Text

Proposed Tech Specs Bases Changes Made at Plant Subsequent to Receipt of License Amend 178,dtd 980731,for Conversion to Its,Through 990610
	ML20196B474
Person / Time
Site:	Cooper
Issue date:	06/17/1999
From:	; NEBRASKA PUBLIC POWER DISTRICT
To:	;
Shared Package
ML20196B472	List: ML20196B468; ML20196B474;
References
	NUDOCS 9906230204
	Download: ML20196B474 (110)
	v • d • e

1 I

Reactor Core SLs B 2.1.1 BASES APPLICABLE 2 11.2 MCPR GE Fuel (continued)

SAFETY ANALYSES i- SL calculation are given in Reference 2. Reference 2 also includes a l l

tabulation of the uncertainties used in the detennination of the MCPR !

SL and of the nominal values of the parameters used in the MCPR SL j statistica! analysis.

i l

E1.1.3 Reactor Vessel Water Level !

l During MODES 1 and 2 the reactor vessel water level is required to be l above the top of the active irradiated fuel to provide core cooling f

capability. With fuelin the reactor vessel during periods when the

! l reactor is shut down, consideration must be given to water ' el !

requirements due to the effect of decay heat. If the water level should I drop below the top of the active irradiated fuel during this period, the !

ability to remove decay heat is reduced. This reduction in cooling i capability could lead to elevated cladding temperatures and clad perforation in the event that the water level becomes < 2/3 of the core l height. The reactor vessel water level SL has been established at the i

I top of the active irradiated fuel to provide a point that can be monitored and to also provide adequate margin for effective action. Fuel zone zero (FZZ) is used as a reference point which corresponds to at or above top of the active irradiated fuel.

SAFETY LIMITS The reactor core SLs are established to protect the integrity of the fuel clad barrier to prevent the release of radioactive materials to the environs. SL 2.1.1.1 and SL 2.1.1.2 ensure that the core operates l l within the fuel design criteria. SL 2.1.1.3 ensures that the reactor l l vessel water level is greater than the top of the active irradiated fuel in l order to prevent elevated clad temperatures and resultant clad !

perforations, i

APPLICABILITY SLs 2.1.1.1,2.1.1.2, and 2.1.1.3 are applicable in all MODES.

9906230204 990617 PDR ADOCK 05000298 '.,

P PDR (continued)

Cooper B 2.0-4 June 10,1999 l

7 i

l SDM B 3.1.1 i F

B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.1 SHUTDOWN MARGIN (SDM)

! BASES ,

BACKGROUND SDM requirements are specified to ensure:

l a. The reactor can be made subcritical from all operating conditions .

and transients and Design Basis Events;

b. The reactivity transients associated with postulated accident conditions are controllable within acceptable limits; and I

c. The reactor will be maintained sufficiently subcritical to preclude inadvertent criticality in the shutdown condition.

These requirements are satisfied by the control rods, as described in the USAR, Appendix F (Ref.1), which can compensate for the reactivity effects of the fuel and water temperature changes experienced during all operating conditions.

APPLICABLE The control rod drop accident (CRDA) analysis (Refs. 2 SAFETY ANALYSES and 3) assumes the core is subcritical with the highest worth control rod withdrawn. Typically, the first control rod withdrawn has a very high reactivity worth and, should the core be critical during the withdrawal of the first control rod, the consequences of a CRDA could exceed the fuel damage limits for a CRDA (see Bases for LCO 3,1.6, " Rod Pattern Control"). Also, SDM is assumed as an initial condition for the control rod removal error during refueling (Ref. 4) and fuel assembly insertion error during refueling (Ref. 5) accidents. The analysis of these reactivity insertion events assumes the refueling interlocks are OPERABLE when the reactor is in the refueling mode of operation.

These interiocks prevent the withdrawal of more than one control rod from the core during refueling. (Special consideration and requirements for multiple control rod withdrawal during refueling are covered in Special Operations LCO 3.10.6, " Multiple Control Rod Withdrawal-Refueling.") The analysis assumes this condition is acceptable since the core will be shut down with the highest worth control rod withdrawn, if adequate SDM has been demonstrated.

Prevention or mitigation of reactivity insertion events is necessary to limit energy deposition in the fuel to prevent significant fuel damage, (cont!nued)

Cooper B 3.1-1 June 10,1999 l l

r i.

