels. The most severe case involves an initial condition in which the reactor is just suberitical and the IRM system is not yet on scale. 1 This co v2on Ertsts at q er ) rod density. Quarter rod density i 11AssemSt-in /5cuGSM i paragraph 7.5.5.4 of the FSAR. Addit onni uvEsefvatism'was l taken in this analysis by assuming that the IRM channel closest } to the withdrawn rod is bypassed. The results of this analysis show that the reactor is scrammed and peak power limited to one i i percent of rated power, thus maintaining MCPR above 1.07. Based on the above analysis, the IRM provides protection against local 1 } control rod withdrawal errors and continuous withdrawal of 1 control rods in sequence. i 1

4. Fixed Hinh Neutron Flur Scram Trin

? The average power range monitoring (APRM) system, which is calibrated using heat balance data taken during steady-state conditions, reads in percent of rated power (3,293 MWt). The i APRM system responds directly to neutron flux. Licensing analyses have demonstrated that with a neutron flux scram of 120 i percent of rated power, none of the abnormal operational j transients analyzed violate the fuel SAFETY LIMIT and there is a ~ substantial margin from fuel damage. B. ApRM Control Rod Block i s j Reactor power level may be varied by moving control rods or by varying the recirculation flow rate. 1 The APRM system provides a i control rod block to prevent rod withdrawal beyond a given point at constant recirculation flow rate and thus prevents scram actuation. l This rod block trip setting, which is automatically varied with recirculation loop flow rate, prevents an increase in the reactor i i 1 i BFN j Unit 3 TS 357 - TVA Letter to NRC 1.1/2.1-14 i Dated 05/ki/95 ) ,i

. ~ - - -. -.. ~. - - - 2.1 BASES (Cont'd) FEB 2 41995 T. (Deleted) G. & H. Main Steam Line Isolation on Low Pressure and Main Steam Line Isolation Scram [sas The low pressure isolation of the main steam lines a J44-is was provided to protect against rapid reactor depressuriza a and the resulting rapid cooldown of the vessel. The scram feature that 4 occurs when the main steam line isolation valves close shuts down J the reactor so that high power operation at low reactor pressure does not occur, thus providing protection for the fuel cladding inte SAFETY LIMIT. Operation of the reactor at pressures lower l TA5 e n."

  • sig requires that the reactor mode switch be in the osition, where protection of the fuel cladding integrity MIT is provided by the IRM and APRM high neutron flux Thus, the combination of main steam line low pressure scrams.

isolation and isolation valve closure scram assures the availability of neutron flux scram protection over the entire range of applicability of the fuel cladding integrity SAFETY LIMIT. In l addition, the isolation valve closure scram anticipates the pressure and flux transients that occur during normal or inadvertent isolation valve closure. With the scrans set at 10 percent of valve closure, neutron flux does not increase. I.J.& K. Reactor Low Water Level Setooint for Initiation of HPCI and RCIC Closina Main Steam Isolation Valves and Startinn LPCI and Core Sorav Pnens. These systems maintain adequate coolant inventory and provide core cooling with the objective of preventing excessive clad temperatures. The design of these systems to adequately perform the intended function is based on the specified low level scram setpoint and initiation setpoints. Transient analyses reported in Section 14 of the FSAR demonstrate that these conditions result in adequate safety margins for both the fuel and the system pressure. L. References 1. Supplemental Reload Licensing Report of Browns Ferry Nuclear Plant, Unit 3 (applicable cycle-specific document). 2. GE Standard Application for Reactor Fuel, NEDE-24011-P-A and NEDE-24011-P-A-US (latest approved version). BFN 1.1/2.1-16 Unit 3

1.2 BASES REACTOR COOLANT SYSTEM INTEGRITY ~ l The safety limits for the reactor coolant system pressure have been selected such that they are below pressures at which it can be shown that the integrity of the system is not endangered. However, the pressure safety limits are set high enough such that no foreseeable circumstances can cause the system pressure to rise over these limits. The pressure safety limits are arbitrarily selected to be the lowest transient overpressures allowed by the applicable codes, ASME Boiler and Pressure Vessel Code, Section III, and USAS Piping Code, Section B31.1. The design pressure (1,250 psig) of the reactor vessel is established-such that, when the 10 percent allowance (125 psi) allowed by the ASME Boiler and Pressure Vessel Code Section III for pressure transients is added to the design pressure, a transient pressure limit of 1,375 psig is established. 5 rr pondingly, the design pressur (1,14 pdt9 or suction and 1,326 ps1 F or discharge) of the reactor recircula 1 system piping are such , when the 20 percent allowance (230 and 265 p %1 owed by USAS Piping Code, Section B31.1 for pressure transient JS4( pded to the 15 design pressures, transient pressure limits of 1,37 ani 1,591 psig are Thus, the pressure safety limit applicable to power established. operation is established at 1,375 psig (the lowest transient overpressure allowed by the pertinent codes), ASME Boiler and Pressure Vessel Code, Section III, and USAS Piping Code, Section B31.1. The current cycle's safety analysis concerning the most severe abnormal operational transient resulting directly in a reactor coolant system pressure increase is given in the reload licensing submittal for the current cycle. The reactor vessel pressure code limit of 1,375 psig given in subsection 4.2 of the safety analysis report is well above the peak pressure produced by the overpressure transient described above. Thus, the pressure safety limit applicable to power operation is well above the peak pressure that can result due to reasonably expected overpressure transients. Higher design pressures have been established for piping within the reactor coolant system than for the reactor vessel. These increased design pressures create a consistent design which assures that, if the pressure within the reactor vessel does not exceed 1.375 psig, the pressures within the piping cannot exceed their respective transient pressure limits due to static and pump heads. The safety limit of 1,375 psig actually applies to any point in the reactor vessel; however, because of the static water head, the !.ighest pressure point will occur at the bottom of the vessel. Because the BPN-Unit 3 1.2/2.2-2

M 1.2 PASES (Cont'd) pressure is not monitored at this p51nt, it cannot be directly determined if this safety limit has been violated. Also, because of the potentially l varying head level and flow pressure drops, an equivalent pressure cannot be a priori determined for a pressure monitor higher in the vessel. Therefore, following any transient that is severe enough to cause concern that this safety limit was violated, a calculation will be performed using all available information to determine if the safety limit was violated. REFERENCES RM kpfC0dh k) 1. Plant Safety Analysis (BFNP FSAR Sec ion 4.0 2. ASME Boiler and Pressure Vessel Code Section III 3. USAS Piping Code, Section B31.1 4. Reactor Vessel and Appurtenances Mechanical Design (BFNP FSAR Subsection 4.2) 5. Generic Reload Fuel Application, Licensing Topical Report, NEDE-24011-P-A and Addenda. BFN-Unit 3 1.2/2.2-3

~ -. -. 2.2 BASES-REACTOR COOLANT SYSTEM INTEGRIT ~ l To meet the safety ba s,1 f valves have been inst led on the unit with a total capacity o ercent of nuclear boi r pa ed steam flow. The analysis of t st overpressure transi. t/(3 second closure of all main steam line isolation valves) negl g the direct scram (valve position scram) results in a maximum vessel pressure which, if a neutron flux scram is assumed considering 12 valves operable, results in adequate margin to the code allowable overpressure limit of 1,375 psig. To meet operational design, the analysis of the plant isolation transient (generator load reject with bypass valve failure to open) shows that 12 of the 13 relief valves limit peak system pressure to a value which is well below the allowed vessel overpressure of 1,375 psig. BFN-Unit 3 1.2/2.2-4

3.1 BAKE 1 (Cont'd) AUG 2 91995 be accommodated which would result'~in slow scram times or partial control rod insertion. To preclude this occurrence, level switches have been provided in the instrument volume which alarm and scram the reactor when the volume of water reaches 50 gallons. As indicated above, there is sufficient volume in the piping to accommodate the scram without impairmen* of the scram times or amount of insertion of the control rods. T3' r " unction shuts the reactor down while sufficient volume remains to accommodate the discharge water and precludes the situation in which a scram would be required but not be able to perform its function adequately. A source range monitor (SRM) system is also provided to supply additional neutron level information during startup but has no scram functions. Reference Section 7.5.4 FSAR. Thus, the IRM is required in the REFUEL and STARTUP modes. In the power range the APRM system provides required protection. Reference Section 7.5.7 FSAR. Thus, the IRM System is not required in the RUN mode. The APRMs and the IRMs provide adequate coverage in the STARTUP and intermediate range. The high reactor pressure, high drywell pressure, reactor low water level, low scram pilot air header pressure and scram discharge volume l high level scrams are required for STARTUP and RUN modes of plant operation. They are, therefore, required to be operational for these modes of reactor operation. The requirement to have the scram functions as indicated in Table 3.1.1 OPEDARLR in the REFUEL mode is to assure that shifting to the REFUEL mode during reactor power operation does not diminish the need for the reactor protection system. Because of the APRM downscale limit of.13 percent when in the RUN mode and high level limit of A15 percent when in the STARTUP Mode, the transition between the STARTUP and RUN Modes must be made with the APRM instrumentation indicating between 3 percent and 15 percent of rated power or a control rod scram will occur. In addition, the IRM system must be indicating below the High Flux setting (120/125 of scale) or a scram will occur when in the STARTUP Mode. For normal operating conditions, these limits provide assurance of overlap between the IRM system and APRM system so that there are no " gaps" in the" indications (i.e., the power level is continuously moni re 3 beginning of startup to full power and from full powers l o When power is being reduced, if a transfer to the STAR oei mad d 3 and the IRMs have not been fully inserted (a maloperational' bus not impossible condition) a control rod block immediately occurs so that reactivity insertion by control rod withdrawal cannot occur. The low scram pilot air header pressure trip performs the same function as the high water level in the scram discharge instrument volume for fast fill events in which the high level instrument response time may be inadequate. A fast fill event is postulated for certain degraded control air events in which the scram outlet valves unseat enough to allow 5 gpa per drive leakage into the scram discharge volume but not enough to cause control rod insertion. AMENDMENT NG.19 7 BFN 3.1/4.1-15 Unit 3

4.1 BASES AljG 2 91995 4 The minimum functional testing frequency used in this specification is based on a reliability analysis using the concepts developed in reference (1).- This concept was specifically adapted to the one-out-of-two taken twice logic of the reactor protection system. The analysis shows that the sensors are primarily responsible for the reliability of the reactor protection system. This analysis makes use of " unsafe failure" rate experience at conventional and nuclear power plants in a reliability model for the system. An " unsafe failure" is defined as one which negates channel operability and which, due to its nature, is revealed only when the channel is ' functionally tested M attempts to respond to a real signal. Failure such as blown fuses, ruptured bourdon tubes, faulted amplifiers, faulted cables, etc., which result in " upscale" or "downscale" readings on the reactor instrumentation are " safe" and will be easily recognized by the operators during operation because they are ;*vealed by an alarm or a scram. The channels listed in Tables 4.1.A and 4.1.B are divided into three groups for functional testing. These are: A. On-Off sensors that provide a scram trip function. B. Analog devices coupled with bistable trips that provide a scram function. C. Devices which only serve a useful function during some tricted mode of operation, such as STARTUP or SHUTDOWN, or or wh ch e only practical test is one that can be performed t jdEf 7 The sensors that make up group (A) are specifically selected from among the whole family of industrial on-off sensors that have earned an excellent reputation for reliable operation. During design, a goal of 0.99999 probability of success (at the 50 percent confidence level) was adopted to assure that a balanced and adequate design is achieved. The probability of success is primarily a function of the sensor failure rate and the test interval. A three-month test interval was planned for group (A) sensors. This is in keeping with good operating practices, and satisfies the design goal for the logic configuration utilized in the Reactor Protection System. The once per six-month functional test frequency for the scram pilot air header low pressure trip function is acceptable due to: 1. The functional reliability previously demonstrated by these switches on Unit 2 during Cycles 6 and 7, 2. The need for minimizing the radiation exposure associated with the functional testing of these switches, and 3. The increased risk to plant availability while the plant is in a half-scram condition during the performance of the functional testing versus the limited increase in reliability that weuld be obtained by more frequent functional testing. BFN 3.1/4.1-16 IOI Unit 3

4.1 BASES (Cont'd) ggg J Experience with passive type instruments in generating stations and substations indicates that the specified calibrations are adequate. For those devic which employ amplifiers etc., drift specifications call for drift be less an 0.4 perce' g i.e., in the period of a month a fit mont drift fC.4-perce would oce r a providing for adequate margin. For the APRM system drif t of electronic apparatus is not the only consideration in determining a calibration frequency. Change in power distribution and loss of chamber sensitivity dictate a calibration every seven days. Calibration on this frequency assures plant operation at or below thermal limits. A comparison of Tables 4.1.A and 4.1.B indicates that two instrument channels have been included in the latter table. These are mode switch in SHUTDOWN and manual scram. All of the devices or sensors associated with these scram functions are simple on-off switches and, hence, calibration during operation is not applicable, i.e., the switch is either on or off. The sensitivity of LPRM detectors decreases with exposure to neutron flux a slow and approximetely constant rate. The APRM system, which uses at the LPRM readings to detect a change in thermal power,.will be calibrated every seven days using a heat balance to compensate for this change in sensitivity. The RBM system uses the LPEM reading to detect a localized chante in thermal power. It applies a correction factor based on the APRM output signal to determine the percent thermal power and therefore any change in LPRM sensitivity is compensated for by the APRM calibration. The technical specification limits of CMFLPD, CPR, and APLHCR are determined by the use of the process computer or other backup methods. These methods use LPRM readings and TIP data to determine the power distribution. Compensation in the process computer for changes in LPRM sensitivity will be made by performing a full core TIP traverse to update the computer calculated LPRM correction factors every 1000 effective full power hours. As a minimum the individual LPRM meter readings will be adjusted at the beginning of each operating cycle before reaching 100 percent power. BFN 3.1/4.1-19l AMENDMDfT NO. I 9 7 Unit 3

~ " ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ a 3.2 aus i JU(.17 m In addition to reactor protection instrumentation which initiates a~ reactor scram, protective instrdmentation has been provided which initiates action to mitigate the consequences of accidents which are 1 beyond the operator's ability to control before they result in serious consequence,s.or terminates operator errors This set of specifications provides the limiting conditions of operation for the p i 4 block and standby gas treatment systems. The objectives of the Specifications are (i) to assure the effectiveness of the protective instrumentation when required by preserving its capability to tolerate a { single failure of any component of such systems even during periods when portions of such systems are out of service for maintenance, and (ii) to prescribe the trip settings required to assure adequate performance. I When necessary, one channel may be made inoperable for brief intervals to conduct required functional tests and calibrations. Some of the settings on the instrumentation that initiate or control core and low values are both critical and may have a subs safety. low end of the setting has a direct bearing on safety, a level away from the normal operating range to prevent inadvertent actuation of the safety system involved and exposure to abnormal situations. Actuation of primary containment valves is initiated by protective instrumentation shown in Table 3.2.A which senses the conditio which isolation is required. whenever PRIMAkY CONTAIRMENT INTEGRITY is required.Such instrum l I The instrumentation which initiates primary system isolation is connected in a dual bus arrangement. The low water level instrumentation set to trip at 538 inches above vessel zero closes isolation valves in the RER System, Drywell and Suppression Chamber exhausts and drains and Reactor Water Cleanup Lines (Groups 2 and 3 isolation valves). The low reactor water level instrumentation that is set to trip when reactor water level is 470 i_niliAtes the RCIC and HPCI systems.J The RCIC opens the turbine steam supply valve which in turn initiates closure of he respective drain valves (Group 7). _ n The low water level i vessel zero (Table 3. entation set to trip at 1398 inches above l Main Steam Line Drain loses the Main Steam Isolation Valves, the ves, and the Reactor Water Sample Valves (Group 1). These trip settings are adequate to prevent core uncovery in the case of a break in the largest line assuming the maximum closing time BFN Unit 3 3.2/4.2-64 AMENOMBU NO.19 6

3.2 BASES (Cent'd) fiAY 111995 The instrumentation which initiatas CSCS action is arranged in a dual bus system. As for other vital instrumentation arranged in this fashion, the specification preserves the effectiveness of the system even during periods when maintenance or testing is being performed. An exception to this is when logic functional testing is being performed. The control rod block functions are provided to generate a trip signal to block rod withdrawal if the monitored power level exceeds a preset value. The trip logic for this function is 1-out-of-n e.g., any trip on one of six APRMs, eight IRMs, or four_SRMs will_rannlt in a rod block. d The minimum instrument channel requirements assure sufficient instrumentation to assure the single failure criteria is met. The minimum instrument channel requirements for the RBM may be reduced by one for maintenance, testing, or calibration. This does not significantly increase the risk of an inadvertent control rod withdrawal, as the other channel is available, and the RBM is a backup system to the written ce for withdrawal of control rods. e .l.nsert A v The APRM rod block function is flow biased and provides a trip signal for blocking rod withdrawal when average reactor thermal power exceeds pre-established limits set to prevent scram actuation. The RBM rod block function provides local protection of the core; i.e., the prevention of critical power in a local region of the core, for a single rod withdrawal error from a limiting control rod pattern. If the IRM channels are in the worst condition of allowed bypass, the sealing arrangement is such that for unbypassed IRM channels, a rod block signal is generated before the detected neutrons flux has increased by more than a factor of 10. A downscale indication is an indication the instrument has failed or the instrument is not sensitive enough. In either case the instrument will not respond to changes in control rod motion and thus, control rod motion is prevented. The refueling interlocks also operate one logic channel, and are required for safety only when the mode switch is in the refueling position. For effective emergency core cooling for small pipe breaks, the HPCI ~ system must function since reactor pressure does not decrease rapid enough to allow either core spray or LPCI to operate in time. The automatic pressure relief function is provided as a backup to the HPCI in the event the HPCI does not operate. The arrangement of the tripping contacts is such as to provide this function when necessary and minimize spurious operation. adequate to assure the above criteria are met.The trip settings given in the The specification preserves the effectiveness of the system during periods of maintenance, testing, or calibration, and also minimizes the risk of inadvertent operation; i.e., only one instrument channel out of service. BFN Unit 3 3.2/4.2-67 TS 357 - TVA Letter to NRC Dated 05/ki/95

. -. - -. -... - -. - - - - -. ~... -. -.......... l i i i i { ~ i Lnser4 b: 1 When the RBM is required, the minista instrument channel i apply. the single failure criteria is act.These requirements assure suff requirements requirements for the RBN may be reduced by one for maintenanceT or calibration. inadvertent control rod withdrawal, as the other chan ) and the RBM is a backup system to the written sequence for withdr a a e, control rods. wal of j j d O 4 .~ ~

FEB 05 27

p. plSES,Cc

_t. ch, when tripped, result in a rod block have their contacts arranged in a 1-out-of-n logic, and all are capable of being bypassed. For such a tripping arrangement with bypass capability provided, there is an optinua test laterval that should be maintained in order to anzimize the reliability of a given channel (7). This takes account of the fact that testing degrades reliability and the optimum laterval between tests is approximately gives by: 4 2t i-g Where: 1= the optimum interval between tests. t= the time the trip contacts are disabled from performing their function while i the test is la progress, f the expected failure rate of the relays. r-To test the trip relays requires that the chamael be bypassed, the test;sade, and the systaa returned to its initial state. It is assumed this task requires an estimated 30 minutes to complete relays have a failure rate of 10-{n a thorough and workanalike manner and that the failures per hour. Using this data and the above operation, the optimaa test interval is: 4 O 2(0.5) 3 1 1 x 10 6 . - da,s For additional marzia a test interval of once ser month will be used initially. The sensors and electronic apparatus have not been included here as these are analog devices with readouts in the control room and the sensors and electronic apparatus can be checked by comparison with other like The checks which are made on a daily basis are adequate to assure the sensors and electronic apparatus, and the test interval given - r-a _ _ for optimum testing of the relay circuits. P The above calculated test laterval optimizes each individual channel, considering it to be independent of all others. As an erseple, assume that there are two channels with an inaividual technician assigned to each. Each technician tests bis channel at the optimum frequency, but the two technicians are not allowed to coasmaicate so that one can advise the other that his channel is under test. Under these conditions, it is possible for both channels to be under test simultaneously. Now, assume that the technicians are required to communicate and that two channels are never tested at the same time. (7) UCRL-50451, Improving Availability and Readiness of Fleid Equipment Through S. Periodic Inspection. Benjaala Epstein, Albert Shiff, July 16, 1968, page 10 tant squation (24). Lawrence Radiation Laboratory. BFN-Unit 3 3.2/4.2-70

~_ E j 3.3/4.3 3M31 (Cent'd) M30W 2. Reactivi in erab tro n - Specification l 3.3.A.2 r'equifes thM rod bhtsken Wof service -if it ( cannot be moved with 3 rive pressure. If the rod is fully inserted and disarmed electrically *, it is in a safe position of maximum contribution to shutdown reactivity.. If it is disarmed electrically in a nonfully inserted position, that position shall be consistent with the shutdown reactivity limitations stated in Specification 3.3.A.1. This assures that the core can be shut down at all times with the remaining control rods assuming the strongest OPERABLE control rod does not insert. Also if damage within the control rod drive mechanism and in particular, cracks in drive internal housings, cannot be ruled out, then a generic problem affecting a number of drives cannot be ruled out. Circumferential cracks resulting from stress-assisted intergranular corrosion have occurred in the collet housing of drives at several BWRs.- This type of cracking could occur in a number of drives and if the cracks propagated until severance of the collet housing occurred, scram could be prevented in the affected rods. Limiting the period of operation with a potentially severed rod after detecting one stuck rod will assure that the reactor will not be operated with a large number of rods with failed collet housings. The Rod Worth Minimizer is not automatically bypassed until rea.ctor power is above the preset power level cutoff. Therefore, control rod movement is restricted and the single notch exercise surveillance test is only performed above this power level. The Rod Worth Minimizer prevents movement of out-of-sequence rods unless power is above the preset power level cutoff. B. Control Rods 1. Control rod dropout accidents as discussed in the FSAR can lead to significant core damage. If coupling integrity is maintained, the possibility of a rod dropout accident is eliminated. The overtravel position feature provides a positive check as only uncoupled drives may reach this position. Neutron instrumentation response to rod movement provides a verification that the rod is following its drive. Absence of such response to drive movement could indicate an uncoupled condition. Rod position indication is required for proper function of the Rod Worth Minimizer.

  • To disarm the drive electrically, four amphenol type plug connectors are removed from the drive insert and withdrawal solenoids rendering the rod incapable of withdrawal.