SDM B 3.1.1 BASES APPLICABLE which could result in undue release of radioactivity. Adequate SDM j SAFETY ANALYSES ensures inadvertent criticalities and potential CRDAs involving l (continued) high worth control rods (namely the first control rod withdrawn) will not cause significant fuel damage.

l SDM satisfies Criterion 2 of 10 CFR 50.36(c)(2)(li) (Ref. 6).

l-l l LCO The specified SDM limit accounts for the uncertainty in the l

demonstration of SDM by testing. Separate SDM limits are provided for testing where the highest worth control rod is determined analytically or by measurement. This is due to the reduced uncertainty in the SDM test when the highest worth control rod is determined by measurement.

When SDM is demonstrated by calculations not associated with a test (e.g., to confirm SDM during the fuel loading sequence), additional margin is included to account for uncertainties in the calculation. To ensure adequate SDM during the design process, a design margin is included to account for uncertainties in the design calculations (Refs.1 l and 8).

APPLICABILITY In MODES 1 and 2, SDM must be provided because suberiticality with the highest worth control rod withdrawn is assumed in the CRDA analysis (Ref. 2). In MODES 3 and 4, SDM is required to ensure the reactor will be held subcritical with margin for a single withdrawn control

[ rod. SDM is required in MODE 5 to prevent an open vessel, ,

inadvertent criticality during the withdrawal of a single control rod from a '

core cell containing one or more fuel assemblies or a fuel assembly insertion error (Ref. 5).'

l l'

l l

I (continued)

Cooper B 3.1-2 June 10,1999 l o

SDM B 3.1.1 BASES ACTIONS 6 21.

With SDM not within the limits of the LCO in MODE 1 or 2. SDM must be restored within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . Failure to meet the specified SDM may be caused by a control rod that cannot be inserted. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is acceptable, considering that the reactor can still be shut down, assuming no failures of additional control rods to insert, and the low probability of an event occurring during this interval.

Ed If the SDM cannot be restored, the plant must be brought to MODE 3 in 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months , to prevent the potential for further reductions in available SDM (e.g., additional stuck control rods). The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

.Q.d With SDM not within limits in MODE 3, the operator must immediately initiate action to fully insert allinsertable control rods. Action must continue until allinsertable control rods are fully inserted. This action results in the least reactive condition for the core.

D.1. D.2. D.3. and D.4 With SDM not within limits in MODE 4, the operator must immediately initiate action to fully insert all insertable control rods. Action must continue until all insertable control rods are fully inserted. This action results in the least reactive condition for the core. Action must also be initiated within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to provide means for control of potential radioactive releases. This includes ensuring secondary containment is OPERABLE; at least one Standby Gas Treatment (SGT) subsystem is OPERABLE; and secondary containment isolation capability is available in each associated secondary containment penetration flow path not isolated that is assumed to be isolated to mitigate radioactivity releases (i.e., at least one secondary containment isolation valve and associated instrumentation are OPERABLE, or other acceptable administrative I

(continued)

Cooper B 3.1-3 June 10,1999 l l

SDM B 3.1.1 BASES ACTIONS D.1. D.2. D.3. and D.4 (continued) l

)

controls to assure isolation capability. These administrative controls I consist of stationing a dedicated operator, who is in continuous I communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated). This may be performed as an administrative check, by examining logs or other l information, to determine if the components are out of service for !

maintenance or other reasons. It is not necessary to perform the !

surveillances needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, SRs may need to 4 be performed to restore the component to OPERABLE status. Actions must continue until all required components are OPERABLE.

)

l E.1. E.2. E.3. E.4. and E.5 {

With SDM not within limits in MODE 5, the operator must immediately suspend CORE ALTERATIONS that could reduce SDM (e.g., insertion of fuel in the core or the withdrawal of control rods). Suspension of these activities shall not preclude completion of movement of a component to a safe condition. Inserting control rods or removing fuel from the core will reduce the total reactivity and are therefore excluded from the suspended actions.

Action must also be immediately initiated to fully insert all insertable control rods in core cells containing one or more fuel assemblies.

Action must continue until all insertable control rods in core cells containing one or more fuel assemblies have been fully inserted.

Control rods in core cells containing no fuel assemblies do not affect .

the reactivity of the core and therefore do not have to be inserted. l Action must also be initiated within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to provide means for control !

of potential radioactive releases. This includes ensuririg secondary containment is OPERABLE; at least one SGT subsystem is '

OPERABLE; and secondary containment isolation capability is available in each associated secondary containment penetration flow path not .

isolated that is assumed to be isolated to mitigate radioactivity releases (i.e., at least one secondary containment isolation valve and associated instrumentation are OPERABLE, or other acceptable administrative controls to assure isolation capability. These administrative controls (continued)

Cooper B 3.1-4 June 10,1999 l

s SDM B 3.1.1 BASES ,

ACTIONS E.1. E.2. E.3. E.4. and E.5 (continued) consist of stationing a dedicated operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated). This may be performed as an administrative check, by examining logs or other information, to determine if the components are out of service for maintenance or other reasons. It is not necessary to perform the Surveillances as needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, SRs may need to be performed to restore the component to OPERABLE status. Action must continue until all required components are OPERABLE.

SURVEILLANCE SR 3.1.1.1

' REQUIREMENTS Adequate SDM must be verified to ensure that the reactor can be made subcritical from any initial operating condition with the highest reactivity worth control rod fully withdrawn and all other control rods fully inserted.

This can be accomplished by a test (by withdrawing control rods), an evaluation, or a combination of the two. Adequate SDM is demonstrated by testing before or during the first startup after fuel movement or control rod replacement. Control rod replacement refers to the decoupling and removal of a control rod from a core location, and subsequent replacement with a new control rod or a control rod from another core location. Since core reactivity will vary during the cycle as a function of fuel depletion and poison bumup, the beginning of cycle (BOC) test must also account for changes in core reactivity during the cycle. Therefore, to ,

obtain the SDM, the initial measured value must be increased by an '

adder, "R", which is the difference between the calculated value of maximum core reactivity during the operating cycle and the calculated BOC core reactivity. If the value of R is negative (that is. BOC is the most reactive point in the cycle), no correction to the BOC measured value is required (Ref. 9). For the SDM demonstrations that rely solely on calculation of the highest worth control rod, additional margin (0.10% Ak/k) must be added to the SDM limit of 0.28% Ak/k to account for uncertainties in the calculation.

The SDM may be demonstrated during an in-sequence control rod withdrawal, in which the highest worth control rod is analytically (continued)

Cooper B 3.1-5 June 10,1999 l.

T SDM B 3.1.1 BASES SURVEILLANCE SR 3.1.1.1 (continued)

REQUIREMENTS determined, or during local criticals, where the highest worth control rod is determined by testing.

l Local critical tests require the withdrawal of out of sequence control rods.

This testing would therefore require bypassing of the rod worth minimizer to allow the out of sequence withdrawal, and therefore additional requirements must be met (see LCO 3.10.7, " Control Rod Testing-Operating" and LCO 3.10.8, " Shutdown Margin (SDM)

Test--Refueling").

The Frequency of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months after reaching criticality is allowed to provide a reasonable amount of time to perform the required calculations and have appropriate verification.

During MODES 3 and 4, analytical calculation of SDM may be used to assure the requirements of SR 3.1.1.1 are met. During MODE 5, adequate SDM is required to ensure that the reactor does not reach criticality during control rod withdrawals. An evaluation of each in-vessel fuel movement during fuel loading (including shuffling fuel within the core) is required to ensure adequate SDM is maintained during refueling. This evaluation ensures that the intermediate loading pattems are bounded by the safety analyses for the final' core loading pattem. For example, bounding analyses that demonstrate adequate SDM for the most reactive I configurations during the refueling may be performed to demonstrate acceptability of the entire fuel movement sequence. These bounding analyses include additional margins to the associated uncertainties.

Spiral offload / reload sequences inherently eatisfy the SR, provided the fuel assemblies are reloaded in the same configuration analyzed for the new cycle. Removing fuel from the core will always result in an increase in SDM.

(continued) i I

Cooper B 3.1-6 June 10,1999 l

SDM B 3.1.1 I

-BASES REFERENCES 1. USAR, Appendix F. 1

2. USAR, Section XIV-6.0.

3. NEDE-24011-P-A-US," General Electric Standard Application for Reactor Fuel," Supplement for United States (Revision specified in the COLR).

4. USAR, Section XIV-5.3.3.

5. USAR, Section XIV-5.3.4.

6. 10 CFR 50.36(c)(2)(ii).

7. Deleted l l

l

6. USAR, Section ill-6.

9. NEDE-24011-P-A, " General Electric Standard Application for Reactor Fuel," Section 3.2.4.1 (Revision specified in the COLR).