This procedure is equivalent to valving out the drive and is preferred because, in this condition, drive water cools and minimizes crud accumulation in the drive. eliminate position indication. Electrical disarming does not BFN 3.3/4.3-14 Unit 3 ~

-... ~ - -.. .. ~. l 3.3/4.3 BASIa (Cont'd) gg4g 5. The Rod Block Monitor (RBM)-is designed to automatically prevent fuel l damage in the event of erroneous rod withdrawal from locations of high power density during high power level operation. Two RBM channels are Provided, and one of these may be bypassed from the console for maintenance and/or testing. Automatic rod wichdrawal blocks from one of the channels will block erroneous rod withdrawal soon enough to prevent fuel damage. The specified restrictions with one channel out of service conservatively assure that fuel damage will not occur due to rod withdrawal rere. Leo iii. ce;ditiaa arists. Scram Insertion Times gpu((m;hhower hansieb Me $sE The C. p d ese 5 Thecontrolrodsystemis!designedtobrin reac or subcritical at a rate fast enough to prevest fuel damage' .e., to p event the MCPR from becoming less than 1.07. VAnalysis of transien shows that th g negative reactivity rates result rom the scram FSAR Figure N3.6-9 with the av e response of al rives a ven nt j specificat o#y rovide the requ rotecti W MCPR remains greater than 1.07. On an early BWR, some denradme on of control rod scram performance occurred during p1 a ) was determined to be caused by particulate material yhteLly construction debris) plugging an internal control rod drive filter. The design of the present control red drive .(Model 7EDB144B) is. grossly improved by the relocation of the filter to a location out of the scram drive path; i.e., it can no longer interfere with scram performance, even if completely blocked. The degraded performance of the original drive (CRD7RDB144A) under dirty l operating conditions and the insensitivity of the redesigned drive (CRD7EDB144B) has been demonstrated by a series of engineering tests under simulated reactor operating conditions. The successful performance of the new drive under actual operating conditions has also been demonstrated by j consistently good in-service test results for plants using the new drive and may be inferred from plants using the older model BN AMENDMENT N0.19 0 3.3/4.3-17 Unit 3

3.3/4.3 BASES (Cont'd). g jg g drive with a modified (larger screen size) internal filter which is less prone to plugging. Data has been documented by surveillance reports in various operating plants. These include Oyster Creek, Monticello, Dresden 2, and Dresden 3. Approximately 5000 drive tests have been recorded to date. Following identification of the " plugged filter" problem, very frequent scram tests were necessary to ensure proper performance. However, the more frequent scram tests are now considered totally unnecessary and unwise for the following reasons: 1. Erratic scram performance has been identified as due to an obstructed drive filter in type "A" drives. The drives in BFNP are of the new "B" type design whose scram performance is unaffected by filter condition. I 2. The dirc load is primarily released duri the reactor and its systems are first sub emd i.J the reactor when o flows and pressure and thermal stresses.- Special attention and measures are now being taken to assure cleaner systems. Reactors with drives identical or similar (shorter stroke, smaller piston areas) have operated through many refueling cycles with no sudden [ea(("thtingissufficie =~=>ia changes in scram performance. This preoperational d detect anomalous drive performance. 3. The 72-hour outage limit which initiated the start of the frequent scram testing is arbitrary, having no logical basis other than quantifying a " major outage" which might reasonably be caused by an event so severe as to possibly affect drive performance. This requirement is unwise because it provides an incentive for shortcut actions to hasten returning "on line" to avoid the additional testing due a 72-hour outage. 3.3/4.3-18 l MDfT NO.10 4 BFN Unit 3

3.3/4.3 BASES D. Reactivity Anomalies During each fuel cycle excess' operative reactivity varies as fuel depletes and as any burnable poison in supplementary control is burned. The magnitude of this excess reactivity may be inferred from the critical rod configuration. As fuel burnup progresses, anomalous behavior in the excess reactivity may be detected by comparison of the critical rod pattern at selected base states to ) the predicted rod inventory at that state. Power operating base conditions provide the most sensitive and directly interpretable data relative to core reactivity. Furthermore, using power operating base conditions permits frequent reactivity comparisons. .l Requiring a reactivity comparison at the specified frequency assures that a comparison will be made before the core reactivity change exceeds 1 percent AK. Deviations in core reactivity greater than 1 cent AK are not expected and require thorough evaluation. One erce t reactivity limit is considered safe since an insertion of activity into the core would not lead to transients; exceeding e1 5" :eaditi of the reactor system. Cne percen.t E. No naamo provide for this specification j F. Scram Discharae Volume l The nominal stroke time for the scram discharge volume vent and drain valves is 1 30 seconds following a scram. The purpose of these valves is to limit the quantity of reactor water discharged 1 after a scram and no direct safety function is performed. The surveillance for the valves assures that system drainage is not impeded by a valve which fails to open and that the valves are OPERABLE and capable of closing upon a scram. References 1. Generic Reload Fuel Application, Licensing Topical Report, NEDE-24011-P-A and Addenda. i BFN 3.3/4.3-20 Unit 3 AMENDMDE RO.10 4

3.5 BASES 021' 3.5.A. Core Sorav System (CSS) and 3.5.B Residual Heat Removal System (RNDS) Analyses presented in the FSAR*_and analyses presented in conformance with 10 CFR 50, Appendix K, demonstrated that the core spray system rovides adequate cooling to the core to dissipate the energy-associated with the loss-of-coolant accident and to limit fuel clad-intact and to limit the core average clad mete 1-water rea than 1 percent.- o less Core spray distribution has been shown in tests of systems similar in design to BFNP to exceed the minimum requirements. In addition, cooling effectiveness has been demonstrated at less than half the rated flow in simulated fuel assemblies with heater rods to 11cate the in cog (unc + decay heat characteria diated fuel. iew, w% h LPCI pumps LFCI moce; la t.ia d a p w ide xus mama core by flooding in the event of a loss-of-coolant accident.usergency cooling to the does function in combination with the core spray systpa This excessive fuel clad temperature. The LPCI mode of the RERS and the core spray system provide adequate cooling for break areas of approximately 0.2 square feet up to and including the double-ended recirculation line break without assistance from the high-pressure emergency core cooling subsystems. The intent of the CSS and RERS specifications is to not allow startup from the cold condition without all associated equipment being OPERARLE. service for the specified allowable repair times.However, during ope times have'been selected using engineering judgment based onThe allowable repair experiences and supported by availability analysis. loop, the RER System, and the diesel generators are re OPERABLE should the need for core cooling arise. These provide extensive margin over the OPERARLE equipment needed for adequate core cooling. seven days was chosen.With due regard for this margin, the allowable repair time o Should one RER pump (LPCI mode) become inoperable, three RER pumps (LPCI mode) and the core spray system are available. Since adequate repair period is justified. core cooling is assured with this complement of ECC Should two RHR pumps (LPCI mode) become inoperable, there remains no reserve (redundant) capacity within the RERS (LPCI mode). the affected unit shall be placed in cold shutdown within 24 hoursTherefore,

  • A detailed functional analysis is given in Section 6 of the BFNP FSAR BFN Unit 3 3.5/4.5-27 AMENDMENTNO.14 0

3.5 ' DASI} (Cont'd) NOV 0 2 5 With the RCICS inoperable, a 1reven-day period to return the system to service is justified based on the availability of the HPCIS to cool the core and upon consideration that the average risk associated with failure of the RCICS to cool the core when required is not increased. The surveillance requirements, which are based on industry codes and standards, provide adequate assurance that the RCICS will be OPERABLE when required. 3.5.G Automatic Denressurization System (ADS) The ADS consists of six of the thirteen relief valves. It is designed to provide depressurization of the reactor coolant system during a small break loss of coolant accident (LOCA) if HPCI fails or is unable to maintain the required water level in the reactor vessel. ADS operation reduces the reactor vessel pressure to within the operating Pressure range of the low pressure emergency core cooling systems (core spray and LPCI) so that they can operate to protect the fuel barrier. Specification 3.5.G applies only to the automatic feature of the pressure relief system. Specification 3.6.D specifies the requirements for the pressure relief function of the valves. It is possible for any number of the valves assigned to the ADS to be incapable of performing their ADS functions because of instrumentation failures, yet be fully capable of performing their pressure relief function. The emergency core cooling system LOCA analyses for small line breaks assumed that four of the six ADS valves were OPERABLE. By requiring six valves to be OPERABLE, additional conservatism is provided to account for the possibility of a single failure in the ADS system. Reactor operation with one of the six ADS valves inoperable is allowed to continue for fourteen days provided the HPCI, core spray, and LPCI systems are OPERABLE. Operation with more than one ADS valve inoperable is not acceptable. With one ADS valve known to be incapable of automatic operation, five valves remain OPERABLE to perform the ADS function. This condition is within the analyses for a small break LOCA and the peak clad ~ temperature is well below the 10 CFR 50.46 limit. Analysis'has shown ~ that four valves are capable of depressurizing the reactor rapidly ~~ .enough to maintain peak clad temperature within acceptable limits. $ /3 H. Maintenance of Filled Discharme Pine If the discharge piping of the core spray, LPCI, HPCIS, and RCICS are not filled, a water hammer can develop in this piping when the pump and/or pumps are started. To minimize damage to the discharge piping and to ensure added margin in the operation of these systems, this Technical Specification requires the discharge lines to be filled BFN 3.5/4.5-33 l U N0=109 Unit 3

.. ~ - 3.6/4.6 BASES i 3.6.C/4.6.C (Cont'd) A(JG 031989 suggest a reasonable margin of safety that such leakage magnitude would result from a crack approaching the critical size for rapid not Leakage less than the magnitude specified can be detected propagation. reasonably in a matter of a few hours utilizing the available leakage detection schemes, and if the origin cannot be determined in a reasonably short time, the unit should be shut down to allow further investigation and corrective action. 5 The two spm limit for coolant leakage rate increas over any 4-ho r period is a limit specified by the NRC (Reference 2). This li applies only during the RUN mode to avoid being penalized for the expected coolant leakage increase during pressurization. The total leakage rate consists of all leakage, identified and unidentified, which flows to the drywell floor drain and equipment drain sumps. The capacity of the dryvell floor sump pump is 50 gpm and the capacity of the drywell equipment sump pump is also 50 gpm. Removal of 25 gpm from either of these sumps can be accomplished with considerable margin. References 1. Nuclear System Leakage Rate Limits (BFNP FSAR Subsection 4.10) 2. Safety Evaluation Report (SER) on IE Bulletin 82-03 3.6.D/4.6.D Relief Valves ./ To meet the safety basis, 13 Ives have been installed on the j unit with a total capacity o reent of nuclear boiler rated steam flow. The analysis of the vors overpressure transient, (3-second closure of all main steam line isolation valves) neglecting the direct scram (valve position scram) results in a maximum vessel pressure which, if a neutron flux scram is assumed considering 12 valves OPERABLE, results in adequate margin to the code allowable overpressure limit of 1,375 psig. To meet operational design, the analysis of the plant isolation transient (generator load reject with bypass valve failure to open) shows that 12 of the 13 relief valves limit peak system pressure to a value which is well below the allowed vessel overpressure of 1,375 psig. Experience in 'elle maksa5Bg lve operation shows that a testing of 50 percent of ene valves y y ar a equate to detect failures or deteriorations. The reli and-1iafM Ives are benchtested every second operating cycle to ens to ;hes eir setpoints are within the 1 percent tolerance. The relief valves are tested in place in accordance with Specification 1.0.MM to establish that they will open and pass steam. BFN 3.6/4.6-30 AMENDMENT NO.141 Unit 3

3.6/4.6 BASES 3.6.D/4.6.D (Cont'd) The requirements established above apply when the nuclear system can be pressurized above ambient conditions. These requirements are applicable at nuclear system pressures below normal operating pressures because abnormal operational transients could possibly start at these conditions such that eventual overpressure relief would be needed. However, these transients are much less severe, in terms of pressure, than those starting et rated i conditions. The valves need not be functional when the vessel head is removed, since the nuclear system cannot be pressurized. The relief valves are not required to be OPERABLE in the COLD SHUTDOWN CONDITION. Overpressure protection is provided during hydrostatic tests by two of the relief valves whose relief setting has been established in conformance with ASME Section XI code requirements. The capacity of one relief valve exceeds the charging capacity of the pressurization source used during hydrostatic testing. Two relief valves are used to provide redundancy. References 1. Nuclear System Pressure Relief System (BFNP FSAR Subsection 4.4) 2. " Protection Against Overpressure" (ASME Boiler and Pressure Vessel Code, i Section III, Article 9) 3. Browns Ferry Nuclear Plant Design Deficiency Report-Target Rock _ Safety-Relief Valves, transmitted by J. E. Gilliland to F. E. Kruesi, August zy tyi5 M Ceneric. eload Fued Apphcaterw L.cce%; TJp4R.N , NEhP A .6.E/4.6.E Jet Pumns glf,p g a gg Failure of a jet pump nozzle assembly holddown mechanism, nozzle assembly and/or riser, would increase the cross-sectional flow area for blowdown following the design basis double-ended line break. Also, failure of the diffuser would climinate the capability to reflood the core to two-thirds height level following a recirculation line break. Therefore, if a failure occurred, repairs must be made. The detection technique is as follows. With the two recirculation pumps balanced in speed to within i 5 percent, the flow rates in both recirculation loops will be verified by control room monitoring instruments. If the two flow rate values do not differ by more than 10 percent, riser and nozzle assembly integrity has been verified. If they do differ by 10 percent or more, the core flow rate measured by the jet pump diffuser differential pressure system must be checked against the core flow rate derived from the measured values of loop flow to core flow correlation. If the difference between measured and derived core flow rate is 10 percent or more (with the derived value higher) diffuser measurements will be taken to define the location within the vessel of failed Jet pump nozzle (or riser) and the unit shut down for repairs. If the potential blowdown flow BFN 3.6/4.6-31 Unit 3

1 3.6/4.6 BASES M312 3.6.G/4.6.G (Cont'd) The program reflects the built-in limitations of access to the reactor coolant systems. { It is intended that the required examinations and inspection be completed during each 10-year interval. The periodic examinations are to be done during refueling outages or other extended plant shutdown periods. Only proven nondestructive testing techniques will be used. i 1 More frequent inspections shall be performed on certain circumferential pipe welds as listed in plant procedures to provide additional protection against pipe whip. These welds were selected in respect to their distance from hangers or supports wherein a failure of the weld would permit the unsupported segments of pipe to strike the drywell wall or nearby auxiliary systems or control systems. Selection was based on judgment from actual plant observation of hanger and support locations and review of drawings. Inspection of all these welds during each 10-year inspection interval will. result in three additional examinations above the requirements of Section XI of ASME Code. References 1. rvice Inspection and Testi FJfP FSAR Subsection 4. s 2. Inservice Inspection of Nuclear Reactor Coolant Systems, Section XI, ASME Boiler and Pressure Vessel Code 3. ASME Boiler and Pressure Vessel Code, Section III (1968 Edition) 4. American Society for Nondestructive Testing No. SNT-TC-1A (1968 Edition) BFN 3.6/4.6-33 l ARENDMENT NO.17 9 Unit 3

f 3.7/4.7 A M fd (Cont'd) NOV 16 ik Maintaining the water level between_these levels will ensure that the torus water volume and downcomer submergence are within the aforementioned limits during normal plant operation. Alarms, adjusted for instrument error, will notify the operator when the limits of the torus water level are approached. The maximum permissible bulk pool temocrature.is limited by the potential for' stable and complete condensation of steam discharged from safety relief valves and adequate core spray pump net positive suction head. At reactor vessel pressures above approximately 555 psig, the bulk pool temperature shall not exceed 180*F. At pressures below approximately 240 psis, the bulk temperature j may be as much as 184*F. the bulk temperature is permitted.At intermediate pressures, linear interpolation of They also rep-esent the bounding upper limits that are used in suppression pool temperature response analyses for safety relief velve discharge and t accident (LOCA) cases. The actions required by Specifications p ^ 3.7.C.*-D.7.. assure the reactor can be depressurized in a timely manner to eeding the maximum bulk suppression pool water limits. avo the 184*F limit provides that adequate RHR and core spray pump NPSH will beFurtherm available without dependency on containment overpressure. Should it be necessary to drain the suppression chamber, this should only be done when there is no requirement for Core Standby Cooling Systems OPERABILITY. Under full power operation conditions, blowdown from an initial suppression chamber water temperature of 95'F results in a peak long term water temperature which is sufficient for complete condensation. Limiting suppression pool temperature to 105*F during RCIC, HPCI, or relief valve operation when decay heat and stored energy is removed from the primary I system by discharging reactor steam directly to the suppression chamber as uste margin fo p ontrolled blowdown anytime during RCIC operation an margin for plete condenaation of steam from the design basis loss w* accide t))( L.oCA), e rwu re In addition to the limits on temperature of the suppression chamber pool water, operating procedures define the action to be taken in the event a relief valve inadvertently opens or sticks open. (1) use of all available means to action would include: e the val initist ession pool water cooling heat exchange , ( ) initiate tor shutd d (4) if other relief valves are used to depressurize the reactor, their shall be separated from that of the stuck-open relief valve to assure mixing harge and unifo energy inserti n to he pool. Ifshas-of-Toolant7ciden re occur when the reactor water temperature is below approximatEly.uu'r, e e o 62 psig code permissible pressir ainment pressure will not exceed the maximum allowable pool temperat v n if no condensation were to occur. The be governed by this specification., whenever the reactor is above 212*F, shall Thus, specifying water volume-temperature requirements applicable for reactor-water temperature above 212*F provides additional margin above that available at 330*F. BFN Unit 3 3.7/4.7-25 AMENDMENT NO. I 61

3.7/4.7 BASES (Cont'd) NOV 16 m In conjunction with the Mark I Containment Short Term Program, a plant-uniq analysis was performed (" Torus Support System and Attached Piping Analysis for the Browns Ferry Nuclear Plant Units 1, 2, and 3," dated September 9 i supplemented October , 1976 and 12, 1976) which demonstrated a factor of safety of at least two for the weakest element in the suppression chamber support system and attached piping. The maintenance of a drywell-suppression chamber differential pressure of 1.1 paid and a suppression chamber water level corresponding to a downcomer submergence range of 3.06 feet to 3.58 feet will assure the integrity of the suppression chamber when subjected to post-loss-of-coolant suppression pool hydrodynamic forces. I"*"*"" LOCA Qdu The relativity small containm suppression containment and thont volume inherent in the GE-BWR pressure that the occurrence of a veryylimi_tede large amount of zircon um in the core are zirconitan and steam during a[ loss-ob co(olant acci R c)ould lead to th a percent or s reaction of the o liberation of hydrogen combined with an air atmos i flammable concentration in the containment. re to result in a If a sufficient amount of hydrogen is generated and oxygen is available in stoichiometric quantities the subsequent ignition of the hydrogen in rapid recombination rate could lead to failure of the containment to maintain low leakage integrity. hydrogen e The <4 percent ation minimizes the p lity of hydrogen combustion following a loss-of-coolant accident LocA. ~ ' dew The occurrence of rimary syst eskage following a major refueling outage or o,thn cheduled utdown i (loss-of _ coolant accident ch more probable than the occurrence of the pon which the specified oxygen concentration limit is based. Permitting access to the drywell for leak inspections during a i significantly reducing the margin of safety.startup is judged prud Thus, to preclude the possibility of starting the reactor and operating for extended periods of time with significant leaks in the primary system, leak inspections are scheduled during startup periods, when the primary system is at or near rated operatin temperature and pressure. The 24-hour period to provide inerting is judged sufficient to perform the leak inspection and establish the required oxygen concentration. To ensure that the hydrogen concentration is maintained less than 4 percent following an accident, liquid nitrogen is maintained onsite for containment atmosphere dilution. supply, and replenishment facilities can deliver liquid nitrogen M within one da the fore, a requirement of 2.500 g ns is_ conservative. ol ow a loss-of-coolanhe Containment Air Monitoring (CAM) System continuously monitors the hydrogen concentration of the containment volume. circuit) are installed in the drywell and the torus.Two independent Each sensor and ( associated circuit is periodically checked by a calibration gas to verify ? operation. Failure of one system does not reduce the ability to monitor system atmosphere as a second independent and redundant system will still b OPERABLE. Lse < + BFN Unit 3 3.7/4.7-26 l AMENDMENT NO. I 6 I .~.

1 i ~ InserY W' LccA Following a le= - ~ = P q rient-the Containment Air Monitoring (CAM) System continuously monitors the hydrogen concentration of the containment.-volume. Two independent systems are capable of sampling and monitoring hydrogen concentration in the drywell and the torus. Each sensor and associated circuit is periodically checked by a calibration gas to verify' operation. Failure of one system does not reduce the ability to monitor the j { hydrogen concentration in the drywell or torus atmosphere as a t second independent and redundant system will still be OPERABLE. 4 i J l 4 l i 3 J i. i a ii )

4 l 3.7/4.7 i t'd M 3 .s In terms of separability, redundancT for a failure of the torus system is based upon at least one OPERABLE drywell system. The drywell hydrogen post-loss-of-coolant accident conditions. concentration can be used to { . Post-loss-of-coolant accident calculations show that the CAD system within two hours at a flow rate of 100 scfm will limit the peak drywell and wetwell hydrogen concentration to ~ 3.9-percent (at 3 hours) and 3.9-percent (at 32 hours), respectively. j based upon purge initiation after 20 hours at a flow rate of 100 scfm toThis is maintain containment pressure below 30 psig. Thus, peak torus hydrogen i concentration can be controlled below 4.0 percent using either the direct j with appropriate conservatism (1 3.9-percent), as a g operations. Vacuum Relief The purpose of the vacuum relief valves is to equalize the pressure between the drywell and suppression chamber and reactor building so that the structural integrity of the containment is maintained. The vacuum relief two 100-percent vacuum relief breakers (two parallel s series). less than 2 psig; the external design pressure. Operation of either breaker may be out of service for repairs for a period of seven daysOne rea brought to a condition where vacuum relief is no longer If When a drywell-suppression chamber vacuum breaker valve is exercised an opening-closing cycle the position indicating lights in the control room are designed to function as specified below: Initial and Final Check - On Condition (Fully Closed) Green - On Red - Off Opening Cycle Check - Off (Cracked Open) Green - Off (> 80' Open) Red - On (> 3' Open) Closing Cycle Check - On (Fully Closed) Green - On (< 80* Open) Red - Off (< 3' Open) The valve position indicating lights consist of one check light on the check light panel which confirms full closure, one green light next to the hand switch which confirms "near closure" (within 3* of full c is on a separate switch. Each light If the check light circuit is OPERABLE when the valve will fully close. valve is exercised by its air operator there exists a confir If the red light circuit is OPERABLE, there exists a BFN Unit 3 3.7/4.7-27l AMENDMENT NO. I 6 I

3.7/4.7 BASES (Cont'd) PUWt151995 in the system, isolation is provided by high temperature in the cleanup system Also, since the vessel could potentially be drained through the cleanup area. system, a low-level isolation is provided. Groues 4 and 5 - Process lines are designed to remain OPERABLE and citigate the consequences of an accident which results in the isolation c other a process lines. The signals which initiate isolation of Gro'ss 4 and 5 process lines are therefore indicative of a condition which woul'. render them inoperable. Groue 6 - Lines are connected to the primary con'.ainment but not directly to the reactor vessel. These valves are isolated on reactor low water level (538"), high drvva11 nressure, or reactor building ventilation high radiation which would ndicate a sible accident and necessitate primary containment isolation. @ k$cd) g _ m_ Groun 7. rocess lines are closed only on the respective turbine steam supply (valve not fully closed. This assures that the valves are not open when HPCI (or RCIC action is required. Groue 8 - Line (traveling in-core probe) is isolated on high drywell pressure or reactor low water level (538"). This is to assure that this line does not provide a leakage path when containment pressure or reactor water level indicates a possible accident condition. The maximum closure time for the automatic isolation valves of the primary containment and reactor vessel isolation control system have been selected in consideration of the design intent to prevent core uncovering following pipe breaks outside the primary containment and the need to contain released fission products following pipe breaks inside the primary containment. -In satisfying this design intent, an additional margin has been included in specifying maximum closure times. This margin permits identification of degraded valve performance prior to exceeding the design closure times. In order to assure that the doses that may result from a steam line break do not exceed the 10 CFR 100 guidelines, it is necessary that no fuel rod perforation resulting from the accident occur prior to closure of the main steam line isolation valves. Analyses indicate that fuel rod cladding perforations would be avoided for main steam valve closure times, including ~ instrument delay, as long as 10.5 seconds. 3.7/4.7-34 DMENT NO.19 3 BFN Unit 3