Cooper B 3.1-7 June 10,1999 l I

p ]

l Reactivity Anomalies

) B 3.1.2 l B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.2 Reactivity Anomalies i

BASES l

BACKGROUND in accordance with USAR, Appendix F (Ref.1), reactivity shall be controllable such that suberiticality is maintained under cold conditions and acceptable fuel design limits are not exceeded during normal operation and abnormal operational transients. Therefore, Reactivity Anomalies are used as a measure of the predicted versus measured core reactivity during power operation. The continual confirmation of core reactivity is necessary to ensure that the Design Basis Accident (DBA) and transient safety analyses remain valid. A large reactivity anomaly could be the result of unanticipated changes in fuel reactivity or control rod worth or operation at conditions not consistent with those assumed in the predictions of core reactivity, and could potentially result in a loss of SDM or violation of acceptable fuel design limits. Comparing predicted versus measured core reactivity validates the nuclear methods used in the safety analysis and supports the SDM requirements (LCO 3.1.1,

" SHUTDOWN MARGIN (SDM)") in assuring the reactor can be brought safely to cold, suberitical conditions.

When the reactor core is critical or in normal power operation, a reactivity balance exists and the net reactivity is zero. A comparison of predicted and measured reactivity is convenient under such a balance, since parameters are being maintained relatively stable under steady state power conditions. The positive reactivity inherent in the core design is balanced by the negative reactivity of the control components, thermal feedback, neutron leakage, and materials in the core that absorb neutrons, such as bumable absorbers, producing zero net reactivity.

In order to achieve the required fuel cycle energy output, the uranium enrichment in the new fuel loading and the fuel loaded in the previous cycles provide excess positive reactivity beyond that required to sustain steady state operation at the beginning of cycle (BOC). When the reactor is critical at RTP and operating moderator temperature, the excess positive reactivity is compensated by bumable absorbers (if any), .

control rods, and whatever neutron poisons (mainly xenon and samarium) l are present in the fuel. The predicted core reactivity, as represented by l control rod density, is calculated by a 3D core simulator code as a function of cycle exposure. This calculation is performed for projected operating states and conditions throughout the cycle. The core reactivity is determined from control rod densities for actual plant conditions ihd is then compared to the predicted value for the cycle exposure.

(cont!nued) i L Cooper B 3.1-8 June 10,1999 l

a Reactivity Anomalies B 3.1.2 BASES APPLICABLE Accurate prediction of core reactivity is either an explicit SAFETY ANALYSES or implicit assumption in the accident analysis evaluations (Ref. 2). In particular, SDM and reactivity transients, such as control rod withdrawal accidents or rod drop accidents, are very sensitive to accurate prediction ,

of core reactivity. These accident analysis evaluations rely on computer '

codes that have been qualified against available test data, operating plant data, and analytical benchmarks. Monitoring reactivity anomaly provides additional assurance that the nuclear methods provide an accurato representation of the core reactivity.

I The comparison between measured and predicted initial core reactivity provides a normalization for the calculational models used to predict core reactivity. If the measured and predicted rod density for identical core conditions at BOC do not reasonably agree, then the assumptions used in the reload cycle design analysis or the calculation models used to predict rod density may not be accurate. If reasonable agreement between measured and predicted core reactivity exists at BOC, then the prediction may be normalized to the measured value. Thereafter, any significant deviations in the measured rod density from the predicted rod j density that develop during fuel depletion may be an indication that the assumptions of the DBA and transient analyses are no longer valid, or j that an unexpected change in core conditions has occurred.

Reactivity Anomalies satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).

l l

i I

(continued)

Cooper B 3.1-9 June 10,1999 l

1 1

i Reactivity Anomalies B 3.1.2 ,

l BASES (continued)

LCO The reactivity anomaly limit is established to ensure plant operation is l maintained within the assumptions of the safety analyses. Large differences between monitored and predicted core reactivity may indicate that the assumptions of the DBA and transient analyses are no longer valid, or that the uncertainties in the " Nuclear Design Methodology" are larger than expected. A limit on the difference between the monitored and the predicted rod density ofi 1% Ak/k has been established based on engineering judgment. A > 1% deviation in reactivity from that predicted is larger than expected for normal operation and should j therefore be evaluated.

l l

APPLICABILITY In MODE 1, most of the control rods are withdrawn and steady state operation is typically achieved. Under these conditions, the comparison between predicted and monitored core reactivity provides an effective measure of the reactivity anomaly. In MODE 2, control rods are typically being withdrawn during a startup. In MODES 3 and 4, all control rods are fully inserted and therefore the reactor is in the least reactive state, where monitoring core reactivity is not necessary. In MODE 5, fuel loading results in a continually changing core reactivity. SDM requirements (LCO 3.1.1) ensure that fuel movements aro performed within the bounds i of the safety analysis, and an SDM demonstration is required during the first startup following operations that could have altered core reactivity (e.g., fuel movement, control rod replacement, shuffling). The SDM test, required by LCO 3.1.1, provides a direct comparison of the predicted and monitored core reactivity at cold conditions; therefore, the Ret ctivity Anomalies Specification is not required during these conditions.

ACTIONS &j.

1 Should an anomaly develop between measured and predicted core reactivity, the core reactivity difference must be restored to within the limit to ensure contiriued operation is within the core design a.ssumptions. l Restoration to within the limit could be performed by an evaluation of the I core design and safety analysis to determine the reason for the anomaly. l This evaluation normally reviews the core conditions to determine their l consistency with input to design calculations. Measured core and process parameters are also normally evaluated to determine that they are within the bounds of the safety analysis, and safety analysis calculational models may be reviewed to verify that they are adequate for

, representation of the core conditions.

l (continued)

Cooper B 3.1-10 June 10,1999 l

1 Reactivity Anomalies B 3.1.2 BASES ACTIONS AJ. (continued)

The required Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is based on the low probability of a DBA occurring during this period, and allows sufficient time to assess the physical condition of the reactor and complete the evaluation of the core design and safety analysis.

El If the core reactivity cannot be restored to within the 1% Ak/k limit, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.1.2.1 REQUIREMENTS Verifying the reactivity difference between the monitored and predicted rod density is within the limits of the LCO provides added assurance that plant operation is maintained within the assumptions of the DBA and transient analyses. The core monitoring system calculates the rod density for the reactor conditions obtained from plant instrumentation. A comparison of the monitored rod density to the predicted rod density at the same cycle exposure is used to calculate the reactivity difference.

The comparison is required when the core reactivity has potentially changed by a significant amount. This may occur following a refueling in which new fuel assemblies are loaded, fuel assemblies are shuffled within the core, or control rods are replaced or shuffled. Control rod replacement refers to the decoupling and removal of a control rod from a core location, and subsequent replacement with a new control rod or a control rod from another core location. Also, core reactlyity changes during the cycle. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months interval after reaching equilibrium conditions following a startup is based on the need for equilibrium xenon concentrations in the core, such that an accurate comparison between the monitored and predicted rod density can be made.

(continued)

Cooper B 3.1-11 June 10,1999 l

T Reactivity Anomalies B 3.1.2 BASES SURVEILLANCE - SR 3.1.2.1 (continued)

REQUIREMENTS For the purposes of this SR, the reactor is assumed to be at equilibrium conditions when steady state operations (no control rod movement or core flow changes) at > 75% RTP have been obtained. The 1000 MWD /T Frequency was developed, considering the relatively slow

- change in core reactivity with exposure and operating experience related to variations in core reactivity. This comparison requires the core to be operating at power levels which minimize the uncertainties and measurement errors, in order to obtain meaningful results. Therefore, the comparison is oa!y done when in MODE 1. The tests performed at this Frequency also use base data obtained during the first test of the specific fuel. cycle.

REFERENCES 1. USAR, Appendix F.

2. USAR,Section XIV.

3. 10 CFR 50.36(c)(2)(ii).

Cooper B 3,1-12 June 10,1999 l m'

I Control Rod OPERABILITY B 3.1.3 BASES APPLICABLE The capability to insert the control rods provides assurance SAFETY ANALYSES that the assumptions for scram reactivity in the DBA and (continued) transient analyses are not violated. Since the SDM ensures the reactor will be subcritical with the highest worth control rod withdrawn (assumed single failure), the additional failure of a second control rod to insert, if required, could invalidate the demonstrated SDM and potentially limit the ability of the CRD System to hold the reactor subcritical. If the control rod is stuck at an inserted position and becomes decoupled from the CRD, a control rod drop accident (CRDA) can possibly occur. Therefore, the requirement that all control rods be OPERABLE ensures the CRD System can perform its intended function.

The control rods also protect the fuel from damage which could result in release of radioactivity. The limits protected are the MCPR Safety Limit (SL) (see Bases for SL 2.1.1, " Reactor Core SLs," and LCO 3.2.2,

! " MINIMUM CRITICAL POWER RATIO (MCPR)"), the 1% claddlng plastic strain fuel design limit (see Bases for LCO 3.2.1, " AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)," and the fuel damage limit (see Bases for LCO 3.1.6, " Rod Pattern Control") during reactivity insertion events.

The negative reactivity insertion (scram) provided by the CRD System l provides the analytical basis for determination of plant thermal limits and provides protection against fuel damage limits during a CRDA. The Bases for LCO 3.1.4, LCO 3.1.5, and LCO 3.1.6 discuss in more detail how the SLs are protected by the CRD System.