3.9 ams 1 S MAR 2 41993 The objective of this specification is to assure an a quate source of electrical power to operate facilities to cool the uni during shutdown and to operate the engineered safeguards following an accident. There 4 are three sources of alternating current electrical energy available, namely, the 161-kV transmission. system, the 500-kV transmission system, and the diesel generators. The unit station-service transformer B for unit 3 provides a noninterruptible source of offsite power from the 500-kV transmission system to the unit 3 shutdown boards. Auxiliary power can also be supplied from the 161-kV transmission system through the common ~ station-service transformers or through the cooling tower transformers by way of the bus tie board. The 4-kV bus tie board may remain out of service indefinitely provided one of the required offsite power sources is not supplied from the 161-kV system through the bus tie board. The minimum fuel oil requirement of 35,280 gallons for each diesel 3 generator fuel tank assembly is sufficient for seven days of full load operation of each diesel and is conservatively based on availability of a replenishment supply. Each diesel generator has its own independent 7-day fuel oil storage tank assembly. The degraded voltage sensing relays provide a start signal to the diesel generators in the event that a deteriorated voltage condition exists on a 4-hV shutdown board. This starting signal is independent of the starting signal generated by the complete loss of voltage relays and will continue to function and start the diesel generators on complete loss of voltage should the loss of voltage relays become inoperable. The 15-day inoperable time limit specified when one of the three phase-to-phase degraded voltage relays is inoperable is justified based on the two-out-of-three permissive logic scheme provided with these relays. A 4-kV shutdown board is allowed to be out of operation for a brief period to allow for maintenance and testing, provided all remaining 4-kV i shutdown boards and associated diesel generators, CS, RHR, (LPCI and containment cooling) systems supplied by the remaining 4-kV shutdown 4 boards, and all emergency 480-V power boards are OPERABLE. The 480-V diesel auxiliary board may be out of service for short periods ] for tests and maintenance. There is a safety related 250-V de unit battery located in each unit. Each 250-V de unit battery system consists of a battery, a battery charger, and a distribution panel. There is also a backup charger which can be assigned to any one of the three unit batteries. The 250-V de unit battery systems provide power for unit control functions, unit DC motor loads and alternate control power to the 4160 and 480-V ac shutdown boards. The primary control power supplies to the 3A, 3C and N BFN 3.9/4.9-18 By letter 3/24/93 Unit 3

_.. _ _ ____ __ _ _ _. _ _ _ ~ ___ _ _______ 3.10 BASES (Cont'd) 09m suberitical even when the highest worth control rod is fully withdrawn. The combination of refueling interlocks for control rods and the refueling platform provide redundant methods of preventing inadvertent criticality even after procedural violations. The interlocks on hoists provide yet another method of avoiding inadvertent criticality. Fuel handling is normally conducted with the fuel grapple hoist. The total load on this hoist when the interlock is required consists of the weight of the fuel grapple and the fuel assembly. This total is approximately 1,500 lbs, in comparison to the load-trip setting of 1,000 lbs. Provisions have also been made to allow fuel handling with either of the three auxiliary hoists and still maintain the refueling interlocks. The 400-lb load-trip setting on thes a is adequate to trip the interlock when one of the more 490'-1b fuel bundles is being handled. 650 During certain periods, it is desirable to perform maintenance on two control rods and/or control rod drives at the same time without removing fuel from the cella. The maintenance is performed with the. mode switch in the refuel position to provide the refueling interlocks normally available during refueling operations. In order to withdraw a second control rod after withdrawal of the first rod, it is necessary to bypass the refueling interlock on the first control rod which prevents more than one control rod from being withdrawn at the sama time. The requirement that an adequate shutdown margin be demonstrated and that all remaining control rods have their directional control valves electrically disarmed ensures that inadvertent criticality cannot occur during this maintenance. The adequacy of the shutdown margin is verified by demonstrating that at least 0.38 percent Ak shutdown margin is available. Disarming the directional control valves does not inhibit control rod scram capability. Specification 3.10.A.7 allows unloading of a significant portion of the reactor core. This operation is performed with the mode switch in the REFUEL position to provide the refueling interlocks normally available during refueling operations. In order to withdraw more than one control rod, it is necessary to bypass the refueling interlock on each withdrawn control rod which prevents more than one control rod from being withdrawn at a time. The requirement that the ~ fuel assemblies in the cell controlled by the control rod be removed from the reactor core before the interlock can be bypassed ensures that withdrawal of another control rod does not result in inadvertent 1 criticality. Each control rod provides primary reactivity control for the fuel assemblies in the cell associated with that control rod. i Thus, removal of an entire cell (fuel assemblies plus control rod) results in a lower reactivity potential of the core. The i requirementsforSRMOPERABILITYduringtheseCOREALTERATIONSassurel sufficient core monitoring. I BFN 3.10/4.10-11 Unit 3 AMENDMENT NO. I 6 6

3.10 BASES (Cont'd) FEB 2 3 W REFERENCES 1. Refueling interlocks (BFNP FSAR Subsection 7.6) B. Core Monitorinn The SRMs are provided to monitor the core during periods of unit shutdown and to guide the operator during refueling operations and unit startup. Requiring two OPERABLE SEMs (FLCs) during CORE ALTERATIONS assures adequate monitoring of the fueled region (s) and the core quadrant where CORE ALTERATIONS are being performed. The fueled region is any set of contiguous (adjacent) control cells which contain one or more fuel assemblies. An SEM is considered to be in the fueled region when one or more of the four fuel assembly locations surrounding the SEM dry tube contain a fuel assembly. An FLC is considered to be in the fueled region if the FLC is positioned such that it is monitoring the fuel assemblies in its associated core quadrant, even if the actual position of the FLC is outside the fueled region. Each SRM (FLC) is not required to read 1 3 cps until after four fuel assemblies have been loaded adjacent to the SEM (FLC) if no other fuel assemblies are in the associated core quadrant. These four locations are adjacent to the SRM dry tube. When utilizing FLCs, the FLCs will be located such that the required count rate is achieved without exceeding the SRM upscale setpoint. With four fuel assemblies or, fewer loaded around each SRM, even with a control rod withdrawn, the configuration will not be critical. Under the special condition of removing the full core with all control rods inserted and electrically disarmed, it is permissible to allow SRM count rate to decrease below three counts per second. All fuel moves during core unloading vill reduce reactivity. It is expected that the SRMs will drop below three counts per second before all of the fuel is unloaded. Since there will be no reactivity additions during this i period, the low number of counts will not present a hazard. When sufficient fuel has been removed to the spent fuel storage pool to drop the SRM count rate below 3 cps, SRMs will no longer be required to be OPEDART.R. Requiring the SEMs to be functionally tested prior to fuel removal assures that the SEMs will be OPERABLE at the start of fuel removal. The once per 12 hours verification of the SRM count rate and ~ signal-to-noise ratio ensures their continued OPERABILITY until the count rate diminishes due to fuel removal. Control rods in cells from which all fuel has been removed pay be armed electrically and moved for j maintenance purposes during full core removal, provided all rods that control fuel arm Fis11y 4a==-t d --M ::lecuicell; &~==d - O d axt a edsidR, Oe. Periphe$ of b N% M Sc\\ YYOYE Y 1. Neutron Monitoring System (BFNP FSAR Subsection 7.5) BFN 3.10/4.10-12 TS 348 - TVA Letter to NRC Unit 3 Dated 02/23/95

d i j 3.10 3&331 (Cont'd) FEB 2 3195 2. Morgan, W. R., "In-CoreJeutron Monitoring System for General Electric Boiling Water Reactors," General Electric Company, Atomic Power Equipment Department, November 1968, revised April 1969 4 (APED-5706) C. Snent Fuel Pool Water i s The design of the spent fuel storage pool provides a storage location i for approximately 140 percent of the full core load of fuel assemblies in the reactor building which ensures adequate shielding, cooling, and reactivity control of irradiated fuel. An analysis has been performed which shows that a water level at or in excess of eight and one-half feet over the top of the stored assemblies will provide shielding such i i that the maximum calculated radiological doses do not exceed the limits of 10 CFR 20. The normal water level provides 14-1/2 feet of additional water shielding. The capacity of the skimmer surge tanks is available to maintain the water level at its normal height for three days in the absence of additional water input from the condensate storage tanks. All penetrations of the fuel pool have been installed 4 at such a height that their presence does not provide a possible j drainage route that could lower the normal water level more than one-half foot. The fuel pool cooling system is designed to maintain the pool water temperature less than 125'F during normal heat loads. If the reactor core is completely unloaded when the pool contains two previous discharge batches, the temperatures may increase to greater than 125'F. The RER system supplemental fuel pool cooling mode will be used under these conditions to maintain the pool temperature to less than 125'F. /, ~ 3m 1 M.10 # R A Reactor Bu11 dine crane The re.ctor building crane and 125-ton hoist are required to be OPERABLE for handling of the spent fuel in the reactor building. The controls for the 125-ton hoist are located in the crane cab. The five-ton has both cab and pendant controls. a A visual inspection of the load-bearing hoist wire rope assures detection of signs of distress or wear so that corrections can be promptly made if needed. The testing of the various limits and interlocks assures their proper operation when the crane is used. 3M Spent Fuel Cask The spent fuel cask design incorporates removable lifting trunnions. The visual inspection of the trunnions and fasteners prior to BFN Unit 3 3.10/4.10-13l TS 348 - TVA Letter to NRC Dated 02/23/95

ENCLOSURE 3 TENNESSEE VALLEY AUTHORITY BROWNS FERRY NUCLEAR PLANT (BFN) UNITS 1, 2, AND 3 1 PROPOSED TECHNICAL SPECIFICATION (TS) CHANGE TS-370 REVISED PAGES i 1 I. AFFECTED PAGE LIST i UNIT 1 UNIT 2 UNIT 3 3.10/4.10-12 1.1/2.1-8 1.1/2.1-8 1.1/2.1-9 1.1/2.1-9 1.1/2.1-13 1.1/2.1-13 1.1/2.1-14 1.1/2.1-14 1.1/2.1-15 1.1/2.1-16 l 1.1/2.1-16 1.2/2.2-2 1.2/2.2-2 1.2/2.2-3 1.2/2.2-3 1.2/2.2-4 3.1/4.1-14 3.1/4.1-15 3.1/4.1-15 3.1/4.1-16 3.1/4.1-17 3.1/4.1-19 3.1/4.1-20 3.2/4.2-64 3.2/4.2-65 3.2/4.2-67 3.2/4.2-67 3.2/4.2-70 3.3/4.3-15 3.2/4.2-71 3.3/4.3-17 3.2/4.2-72 3.3/4.3-18 3.3/4.3-14 3.3/4.3-20 3.3/4.3-17 3.5/4.5-24 3.3/4.3-18 3.5/4.5-30 3.3/4.3-20 3.5/4.5-32 3.5/4.5-27 3.6/4.6-30 3.5/4.5-33 3.6/4.6-31 3.6/4.6-30 3.6/4.6-32 3.6/4.6-31 '3.6/4.6-33 3.6/4.6-32 3.7/4.7-26 3.6/4.6-33 3.7/4.7-27 3.7/4.7-25 3.7/4.7-28 3.7/4.7-26 3.9/4.9-19 3.7/4.7-27 3.10/4.10-12 3.7/4.7-34 3.10/4.10-15 3.9/4.9-18 1 3.10/4.10-11 3.10/4.10-12 l 3.10/4.10-13 II. REVISED PAGES l See attached. i

_ ~ -.. - 3.10 BASES (Cont'd) i subcritical even when the highes_t worth control rod is fully withdrawn. The combination of refueling interlocks for control roda 2 j and the refueling platform provide redundant methods of preventing i inadvertent criticality even after procedural violations. The interlocks on hoists provide yet another method of. avoiding inadvertent criticality. Fuel handling is normally conducted with the fuel grapple hoist. The total load on this hoist when the interlock is required consists of the weight of the fuel grapple and the fuel assembly. This total is approximately 1,500 lbs, in comparison to the load-trip setting of 1,000 lbs. Provisions have also been made to allow fuel handling with either of the three auxiliary hoists and still maintain the refueling interlocks. The 400-1b load-trip setting on these hoists is adequate to trip the interlock when one of the more than 550-1b l fuel bundles is being handled. During certain periods, it is desirable to perform maintenance on two control rods and/or control rod drives at the same time without removing fuel from the cells. The maintenance is performed with the mode switch in the refuel position to provide the refueling interlocks normally available during refueling operations. In order to withdraw a second control rod after withdrawal of the first rod, it is necessary to bypass the refueling interlock on the first control rod which prevents more than one control rod from being withdrawn at the same time. The requirement that an adequate shutdown margin be demonstrated and that all remaining control rods have their directional control valves electrically disarmed ensures that inadvertent criticality cannot occur during this maintenance. The adequacy of the shutdown margin is verified by demonstrating that at least 0.38 percent Ak shutdown margin is available. Disarming the directional control valves does not inhibit control rod scram capability. Specification 3.10.A.7 allows unloading of a significant portion of the reactor core. This operation is performed with the mode switch in the refuel position to provide the refueling interlocks normally available during refueling operations. In order to withdraw more than one control rod, it is necessary to bypass the refueling interlock on each withdrawn control rod which prevents more than one control rod from being withdrawn at a time. The requirement that the fuel assemblies in the cell controlled by the control rod be removed a from the reactor core before the interlock can be bypassed ensures that withdrawal of another control rod does not result in inadvertent criticality. Each control rod provides primary reactivity control for the fuel assemblies in the cell associated with that control rod. Thus, removal of an entire cell (fuel assemblies plus control rod) results in a lower reactivity potential of the core. The requirements for SRM OPERABILITY during these CORE ALTERATIONS assure sufficient core monitoring. 1 BFN 3.10/4.10-12 Unit 1

-- -.. -.. - ~. _.. _ _.. - - - _. - - - - - -.. - -.. -... - -. -. - - -. ~.. - -... f f i

1.1 BASES

FUEL CLADDING INTEGRITY SAFETY LIMIT l The fuel cladding represents one of__the physical barriers which separate radioactive materials from environs. The integrity of this cladding barrier is related to its relative freedom from perforations or cracking. Although some corrosion or use-related cracking may occur during the life of the cladding, fission product migration from this source is incrementally cumulative and continuously measurable. Fuel cladding perforations, however, can result from thermal stresses which occur from reactor operation significantly above design conditions and the protection system setpoints. While fission product migration from cladding perforation is just as measurable as that from use-related cracking, the thermally-caused cladding perforations signal a threshold, j beyond which still greater thermal stresses may cause gross rather than incremental cladding deterioration. Therefore, the fuel cladding safety limit is defined in terms of the reactor operating conditions which can result in cladding perforation. The fuel cladding integrity limit is set such that no calculated fuel damage would occur as a result of an abnormal operational transient. Because fuel damage is not directly observable, the Fuel Cladding Safety Limit is defined with margin to the conditions which would produce onset transition boiling (MCPR of 1.0). This establishes a Safety Limit such that the minimum critical power ratio (MCPR) is no less than 1.07. MCPR > 1.07 represents a conservative margin relative to the conditions required to maintain fuel cladding integrity. Onset of transition boiling results in a decrease in heat transfer from the clad and, therefore, elevated clad temperature and the possibility of clad failure. Since boiling transition is not a directly observable parameter, the margin to boiling transition is calculated from plant operating parameters such as core power, core flow, feedwater temperature, and core power distribution. The margin for each fuel assembly is characterized by the critical power ratio (CPR) which is the ratio of the bundle power which would produce onset of transition boiling divided by the actual bundle d power. The minimum value of this ratio for any bundle in the core is the minimum critical power ratio (MCPR). It is assumed that the plant operation is controlled to the nominal protective setpoints via the instrumented variables, i.e., normal plant operation presented on Figure 2.1-1 by the nominal expected flow control line. The Safety Limit (MCPR of 1.07) has sufficient conservatism to assure that in the event of an abnormal operational transient initiated from a normal operating condition (MCPR > limits specified in Specification 3.5.K) more than 99.9 percent of the fuel rods in the core are expected to avoid boiling transition. The margin between MCPR of 1.0 (onset of transition boiling) and the safety limit 1.07 is derived from a detailed statistical analysis considering all of the uncertainties in monitoring the core operating state including uncertainty in the boiling transition correlation as described in Reference 1. The uncertainties employed in deriving the safety limit are provided at the beginning of each fuel cycle. BFN 1.1/2.1-8 Unit 2

I 1.1 BASES (Cont'd) i l Because the boiling transition correlation is based on a large quantity of full scale data there i~i a very high confidence that operation of a fuel assembly at the condition of MCPR = 1.07 would j not produce boiling transition. Thus, although it is not required i to establish the safety limit additional margin exists between the i safety limit and the actual occurrence of loss of cladding integrity. ) However, if boiling transition were to occur, clad perforation would 3 i not be expected. Cladding temperatures would increase to j approximately 1,100 F which is below the perforation temperature of the cladding material. This has been verified by tests in the { General Electric Test Reactor (GETR) where fuel similar in design to BFNP operated above the critical heat flux for a significant period e of time (30 minutes) without clad perforation. a If reactor pressure should ever exceed 1,400 paia during normal power operation (the limit of applicability of the boiling j transition correlation) it would be assumed that the fuel cladding integrity Safety Limit has been violated. 4 ) At pressures below 800 psia, the core elevation pressure drop (0 power, O flow) is greater than 4.56 pai. At low powers and flows i this pressure differential is maintained in the bypass region of the } core. Since the pressure drop in the bypass region is essentially l all elevation head, the core pressure drop at low power and flows l will always be greater than 4.5 pai. Analyses show that with a flow y of 28x103 lbs/hr bundle flow, bundle pressure drop is nearly j j independent of bundle power and has a value of 3.5 pai. Thus, the bundle flow with a 4.56 psi driving head will be greater than { 28x103 lbs/hr. Full scale ATLAS test data taken at pressures from 14.7 psia to 800 psia indicate that the fuel assembly critical power j at this flow is approximately 3.35 MWt. With the design peaking i factors this corresponds to a core thermal power of more than 50 l percent. Thus, a core thermal power limit of 25 percent for reactor j pressures below 800 psia is conservative. i For the fuel in the core during periods when the reactor is shut i down, consideration must also be given to water level requirements due to the effect of decay heat. If water level should drop below i the top of the fuel during this time, the ability to remove decay ] heat is reduced. This reduction in cooling capability could lead to elevated cladding temperatures and clad perforation. As long as the fuel remains covered with water, sufficient cooling is available to j prevent fuel clad perforation. t 4 5 l, i BFN 1.1/2.1-9 i Unit 2

4 2.1 BASES (Cont'd) 1 Analyses of the limiting transients show that no scram ~ adjustment is required to assure MCPR > 1.07 when the transient is initiated from MCPR limits specified in Specification 3.5.k. 2

2..APRM Flux Scram Trio Settina (REFUEL or STARTUP/ HOT STANDBY MODE) 1 For operation in the startup mode while the reactor is at low pressure, the APRM scram setting of 15 percent of rated power provides adequate thermal margin between the setpoint and the safety limit, 25 percent of rated. The margin is adequate to accommodate anticipated maneuvers associated with power plant startup. Effects of increasing pressure at zero or low void j

content are minor, cold water from sources available during i startup is not much colder than that already in the system, temperature coefficients are small, and control rod patterns are constrained to be uniform by operating procedures backed up by the rod worth minimizer. Worth of individual rods is very low in a uniform rod pattern. Thus, of ell possible sources of reactivity input, uniform control rod withdrawal is the most probable cause of significant power rise. Because the flux distribution associated with uniform rod withdrawals does not involve high local peaks, and because several rods must be moved to change power by a significant percentage of rated power, the rate of power rise is very slow. Generally, the heat flux is in near equilibrium with the fission rate. In an assumed uniform rod withdrawal approach to the scram level, the rate of power rise is no more than five percent of rated power per minute, and the APRM system would be more than adequate to assure a scram before the power could exceed the safety limit. The 15 percent APRM scram remains active until the mode switch is placed in the RUN position. This switch occurs when reactor pressure is greater than 850 psig. 3. IRM Flux Scram Trio Settina The IRM System consists of eight chambers, four in each of the reactor protection system logic channels. The IRM is a five-decade instrument which covers the range of power level between that covered by the SEM and the APRM. The five decades are covered by the IRM by means of a range switch and the five decades are broken down into 10 ranges, each being one-half of a decade in size. The IRM scram setting of 120 divisions is active in each range of the IRM. For example, if the instrument was on range 1, the scram setting would be 120 divisions for l that range; likewise if the instrument was on range 5, the scram setting would be 120 divisions for that range. l 4 BFN 1.1/2.1-13 Unit 2

l 2.1 AAEKE (Cont'd) IRM Flux Scram Trio Settina (Continued) Thus, as the IRM is ranged up to accommodate the increase in power level, the scram setting is also ranged up. A scram at 120 divisions on the IRM instruments remains in effect as long as the reactor is in the startup mode. In addition, the APRM 15 percent scram prevents higher power operation without being in the RUN mode. The IRM scram provides protection for changes which occur both locally and over the entire core. The most significant sources of reactivity change during the power increase are due to control rod withdrawal. For insequence control rod withdrawal, the rate of change of power is slow enough due to the physical limitation of withdrawing control rods that heat. flux is in equilibrium with the neutron flux. An IRM scram would result in a reactor shutdown well before any SAFETY LIMIT is exceeded. For the case of a single control rod l withdrawal error, a range of rod withdrawal accidents was analyzed. This analysis included starting the accident at various power levels. The most severe case involves an initial condition in which the reactor is just suberitical and the IRM system is not yet on scale. This condition exists at quarter rod density. Quarter rod density is discussed in paragraph 7.5.5.4 of the FSAR. Additional conservatism was taken in this analysis by assuming that the IRM channel closest to the withdrawn rod is bypassed. The results of this analysis show that the reactor is scrammed and peak power limited to one percent of rated power, thus maintaining MCPR above 1.07. Based on the above analysis, the IRM provides protection against local control rod withdrawal errors and continuous withdrawal of control rods in sequence.