Control rod OPERABILITY satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii)

(Ref. 5).

l

! LCO The OPERABILITY of an individual control rod is based on a combination ,

( of factors, primarily, the scram insertion times, the control rod coupling l l integrity, and the ability to determine the control rod position.

Accumulator OPERABILITY is addressed by LCO 3.1.5. .The associated scram accumulator status for a control rod only affects the scram insertion times; therefore, an inoperable accumulator does not immediately require declaring a control rod inoperable. Although not all control rods are required to be OPERABLE to satisfy the Inte.nded ,

reactivity control requirements, strict control over the number and distribution of inoperable control rods is required to satisfy the assumptions of the DBA and transient analyses.

(continued)

Cooper B 3.1-14 June 10,1999 l

l Control Rod OPERABILITY !

B 3.1.3 BASES APPLICABILITY in MODES 1 and 2, the control rods are assumed to function during a DBA or transient and are therefore required to be OPERABLE in these MODES. In MODES 3 and 4, control rods are not able to be withdrawn since the reactor mode switch is in shutdown and a control rod block is l applied. This provides adequate requirements for control rod OPERABILITY during these conditions. Control rod requirements in MODE 5 are located in LCO 3.9.5, " Control Rod 1 OPERABILITY - Refueling."

ACTIONS The ACTIONS Table is modified by a Note indicating that a separate Condition entry is allowed for each control rod. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable control rod. Complying with the Required Actions may allow for continued operation, and subsequent inoperable control rods are govemed by subsequent Condition entry and application of associated Required Actions.

A.1. A.2. A.3. and A.4 A control rod is considered stuck if it will not insert by either CRD drive water or scram pressure. With a fully inserted control rod stuck, no actions are required as long as the control rod remains fully inserted.

The Required Actions are modified by a Note, which allows the rod worth minimizer (RWM) to be bypassed if required to allow continued operation.

LCO 3.3.2.1, " Control Rod Block Instrumentation," provides additional requirements when the RWM is bypassed to ensure compliance with the l CRDA analysis. With one withdrawn control rod stuck, the local scram reactivity rate assumptions may not be met if the stuck control rod separation criteria are not met. Therefore, a verification that the separation criteria are met must be performed immediately. The separation criteria are not met if a) the stuck control rod occupies a location adjacent to two " slow" control rods, b) the stuck control rod occupies a location adjacent to one " slow" control rod, and the one " slow" control rod is also adjacent to another " slow" control rod; or c) if the stuck control rod occupies a location adjacent to one " slow" control rod when there is another pair of " slow" control rods adjacent to one another.

(continued)

Cooper B 3.1-15 June 10,1999 l

E ,

1 Control Rod OPERABillTY B 3.1.3 BASES ACTIONS A.1. A.2. A.3. and A.4 (continued)

The description of " slow" control rods is provided in LCO 3.1.4, " Control Rod Scram Times." In addition, the associated control rod drive must be disarmed (hydraulically) in 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months . The allowed Completion Time of 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months is acceptable, considering the reactor can still be shut down, assuming no additional control rods fall to insert, and provides a reasonable time to perform the Required Action in an orderly manner.

The control rod must be isolated from both scram and normal insert and withdraw pressure. Isolating the control rod from scram and normal insert and withdraw pressure prevents damage to the CRDM. The control rod should be isolated from scram and normal insert and withdraw pressure, while maintaining cooling water to the CRD.

Monitoring of the insertion capability of each withdrawn control rod must also be performed within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months from discovery of Condition A l 1

concurrent with THERMAL POWER greater than the low power l setpoint (LPSP) of the RWM. SR 3.1.3.2 and SR 3.1.3.3 perform periodic tests of the control rod insertion capability of withdrawn control rods. Testing each withdrawn control rod ensures that a generic problem I

does not exist. This Completion Time also allows for an exception to the normal " time zero" for beginning the allowed outage time " clock". The l Required Action A.3 Completion Time only begins upon discovery of Condition A concurrent with THERMAL POWER greater than the actual LPSP of the RWM since the notch insertions may not be compatible with l j

the requirements of rod pattem control (LCO 3.1.6) and the RWM i (LCO 3.3.2.1). The allowed Completion Time provides a reasonable time to test the control rods, considering the potential for a need to reduce power to perform the tests.