4. Fixed Hiah Neutron Flux Scram Trio The average power range monitoring (APRM) system, which is calibrated using heat balance data taken during steady-state conditions, reads in percent of rated power (3,293 MWt). The APRM system responds directly to neutron flux. Licensing analyses have demonstrated that with a neutron flux scram of 120 percent of rated power, none of the abnormal operational i

transients analyzed violate the fuel SAFETY LIMIT and there is a l substantial margin from fuel damage. B. APRM Control Rod Block Reactor power level may be varied by moving control rods or by varying the recirculation flow rate. The APRM system provides a control rod block to prevent rod withdrawal beyond a given point at constant recirculation flow rate and thus prevents scram actuation. This rod block trip setting, which is automatically varied with recirculation loop flow rate, prevents an increase in the reactor power level to excess values due to control rod withdrawal. The flow variable trip setting is selected to provide adequate margin to i l the flow-biased scram setpoint. l BFN 1.1/2.1-14 Unit 2 ,-r,-

l l 2.1 BASES (Cont'd) C. Reactor Water Low Level Scram and Isolation (Exceot Main Steam Lines) l The setpoint for the low level scram is above the bottom of the separator skirt. This level has been used in transient analyses dealing with coolant inventory decrease. The results reported in FSAR Subsection 14.5 show that scram and isolation of all process lines (except main steam) at this level adequately protects the fuel and the pressure barrier, because MCPR is greater than 1.07 in all ) cases, and system pressure does not reach the safety valve settings. The scram setting is sufficiently below normal operating range to avoid spurious scrams. D. Turbine Stoo Valve Closure Scram The turbine stop valve closure trip anticipates the pressure, neutron flux and heat flux increases that would result from closure of the stop valves. With a trip setting of 10 percent of valve closure from full open, the resultant increase in heat flux is such that adequate thermal margins are maintained even during the worst case transient that assumes the turbine bypass valves remain closed. (Reference 2) E. Turbine Control Valve Fast Closure or Turbine Trio Scram Turbine control valve fast closure or turbine trip scram anticipates the pressure, neutron flux, and heat flux increase that could result from control valve fast closure due to load rejection or control valve closure due to turbine trip; each without bypass valve capability. The reactor protection system initiates a scram in less than 30 milliseconds after the start of control valve fast closure due to load rejection or control valve closure due to turbine trip. This scram is achieved by rapidly reducing hydraulic control oil pressure at the main turbine control valve actuator dise dump valves. This loss of pressure is sensed by pressure switches whose contacts form the one-out-of-two-twice logic input to the reactor protection system. This trip setting, a nominally 50 percent greater closure time and a different valve characteristic from that of the turbine stop valve, combine to produce transients very similar to that for the stop valve. No significant change in MCPR occurs. Relevant transient analyses are discussed in References 2 and 3 of the Final Safety Analysis Report. This scram is bypassed when turbine steam flow is below 30 percent of rated, as measured by turbine first state pressure. BFN 1.1/2.1-15 Unit 2

2.1 BASES (Cont'd) i F. (Deleted) G. & H. Main Steam line Isolation on Low Pressure and Main Steam Line Isolation Scram The low pressure isolation of the main steam lines at 825 psig was provided to protect against rapid reactor depressurization and the resulting rapid cooldown of the vessel. The scram feature that occurs when the main steam line isolation valves close shuts down l the reactor so that high power operation at low reactor pressure does not occur, thus providing protection for the fuel cladding integrity SAFETY LIMIT. Operation of the reactor at pressures lower l than 825 psig requires that the reactor mode switch be in the STARTUP position, where protection of the fuel cladding integrity SAFETY LIMIT is provided by the IRM and APRM high neutron flux scrams. Thus, the combination of main steam line low pressure isolation and isolation valve closure scram assures the availability of neutron flux scram protection over the entire range of l applicability of the fuel cladding integrity SAFETY LIMIT. In addition, the isolation valve closure scram anticipates the pressure and flux transients that occur during normal or inadvertent isolation valve closure. With the scrans set at 10 percent of valve closure, neutron flux does not increase. I.J.& K. Reactor Low Water Level Setooint for Initiation of HPCI and RCIC Closina Main Steam Isolation Valves. and Startina LPCI and Core Sorav Pumns. These systems maintain adequate coolant inventory and provide core cooling with the objective of preventing excessive clad temperatures. The design of these systems to adequately perform the intended function is based on the specified low level scram setpoint and initiation setpoints. Transient analyses reported in Section 14 of the FSAR demonstrate that these conditions result in adequate safety margins for both the fuel and the system pressure. L. References 1. Supplemental Reload Licensing Report of Browns Ferry Nuclear Plant, Unit 2 (applicable cycis-specific document). 2. GE Standard Application for Reactor Fuel, NEDE-24011-P-A and NEDE-24011-P-A-US (latest approved version). BFN 1.1/2.1-16 Unit 2

d 1.2 BASES REACTOR COOLANT SYSTEM INTEGRITY The safety limits for the reactor coolant system pressure have been selected such that they are below pressures at which it can be shown that the integrity of the system is not endangered. However, the pressure safety limits are not high enough such that no foreseeable circumstances can cause the system pressure to rise over these limits. The pressure safety limits are arbitrarily selected to be the lowest transient l overpressures allowed by the applicable codes, ASME Boiler and Pressure Vessel Code, Section III, and USAS Piping Code, Section B31.1. i The design pressure (1,250 pais) of the reactor vessel is established such that, when the 10 percent allowance (125 psi) allowed by the ASME Boiler and Pressure Vessel Code Section III for pressure transients is added to the design pressure, a transient pressure limit of 1,375 pais is ) established. Correspordingly, the design pressures (1,148 for suction and 1,326 for discharge) of the reactor recirculation system piping are such that, when the 20 percent allowance (230 and 265 psi) allowed by USAS Piping Code, Section B31.1 for-pressure transients is added to the design pressures, transient pressure limits of 1,378 and 1,591 psig are established. Thus, the pressure safety limit applicable to power operation is established at 1,375 psig (the lowest transient overpressure allowed by the pertinent codes), ASME Boiler and Pressure Vessel Code, Section III, and USAS Piping Code, Section B31.1. The current cycle's safety analysis concerning the most severe abnormal operational transient resulting directly in a reactor coolant system pressure increase is given in the reload licensing submittal for the current cycle. The reactor vessel pressure code limit of 1,375 psig given in subsection 4.2 of the safety analysis report is well above the peak pressure produced by the overpressure transient described above. Thus, the pressure safety limit applicable to power operation is well above the peak pressure that can result due to reasonably expected overpressure transients. Higher design pressures have been established for piping within the reactor coolant system than for the reactor vessel. These increased design pressures create a consistent design which assures that, if the pressure within the reactor vessel does not exceed 1,375 psis, the pressures within the piping cannot exceed their respective transient ] pressure limits due to static and pump heads. The safety limit of 1,375 psig actually applies to any point in the reactor vessel; however, because of the static water head, the highest pressure point will occur at the bottom of the vessel. Because the J J BFN 1.2/2.2-2 Unit 2

i 1.2 BASES (Cont'd) f pressure is not monitored at this point, it cannot be directly determined i if this safety limit has been violated. Also, because of the potentially varying head level and flow pressure dropa, an equivalent pressure cannot be a priori determined for a pressure monitor higher in the vessel. Therefore, following any transient that is severe enough to cause concern that this safety limit was violated, a cniculation will be performed using all available information to determine if the safety limit was l violated. REFERENCES 1. Plant Safety Analysis (BFNP FSAR Sections 14.0 and Appendix N) l 2. ASME Boiler and Pressure Vessel Code Section-III 3. USAS Piping Code, Section B31.1 4. Reactor Vessel and Appurtenances Mechanical Design (BFNP FSAR Subsection 4.2) 5. Generic Reload Fuel Application, Licensing Topical Report, NEDE-24011-P-A and Addenda. BFN 1.2/2.2-3 Unit 2

. ~. - _ - - - -. ~... -. - - - - - - 4 i 3.1 BASES TheReactorProtectionSystemautomaticallyinitiatesareactorscramtorl 1. Preserve the integrity of the fuel cladding. 1 l 2. Preserve the integrity of the reactor coolant system. 3 3. Minimize the energy which must be absorbed following a loss of coolant accident, and prevents criticality. This specification provides the LIMITING CONDITIONS FOR OPERATION l necessary to preserve the ability of the system to tolerate single i failures and still perform its intended function even during periods when instrument channels may be out of service because of maintenance. When necessary, one channel may be made inoperable for brief intervals to l conduct required functional tests and calibrations. The reactor protection trip system is nupplied, via a separate bus, by its own high ;nertia, ac motor-generator set. Alternate power is available to either Reactor Protection System bus from an electrical bus that can receive standby electrical power. The RPS monitoring system provides an isolation between nonclass 1E power supply and the class 1E RPS bus. This will ensure that failure of a nonclass 1E reactor protection power supply will not cause adverse interaction to the class 1E Reactor Protection System. The Reactor Protection System is made up of two independent trip systems l 1 j (refer to Section 7.2, FSAR). There are usually four channels provided j to monitor each critical parameter, with two channels in each trip ~ system. The outputs of the channels in a trip system are combined in a logic such that either channel trip will trip that trip system. The simultaneous tripping of both trip systems will produce a reactor scram. This system meets the intent of IEEE-279 for Nuclear Power Plant Protection Systems. The system has a reliability greater than that of a 2-out-of-3 system and somewhat less than that of a 1-out-of-2 system. With the exception of the Average Power Range Monitor (APRM) channels, the Intermediate Range Monitor (IRM) channels, the Main Steam Isolation Valve closure and the Turbine Stop Valve closure, each trip system logic has one instrument channel. When the minimum condition for operation on the number of OPERABLE instrument channels per untripped protection trip system is met or if it cannot be met and the effected protection trip system is placed in a tripped condition, the effectiveness of the protection system is preserved; i.e., the system can tolerate a single failure and still perform its intended function of scramming the reactor. Three APRM instrument channels are provided for each protection trip system. BFN 3.1/4.1-14 Unit 2

I l 3.1 BASES (Cont'd) Each protection trip system has one more APRM than is necessary to meet the minimum number required per channel. This allows the bypassing of one APRM per protection trip system for maintenance, testing or calibration. Additional IRM channels have also been provided to allow for bypassing of one such channel. The bases for the scram setting for the IRM, APRM, high reactor pressure, reactor low water level, MSIV closure, turbine control valve fast closure, and turbine stop valve l closure are discussed in Specifications 2.1 and 2.2. Instrumentation (pressure switches) for the drywell are provided to i detect a loss of coolant accident and initiate the core standby cooling equipment. A high drywell pressure scram is provided at the same setting as the core cooling systems (CSCS) initiation to minimize the energy which must be accommodated during a loss of coolant accident and to prevent return to criticality. This instrumentation is a backup to the reactor vessel water level instrumentation. A reactor mode switch is provided which actuates or bypasses the various scram functions appropriate to the particular plant operating status. Reference Section 7.2.3.7 FSAR. The manual scram function is active in all modes, thus providing for a manual means of rapidly inserting control rods during all modes of reactor operation. The IRM system (120/125 scram) in conjunction with the APRM system (15 percent scram) provides protection against excessive power levels and short reactor periods in the startup and intermediate power ranges. The control rod drive scram system is designed so that all of the water which is discharged from the reactor by a scram can be accommodated in the discharge piping. The discharge volume tank accommodates in excess of 50 gallons of water and is the low point in the piping. No credit was taken for this volume in the design of the discharge piping as concerns the amount of water which must be accommodated during a scram. During normal operation the discharge volume is wspty; however, should it fill with water, the water discharged to the piping from the reactor could not I l l BFN 3.1/4.1-15 Unit 2

- -.-. - - -. _ ~.. - - i i 1. j 4.1 BASES 4 j The minimum functional testing frequency used in this specification is j based on a reliability analysis using~the concepts developed in reference i (1). This concept was specifically adapted to the one-out-of-two taken twice logic of the reactor protection system. The analysis shows that the sensors are primarily responsible for the reliability of the reactor protection system. This analysis makes use of " unsafe failure" rate experience at conventional and nuclear power plants in a reliability model for the system. An " unsafe failure" is defined as one which negates channel operability and which, due to its nature, is revealed only when the channel is functionally tested or attempts to respond to a real signal. Failure such as blown fuses, ruptured bourdon tubes, faulted amplifiers, faulted cables, etc., which result in " upscale" or "downscale" readings on the reactor instrumentation are " safe" and will be easily recognized by the operators during operation because they are revealed by an alare or a scram. The channels listed in Tables 4.1.A and 4.1.B are divided into three groups for functional testing. These are: A. On-Off sensors that provide a scram trip function. B. Analog devices coupled with bistable trips that provide a scram function. C. Devices which only serve a useful function during some restricted { mode of operation, such as STARTUP, Jr for which the only practical test is one that can be performed at SHUTDOWN. The sensors that make up group (A) are specifically selected from among the whole family of industrial on-off sensors that have earned an excellent reputation for reliable operation. During design, a goal of 0.99999 probability of success (at the 50 percent confidence level) was l adopted to assure that a balanced and adequate design is achieved. The probability of success is primarily a function of the sensor failure rate and the test interval. A three-month test interval was planned for group (A) sensors. This is in keeping with good operating practices, and satisfies the design goal for the logic configuration utilized in the Reactor Protection System. The once per six-month functional test frequency for the scram pilot air header low pressure trip function is acceptable due to: 1. The functional reliability previously demonstrated by these switches on Unit 2 during Cycles 6 and 7, 2. The need for minimizing the radiation exposure associated with the functional testing of these switches, and 3. The increased risk to plant availability while the plant is in a half-scram condition during the performance of the functional testing versus the limited increase in reliability that would be obtained by more frequent functional testing. BFN 3.1/4.1-17 Unit 2

4.1 BASES (Cont'd) Experience with passive type instruments in generating stations and substations indicates that the specified calibrations are adequate. For those devices which employ amplifiers, etc., drift specifications call for drift to be less than 0.4 percent / month; i.e., in the period of a month a drift of 0.4-percent would occur thus providing for adequate margin. l For the APRM system drift of electronic apparatus is not the only consideration in determining a calibration frequency. Change in power distribution and loss of chamber sensitivity dictate a calibration every 3 seven days. Calibration on this frequency assures plant operation at or below thermal limits. 1 J A comparison of Tables 4.1.A and 4.1.B indicates that two instrument channels have been included in the latter table. These are: mode switch in SHUTDOWN and manual scram. All of the devices or sensors associated-with these scram functions are simple on-off switches and, hence, calibration during operation is not applicable, i.e., the switch is either on or off. The sensitivity of LPRM detectors decreases with exposure to neutron flux at a slow and approximately constant rate. The APRM system, which uses the LPRM readings to detect a change in thermal power, will be calibrated every seven days using a heat balance to compensate for this change in sensitivity. The RBM system uses the LPRM reading to detect a localized change in thermal power. It applies a correction factor based on the APRM j output signal to determine the percent thermal power and therefore any 3 change in LPRM sensitivity is compensated for by the APRM calibration. 1 The technical specification limits of CMFLPD, CPR, and APLHGR are determined by the use of the process computer or other backup methods. These methods use LPRM readings and TIP data to determine the power distribution. j Compensation in the process computer for changes in LPRM sensitivity will be made by performing a full core TIP traverse to update the computer calculated LPRM correction factors every 1000 effective full power hours. As a minimum the individual LPRM meter readings will be adjusted at the beginning of each operating cycle before reaching 100 percent power. 1 i BFN 3.1/4.1-20 Unit 2

l l 3.2 BASES I In addition to reactor protection instrumentation which initiates a reactor scram, protective instrumentation has been provided which initiates action to mitigate the consequences of accidents which are beyond the operator's ability to control, or terminates operator errors before they result in serious consequences. This set'of specifications provides the limiting conditions of operation for the primary systen isolation function, initiation of the core cooling systems, control rod block and standby gas treatment systems. The objectives of the Specifications are (1) to assure the effectiveness of'the protective instrumentation when required by preserving its capability to tolerate a single failure of any component of such systems even during periods when portions of such systems are out of service for maintenance, and (ii) to prescribe the trip settings required to assure adequate performance. When necessary, one channel may be made inoperable for brief intervals to conduct required functional tests and calibrations. Some of the settings on the instrumentation that initiate or control core and containment cooling have tolerances explicitly stated where the high and low values are both critical and may have a substantial effect on safety. The setpoints of other instrumentation, where only the high or low end of the setting has a direct bearing on safety, are chosen at a level away from the normal operating range to prevent inadvertent actuation of the safety system involved and exposure to abnormal situations. Actuation of primary containment valves is initiated by protective instrumentation shown in Table 3.2.A which senses the conditions for which isolation is required. Such instrumentation must be available whenever PRIMARY CONTAINMENT INTEGRITY is required. l -f The instrumentation which initiates primary system isolation is connected in a dual bus arrangement. The low water level instrumentation set to trip at 538 inches above vessel zero closes isolation valves in the RHR System, Drywell and Suppression Chamber exhausts and drains and Reactor Water Cleanup Lines (Groups 2 and 3 isolation valves). The low reactor water level instrumentation that is set to trip when reactor water level is 470 inches above vessel zero (Table 3.2.B) trips the recirculation pumps and initiates the RCIC and HPCI systems. The low water level instrumentation set to trip at 1 398 inches above vessel zero (Tabic 3.2.A) closes the Main Steam Isolation Valves, the Main Steam Line Drain Valves, and the Reactor Water Sample Valves (Group 1). These trip settings are adequate to prevent core uncovery in the case of a break in the largest line assuming the maximum closing time. The low reactor water level instrumentation that is set to trip when reactor water level is 1 398 inches above vessel zero (Table 3.2.B) BFN 3.2/4.2-65 Unit 2

3.2 B&gg). (Cont'd) I In the event of a loss of the reactor building ventilation system, radiant heating in the vicinity of the main steam lines raises the ambient temperature above 200*F. The temperature increases can cause an unnecessary main steam line isolation and reactor scram. Permission is provided to bypass the temperature trip for four hours to avoid an unnecessary plant transient and allow performance of the secondary containment leak rate test or make repairs necessary to regain normal ventilation. Pressure instrumentation is provided to close the main steam isolation valves in RUN Mode when the main steam line pressure drops below 825 pais. The HPCI high flow and temperature instrumentation are provided to detect a break in the HPCI steam piping. Tripping of this instrumentation results in actuation of HPCI isolation valves. Tripping logic for the high flow is a 1-out-of-2 logic, and all sensors are required to be OPERABLE. High temperature in the vicinity of the HPCI equipment is sensed by four sets of four binetallic temperature switches. The 16 temperature switches are arranged in two trip systems with eight temperature switches l in each trip system. Each trip system consists of two channels. Each channel contains one temperature switch located in the pump room and three temperature switches located in the torus area. The RCIC high flow and high area temperature sensing instrument channels are arranged in the same manner as the HPCI system. The HPCI high steam flow trip setting of 90 paid and the RCIC high steam flow trip setting of 450" H O have been selected such that the trip 2 setting is high enough to prevent spurious tripping during pump startup but low enough to prevent core uncovery and maintain fission product releases within 10 CFR 100 limits. The NPCI and RCIC steam line space temperature switch trip settings are high enough to prevent spurious isolation due to normal temperature excursions in the vicinity of the steam supply piping. Additionally, these trip settings ensure that the primary containment isolation Pt',0m supply valves isolate a break within an acceptable time period to prevent core uncovery and maintain fission product releases within 10 CFR 100 limits. ~ High temperature at the Reactor Water Cleanup (RWCU) System in the main steam valve vault, RWCU pump room 2A, RWCU pump room 2B, RWCU heat exchanger room or in the space near the pipe trench containing RWCU piping could indicate a break in the cleanup system. When high temperature occurs, the cleanup system is isolated. BFN 3.2/4.2-67 Unit 2 l l.

i 3.3/4.3 BASES (Cont'd) 2. The control' rod housing support restricts the outward movement of a control rod to less Ihan three inches in the extremely l remote event of a housing failure. The amount of reactivity which could be added by this small amount of rod withdrawal, which is less than a normal single withdrawal increment, will not contribute to any damage to the primary coolant system. The design basis is given in subsection 3.5.2 of the FSAR and the safety evaluation is given in subsection 3.5.4. Tnis support is not required if the reactor coolant system is at i atmospheric pressure since there would then be no driving force to rapidly eject a drive housing. Additionally, the support is not required if all control rods are fully inserted and if an adequate shutdown margin with one control rod withdrawn has been demonstrated, since the reactor would remain suberitical even in the event of complete ejection of the strongest control rod. 3. The Rod Worth Minimizer (RWM) restricts withdrawals and insertions of control rods to prespecified sequences. All patterns associated with these sequences have the i characteristic that, assuming the worst single deviation from the sequence, the drop of any control rod from the fully inserted position to the position of the control rod drive would not cause the reactor to sustain a power excursion resulting in any pellet average enthalpy in excess of 280 cciories per gram. An enthalpy of 280 calories per gram is well below the level at which rapid fuel' dispersal could occur (i.e., 425 calories per gram). Primary system damage in this accident is not possible unless a significant amount of fuel is rapidly dispersed. Reference Sections 3.6.6, 7.16.5.3, and a 14.6.2 of the FSAR, and NEDE-24011-P-A, Amendment 17. In performing the function described above, the RWM is not required to impose any restrictions at core power levels in excess of 10 percent of rated. Material in the cited reference shows that it is impossible to reach 280 calories per gram in the event of a control rod drop occurring at power greater than 10 percent, regardless of the rod pattern. This is true for all normal and abnormal patterns including those which maximize individual control rod worth. i BFN 3.3/4.3-15 Unit 2

3.3/4.3 BASES (Cont'd) 5. The Rod Block Monitor (RBM),is designed to automatically prevent 4 fuel damage in the event of erroneous rod withdrawal from locations of high power. density during high power level operation. Two RBM channels are provided, and one of these may be bypassed from the console for maintenance and/or testing. Automatic rod withdrawal blocks from one of the channels will block erroneous rod withdrawal soon enough to prevent fuel damage. The specified restrictions with one channel out of service conservatively assure that fuel damage will not occur due to rod withdrawal errors when this condition exists. C. Scram Insertion Times The control rod system is designed to bring the reactor suberitical at a l rate fast enough to prevent fuel damage; i.e., to prevent the MCPR from becoming less than 1.07. The limiting power transients are given in Reference 1. Analysis of these transients shows that the negative reactivity rates resulting from the scram with the average response of all drives as given in the above specifications provide the required l protection and MCPR remains greater than 1.07. On an early BWR, some degradation of control rod scram performance { occurred during plant STARTUP and was determined to be caused by particulate material (probably construction debris) plugging an internal control rod drive filter. The design of the present control rod drive (Model 7RDB144B) is grossly improved by the relocation of the filter to a location out of the scram drive path; i.e., it can no longer interfere with scram performance, even if completely blocked. The degraded performance of the original drive (CRD7RDB144A) under dirty operating conditions and the insensitivity of the redesigned drive (CRD7RDB144B) has been demonstrated by a series of engineering tests under simulated reactor operating conditions. The successful performance of the new drive under actual operating conditions has also been demonstrated by consistently good in-service test results for plants using the new drive and may be inferred from plants using the older model 4 l BFN 3.3/4.3-17 Unit 2

l 3.3/4.3 BASES (Cont'd) drive with a modified (larger screen size) internal filter which is less prone to plugging. Data has been d'ocumented by surveillance reports in various operating plants. These include Oyster Creek, Monticello, Dresden 2, and Dresden 3. Approximately 5000 drive tests have been l recorded to date. Following identification of the " plugged filter" problem, very frequent scram tests were necessary to ensure proper performance. However, the more frequent scram testa are now considered totally unnecessary and unwise for the following reasons: 1. Erratic scram performance has been identified as due to an obstructed drive filter in type "A" drives. The drives in BFNP are of the new "B" type design whose scram performance is unaffected by filter condition. 2. The dirt load is primarily released during STARTUP of the reactor when the reactor and its systems are first subjected to flows and pressure and thermal stresses. Special attention and measures are now being taken to assure cleaner systems. Reactors with drives identical or similar (shorter stroke, smaller piston areas) have operated through many refueling cycles with no sudden or erratic changes in scram performance. This preoperational and STARTUP testing is sufficient to detect anomalous drive performance. 3. The 72-hour outage limit which initiated the start of the frequent scram testing is arbitrary, having no logical basis other than l quantifying a " major outage" which might reasonably be caused by an event so severe as to possibly affect drive performance. This requirement is unwise because it provides an incentive for shortcut actions to hasten returning "on line" to avoid the additional testing due a 72-hour outage. l l l I l BFN 3.3/4.3-18 Unit 2

a i I s-3.3/4.3 BASES l D. Reactivity Anomalies i During each fuel cycle excess operative reactivity varies as fuel depletes and as any burnable poison in supplementary control is burned. The magnitude of this excess reactivity may be inferred from the critical rod configuration. As fuel burnup progresses, { anomalous behavior in the excess reactivity may be detected by I comparison of the critical rod patter at selected base states to the predicted rod inventory at that state. Power operating base conditions provide the most sensitive and directly interpretable data relative to core reactivity. Furthermore, using power operating base conditions permits frequent reactivity comparisons. Requiring a reactivity comparison at the specified frequency assures that a comparison will be made before the core reactivity change exceeds 1 percent AK. Deviations in core reactivity greater than 1 percent AK are not expected and require thorough evaluation. One percent reactivity limit is considered safe since an insertion of~ one percent reactivity into the core would not lead to transients exceeding design conditions of the reactor system. E. No BASES provided for this specification ' F. Jeram Discharae Volume The nominal stroke tims for the scram discharge volume vent and drain valves is 1 30 seconds following a scram. The purpose of these valves is to limit the quantity of reactor water discharged after a scram and no direct safety function is performed. The 1 surveillance for the valves assures that system drainage is not impeded by a valve which fails to open and that the valves are OPERABLE and capable of closing upon a scram. ] References 1. Generic Reload Fuel Application, Licensing Topical Report, NEDE-24011-P-A and Addenda. BFN 3.3/4.3-20 Unit 2

i 3.5 B&EEE 3.5.A. Core Sorav System (CSS) and 3.5 B Residual Heat Removal Sv6 tem (RHES) Analyses presented in the FSAR* and analyses presented in conformance with 10 CFR 50, Appendix K, demonstrated that the core spray system in conjunction with two LPCI pumps provides adequate cooling to the core to dissipate the energy associated with the loss-of-coolant accident and to limit fuel clad temperature to below 2,200*F which assures that core geometry remains intact and to limit the core average clad metal-water ) reaction to less than 1 percent. Core spray distribution has been shown in tests of systems similar in design to BFNP to exceed the minimum l requirements. In addition, cooling effectiveness has been demonstrated at less than half the rated flow in simulated fuel assemblies with heater { rods to duplicate the decay heat characteristics of irradiated fuel. The RHP- '.,NI mode) is designed to provide emergency cooling to the core i by floct.ag in the event of a loss-of-coolant accident. This system is 1 completely independent of the core spray system; however, it does function in combination with the core spray system to prevent excessive fuel clad temperature. The LPCI mode of the RHRS and che core spray system provide adequate cooling for break areas of approximately 0.2 square feet up to and including the double-ended recirculation line break l without assistance from the high-pressure emergency core cooling subsystems. The intent of the CSS and RHRS specifications is to not allow startup from the cold condition without all associated equipment being OPERABLE. 1 However, during operation, certain components may be out of service for the specified allowable repair times. The allowable repair times have been selected using engineering judgment based on experiences and supported by availability analysis. Should one core spray loop become inoperable, the remaining core spray loop, the RHR System, and the diesel generators are required to be OPERABLE should the need for core cooling ariee. These provide extensive margin over the OPERABLE equipment needed for adequate core cooling. With due regard for this margin, the allowable repair time of seven days was chosen. Should one RHR pump (LPCI mode) become inoperable, three RHR pumps (LPCI mode) and the core spray system are available. Since adequate core cooling is assured with this complement of ECCS, a seven day repair period is justified. Should two RHR pumps (LPCI mode) become inoperable, there remains no reserve (redundant) capacity within the RHRS (LPCI mode). Therefore, the affected unit shall be placed in cold shutdown within 24 hours.

  • A detailed functional analysis is given in Section 6 of the BFNP TSAR.

BFN 3.5/4.5-24 Unit 2

h 3.5 B&111 (Cont'd) i l With the RCICS inoperable, a seven-day period to return the system to service is justified based on the availability of the HPCIS to cool. I the core and upon consideration that the average risk associated with failure of the RCICS to cool the core when required is not increased. The surveillance requirements, which are based on industry codes and standards, provide adequare assurance that the RCICS will be OPERABLE when required. 3.5.G Automatic Deoressurization System (ADS) The ADS consists of six of the thirteen relief valves. It is designed to provide depressurization of the reactor coolant system during a small break loss of coolant accident (LOCA) if HPCI fails or is unable to maintain the required water level in the reactor vessel. ADS operation reduces the reactor vessel pressure to within the operating a pressure range of the low pressure emergency core cooling systems (core spray and LPCI) so that they can operate to protect the fuel barrier. Specification 3.5.G applies only to the automatic feature of the pressure relief system. Specification 3.6.D specifies the requirements for the pressure relief function of the valves. It is possible for any number of the valves assigned to the ADS to be incapable of performing their ADS functions because of instrumentation failures, yet be fully capable of performing their pressure relief function. The emergency core cooling system LOCA analyses for small line breaks assumed that four of the six' ADS valves were OPERABLE. By requiring l six valves to be OPERABLE, additional conservatism is provided to account for the possibility of a single failure in the ADS system. Reactor operation with one of the six ADS valves inoperable is allowed to continue for fourteen days provided the HPCI, core spray, and LPCI systems are OPERABLE. Operation with more than one ADS valve inoperable is not acceptable. With one ADS valve known to be incapable of automatic operation, five valves remain OPERABLE to perform the ADS function. This condition is within the analyses for a small break LOCA and the peak clad temperature is well below the 10 CFR 50.46 limit. Analysis has shown that four valves are capable of depressurizing the reactor rapidly enough to maintain peak clad temperature within acceptable limits. 3.5.H. Maintenance of Filled Discharme Pine If the discharge piping of the core spray, LPCI, HPCIS, and RCICS are not filled, a water hammer can develop in this piping when the pump and/or pumps are started. To minimize damage to the discharge piping and to ensure added margin in the operation of these systems, this Technical Specification requires the discharge lines to be filled BFN 3.5/4.5-30 Unit 2

3.5 BASES (Cont'd) The LHGR shall be checked daily during reactor operation at 1 25 percent power to determine if fuel burnup, or control rod movement has caused changes in power distribution. For LEGR to be a limiting value below 25 percent of rated thermal power, the largest total peaking would have to be greater than approximately 9.7 which is precluded by a considerable margin when employing'any permissible control rod pattern. 1 3.5.K. Minimum Critical Power Ratio (MCPR) At core thermal power levels less than or equal to 25 percent, the reactor will be operating at minimum recirculation pump speed and the moderator void content will be very small. For all designated control rod patterns which may be employed at this point, operating plant experience and thermal hydraulic analysis indicated that the resulting MCPR value is in excess of requirements by a considerable margin. With this low void content, any inadvertent core flow increase would only place operation in a more conservative mode relative to MCPR. The daily requirement for calculating MCPR above 25 percent rated thermal power is sufficient since power distribution shifts are very slow when there have not been significant power or control rod changes. The requirement for calculating MCPR when a limiting control rod pattern is approached ensures that MCPR will be known following a change in power or power shape (regardless of magnitude) that could place operation at a thermal limit. 3.5.L. APRM Setooints Operation is constrained to the LHGR limit of Specification 3.5.J. This limit is reached when core maximum fraction of limiting power density (CMFLPD) equals 1.0. For the case where CMFLPD exceeds the fraction of rated thermal power, operation is permitted only at less than 100-percent rated power and only with APRM scram settings as required by Specification 3.5.L.1. The scram trip setting and rod block trip setting are adjusted to ensure that no combination of CMFLPD and FRP will increase the LHGR transient peak beyond that allowed by the 1-percent plastic strain limit. A six-hour time l period to achieve this condition is justified since the additional margin gained by the setdown adjustment is above and beyond that ensured by the safety analysis. 3.5.M. Core Thermal-Hydraulic Stability The minimum margin to the onset of thermal-hydraulic instability occurs in Region I of Figure 3.5.M-1. A manually initiated scram upon entry into this region is sufficient to preclude core oscillations which could challenge the MCPR safety limit. Because the probability of thermal-hydraulic oscillations is lower and the margin to the MCPR safety limit is greater in Region II than in Region I of Figure 3.5.M-1, an immediate scram upon entry into the l BFN 3.5/4.5-32 Unit 2 J

= 3.6/4.6 BASES l 3.6.B/4.6.C (Cont'd) five gpm, as specified in 3.6.C, the experimental and analytical data suggest a reasonable margin of safety that such leakage magnitude would not result from a crack approaching the critical size for rapid propagation. Leakage less than the magnitude specified can be detected reasonably in a matter of a few hours utilizing the available leakage detection schemes, and if the origin cannot be determined in a reasonably short time, the unit should be shut down to allow further investigation and corrective action. The two spe limit for coolant leakage rate increases over any 24-hour l period is a limit specified by the NRC (Reference 2). This limit applies only during the RUN mode to avoid being penalized for the expected coolant leakage increase during pressurization. The total leakage rate consists of all leakage, identified and unidentified, which flows to the drywell floor drain and equipment drain sumps. l The capacity of the drywell floor sump pump is 50 gpm and the capacity of the drywell equipment sump pump is also 50 ape. Removal of 25 spa from either of these sumps can be accomplished with considerable margin. REFERENCE

1. Nuclear System Leakage Rate Limits (BFNP FSAR Subsection 4.10)
2. Safety Evaluation Report (SER) on IE Bulletin 82-03 3.6.D/4.6.D Relief Valves 1

To meet the safety basis, 13 relief valves have been installed on the unit.with a total capacity of 84.1 percent of nuclear boiler rated steam flow. The analysis of the worst overpressure transient, (3-second closure of all main steam line isolation valves) neglecting the direct scram (valve position scram) results in a maximum vessel pressure which, if a neutron flux scram is assumed considering 12 valves OPERABLE, results in adequate margin to the code allowable overpressure limit of 1,375 psig. To meet operational design, the analysis of the plant isolation transient (generator load reject with bypass valve failure to open) shows that 12 of the 13 relief valves limit peak system pressure to a value which is well below the allowed vessel overpressure of 1,375 psig. Experience in relief valve operation shows that a testing of 50 percent of the valves per year is adequate to detect failures or deteriorations. The relief valves are benchtested every second operating cycle to ensure that their setpoints are within the i 1 percent tolerance. The relief valves are tested in place in accordance with Specification 1.0.M4 to establish that they will open and pass steam. BFN 3.6/4.6-30 Unit 2

j 3.6/4.6 BASES 3.6.D/4.6.D (Cont'd) The requirements established above apply when the nuclear system can be pressurized above ambient conditions. These requirements are applicable at nuclear system pressures below normal operatina pressures because abnormal operational transients could possibly start at these conditions such that eventual overpressure relief would be needed. However, these transients are much less severe, in terms of pressure, than those starting at rated conditions. The valves need not be functional when the vessel head is removed, since the nuclear system cannot be pressurized. The relief valves are not required to be OPERABLE in the COLD SHUTDOWN CONDITION. Overpressure protection is provided during hydrostatic tests by two of the relief valves whose relief setting has been established in conformance with ASME Section XI code requirements. The capacity of one relief valve exceeds the charging capacity of the pressurization source used during hydrostatic testing. Two relief valves are used to provide redundancy. REFERENCES 1 1. Nuclear System Pressure Relief System (BFNP FSAR Subsection 4.4) d 2. " Protection Against Overpressure" (ASME Boiler and Pressure Vessel l Code,_Section III, Article 9) 3. Browns Ferry Nuclear Plant Design Deficiency Report--Target Rock l Safety-Relief Valves, transmitted by J. E. Gilleland to F. E. Kruesi, August 29, 1973 4. Generic Reload Fuel Application, Licensing Topical Report, l NEDE-24011-P-A and Addenda l 3.6.E/4.6.E Jet Pumos Failure of a jet pump nozzle assembly holddown mechanism, nozzle assembly 1 and/or riser, would increase the cross-sectional flow area for blowdown 1 following the design basis double-ended line break. Also, failure of the diffuser would eliminate the capability to reflood the core to two-thirds height level following a recirculation line break. Therefore, if a i failure occurred, repairs must be made. The detection technique is as follows. With the two recirculation pumps i balanced in speed to within i 5 percent, the flow rates in both recirculation loops will be verified by control room monitoring instruments. If the two flow rate values do not differ by more than 10 percent, riser and nozzle assembly integrity has been verified. BFN 3.6/4.6-31 Unit 2

3.6/4.6. BASES j 3.6.E/4.6.E (Cont'd) If they do differ by 10 percent or more, the core flow rate measured by the jet pump diffuser differential pressure system must be checked against the core flow rate derived _from the measured values of loop flow to core flow correlation. If the difference between measured and derived core flow rate is 10 percent or more (with the derived value higher) diffuser measurements will be taken to define the location within the vessel of failed jet pump nozzle (or riser) and the unit shut down for repairs. If the potential blowdown flow area is increased, the system resistance to the recirculation pump is also reduced; hence, the affected drive pump will "run out" to a substantially higher flow rate (approximately 115 percent to 120 percent for a single nozzle failure). If the two loops are balanced in flow at the same pump speed, the resistance characteristics cannot have changed. Any imbalance between drive loop flow rates would be indicated by the plant process instrumentation. In addition, the affected jet pump would provide a l 1eakage path past the core thus reducing the core flow rate. The reverse flow through the inactive jet pump would still be indicated by a positive i differential pressure but the net effect would be a slight decrease (3 percent to 6 percent) in the total core flow measured. This decrease, together with the loop flow increase, would result in a lack of correlation between measured and derived core flow rate. Finally, the affected jet pump diffuser differential pressure signal would be reduced because the backflow would be less than the normal forward flow. A nozzle-riser system failure could also generate the coincident failure of a jet pump diffuser body; however, the converse is not true. The lack I of any substantial stress in the jet pump diffuser body makes failure ) impossible without an initial nozzle-riser system failure. 3.6.F/4.6.F Recirculation Pumn Operation I Operation without forced recirculation is permitted for up to 12 hours when the reactor is not in the RUN mode. And the start of a recirculation pump from the natural circulation condition will not be permitted unless the temperature difference between the loop to be started and the core coolant temperature is less than 75'F. This reduces the positive reactivity insertion to an acceptably low value. RequiringatleastonerecirculationpumptobeOPERABLEwhileintheRUNl mode (i.e., requiring a manual scram if both recirculation pumps are tripped) provides protection against the potential occurrence of core thermal-hydraulic instabilities at low flow conditions. 1 Requiring the discharge valve of the lower speed loop to remain closed until the speed of the faster pump is below 50 percent of its rated speed l provides assurance when going from one-to-two pump operation that excessive vibration of the jet pump risers will not occur. 1 BFN 3.6/4.6-32 Unit 2

) l j 3.6/4.6 BASES i 3.6.G/4.6.G Structural Intenrity i The requirements for the reactor coolant systems inservice inspection program have been identified by evaluating the need for a sampling 4 i examination of areas of high stress and highest probability of failure in the system and the need to meet as closely as possible the requirements of Section Xl, of the ASME Boiler and Pressure Vessel Code. 1 j The program reflects the built-in limitations of access to the reactor coolant systems. It is intended that the required examinations and inspection be completed during each 10-year interval. The periodic araminations are to be done 5 during refueling outages or other extended plant shutdown periods. j Only proven nondestructive testing techniques will be used. j j More frequent inspections shall be performed on certain circumferential pipe welds as listed in plant procedures to provide additional protection } against pipe whip. These welds were selected in respect to their distance from hangers or supports wherein a failure of the veld would permit the unsupported segments of pipe to strike the drywell wall or } nearby auxiliary systems or control systems. Selection was based on 1 judgment from actual plant observation of hanger and support locations and review of drawings. Inspection of all these welds during each 10-year inspection interval will result in three additional examinations j above the requirements of Section XI of ASME Code. j REFERENCES i 1. BFNP FSAR Subsection 4.12, Inservice Inspection and Testing l l-2. Inservice Inspection of Nuclear Reactor Coolant Systems, Section XI, i ASME Boiler and Pressure Vessel Code 3. ASME Boiler and Pressure Vessel Code, Section III (1968 Edition) i 4. American Society for Nondestructive Testing No. SNT-TC-1A f (1968 Edition) 4 l 1 l 1 i i i 1 BFN 3.6/4.6-33 4 Unit 2 ]

_ ~. _ _. _ _ _.. _ _ i 3.7/4.7 BA333,(Cont'd) Maintaining the water level between these, levels will ensure that the torus water volume and downconer submergence are within the aforementioned limits during normal plant operation. Alarms, adjusted for instrument error, will notify the operator when the limits of the torus water level are approached. The maximum permissible bulk pool temperature is limited by the potential for stable and complete condensation of steam discharged from safety relief valves j and adequate core spray pump net positive suction head. At reactor vessel j-pressures above approximately 555 psig, the bulk pool temperature shall not exceed 180*F. At pressures below approximately 240 psig, the bulk temperature may be as much as 184*F. At intermediate pressures, linear interpolation of the bulk temperature is permitted. They also represent the bounding upper limits that are used in suppression pool temperature response analyses for safety relief valve discharge and J loss-of-coolant accident (LOCA) cases. The actions required by Specifications 3.7.C. - 3.7.F. assure the reactor can be depressurized in a timely manner to avoid exceeding the maximum bulk suppression pool water limits. Furthermore, the 184*F limit provides that adequate RHR and core spray pump NPSH will be available without dependency on containment overpressure. Should it be necessary to drain the suppression chamber, this should only be done when there is no requirement for Core Standby Cooling Systems Underfullpoweroperationconditions,blowdownfromaninitiall OPERABILITY. suppression chamber water temperature of 95'F results in a peak long term water temperature -which is sufficient for complete condensation.- Limiting suppression pool temperature to 105'F during RCIC, HPCI, or relief valve operation when decay heat and stored energy is removed from the primary system by discharging reactor steam directly to the suppression chamber ensures adequate margin for controlled blowdown anytime during RCIC operation and ensures margin for complete condensation of steam from the design basis loss-of-coolant accident (LOCA). l In addition to the limits on temperature of the suppression chamber pool water, operating procedures define the action to be taken in the event a relief valve inadvertently opens or sticks open. This action would include: (1) use of all available means to close the valve, (2) initiate suppression pool water cooling heat exchangers, (3) initiate reactor shutdown, and (4) if 4 other relief valves are used to depressurize the reactor, their discharge shall be separated from that of the stuck-open relief valve to assure mixing and uniformity of energy insertion to the pool. If a LOCA were to occur when the reactor water temperature is below approximately 330*F, the containment pressure will not exceed the 62 psig code a permissible pressures even if no condensation were to occur. The maximum f allowable pool temperature, whenever the reactor is above 212*F, shall be governed by this specification. Thus, specifying water volume-temperature requirements applicable for reactor-water temperature above 212*F provides additional margin above that available at 330*F. 1 BFN 3.7/4.7-26 Unit 2 w

-~ I j. 3.7/4.7 BASES (Cont'd) In conjunction with the Mark I Containment Short Term Program, a plant-unique l analysis was performed (" Torus Support System and Attached Piping Analysis for the Browns Ferry Nuclear Plant Units 1, 2, and 3," dated September 9, 1976 and supplemented October-12, 1976) which demonstrated a factor of safety of at least two for the weakest element in the suppression chamher support system and attached piping. The maintenance of a drywell-suppression chamber differential pressure of 1.1 paid and a nuppression chamber water level corresponding to a downcomer submergence range of 3.06 feet to 3.58 feet will assure the integrity of the suppression chamber.when subjected to post-loss-of-coolant suppression pool hydrodynamic forces. Inertina The relativity small containment volume inherent in the GE-BWR pressure suppression containment and the large amount of zirconium in the core are such that the occurrence of a very limited (a-percent or so) reaction of the zirconium and steam during a LOCA could lead to the liberation of hydrogen combined with an air atmosphere to result in a flammable concentration in the containment. If a sufficient amount of hydrogen is generated and oxygen is available in stoichiometric quantities the subsequent ignition of the hydrogen in rapid recombination rate could lead to failure of the containment to maintain a low leakage integrity. The <4 percent hydrogen concentration minimizes the possibility of hydrogen combustion following a LOCA. The occurrence of primary system leakage following a major refueling outage or other scheduled shutdown is much more probable than the occurrence of the LOCA upon which the specified oxygen concentration limit is based. Permitting access to the drywell for leak inspections during a startup is judged prudent in terms of the added plant safety offered without significantly reducing the margin of safety. Thus, to preclude the possibility of starting the reactor and operating for extended periods of time with significant leaks in the primary system, leak inspections are scheduled during startup periods, when the primary system is at or near rated operating temperature and pressure. The 24-hour period to provide inerting is judged to be sufficient to perform the leak inspection and establish the required oxygen concentration. To ensure that the hydrogen concentration is maintained less than 4 percent following an accident, liquid nitrogen is maintained onsite for containment atmosphere dilution. About 2,260 gallons would be sufficient as a seven-day supply, and replenishment facilities can deliver liquid nitrogen to the site within one day; therefore, a requirement of 2,500 gallons is conservative. Following a LOCA, the Containment Air Monitoring (CAM) System continuously monitors the hydrogen concentration of the containment volume. Two independent systems are capable of sampling and monitoring hydrogen concentration in the drywell and the torus. Each sensor and associated circuit is periodically checked by a calibration gas to verify operation. Failure of one system does not reduce the ability to monitor the hydrogen concentration in the drywell or torus atmosphere as a second independent and redundant system will still be OPERABLE. BFN 3.7/4.7-27 Unit 2

l t i 3.7/4.7 BASES (Cont'd) i Vacuum Relief 1 The purpose of the vacuum relief valves is to equalize the pressure between 2 the drywell and suppression chamber and reactor building so that the structural integrity of the containment is saintained. The vacuum relief system from the pressure suppression chamber to reactor building consists of two 100-percent vacuum relief breakers (two parallel sets of two valves in series). Operation of either system will maintain the pressure differential j less than 2 psig; the external design pressure. One reactor building vacuum l breaker may be out of service for repairs for a period of seven days. If ~ repairs cannot be completed within seven days, the reactor coolant system is i brought to a condition where vacuum relief is no longer required. l l When a drywell-suppression chamber vacuum breaker valve is exercised through 4 an opening-closing cycle the position indicating lights in the control room are designed to function as specified below: Initial and Final Check - On (Fully Closed) j Condition Green - On Red - Off Opening Cycle Check - Off (Cracked Open) Green - Off (> 80' Open) Red - On (> 3' Open) { Closing Cycle Check - On (Fully Closed) l Green - On (< 80* Open) Red - Off (< 3' Open) The valve position indicating lights consist of one check light on the check j light panel which confirms full closure, ons green light next.to the hand switch which confirms 80' of full opening and one red light next to the hand switch which confirms "near closure" (within 3* of full closure). Each light is on a separate switch. If the check light circuit is OPERABLE when the valve is exercised by its air operator there exists a confirmation that the valve will fully close. If the red light circuit is OPERABLE, there exists a i l 3 1 i ] BFN 3.7/4.7-28 i Unit 2 i

l 4 3.9 BASES ) I The objective of this specification is to assure an adequate source of ~ 1 i electrical power to operate facilities to cool the units during shutdown l ) and to operate the. engineered safeguards following an accident. There 1 are three sources of alternating current electrical energy available, namely, the 161-kV transmission system, the 500-kV transmission system, 1 and the diesel generators. The unit station-service transformer B for unit 1 or the unit station-service transformer B for unit 2 provide noninterruptible sources j of offsite power from the 500-kV transmission system to the units 1 and 2 shutdown boards. Auxiliary power can also be supplied from the 161-kV transmission system through the common station-service transformers or through the cooling tower transformers by way of the bus tie board. The 4-kV bus tie board may remain out of service indefinitely provided one of the required offsite power sources is not supplied from the 161-kV system through the bus tie board. The minimum fuel oil requirement of 35,280 gallons for each diesel generator fuel tank assembly is sufficient for seven days of full load operation of each diesel and is conservatively based on availability of a replenishment supply. Each diesel generator has its own independent 7-day fuel oil storage tank assembly. ] The degraded voltage sensing relays provide a start signal to the diesel 1 generators in the event that a deteriorated voltage condition exists on a 4-kV shutdown board. This starting signal is independent of the starting signal generated by the complete loss of voltage relays and will continue to function and start the diesel generators on complete loss of voltage i should the loss of voltage relays become inoperable. The 15-day inoperable time. limit specified when one of the three phase-to-phase degraded voltage relays is inoperable is justified based on the two-out-of-three permissive logic scheme provided with these relays. A 4-kV shutdown board is allowed to be out of operation for a brief period to allow for maintenance and testing, provided all remaining 4-kV shutdown boards and associated diesel generators, CS, RHR, (LPCI and containment cooling) systems supplied by the remaining 4-kV shutdown boards, and all emergency 480-V power boards are OPERABLE. The 480-V diesel auxiliary board may be out of service for short periods for tests and maintenance. There is a safety related 250-V de unit battery located in each unit. Each 250-V de unit battery system consists of a battery, a battery charger, and a distribution panel. There is also a backup charger which can be assigned to any one of the three unit batteries. The 250-V dc unit battery systems provide power for unit control functions, unit DC motor loads and alternate control power to the 4160 and 480-V ac shutdown boards. The primary control power supplies to the 3A, 3C and 3D 4160-V ac shutdown boards and the Unit 3 480-V ac shutdown boards are also provided by unit batteries. There are five safety related 250-V de shutdown battery systems assigned as primary control power supplies to BFN 3.9/4.9-19 Unit 2