To allow continued operation with a withdrawn control rod stuck, an evaluation of adequate SDM is also required within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . Should a DBA or transient require a shutdown, to preserve the single failure criterion, an additional control rod would have to be assumed to fall to insert when required. Therefore, the original SDM demonstration may !

not be valid. The SDM must therefore be evaluated (by measurement or analysis) with the stuck control rod at its stuck position and the highest !

worth OPERABLE control rod assumed to be fully withdrawn. l l

l (continued)

Cooper B 3.1-16 June 10,1999 l

Control Rod OPERABILITY ;

l B 3.1.3 BASES l

ACTIONS A.1. A.2. A.3. and A.4 (continued)

The allowed Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to varify SDM is adequate, considering that with a single control rod stuck in a withdrawn position, i the remaining OPERABLE control rods are capable of providing the required scram and shutdown reactivity. Failure to reach MODE 4 is only ;

likely if an additional control rod adjacent to the stuck control rod also '

fails to insert during a required scram. Even with the postulated additional single failure of an adjacent control rod to insert, sufficient reactivity control remains to reach and maintain MODE 3 (subcritical) conditions (Ref. 6).

El With two or more withdrawn control rods stuck, the plant must be brought to MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The occurrence of more than one control rod stuck at a withdrawn position increases the probability that the reactor cannot be shut down if required. Insertion of allinsertable control rods l eliminates the possibility of an additional failure of a control rod to insert. '

The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

C.1 and C.2 With one or more control rods inoperable for reasons other than being stuck in the withdrawn position, operation may continue, provided the control rods are fully inserted within 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months and disarmed (electrically or hydraulically) within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . Inserting a control rod ensures the shutdown and scram capabilities are not adversely affected. The control rod is disarmed to prevent inadvertent withdrawal during subsequent operations. The control rods can be hydraulically disarmed by closing the drive water and exhaust water isolation valves. The control rods can be (continued)

Cooper B 3.1-17 June 10,1999 l

SDV Vent and Drain Valves B 3.1.8 BASES SURVEILLANCE SR 3.1.8.2 -

. REQUIREMENTS )

(continued) During a scram, the SDV vent and drain valves should close to contain the reactor water discharged to the SDV piping. Cycling each valve through its complete range of motion (closed and open) ensures that the valve will function properly during a scram. The 92 day Frequency is l based on operating experience and takes into account the level of l

redundancy in the system design. l SR 3.1.8.3 SR 3.1.8.3 is an integrated test of the SDV vent and drain valves to verify total system performance. After receipt of a simulated or actual scram signal, the closure of the automatic SDV vent and drain vaives is verified.

The closure time of 30 seconds after receipt of a scram signalis based on the bounding leakage case evaluated in the accident analysis. l Similarly, after receipt of a simulated or actual scram reset signal, the opening of the SDV vent and drain valves is verified. The LOGIC SYSTEM FUNCTIONAL TEST in LCO 3.3.1.1 and the scram time testing of control rods in LCO 3.1.3, " Control Rod Operability," overlap this Surveillance to provide complete testing of the assumed safety function. ,

The 18 month Frequency is based on the need to perform this j Surveillance under the conditions that apply during a plant outage and j the potential for an unplanned transient if the Surveillance were l

performed with the reactor at power. Operating experience has shown /

' these components usually pass the Surveillance when performed at the 18 month Frequency; therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

1 1

(continued)

Cooper B 3.1-50 June 10,1999 l

r !

SDV Vent and Drain Valves B 3.1.8 BASES l

REFERENCES I

1. USAR, Section 111-5.

l

2. 10 CFR 100.

3. NUREG-0803, " Generic Safety Evaluation Report Regarding integrity of BWR Scram System Piping," August 1981.

4. 10 CFR 50.36(c)(2)(ii).

5. Deleted

[

i Cooper B 3.1-51 June 10,1999 l

)

APLHGR l

B 3.2.1 BASES APPLICABLE generated. Due to the sensitivity of the transient response SAFETY ANALYSES to initial core flow levels at power levels below those at (continued) which turbine stop valve closure and turbine control valve fast closure scram trips are bypassed, both high and low core flow MAPFAC, limits are provided for operation at power levels between 25% RTP and the previously mentioned bypass power level. The exposure dependent APLHGR limits are reduced by MAPFAC, and MAPFAC, at various operating conditions to ensure that all fuel design criteria are met for normal operation and abnormal operational transients. A complete discussion of the analysis code is provided in Reference 8.

LOCA analyses are then performed to ensure that the above determined APLHGR limits are adequate to meet the PCT and maximum oxidation limits of 10 CFR 50.46. The analysis is performed using calculational models that are consistent with the requirements of 10 CFR 50, Appendix K. A complete discussion of the analysis code is provided in References 9 and 10. The PCT following a postulated LOCA is a l function of the average heat generation rate of all the rods of a fuel assembly at any axial location and is not strongly influenced by the rod to rod power distribution within an assembly. The APLHGR limits specified are equivalent to the LHGR of the highest powered fuel rod assumed in the LOCA analysis divided by its local peaking factor. A conservative multiplier is applied to the LHGR assumed in the LOCA analysis to l at count for the uncertainty associated with the measurement of the APLHGR.