3.10 BASES (Cont'd) j subcritical even when the highes_t worth control rod is fully withdrawn. The combination of refueling interlocks for control rods and the refueling platform provide redundant methods of preventing inadvertent criticality even after procedural violations. The interlocks on hoists provide yet another method of avoiding inadvertent criticality. Fuel handling is normally conducted with the fuel grapple hoist. The i total load on this hoist when the interlock is required consists of the weight of the fuel grapple and the fuel assembly. This total is approximately 1,500 lbs, in comparison to the load-trip setting of 1,000 lbs. Provisions have also been made to allow fuel handling with either of the three auxiliary hoists and still maintain the refueling interlocks. The 400-lb load-trip setting on these hoists is adequate to trip the interlock when one of the more than 550-1b l fuel bundles is being handled. During certain periods, it is desirable to perform maintenance on two control rods and/or control rod drives at the same time without removing fuel from the cells. The maintenance is performed with the mode switch in the refuel position to provide the refueling interlocks normally available during refueling operations. In order to withdraw a second control rod after withdrawal of the first rod, it is necessary to bypass the refueling interlock on the first i control rod which prevents more than one control rod from being withdrawn at the same time. The requirement that an adequate shutdown margin be demonstrated and that all remaining control rods have their directional control valves electrically disarmed ensures that inadvertent criticality cannot occur during this maintenance. The adequacy of the shutdown margin is verified by demonstrating that at least 0.38 percent Ak shutdown margin is available. Disarming the j directional control valves does not inhibit control rod scram capability, Specification 3.10.A.7 allows unloading of a significant portion of the reactor core. This operation is performed with the mode switch in the REFUEL position to provide the refueling interlocks normally 2 available during refueling operations. In order to withdraw more than one control rod, it is necessary to bypass the refueling interlock on each withdrawn control rod which prevents more than one control rod from being withdrawn at a time. The requirement that the fuel assemblies in the cell controlled by the control rod be removed from the reactor core before the interlock can be bypassed ensures that withdrawal of another control rod does not result in inadvertent criticality. Each control rod provides primary reactivity control for the fuel assemblies in the cell associated with that control rod. Thus, removal of an entire cell (fuel assemblies plus control rod) results in a lower reactivity potential of the core. The requirements for SRM OPERABILITY during these CORE ALTERATIONS assure sufficient core monitoring. BFN 3.10/4.10-12 Unit 2

J l 3.10 BASES (Cont'd) l ) j 3.10.F Soent Fuel Cask Handlina - Refuel na Floor i Although single failure protection has been provided in the design of i the 125-ton hoist drum shaft, wire ropes, hook and lower block assembly I on the reactor building crane, the limiting of lift height of a spent fuel cask controls the amount of energy available in a dropped cask l accident when the cask is over the refueling floor. 1 i An analysis has been made'which shows that the floor and support 1 members in the area of cask entry into the decontamination facility can i satisfactorily sustain a dropped cask from a height of three feet. i The yoke safety links provide single failure protection for the hook l and lower block assembly and limit cask rotation. Cask rotation is 1 j necessary for decontamination and the safety links are removed during i decontamination. 1 i 4.10 BA151 1 l A. Refuelina Interlocks } Complete functional testing of all required refueling equipment interlocks before any refueling outage will provide positive indication j that the interlocks operate in the situations for which they were designed. By loading each hoist with a weight equal to the fuel } assembly, positioning the refueling platform, and withdrawing control I rods, the interlocks can be subjected to valid operational tests. j Where redundancy is provided in the logic circuitry, tests can be I i performed to assure that each redundant logic element can independently perform its function. } B. Core Monitoring i Requiring the SRMs to be functionally tested prior to any CORE j ALTERATION assures that the SRMs will be OPERABLE at the start of that alteration. The once per 12 hours verification of the SEM count rate j and signal-to-noise ratio ensures their continued OPERABILITY. 1 I REFERENCES I i 1. Fuel Pool Cooling and Cleanup System (BFNP FSAR Subsection 10.5) { 2. Spent Fuel Storage (BFNP FSAR Subsection 10.3) k i 1 BFN 3.10/4.10-15 Unit 2 4 l

1.1 BASES

FUEL CLAnDING INTEGRITY SAFETY LIMIT The fuel cladding represents one of the physical barriers which ~ separate' radioactive materials from environs. The integrity of this cladding barrier is related to its relative freedom from perforations or cracking. Although some corrosion or use-related cracking may occur during the life of. the cladding, fission product migration from this source is incrementally cumulative and continuously measurable. Fuel cladding perforations, however, can result from thermal stresses which occur from reactor operation significantly above design conditions and the protection system setpoints. While fission product migration from cladding perforation is just as measurable as that from use-related cracking, the thermally-caused cladding perforations signal a threshold, beyond which still greater thermal stresses may cause gross rather than incremental cladding deterioration. Therefore, the fuel cladding safety limit is defined in terms of the reactor operating conditions which can result in cladding perforation. q The fuel cladding integrity limit is set such that no calculated fuel damage would occur as a result of an abnormal operational. transient. Because fuel damage is not directly observable, the Fuel Cladding Safety Limit is defined with margin to the conditions which would produce onset transition boiling (MCPR of 1.0). This establishes a Safety Limit such that the minimum critical power ratio (MCPR) is no less than 1.07. MCPR > 1.07 represents a l conservative margin relative to the conditions required to maintain fuel cladding integrity. Onset of transition boiling results in a decrease in heat transfer from the clad and, therefore, elevated clad temperature and the possibility of clad failure. Since boiling transition is not a directly observable parameter, the margin to boiling transition is calculated from plant operating parameters such as core power, core flow, feedwater temperature, and core power distribution. The margin for each fuel assembly is characterized by the critical power ratio (CPR) which is the ratio of the bundle power which would produce onset of transition boiling divided by the actual bundle power. The minimum value of this ratio for any bundle in the core is the minimum critical power ratio (MCPR). It is assumed that the plant operation is controlled to the nominal protective setpoints via the instrumented variables, i.e., normal plant operation presented on Figure 2.1-1 by the nominal expected flow control line. The Safety Limit (MCPR of 1.07) has sufficient conservatism to assure that in the event of an abnormal operational transient initiated from a normal operating condition (MCPR > limits specified j in Specification 3.5.K) more than 99.9 percent of the fuel rods in j the core are expected to avoid boiling transition. The margin i between MCPR of 1.0 (onset of transition boiling) and the safety limit 1.07 is derived from a detailed statistical analysis I considering all of the uncertainties in monitoring the core operating state including uncertainty in the boiling transition correlation as described in Reference 1. The uncertainties employed in deriving the safety limit are provided at the beginning of each fuel cycle. BFN 1.1/2.1-8 Unit 3 I I

- ~ -. .~ 1.1 BASES (Cont'd) l l Because the boiling transition correlation is based on a large quantity of full scale data there is a very high confidence that l operation of a fuel assembly at the condition of MCPR = 1.07 would not produce boiling transition. Thus, although it is not required to establish the safety limit additional margin exists between the safety limit and the actual occurrence of loss-of-cladding integrity. However, if boiling transition were to occur, clad perforation would not be expected. Cladding temperatures would increase to 0 approximately 1,100 F which is below the perforation temperature of l the cladding material. This has been verified by tests in the General Electric Test Reactor (GETR) where fuel similar in design to BFNP operated above the critical heat flux for a significant period of time (30 minutes) without clad perforation. l If reactor pressure should ever exceed 1,400 psia during normal l power operation (the limit of applicability of the boiling transition correlation) it would be assumed that the fuel cladding integrity Safety Limit has been violated. At pressures below 800 psia, the core elevation pressure drop (0 power, O flow) is greater than 4.56 psi. At low powers and flows this pressure differential is maintained in the bypass region of the core. Since the pressure drop in the bypass region is essentially all elevation head, the core pressure drop at low power and flows -l vill always be greater than 4.5 pai. Analyses show that with a flow -j 3 of 28x10 lbs/hr bundle flow, bundle pressure drop is nearly independent of bundle power and has a value of 3.5 psi. Thus, the bundle flow with a 4.56 psi driving head will be greater than 28x103 lbs/hr. Full scale ATLAS test data taken at pressures from 14.7 paia to 800 psia indicate that the fuel assembly critical power i at this flow is approximately 3.35 MWt. With the design peaking factors this corresponds to a core thermal power of more than 50 percent. Thus, a core thermal power limit of 25 percent for reactor pressures below 800 psia is conservative. For the fuel in the core during periods when the reactor is shut down, consideration must also be given to water level requirements due to the effect of decay heat. If water level should drop below the top of the fuel during this time, the ability to remove decay heat is reduced. This reduction in cooling capability could lead to elevated cladding temperatures and clad perforation. As long as the fuel remains covered with water, sufficient cooling is available to prevent fuel clad perforation. BFN 1.1/2.1-9 Unit 3

, ~. _. . -. - - ~. -.. - i i 2.1 BASES (Cont'd) -l Analyses of the limiting transients show that no scram i ~ adjustment is required to assure MCPR > 1.07 when the transient j is initiated from MCPR limits specified in Specification 3.5.k. l 4 2. APRM Flux Scram Trio Settina (REFUEL or STARTUP/ HOT STAwnBY MODE) i For operation in the startup mode while the reactor is at low ) pressure, the APRM scram setting of 15 percent'of rated power j provides adequate thermal margin between the setpoint and the safety limit, 25 percent of rated. The margin is adequate to ] accommodate anticipated maneuvers associated with power plant-startup. Effects of increasing pressure at zero or low void 1 content are minor, cold water from sources available during startup is not much colder than that already in the system, temperature coefficients are small, and control rod patterns are j constrained to be uniform by operating procedures backed up by j' the rod worth minimizer. Worth of individual rods is very low j in a uniform rod pattern. Thus, of all possible sources of i reactivity input, uniform control rod withdrawai is the most i probable cause of significant power rise. Because the flux distribution associated with uniform rod withdrawals does not j involve high local peaks, and because several rods must be moved l to change power by a significant percentage of rated power, the i rate of power rise is very slow. Generally, the heat flux is in j near equilibrium with the fission rate. In an assumed uniform { rod withdrawal approach to the scram level, the rate of power rise is no more than 5 percent of rated power per minute, and the APRM system would be more than adequate to assure a scram 3 3 before the power could exceed the safety limit. The 15 percent } APRM scram remains active until-the mode switch is placed in the 1 RUN position. This switch occurs when' reactor pressure is j greater than 850 psig. } 3. IRM Flux Scram Trio Settinn The IRM System consists of eight chambers, four in each of the l l reactor protection system logic channels. The IRM is a j five-decade instrument which covers the range of power level between that covered by the SRM and the APRM. The five decades are covered by the IRM by means of a range switch and the five decades are broken down into 10 ranges, each being one-half of a 4 decade in size. The IRM scram setting of 120 divisions is active in each range of the IRM. For example, if the instrument i was on range 1, the scram setting would be 120 divisions for that range; likewise if the instrument was on range 5, the scram l setting would be 120 divisions for that range. l i i 1 BFN 1.1/2.1-13 } Unit 3 k

4 2.1 RARE 1 (Cont'd) .IRM Flux Scram Trio Settina (Continued) l Thus, as the IRM is ranged up to accommodate the increase in power level, the scram setting is also ranged up. A scram at ~120 divisions on the IRN instruments remains in effect as long as the reactor is in the startup mode. In addition, the APRM 15 percent scram prevents higher power operation without being in the RUN mode. The IRM scram provides protection for changes which occur both locally and over the entire core. The most significant sources of reactivity change during the power increase are due to control rod withdrawal. For insequence control rod withdrawal, the rate of change of power is slow enough due to the physical limitation of withdrawing control d rods that heat flux is in equilibrium with the neutron flux. An d IRM scram would result in a reactor shutdown well before any SAFETY LIMIT is exceeded. For the case of a single control rod withdrawal error, a range of rod withdrawal accidents was analyzed. This analysis included starting the accident at various power levels. The most severe case involves an initial 2 l condition in which the reactor is just suberitical and the IRM j system is not yet on scale. This condition exists at quarter rod density. Quarter rod density is discussed in l paragraph 7.5.5.4 of the FSAR. Additional conservatism was taken in this analysis by assuming that the IRM channel closest to the withdrawn rod is bypassed. The results of this analysis show that the reactor is scrammed and peak power limited to one percent of rated power, thus maintaining MCPR above 1.07. Based on the above analysis, the IRM provides protection against local control rod withdrawal errors and continuous withdrawal of control rods in sequence.

4. Fixed High Neutron Flux Scram Trio The average power range monitoring (APRM) system, which is calibrated using heat balance data taken during steady-state conditions, reads in percent of rated power (3,293 MWt). The APRM system responds directly to neutron flux. Licensing analyses have demonstrated that with a neutron flux scram of 120 percent of rated power, none of the abnormal operational transients analyzed violate the fuel SAFETY LIMIT and there is a substantial margin from fuel damage.

B. APRM Control Rod Block Reactor power level may be varied by moving control rods or by varying the recirculation flow rate. The APRM system provides a control rod block to prevent rod withdrawal beyond a given point at constant recirculation flow rate and thus prevents scram actuation. This rod block trip setting, which is automatically varied with recirculation loop flow rate, prevents an increase in the reactor BFN 1.1/2.1-14 Unit 3

-2.1 BASES (Cont'd) I F. (Deleted) G. & H. Main Steam Line Isolation on Low Pressure and Main Steam Line Isolation Scram i The low pressure isolation of the main steam lines at 825 psig was l provided to protect against rapid reactor depressurization and the resulting rapid cooldown of the vessel. The scram feature that occurs when the main steam line isolation valves close shuts down the reactor so that high power operation at low reactor pressure does not occur, thus providing protection for the fuel cladding integrity SAFETY LIMIT. Operation of the reactor at pressures lower than 825 psig requires that the reactor mode switch be in the STARTUP position, where protection of the fuel cladding integrity SAFETY LIMIT is provided by the IBM and APRM high neutron flux scrams. Thus, the combination of main steam line low pressure i isolation and isolation valve closure scram assures the availability j of neutron flux scram protection over the entire range of applicability of the fuel cladding integrity SAFETY LIMIT. In addition, the isolation valve closure scram anticipates the pressure and flux transients that accur during normal or inadvertent isolation valve closure. With the scrams set at 10 percent of valve 4 closure, neutron flux does not increase. I.J.& K. Reactor Low Water Level Setooint for Initiation of HPCI and RCIC Closina Main Steam Isolation Valves. and Startinn LPCI and Core Soray Pumns, These systems maintain adequate coolant inventory and provide core cooling with the objective of preventing excessive clad temperatures. The design of these systems to adequately perform the J intended function is based on the specified low level scram setpoint i and initiation setpoints. Transient analyses reported in Section 14 of the FSAR demonstrate that these conditions result in adequate safety margins for both the fuel and the system pressure. l L. References 1. Supplemental Reload Licensing Report of Browns Ferry Nuclear Plant, Unit 3 (applicable cycle-specific document). 2. GE Standard Application for Reactor Fuel, NEDE-24011-P-A and NEDE-24011-P-A-US (latest approved version). i BFN 1.1/2.1-16 Unit 3 4

l 1.2 BASES REACTOR COOLANT SYSTEM INTEGRITY i The safety limits for the reactor coolant system pressure have been selected such that they are below pressures at which it can be shown that the integrity of the system is not endangered. However, the pressure i safety limits are set high enough such that no foreseeable circumstances can cause the system pressure to rise over these limits. The pressure safety limits are arbitrarily selected to be the lowest transient overpressures allowed by the applicable codes, ASME Boiler and Pressure Vessel Code, Section III, and USAS Piping Code, Section B31.1. The design pressure (1,250 pais) of the reactor vessel is established such that, when the 10 percent allowance (125 pai) allowed by the ASME Boiler and Pressure Vessel Code Section III for pressure transients is added to the design pressure, a transient pressure limit of 1,375 psig is established. 1 Correspondingly, the design pressures (1,148 for suction and 1,326 for l { discharge) of the reactor recirculation system piping are such that, when the 20 percent allowance (230 and 265 psi) allowed by USAS Piping Code, Section B31.1 for pressure transients is added to the design pressures, l 1 transient pressure limits of 1,378 and 1,591 pais are established. Thus, the pressure safety limit applicable to power operation is established at 1,375 psig (the lowest transient overpressure allowed by the pertinent codes), ASME Boiler and Pressure Vessel Code, Section III, and USAS Piping Code, Section B31.1. l The current cycle's safety analysis concerning the most severe abnormal operational transient resulting directly in a reactor coolant system pressure increase is given in the reload licensing submittal for the current cycle. The reactor vessel pressure code limit of 1,375 psig given in subsection 4.2 of the safety analysis report is well above the peak pressure produced by the overpressure transient described above. Thus, the pressure safety limit applicable to power operation is well above the peak pressure that can result due to reasonably expected overpressure transients. Higher design pressures have been established for piping within the reactor coolant system than for the reactor vessel. These increased design pressures create a consistent design which assures that, if the pressure within the reactor vessel does not exceed 1,375 psig, the pressures within the piping cannot exceed their respective transient pressure limits due to static and pump heads. The safety limit of 1,375 psig actually applies to any point in the reactor vessel; however, because of the static water head, the highest pressure point will occur at the bottom of the vessel. Because the BFN 1.2/2.2-2 Unit 3

M 1.2 BASES (Cont'd) 4 pressure is not monitored at this point, it cannot be directly determined i if this safety limit has been violated. Also, because of the potentially varying head level and flow pressure drops, an equivalent pressure cannot be a priori determined for a pressure monitor higher in the vessel. Therefore, following any transient that is severe enough to cause concern that this safety limit was violated, a calculation will be performed l using all available information to determine if the safety limit was

violated, l

REFERENCES 1. Plant Safety Analysis (BFNP FSAR Sections 14.0 and Appendix N) l 1 2. ASME Boiler and Pressure Vessel Code Section III f 3. USAS Piping Code, Section B31.1 2 4. Reactor Vessel and Appurtenances Mechanical Design (BFNP FSAR Subsection 4.2) 2 1 5. Generic Reload Fuel Application, Licensing Topical Report, NEDE-24011-P-A and Addenda. i 4 i 1 i i ( l a i j 2 i J i BFN 1.2/2.2-3 Unit 3 a

2.2 BASES REACTOR COOLANT SYSTEM INTEGRITY To meet the safety basis, 13 relief valves have been installed on the unit with a total capacity of 84.1 percent of nuclear boiler rated steam flow. Theanalysisoftheworstoverpressuretransient(3-secondclosured of all main steam line isolation valves) neglecting the direct scram (valve position scram) results in a maximum vessel pressure which, if a neutron flux scram is assumed considering 12 valves operable, results in adequate margin to the code allowable overpressure limit of 1,375 psig. To meet operational design, the analysis of the plant isolation transient (generator load reject with bypass valve failure to open) shows that 12 of the 13 relief valves limit peak system pressure to a value which is well below the allowed vessel overpressure of 1,375 psig. j W BFN 1.2/2.2-4 Unit 3

3.1 BASES (Cont'd) i 5. be accommodated which would result in slow scram times or partial control l rod insertion. To preclude this occurrence, level switches have been i provided in the instrument volume which alarm and scram the reactor when the volume of water reaches 50 gallons. As indicated above, there is l sufficient volume in the piping to accommodate the scram without l impairment of the scram times or amount of insertion of the control rods. This function shuts the reactor down while sufficient volume remains to accommodate the discharge water and precludes the situation in which a scram would be required but not be able to perform its function adequately. i A source range monitor (SRM) system is also provided to supply additional l neutron level information during startup but has no scram functions. Reference Section 7.5.4 FSAR. Thus, the IRM is required in the REFUEL (with any control rod withdrawn from a core cell containing one or more fuel assemblies) and STARTUP Modes. In the power range the APRM system j provides required protection. Reference Section 7.5.7 FSAR. Thus, the IRM System is not required in the RUN mode. The APRMs and the IRMs provide adequate coverage in the STARTUP and intermediate range. The high reactor pressure, high drywell pressure, reactor low water level, low scram pilot air header pressure and scram discharge volume j high level scrams are required for STARTUP and RUN modes of plant i operation. They are, therefore, required to be operational for these modes of reactor operation. t i Because of the APRM downscale limit of 1 3 percent when in the RUN mode i and high level limit of 115 percent when in the STARTUP Hode, the j transition between the STARTUP and RUN Modes must be made with the APRM instrumentation indicating between 3 percent and 15 percent of rated j power or a control rod scram will occur. In addition, the IRM system j-must be indicating below the High Flux setting (120/125 of scale) or a scram will occur when in the STARTUP Mode. For normal operating conditions, these limits provide assurance of overlap between the IRM system and APRM system so that there are no " gaps" in the power level i indications (i.e., the power level is continuously monitored from l beginning of startup to full power and from full power to SHUTDOWN). l When power is being reduced, if a transfer to the STARTUP mode is made i and the IRMs have not been fully inserted (a maloperational but not l impossible condition) a control rod block immediately occurs so that j reactivity insertion by control rod withdrawal cannot occur. The low scram pilot air header pressure trip performs the same function j as the high water level in the scram discharge instrument volume for fast j fill events in which the high level instrument response time may be inadequate. A fast fill event is postulated for certain degraded control j air events in which the scram outlet valves unseat enough to allow 5 spm l per drive leakage into the scram discharge volume but not enough to cause control rod insertion. k 1 J BFN 3.1/4.1-15 1 Unit 3

i 4.1 BASES The minimum functional testing frequency used in this specification is 1 based on a reliability analysis using the concepts developed in reference j (1). This concept was specifically adapted to the one-out-of-two taken j twice logic of the reactor protection system. The analysis shows that the J sensors are primarily responsible for the reliability of the reactor j protection system. This analysis makes use of " unsafe failure" rate 1 experience at conventional and nuclear power plants in a reliability model for the system. An " unsafe failure" is defined as one which negates 5 channel operability and which, due to its nature, is revealed only when i the channel is functionally tested or attempts to respond to a real { signal. Failure such as blown fuses, ruptured bourdon tubes, faulted amplifiers, faulted cables, etc., which result in " upscale" or "downscale" readings on the reactor instrumentation are " safe" and will be easily recognized by the operators during operation because they are revealed by j-an alarm or a scram. A The channels listed in Tables 4.1.A and 4.1.B are divided into three j groups for functional testing. These are: A. On-Off sensors that provide a scram trip function. ) B. Analog devices coupled with bistable trips that provide a scram

function, j

C. Devices which only serve a useful function during some restricted mode of operation, such as STARTUP, or for which the only practical test is one that can be performed at SHUTDOWN. l The sensors that make up group (A) are specifically selected from amont, the whole family of industrial on-off sensors that have earned an excellent reputation for reliable operation. During design, a goal of i 0.99999 probability of success (at the 50 percent confidence level) was adopted to assure that a balanced and adequate design is achieved. The probability of success is primarily a function of the sensor failure rate and the test interval. A three-month test interval was planned for group j (A) sensors. This is in keeping with good operating practices, and satisfies the design goal-for the logic configuration utilized in the Reactor Protection System. The once per six-month functional test frequency for the scram pilot air header low pressure trip function is acceptable due to: The functional reliability previously demonstrated by these switches on Unit 2 during Cycles 6 and 7, 2. The need for minimizing the radiation exposure associated with the functional testing of these switches, and ( 3. The increased risk to plant availability while the plant is in a half-scram condition during the performance of the functional testing versus the limited increase in reliability that would be obtained by more frequent functional testing. BFN 3.1/4,1-16 Unit 3

4.1 BASES (Cont'd) Experience with passive type instruments in generating stations and substations indicates that the specilled calibrations are adequate. For those devices which employ amplifiers, etc., drift specifications call for drift to be less than 0.4 percent / month; i.e., in the period of a month a drift of 0.4-percent would occur thus providing for adequate margin. l For the APRM system drift of electronic apparatus is not the only consideration in determining a calibration frequency. Change in power distribution and loss of chamber sensitivity dictate a calibration every seven days. Calibration on this frequency assures plant operation at or below thermal limits. A comparison of Tables 4.1.A and 4.1.B indicates that two instrument channels have been included in the latter table. These are: mode switch in SHUTDOWN and manual scram. All of the devices or sensors associated with these scram functions are simple on-off switches and, hence, calibration during operation is not applicable, i.e., the switch is either on or off. The sensitivity of LPRM detectors decreases with exposure to neutron flux at a slow and approximately constant rate. The APRM system, which uses the LPRM readings to detect a change in thermal power, will be calibrated every seven days using a heat balance to compensate for this change in sensitivity. The RBM system uses the LPRM reading to detect a localized change in thermal power. It applies a correction factor based on the APRM output signal to determine the percent thermal power and therefore any change in LPRM sensitivity is compensated for by the APRM calibration. The technical specification limits of CNFLPD, CPR, and APLHGR are determined by the use of the process computer or other backup methods. i These methods use LPRM readings and TIP data to determine the power distribution. Compensation in the process computer for changes in LPRM sensitivity will j be made by performing a full cora TIP traverse to update the computer calculated LPRM correction factors every 1000 effective full power hours. As a minimum the individual LPRM meter readings will be adjusted at the beginning of each operating cycle before reaching 100 percent power. BFN 3.1/4.1-19 Unit 3

3.2 BASES In addition to reactor protection instrumentation which initiates a 4 reactor scram, protective instrumentation has been provided which initiates action to mitigate the consequences of accidents which are beyond the operator's ability to control, or terminates operator errors before they result in serious consequences. This set of specifications provides the limiting conditions of operation for the primary system isolation function, initiation of the core cooling systems, control rod block and standby gas treatment systems. The objectives of the 2 Specifications are (i) to assure the effectiveness of the protective instrumentation when required by preserving its capability to tolerate a j single failure of any component of such systems even during periods when portions of such systems are out of service for maintenance, and (ii) to prescribe the trip settings required to assure adequate performance. When necessary, one channel may be made inoperable for brief intervals to conduct required functional tests and calibrations. Some of the settings on the instrumentation that initiate or control core i and containment cooling have tolerances explicitly stated where the high and low values are both critical and may have a substantial effect on safety. The setpoints of other instrumentation, where only the high or low end of the setting has a direct bearing on safety, are chosen at a level away from the normal operating range to prevent inadvertent i actuation of the safety system involved and exposure to abnormal situations. Actuation of primary containment valves is initiated by protective instrumentation shown in Table 3.2.A which senses the conditions for which isolation is required. Such instrumentation must be available whenever PRIMARY CONTAIl0ENT INTEGRITY is required. The instrumentation which initiates primary system isolation is connected in a dual bus arrangement. The low water level instrumentation set to trip at 538 inches above vessel zero closes isolation valves in the RER System, Drywell and Suppression Chamber exhausts and drains and Reactor Water Cleanup Lines (Groups 2 and 3 isolation valves). The low reactor water level instrumentation that is set to trip when reactor water level is 470 inches above vessel zero (Table 3.2.B) trips the recirculation pumps and initiates the RCIC and HPCI systems. d The low water level instrumentation set to trip at 1398 inches above vessel zero (Table 3.2.A) closes the Main Steam Isolation Valves, the l Main Steam Line Drain Valves, and the Reactor Water Sample Valves (Group 1). These trip settings are adequate to prevent core uncovery in the case of a break in the largest line assuming the maximum closing time. BFN 3.2/4.2-64 Unit 3

3.2 BASES (Cont'd) The instrumentation which initiates _CSCS action is arranged in a dual bus system. As for other vital instrumentation arranged in this fashion, the specification preserves the effectiveness of the system even during periods when maintenance or testing is being performed. An exception to this is when logic functional testing is being performed. The control rod block functions are provided to generate a trip signal to block rod withdrawal if the monitored power level exceeds a preset value. The trip logic for this function is 1-out-of-n: e.g., any trip on one of_six APRMs, eight IRMs, or four SRMs will result in a rod block. When the RBM is required, the minimum instrument channel requirements apply. These requirements assure sufficient instrumentation to assure the single failure criteria is met. The minimum instrument channel requirements for the RBM may be reduced by one for maintenance, testing, or calibration. This does not significantly increase the risk of an inadvertent control rod withdrawal, as the other channel is available, and the RBM is a backup system to the written sequence for withdrawal of control rods. The APRM rod block function is flow biased and provides a trip signal for blocking rod withdrawal when average reactor thermal power exceeds pre-established limits set to prevent scram actuation. The 2BM rod block function provides local protection of the core; i.e., the prevention of critical power in a local region of the core, for a single rod withdrawal error from a limiting control rod pattern. If the IRM channels are in the worst condition of allowed bypass, the sealing arrangement is such that for unbypassed IRM channels, a rod block signal is generated before the detected neutrons flux has increased by more than a factor of 10. A downscale indication is an indication the instrument has failed or the instrument is not sensitive enough. In either case the instrument will not respond to changes in control rod motion and thus, control rod motion is prevented. The refueling interlocks also operate one logic channel, and are required for safety only when the mode switch is in the refueling position. For effective emergency core cooling for small pipe breaks, the HPCI system must function since reactor pressure does not decrease rapid enough to allow either core spray or LPCI to operate in time. The automatic pressure relief function is provided as a backup to the HPCI in the event the HPCI does not operate. The arrangement of the tripping contacts is such as to provide this function when necessary and minimize spurious operation. The trip settings given in the specification are adequate to assure the above criteria are met. The specification preserves the effectiveness of the system during periods of maintenance, testing, or calibration, and also minimizes the risk of inadvertent operation; i.e., only one instrument channel out of service. BFN 3.2/4.2-67 Unit 3

k 1 4.2 BASES (Cont'd) l ^ Those instruments which, when tripped, result in a. rod block have their j contacts arranged in a 1-out-of-n logic, and all are capable of being . bypassed. For such a tripping arrangement with bypass capability provided, there is an optimum test interval that should be maintained in j order to maximize the reliability of a given channel (7). This takes account of the fact that testing degrades reliability and the optimum l interval between tests is approximately given by: 2t' i= s Where: i= the optimum interval between tests, t= the time the trip contacts are disabled from performing their function while the test is in progress, r= the expected failure rate of the relays. To test the trip relays requires that the channel be bypassed, the test made, and the system returned to its initial state. It is' assumed this task requires an estimated 30 minutes to complete in a thorough a workmanlikemannerandthattherelayshaveafailurerateof10~gd failures per hour. Using this data and the above cperation, the optimum test interval is:

0. 5) '

i= = 1 x 10 l -6 \\g 10 = 40 days For additional marain a test interval of once ner month will be used initially. The sensors and electronic apparatus have not been included here as these are analog devices with readouts in the control room and the sensors and electronic apparatus can be checked by comparison with other like instruments. The checks which are made on a daily basis are adequate to assure OPERABILITY of the sensors and electronic apparatvs, and the test [ interval given above provides for optimum testing of tbc relay circulcs. The above calculated test interval optimizes each iadividual channel, considering it to be independent of all others. As an example, assume that there are two channels with an individual techniclan assigned to each. Each technician tests his channel at the optimum frequency, but (7) UCRL-50451, Improving Availability and Readiness of Field Equipment Through Periodic Inspection, Benjamin Epstein, Albert Shiff, July 16, 1968, page 10, Equation (24), Lawrence Radiation Laboratory. BFN 3.2/4.2-70 Unit 3

4.2 BASES (Cont'd) the two technicians are not allowed to communicate so that one can advise the other that his channel is under' test. Under these conditions, it is pcssible for both channels to be under test simultaneously. Now, assume that the technicians are required to communicate and that two channels are never tested at the same time. Forbidding simultaneous testing improves the availability of the system over that which would be achieved by testing each channel independently. These one-out-of-n trip systems will be tested one at s' time in order to take advantage of this inherent improvement in availability. Optimizing each channel independently may not truly optimize the system considering the overall rules of system operation. However, true system optimization is a complex problem. The optimuss are broad, not sharp, and optimizing the individual channels is generally adequate for the system. The formula given above minimizes the unavailability of a single channel which must be bypassed during testing. The minimization of the unavailability is illustrated by Curve No. 1 of Figure 4 assumes that a channel has a failure rate of 0.1 x 10-6 2-1 which / hour and 0.5 hours is required to test it. The unavailability is a minimum at a test interval i, of 3.16 x 103 hours. If two similar channels are used in a 1-out-of-2 configuration, the test interval for minimum unavailability changes as a function of the rules for testing. The simplest case is to test each one independent of the other. In this case, there is assumed to be a finite probability that both may be bypassed at one time. This case is shown by Curve No. 2. Note that the unavailability is lower as expected for a redundant system and the minimum occurs at the same test interval. Thus, if the two channels are tested independently, the equation above yields the test interval for minimum unavailability. A more usual case is that the testing is not done independently. If both channels are bypassed and tested at the same time, the result is shown in Curve No. 3. Note that the minimum occurs at about.40,000 hours, much longer than for cases 1 and 2. Also, the minimum is not nearly as low as Case 2 which indicates that this method of testing does not take full advantage of the redundant channel. Bypassing both channels for simultaneous testing should be avoided. The most likely case would be to stipulate that one channel be bypassed, tested, and restored, and then immediately following, the second channel be bypassed, tested, and restored. This is shown by Curve No. 4. Note that there is no true minimum. The curve does have a definite knee and very little reduction in system unavailability is achieved by testing at a ahorter interval than computed by the equation for a single channel. The best test procedure of all those examined is to perfectly stagger the tests. That is, if the test interval is four months, test one or the other channel every two months. This is shown in Curve No. 5. The i BFN 3.2/4.2-71 l Unit 3 j

4.2 BASES (Cont'd) difference between Cases 4 and 5 is negligible. There may be other arguments, however, that more strongly support the perfectly staggered tests, including reductions in human error. The conclusions to be drawn are these: 1. A 1-out-of-n system may be treated the same as a single channel in l terms of choosing a test interval; and l 2. more than one channel should not be bypassed for testing at any one time. The radiation monitors in the reactor and refueling zones which initiate building isolation and standby gas treatment operation are arranged such that two sensors high (above the high level setpoint) in a single channel or one sensor downscale (below low level setpoint),oe inoperable in two channels in the same zone will initiate a trip function. The functional testing frequencies for both the channel functional test and the high voltage power supply functional test are based on a Probabilistic Risk Assessment and system drift characteristics of the Reactor Building Ventilation Radiation Monitors. The calibration frequency is based upon the drift characteristics of the radiation monitors. The automatic pressure relief instrumentation can be considered to be a 1-out-of-2 logic system and the discussion above applies also. The RCIC and HPCI system logic tests required by Table 4.2.B contain provisions to demonstrate that these systems will automatically restart on a RPV low water level signal received subsequent to a RPV high water level trip. i O l BFN 3.2/4.2-72 l Unit 3

3.3/4.3 BASES (Cont'd) 2. Reactivity Marain - Inocerable Control Rods - Specification l 3.3.A.2 requires that a r'od be taken out of service if it cannot be moved with drive pressure. If the rod is fully inserted and disarmed electrically *, it is in a safe position of maximum contribution to shutdown reactivity. If it is disarmed electrically in a nonfully inserted position, that position shall be consistent with the shutdown reactivity limitations stated in Specification 3.3.A.1. This assures that the core can be shut down at all times with the remaining control rods assuming the strongest OPERABLE control rod does not insert. Also if damage within the control rod drive mechanism and in particular, cracks in drive internal housings, cannot be ruled out, then a generic problem affecting a number of drives cannot be ruled out. Circumferential cracks resulting from stress-assisted intergranular corrosion have occurred in the collet housing of drives at several BWRs. This type of cracking could occur in a number of drives and if the cracks propagated until severance of the collet housing occurred, scram could be prevented in the affected rods. Limiting the period of operation with a potentially severed rod after detecting one stuck rod will assure that the reactor will not be operated with a large number of rods with failed collet housings. The Rod Worth Minimizer is not automatically bypassed until reactor power is above the preset power level cutoff. Therefore, control rod movement is restricted and the single notch exercise surveillance test is only performed above this power level. The Rod Worth Minimizer prevents movement of out-of-sequence rods unless power is above the preset power level cutoff. B. Control Rodg 1. Control rod dropout accidents as discussed in the FSAR can lead to significant core damage. If coupling integrity is maintained, the possibility of a rod dropout accident is eliminated. The overtravel position feature provides a positive check as only uncoupled drives may reach this position. Neutron instrumentation response to rod movement provides a verification that the rod is fol?owing its drive. Absence of such response to drive movemert could indicate an uncoupled condition. Rod position indicstion is required for proper function of the Rod Worth Minimizer.

  • To disarm the drive electrically, four amphenol type plus connectors are removed from the drive insert and withdrawal solenoids rendering the rod incapable of withdrawal. This procedure is equivalent to valving out the drive and is preferred because, in this condition, drive water cools and minimizes crud accumulation in the drive. Electrical disarming does not eliminate position indication.

BFN 3.3/4.3-14 Unit 3

j 3.3/4.3 BASES (Cont'd) 5. The Rod Block Monitor (RBM) is designed to automatically prevent fuel damage in the event of erroneous rod withdrawal from locations of high l power density during high power level operation. Two RBM channels are provided, and one of these may be bypassed from the console for maintenance and/or testing.. Automatic rod withdrawal blocks from one of the channels will block erroneous rod withdrawal soon enough to prevent fuel damage. The specified restrictions with one channel out of service conservatively assure that fuel damage will not occur due to rod withdrawal errors when this condition exists. C. Scram Insertion Times The control rod system is designed to bring the reactor suberitical at a rate fast enough to prevent fuel damage; i.e., to prevent the MCPR from becoming less than 1.07. The limiting power transients are given in Reference 1. Analysis of these transients shows that the negative l reactivity rates resulting from the scram with the average response of all drives as given in the above specifications provide the required l protection and MCPR remains greater than 1.07. i On an early BWR, some degradation of control rod scram performance occurred during plant STARTUP and was determined to be caused by l particulate material (probably construction debris) plugging an internal control rod drive filter. The design of the present control rod drive (Model 7RDB144B) is grossly improved by the relocation of the filter to a i location out of the scram drive path; i.e., it can no longer interfere with scram performance, even if completely blocked. The degraded performance of the original drive (CRD7RDB144A) under dirty operating conditions and the insensitivity of the redesigned drive ] (CRD7RDB144B) has been demonstrated by a series of engineering tests under i simulated reactor operating conditions. The successful performance of the new drive under actual operating conditions has also been demonstrated by consistently good in-service test results for plants using the new drive and may be inferred from plants using the older model i 4 BFN 3.3/4.3-17 Unit 3

\\ l l l 3.3/4.3 3ASES (Cont'd) i drive with a modified (larger screen _ size) internal filter which is less 1 prone to plugging. Data has been documented by survelliance reports in various operating plants. These include Oyster Creek, Monticello, Dresden 2, and Dresden 3. Approximately 5000 drive tests have been recorded to date. Following identification of the " plugged filter" problem, very frequent scram tests were necessary to ensure proper performance. However, the more frequent scram tests are now considered totally unnecessary and . unwise for the following reasons: 1. Erratic scram performance has been identified as due to an obstructed drive filter in type "A" drives. The drives in BFNP are of the new "B" type design whose scram performance is unaffected by filter condition. 2. ThedirtloadisprimarilyreleasedduringSTARTUPofthereactorwhenl the reactor and its systems are first subjected to flows and pressure and thermal stresses. Special attention and measures are now being taken to assure cleaner systems. Reactors with drives identical or similar (shorter stroke, smaller piston areas) have operated through many refueling cycles with no sudden or erratic changes in scram performance. ThispreoperationalandSTARTUPtestingissufficienttol detect anomalous drive performance. l 3. The 72-hour outage limit which initiated the start of the frequent l scram testing is arbitrary, having no logical basis other than quantifying a " major outage" which might reasonably be caused by an event so severe as to possibly affect drive performance. This requirement is unwise because it provides an incentive for shortcut actions to hasten returning "on line" to avoid the additional testing due a 72-hour outage. O BFN 3.3/4.3-18 Unit 3

l 3.3/4.3 BASES D. Reactivity Anomalies During each fuel cycle excess operative reactivity varies as fuel depletes and as any burnable poison in supplementary control is burned. The magnitude of this excess reactivity may be inferred from the critical rod configuration. As fuel burnup progresses, anomalous behavior in the excess reactivity may be detected by comparison of the critical rod pattern at selected base states to the predicted rod inventory at that state. Power operating base conditions provide the most sensitive and directly interpretable data relative to core reactivity. Furthermore, using power operating base conditions permits frequent reactivity comparisons. Requiring a reactivity comparison at the specified frequency assures that a comparison will be made before the core reactivity channe exceeds 1 percent AK. Deviations in core reactivity greater than 1 percent AK are not expected and require thorough evaluation. One percent reactivity limit is considered safe since an insertion of one percent reactivity into the core would not lead to transients l exceeding design conditions of the reactor system. E. No BASES provided for this specification F. Scram Discharge Volume The nominal stroke time for the scram discharge volume vent and drain valves is 1 30 seconds following a scram. The purpose of these valves is to limit the quantity of reactor water discharged after a scram and no direct safety function is performed. The surveillance for the valves assures that system drainage is not impeded by a valve which fails to open and that the valves are OPERABLE and capable of closing upon a scram. References 1. Generic Reload Fuel Application, Licensing Topical Report, NEDE-24011-P-A and Addenda. BFN 3.3/4.3-20 Unit 3

-. _ _ _. _ _. ~ _. _ _. _ _ _ _ _ _ _ _ _ _. _ _..._ _._._ _ t j 3.5 BASES 3.5.A. Core Sorav System (CSS) and 3.5.B Residual Heat Removal System (RHRS) I Analyses presented in the FSAR* and analyses presented in conformance with 10 CFR 50, Appendix K, demonstrated that the core spray system in conjunction with two LPCI pumps provides adequate cooling to the core i to dissipate the energy associated with the loss-of-coolant accident j and to limit fuel clad temperature to below 2,200*F which assures that j core geometry remains intact and to limit the core average clad metal-water reaction to less than 1 percent. Core spray distribution has been shown in tests of systems similar in design to BFNP to exceed 4 l the minimum requirements. In addition, cooling effectiveness has been demonstrated at less than half the rated flow in simulated fuel assemblies with heater rods to duplicate the decay heat characteristics of irradiated fuel. ) The RHRS (LPCI mode) is designed to provide emergency cooling to the core by flooding in the event of a loss-of-coolant accident. This system is completely independent of the core spray system; however, it does function in combination with the core spray system to prevent excessive fuel clad temperature. The LPCI mode of the RERS and the core spray system provide adequate cooling for break areas of approximately 0.2 square feet up to and including the double-ended recirculation line break without assistance from the high-pressure emergency core cooling subsystems. The intent of the CSS and RHRS specifications is to not allow startup from the cold condition without all associated equipment being OPERABLE. However, during operation, certain components may be out of service for the specified allowable repair times. The allowable repair times have been selected using engineering judgment based on experiences and supported by availability analysis. Should one core spray loop become inoperable, the remaining core spray loop, the RHR System, and the diesel generators are required to be OPERABLE should the need for core cooling arise. These provide extensive margin over the OPERABLE equipment needed for adequate core cooling. With due regard for this margin, the allowable repair time of seven days was chosen. Should one RHR pump (LPCI mode) become inoperable, three RHR pumps (LPCI mode) and the core spray system are available. Since adequate core cooling is assured with this complement of ECCS, a seven day repair period is justified. Should two RHR pumps (LPCI mode) become inoperable, there remains no reserve (redundant) capacity within the RHRS (LPCI mode). Therefore, the affected unit shall be placed in cold shutdown within 24 hours.

  • A detailed functional analysis is given in Section 6 of the BFNP FSAR.

BFN 3.5/4.5-27 Unit 3

3.5 BASES (Cont'd) With the RCICS inoperable, a seven-day period to return the system to ~ service is justified based on the availability of the HPCIS to cool l the core and upon consideration that the average risk associated with failure of the RCICS to' cool the core when required is not increased. The surveillance requirements, which are based on industry codes and standards, provide adequate assurance that the RCICS will be OPERABLE when required. 3.5.G Automatic Deoressurization System (ADS) The ADS consists of six of the thirteen relief valves. It is designed l to provide depressurization of the reactor coolant system during a small break loss of coolant accident (LOCA) if HPCI fails or is unable i to maintain the required water level in the reactor vessel. ADS operation reduces the reactor vessel pressure to within the operating pressure range of the low pressure emergency core cooling systems (core spray and LPCI) so that they can operate to protect the fuel barrier. Specification 3.5.G applies only to the automatic feature of the pressure relief system. Specification 3.6.D specifies the requirements for the pressure relief function of the valves. It is possible for any number of the valves assigned to the ADS to be incapable of performing their ADS functions because of instrumentation failures, yet be fully capable of performing their pressure relief function. The emergency core cooling system LOCA analyses for small line breaks assumed that four of the six ADS valves were OPERABLE. By requiring six valves to be OPERABLE, additional conservatism is provided to account for the possibility of a single failure in the ADS system. Reactor operation with one of the six ADS valves inoperable is allowed to continue for fourteen days provided the HPCI, core spray, and LPCI systems are OPERABLE. Operation with more than one ADS valve inoperable is not acceptable. With one ADS valve known to be incapable of automatic operation, five valves remain OPERABLE to perform the ADS function. This condition is within the analyses for a small break LOCA and the peak clad temperature is well below the 10 CFR 50.46 limit. Analysis has shown that four valves are capable of depressurizing the reactor rapidly enough to maintain peak clad temperature within acceptable limits. 3.5.H. Maintenance of Filled Discharme Pioe If the discharge piping of the core spray, LPCI, HPCIS, and RCICS are not filled, a water hammer can develop in this piping when the pump I and/or pumps are started. To minimize damage to the discharge piping and to ensure added margin in the operation of these systems, this Technical Specification requires the discharge lines to be filled BFN 3.5/4.5-33 Unit 3

I 3.6/4.6 BASES 1 3.6.C/4.6.C (Cont'd) suggest a reasonable margin of safety that such leakage magnitude would j not result from a crack approaching the critical size for rapid propagation. Leakage less than the magnitude specified can be detected } reasonably in a matter of a few hours utilizing the available leakage j detection schemes, and if the origin cannot be determined in a reasonably short time, the unit should be shut down to allow further investigation i and corrective action. i The two spm limit for coolant leakage rate increases over any 24-hour l period is a limit specified by the NRC (Reference 2). This limit applies only during the RUN mode to avoid being penalized for the expected-coolant leakage increase during pressurization. The total leakage rate consists of all leakage, identified and i unidentified, which flows to the drywell floor drain and equipment drain sumps. The capacity of the drywell floor sump pump is 50 spa and the capacity of the drywell equipment sump pump is also 50 spa. Removal of 25 spa from either of these sumps can be accomplished with considerable margin. References 1. Nuclear System Leakage Rate Limits (BFNP FSAR Subsection 4.10) 2. Safety Evaluation Report (SER) on IE Bulletin 82-03 3.6.D/4.6.D Relief Valves To meet the safety basis,13 relief valves have been installed on the unit with a total capacity of 84.1 percent of nuclear boiler rated steam l flow. The analysis of the worst overpressure transient, (3-second closure of all main steam line isolation valves) neglecting the direct scram (valve position scram) results in a maximum vessel pressure which, if a neutron flux scram is assumed considering 12 valves OPERABLE, results in adequate margin to the code allowable overpressure limit of 1,375 psig. To meet operational design, the analysis of the plant isolation transient (generator load reject with bypass valve failure to open) shows that 1 12 of the 13 relief valves limit peak system pressure to a value which is I well below the allowed vessel overpressure of 1,375 psig. Experience in relief valve operation shows that a testing of 50 percent i of the valves per year is adequate to detect failures or deteriorations. The relief valves are benchtested every second operating cycle to ensure d that their setpoints are within the i 1 percent tolerance. The relief valves are tested in place in accordance with Specification 1.0.MM to establish that they will open and pass steam. BFN 3.6/4.6-30 Unit 3 r-rmw w =+ w-m m

i l l 3.6/4.6 BASJJ 3.6.D/4.6.D (Cont'd) The requirements established above apply when the nuclear system can be pressurized above ambient conditions. These requirements are applicable at nuclear system pressures below normal operating pressures because abnormal operational transients could possibly start at these conditions such that eventual overpressure relief would be needed. However, these transients are much less severe, in terms of pressure, than those starting at rated conditions. The valves need not be functional when the vessel head is removed, since the nuclear system cannot be pressurized. The relief valves are not required to be OPERABLE in the COLD SHUTDOWN CONDITION. Overpressure protection is provided during hydrostatic tests by two of the relief valves whose relief setting has been established in conformance with ASME Section XI code requirements. The capacity of one relief valve exceeds the charging capacity of the pressurization source used during hydrostatic testing. Two relief valves are used to provide redundancy. References 1. Nuclear System Pressure Relief System (BFNP FSAR Subsection 4.4) 2. " Protection Against Overpressure" (ASME Boiler and Pressure Vessel Code, Section III, Article 9) 3. Browns Ferry Nuclear Plant Design Deficiency Report--Target Rock Safety-Relief Valves, transmitted by J. E. Gilliland to F. E. Kruesi, August 29, 1973 4. Generic Reload Fuel Application, Licensing Topical Report, NEDE 24011-P-A and Addenda 3.6.E/4.6.E Jet Pumos Failure of a jet pump nozzle assembly holddown mechanism, nozzle assembly and/or riser, would increase the cross-sectional flow area for blowdown following the design basis double-ended line break. Also, failure of the diffuser would eliminate the capability to reflood the core to two-thirds l height level following a recirculation line break. Therefore, if a failure I occurred, repairs must be made. The detection technique is as follows. With the two recirculation pumps balanced in speed to within i 5 percent, the flow rates in both recirculation loops will be verified by control room monitoring instruments. If the two flow rate values do not differ by more than 10 percent, riser and nozzle assembly integrity has been verified. If they do differ by 10 percent or more, the core flow rate measured by the Jet pump diffuser differential pressure system must be checked against the core flow rate derived from the measured values of loop flow to core flow correlation. If the difference between measured and derived core flow rate is BFN 3.6/4.3-31 Unit 3

4 3.6/4.6 BASES 3.6.E/4.6.E (Cont'd) 10 percent or more (with the derived value higher) diffuser measurements will 2 be taken to define the location within the vessel of failed jet pump nozzle (or riser) and the unit shut down for repairs. If the potential blowdown flow area is increased, the system resistance to the recirculation pump is also reduced; hence, the affected drive pump will "run out" to a substantially higher flow rate (approximately 115 percent to 120 percent for a single nozzle failure). If the two loops are balanced in flow at the same pump speed, the resistance characteristics cannot have changed. Any imbalance between drive loop flow rates would be indicated by the plant process instrumentation. In addition, the affected jet pump would provide a leakage path past the core thus reducing the core flow rate. The reverse flow through the inactive jet j pump would still be indicated by a positive differential pressure but the net effect would be a slight decrease (3 percent to 6 percent) in the total core flow measured. This decrease, together with the loop flow increase, would result in a lack of correlation between measured and derived core flow rate. Finally, the affected jet pump diffuser differential pressure signal would be reduced because the backflow would be less than the normal forward flow. A nozzle-riser system failure could also generate the coincident failure of a j jet pump diffuser body; however, the converse is not true. The lack of any substantial stress in the jet pump diffuser body makes failure impossible without an initial nozzle-riser system failure. 4 3.6.F/4.6.F Recirculation Pumo Operation Operation without forced recirculation is permitted up to 12 hours when the reactor is.not in the RUN mode. And the start of a recirculation pump from I the natural circulation condition will not be permitted unless the temperature difference between the loop to be started and the core coolant temperature is less than 75'F. This reduces the positive reactivity insertion to an acceptably low value. Requiring at least one recirculation pump to be OPERABLE while in the RUN mode (i.e., requiring a manual scram if both recirculation pumps are tripped) provides protection against the potential occurrence of core thermal-hydraulic instabilities at low flow conditions. Requiring the discharge valve of the lower speed loop to remain closed until the speed of the faster pump is below 50 percent of its rated speed provides assurance when going from one-to-two pump operation that excessive vibration of the jet pump risers will not occur. 4 3.6.G/4.6.G Structural Intearity The requirements for the reactor coolant systems inservice inspection program have been identified by evaluating the need for a sampling examination of areas of high stress and highest probability of failure in the system and the need to meet as closely as possible the requirements of Section XI, of the ASME Boiler and Pressure Vessel Code. 3.6/4.6-32l BFN Unit 3

i 3.6/4.6 BASES 3.6.G/4.6.G (Cont'd) The program reflects the built-in limitations of access to the reactor coolant j systems. It is intended that th required examinations and inspection be completed ) during each 10-year interval. The periodic araminations are to be done during refueling outages or other extended plant shutdown periods. Only proven nondestructive testing techniques will be used. More frequent inspections shall be performed on certain circumferential pipe welds as listed in plant procedures to provide additional protection against pipe whip. These welds were selected in respect to their distance from hangers or supports wherein a failure of the weld would permit the unsupported segments of pipe to strike the drywell wall or nearby auxiliary systems or control systems. Selection was based on judgment from actual plant observation of hanger and support locations and review of drawings. Inspection of all these welds during each 10-year inspection interval will result in three additional examinations above the requirements of Section XI of ASME Code. j References 1. BFNP FSAR Subsection 4.12, Inservice Inspection and Testing l 2. Inservice Inspection of Nuclear Reactor Coolant Systems, Section XI, ASME Boiler and Pressure Vessel Code 3. ASME Boiler and Pressure Vessel Code, Section III (1968 Edition) 4. American Society for Nondestructive Testing No. SNT-TC-1A (1968 Edition) i BFN 3.6/4.6-33 Unit 3

l i ) 3.7/4.7 BASES (Cont'd) Maintaining the water level between these_ levels will ensure that the torus 4 water volume and downconer submergence are within the aforementioned limits i during normal plant operation. Alarms, adjusted for instrument error, will I notify the operator when the limits of the torus water level are approached. The maximum permissible bulk pool temperature is limited by the potential for stable and complete condensation of steam discharged from safety relief valves and adequate core spray pump net positive auction head. At reactor vessel pressures above approximately 555 pais, the bulk pool temperature shall not exceed 180*F. At pressures below approximately 240 psig, the bulk temperature may be as much as 184*F. At intermediate pressures, linear interpolation of the bulk temperature is permitted. They also represent the bounding upper limits that are used in suppressien pool temperature response analyses for safety relief valve discharge and loss-of-coolant accident (LOCA) cases. The actions required by Specifications 4 3.7.C. - 3.7.F. assure the reactor can be depressurized in a timely manner to l avoid exceeding the maximum bulk suppression pool water limits. Furthermore, the 184*F limit provides that adequate RRR and core spray pump NPSH will be available without dependency on containment overpressure. Should it be necessary to drain the suppression chamber, this should only be done when there is no requirement for Core Standby Cooling Systems OPERABILITY. Under full power operation conditions, blowdown from an initial suppression chamber water temperature of 95'F results in a peak long term water temperature which is sufficient for complete condensation. l Limiting suppression pool temperature to 105'F during RCIC, HPCI, or relief valve operation when decay heat and stored energy is removed from the primary system by discharging reactor steam directly to the suppression chamber assures adequate margin for controlled blowdown anytime during RCIC operation and ensures margin for complete condensation of steam from the design basis i loss-of-coolant accident (LOCA). In addition to the limits on temperature of the suppression chamber pool 4 water, operating procedures define the action to be taken in the event a relief valve inadvertently opens or sticks open. This action would include: (1) use of all available means to close the valve, (2) initiate suppression pool water cooling heat exchangers, (3) initiate reactor shutdown, and (4) if 4 other relief valves are used to depressurize the reactor, their discharge shall be separated from that of the stuck-open relief valve to assure mixing and uniformity of energy insertion to the pool. l If a LOCA were to occur when the reactor water temperature is below l approximately 330*F, the containment pressure will not exceed the 62 psig code permissible pressures even if no condensation were to occur. The maximum l allowable pool temperature, whenever the reactor is above 212*F, shall be governed by this specification. Thus, specifying water volume-temperature requirements applicable for reactor-water temperature above 212*F provides additional margin above that available at 330*F. BFN 3.7/4.7-25 Unit 3

~ __.___. __ _ _ _ - _.. _ ____ _ _ _ _ _ 1 3.7/4.7 BASES (Cont'd) In conjunction with the Mark I Containment Short Term Program, a plant-unique analysis was performed (" Torus Support System and Attached Piping Analysis for the Browns Ferry Nuclear Plant Units 1, 2, and 3," dated September 9, 1976 and i i supplemented October 12, 1976) which demonstrated a factor of safety of at least two for the weakest element in the suppression chamber support system and-attached piping.. The maintenance of a drywell-suppression chamber differential pressure of 1.1 paid and a supprcesion chamber water level corresponding to a downcomer submergence range of 3.06 feet to 3.58 feet will assure the integrity of the suppression chamber when subjected to. post-loss-of-coolant suppression pool hydrodynamic forces. Inertina The relativity small containment volume inherent in the GE-BWR pressure I suppression containment and the large amount of zirconium in the core are such that the occurrence of a very limited (a percent or so) reaction of the zirconium and steam during a LOCA could lead to the liberation of hydrogen l combined with an air atmosphere to result in a flammable concentration in the containment. If a sufficient amount of hydrogen is generated and oxygen is available in stoichiometric quantities the subsequent ignition of the hydrogen in rapid recombination rate could lead to failure of the containment to maintain low leakage integrity. The <4 percent hydrogen concentration minimizes the possibility of hydrogen combustion following a LOCA. l The occurrence of primary system leakage following a major refueling outage or j otherscheduledshutdownismuchmoreprobablethantheoccurrenceoftheLOCAl upon which the specified oxygen concentration limit is based. Permitting access to the drywell for leak inspections during a startup is judged prudent in terms of the added plant safety offered without significantly reducing the margin of safety. Thus, to preclude the possibility of starting the reactor and operating for extended periods of time with significant leaks in the primary system, leak inspections are scheduled during startup periods, when the primary system is at or near rated operating temperature and pressure. The 24-hour period to provide inerting is judged sufficient to perform the s leak inspection and establish the required oxygen concentration. To ensure that the hydrogen concentration is maintained less than 4 percent following an accident, liquid nitrogen is maintained onsite for containment atmosphere dilution. About 2,260 gallons would be sufficient as a seven-day supply, and replenishment facilities can deliver liquid nitrogen to the site within one day; therefore, a requirement of 2,500 gallons is conservative. Following a LOCA, the Containment Air Monitoring (CAM) System continuously monitors the hydrogen concentration of the containment volume. Two independent systems are capable of sampling and monitoring hydrogen concentration in the drywell and the torus. Each sensor and associated circuit is periodically checked by a calibration gas to verify operation. Failure of one system does not reduce the ability to monitor the hydrogen concentration in the drywell or torus atmosphere as a second independent and redundant system will still be OPERABLE. BFN 3.7/4.7-26 Unit 3

3.7/4.7 BASES (Cont'd) Vacuum Relief i The purpose of the vacuum relief valves is to equalize the pressure between the drywell and suppression chamber and reactor building so that the structural integrity of the containment is maintained. The vacuum relief system from the pressure suppression chamber to reactor building consists of two 100-percent vacuum relief breakers (two parallel sets of two valves in series). Operation of either system will maintain the pressure differential less than 2 psig; the external design pressure. One reactor building vacuum J breaker may be out of service for repairs ~for a period of seven days. If repairs cannot be completed within seven days, the reactor coolant system is brought to a condition where vacuum relief is no longer required. When a dryvell-suppression chamber vacuum breaker valve is exercised through an opening-closing cycle the position indicating lights in the control room are designed.to function as specified below: Initial and Final Check - On (Fully Closed) Condition Green - On Red - Off Opening Cycle Check - Off (Cracked Open) Green - Off (> 80* Open) Red - On (> 3* Open) Closing Cycle Check - On (Fully Closed) Green - On (< 80* Open) i j Red - Off (< 3* Open) i The valve position indicating lights consist of one check light on the check light panel which confirms full closure, one green light next to the hand switch which confirms 80* of full opening and one red light next to the hand i switch which confirms "near closure" (within 3* of full closure). Each light is on a separate switch. If the check light circuit is OPERABLE when the valve is exercised by its air operator there exists a confirmation that the l valve will fully close. If the red light circuit is OPERABLE, there exists a i i T BFN 3.7/4.7-27 Unit 3 1

. - ~. -.. - ~ - 3.7/4.7 BASES (Cont'd) in the system, isolation is provided by,high temperature in the cleanup system Also, since the vessel could potentially be drained through the cleanup area. system, a low-level isolation is provided. Groues 4 and 5 - Process lines are designed to remain OPERABLE and mitigate the consequences of an accident which results in the isolation of other I process lines. 102e signals which initiate isolation of Groups 4 and 5 process lines are therefore indicative of a condition which would render them inoperable. Groun 6 - Lines are connected to the primary containment but not directly to the reactor vessel. -These valves are isolated on reactor low water level (538"), high drywell pressure, or reactor building ventilation high radiation which would indicate a possible accident and necessitate primary containment isolation. Groun 7 - (Deleted) Groun 8 - Line (traveling in-core probe) is isolated on high drywell pressure or reactor low water level (538"). This is to assure that this line does not provide a leakage path when containment pressure or reactor water level indicates a possible accident condition. The maximum closure time for the automatic isolation valves of the primary containment and reactor vessel isolation control system have been selected in consideration of the design intent to prevent core uncovering following pipe breaks outside the primary containment and the need to contain released fission products following pipe breaks inside the primary containment. In satisfying this design intent, an additional margin has been included in specifying maximum closure times. This margin permits identification of degraded valve performance prior to exceeding the design closure times. 1 In order to assure that the doses that may result from a steam line break do not exceed the 10 CFR 100 guidelines, it is necessary that no fuel rod perforation resulting from the accident occur prior to closure of the main i steam line isolation valves. Analyses indicate that fuel rod cladding perforations would be avoided for main steam valve closure times, including instrument delay, as long as 10.5 seconds. BFN 3.7/4.7-34 Unit 3

i ( 3.9 BASES The objective of this specification is to assure an adequate source of ~ electrical power to operate facilities to cool the units during shutdown l and to operate the engineered safeguards following an accident. There are three sources of alternating current electrical energy available, namely, the 161-kV transmission system, the 500-kV transmission system, l and the diesel generators. The unit station-service transformer B for unit 3 provides a noninterruptible source of offsite power from the 500-kV transmission system to the unit 3 shutdown boards. Auxiliary power can also be supplied from the 161-kV transmission system through the common station-service transformers or through the cooling tower transformers by way of the bus tie board. The 4-kV bus tie board may remain out of service indefinitely provided one of the required offsite power sources is not supplied from the 161-kV system through the bus tie board. The minimum fuel oil requirement of 35,280 gallons for each diesel generator fuel tank assembly is sufficient for seven days of full load i operation of each diesel and is conservatively based on availability of a replenishment supply. Each diesel generator has its own independent 7-day fuel oil storage tank assembly. The degraded voltage sensing relays provide a start signal to the diesel generators in the event that a deteriorated voltage condition exists on a 4-kV shutdown board. This starting signal is independent of the starting signal generated by the complete loss of voltage relays and will continue to function and start the diesel generators on complete loss of voltage should the loss of voltage relays become inoperable. The 15-day inoperable time limit specified when one of the three phase-to-phase degraded voltage relays is inoperable is justified based on the two-out-of-three permissive logic scheme provided with these relays. A 4-kV shutdown board is allowed to be out of operation for a brief period to allow for maintenance and testing, provided all remaining 4-kV shutdown boards and associated diesel generators, CS, RHR, (LPCI and containment cooling) systems supplied by the remaining 4-kV shutdown boards, and all emergency 480-V power boards are OPERABLE. The 480-V diesel auxiliary board may be out of service for short periods for tests and maintenance. There is a safety related 250-V de unit battery located in each unit. Each 250-V de unit battery system consists of a battery, a battery charger, and a distribution panel. There is also a backup charger which can be assigned to any one of the three unit batteries. The 250-V de unit battery systems provide power for unit control functions, unit DC motor loads and alternate control power to the 4160 and 480-V ac shutdown boards. The primary control power supplies to the 3A, 3C and BFN 3.9/4.9-18 Unit 3

3.10 BASES (Cont'd) suberitical even when the highest worth control rod is fully withdrawn..The combination of r'efueling interlocks for control rods and the refueling platform provide redundant methods of preventing inadvertent criticality even after procedural violations. The interlocks on hoists provide yet another method of avoiding inadvertent criticality. Fuel handling is normally conducted with the fuel grapple hoist. The total load on this hoist when the interlock is required consists of the weight of the fuel grapple and the fuel assembly. This total is approximately 1,500 lbs, in comparison to the load-trip setting of 1,000 lbs. Provisions have also been made to allow fuel handling with either of the three auxiliary hoists and still maintain the refueling interlocks. The 400-lb load-trip setting on these hoists is adequate to trip the interlock when one of the more than 550-lb l fuel bundles is being handled. During certain periods, it is desirable to perform maintenance on two control rods and/or control rod drives at the same time without removing fuel from the cells. The maintenance is performed with the mode switch in the refuel position to provide the refueling interlocks normally available during refueling operations. In order to withdraw a second control rod after withdrawal of the first rod, it is necessary to bypass the refueling interlock on the first control rod which prevents more than one control rod from being withdrawn at the same time. The requirement that an adequate shutdown margin be demonstrated and that all remaining control rods have their directional control valves electrically disarmed ensures that inadvertent criticality cannot occur during this maintenance.- The adequacy of the shutdown margin is verified by demonstrating that at least 0.38 percent Ak shutdown margin is available. Disarming the directional control valves does not inhibit control rod scram capability. Specification 3.10.A.7 allows unloading of a significant portion of the reactor core. This operation is performed with the mode switch in the REFUEL position to provide the refueling. interlocks normally available during refueling operations. In order to withdraw more than one control rod, it is necessary to bypass the refueling interlock on each withdrawn control rod which prevents more than one control rod from being withdrawn at a time. The requirement that the fuel assemblies in the cell controlled by the control rod be removed from the reactor core before the interlock can be bypassed ensures that withdrawal of another control rod does not result in inadvertent criticality. Each control rod provides primary reactivity control for the fuel assemblies in the cell associated with that control rod. Thus, removal of an entire cell (fuel assemblies plus control rod) results in a lower reactivity potential of the core. The requirements for SRM OPERABILITY during these CORE ALTERATIONS assure sufficient core monitoring. BFN 3.10/4.10-11 Unit 3

3.10 BASES (Cont'd) REFERENCES 1. Refueling interlocks (BFNP FSAR Subsection 7.6) B. Cora Monitorinn The SRMs are provided to monitor the core during periods of unit shutdown and to guide the operator during refueling operations and unit startup. Requiring two OPERABLE SRMs (FLCs) during CORE ALTERATIONS assures adequate monitoring of the fueled region (s) and the core 4 quadrant where CORE ALTERATIONS are being performed. The fueled region is any set of contiguous (adjacent) control cells which contain one or more fuel assemblies. An SRM is considered to be in the fueled region when one or more of the four fuel assembly locations surrounding the SRM dry tube contain a fuel assembly. An FLC is considered to be in i the fueled region if the FLC is positioned such that it is monitoring the fuel assemblies in its associated core quadrant, even if the actual position of the FLC is outside the fueled region. Each SRM (FLC) is not required to read 1 3 cps until after four fuel assemblies have been loaded adjacent to the SRM (FLC) if no other fuel assemblies are in the associated core quadrant. These four locations are adjacent to the SRM dry tube. When utilizing FLCs, the FLCs will be located such that the required count rate is achieved without exceeding the SRM upscale setpoint. With four fuel assemblies or fewer loaded around each SRM, even with a control rod withdrawn, the configuration will not be critical. Under the special condition of removing the full core with all control rods inserted and electrically disarmed, it is permissible to allow SRM count rate to decrease below three counts per second. All fuel moves during core unloading will reduce reactivity. It is expected that the SRMs will drop below three counts per second before all of the fuel is unloaded. Since there will be no reactivity additions during this period, the low number of counts will not present a hazard. When sufficient fuel has been removed to the spent fuel storage pool to drop the SRM count rate below 3 cps, SRMs will no longer be required to be OPERABLE. Requiring the SRMs to be functionally tested prior to fuel removal assures that the SRMs will be OPERABLE at the start of fuel removal. The once per 12 hours verification of the SRM count rate and signal-to-noise ratio ensures their continued OPERABILITY until the count rate diminishes due to fuel removal. Control rods in cells from which all fuel has been removed and which are outside the periphery of the then existing fuel matrix may be armed electrically and moved for maintenance purposes during full core removal, provided all rods that control fuel are fully inserted and electrically disarmed. REFERENCES 1. Neutron Monitoring System (BFNP FSAR Subsection 7.5) BFN 3.10/4.10-12 Unit 3

1 i 3.10 BASES (Cont'd) 2. Morgan, W. R., "In-Core Neutron Monitoring System for General Electric Boiling Water Reactors," General Electric Company, Atomic Power Equipment Department, November 1968, revised April 1969 (APED-5706) C. Scent Fuel Pool Water The design of the spent fuel storage pool provides a storage location 4 for approximately 140 percent of the full core load of fuel assemblies in the reactor building which ensures adequate shielding, cooling, and reactivity control of irradiated fuel. An analysis has been performed which shows that a water level at or in excess of eight and one-half feet over the top of the stored assemblies will provide shielding such that the maximum calculated radiological doses do not exceed the limits of 10 CFR 20. The normal water level provides 14-1/2 feet of l additional water shielding. The capacity of the skimmer surge tanks is available to maintain the water level at its normal height for three days in the absence of additional water input from the condensate storage tanks. All penetrations of the fuel pool have been installed 1 at such a height that their presence does not provide a possible drainage route that could lower the normal water level more than one-half foot. The fuel pool cooling system is designed to maintain the pool water temperature less than 125'F during normal heat loads. If the reactor 1 core is completely unloaded when the pool contains two previous discharge batches, the temperatures may increase to greater than 125'F. The RER system supplemental fuel pool cooling mode will be used under these conditions to maintain the pool temperature to less than 125'F. l D. Egaetor Building Crane The reactor building crane and 125-ton hoist are required to be OPERABLE for handling of the spent fuel in the reactor building. The controls for the 125-ton hoist are located in the crane cab. The five-ton has both cab and pendant controls. A visual inspection of the load-bearing hoist wire rope assures detection of signs of distress or wear so that corrections can be promptly made if needed. The testing of the various limits and interlocks assures their proper operation when the crane is used. E. Spent Puel Cask The spent fuel cask design incorporates removable lifting trunnions. The visual inspection of the trunnions and fasteners prior to BFN 3.10/4.10-13 Unit 3 - -}}

Retrieved from "https://kanterella.com/w/index.php?title=ML20094M770&oldid=4324066"