For single recirculation loop operation, the MAPFAC multiplier is contained in the COLR. This maximum limit is due to the conservative analysis assumption of an earlier departure from nucleate boiling with one recirculation loop available, resulting in a more severe cladding heatup during a LOCA (Refs. 5 and 9). l ;

The APLHGR satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii) (Ref.12).

LCO The APLHGR limits (for each type of fuel as a function of average planar exposure) specified in the COLR are the result of the fuel design, DBA, and transient analyses. For i

(continued)

Cooper B 3.2-2 June 10,1999 l l

L

1 APLHGR B 3.2.1 !

BASES LCO two recirculation loops operating, the limit is determined (continued) by multiplying the smaller of the MAPFAC, and MAPFAC, factors times the exposure dependent APLHGR limits. With only one recirculation loop in operation, in conformance with the requirements of LCO 3.4.1,

" Recirculation Loops Operating," the limit is determined by multiplying the exposure dependent APLHGR limit by the one recirculation loop operation multiplier contained in the COLR.

APPLICABILITY The APLHGR limits are primarily derived from fuel design evaluations and LOCA and transient analyses that are assumed to occur at high power levels. Design calculations (Ref. 6) and operating experience have shown that as power is reduced, the margin to the required APLHGR limits increases. This trend continues down to the power range of 5% to 15% RTP when entry into MODE 2 occurs. When in MODE 2, the intermediate range monitor scram function provides prompt scram initiation during any significant transient, thereby effectively removing any APLHGR limit compliance concem in MODE 2. Therefore, at THERMAL POWER levels s 25% RTP, the reactor is operating with substantial margin to the APLHGR limits; thus, this LCO is not required.

ACTIONS AJ.

If any APLHGR exceeds the required limits, an assumption regarding an initial condition of the DBA and transient analyses may not be met.

Therefore, prompt action should be taken to restore the APLHGR(s) to within the required limits such that the plant operates within analyzed conditions and within design limits of the fuel rods. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time is sufficient to restore the APLHGR(s) to within its limits and is acceptable based on the low probability of a transient or DBA occurring simultaneously with the APLHGR out of specification.

J kl '

If the APLHGR cannot be restored to within its required ilmits within the associated Completion Time, the plant must (continued)

Cooper B 3.2-3 June 10,1999 l

[- I APLHGR B 3.2.1 l --

BASES REFERENCES 8. NEDO-24154, " Qualification of the One-Dimensional Core (continued) Transient Model for Boiling Water Reactors," October 1978.

9. NEDC-32687P, Revision 1, " Cooper Nuclear Station j

SAFER /GESTR-LOCA Loss-of-Coolant Accident Analysis," March 1997.

10. NEDE-23785-1-PA, "The GESTR-LOCA and SAFER Models for ;

I ,

the Evaluation of Loss-of-Coolant Accident," Volume Ill, Revision 1, October 1984.

11. Deleted.

l

12. 10 CFR 50.36(c)(2)(ii).

1 1

1 l

l l

1 l

I Cooper B 3.2-5 June 10,1999 l u

i I

RPS Instrumentation B 3.3.1.1 BASES .

I 1

APPLICABLE the limiting values of the process parameters obtained from !

SAFETY ANALYSES, the safety analysis or other appropriate documents. l LCO, and The Allowable Values are derived from the analytic limits, !

APPLICABILITY corrected for calibration, process, and some of the '

(continued) instrument errors. The trip setpoints are then determined ;

, accounting for the remaining instrument errors (e.g., l drift). The trip setpoints derived in this manner provide ,

adequate protection because instrumentation uncertainties, '

process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

The OPERABILITY of scram pilot valves and associated I solenoids, backup scram valves, and SDV valves, described in the Background section, are not addressed by this LCO.

The individual Functions are required to be OPERABLE in the MODES or other Conditions specified in the table, which may require an RPS trip to mitigate the consequences of a design basis accident or transient. To ensure a reliable scram ,

function, a combination of Functions are required in each j MODE to provide primary and diverse initiation signals.

The only MODES specified in Table 3.3.1.1-1 are MODES 1 and l 2 and MODE 5 with any control rod withdrawn from a core cell I containing one or more fuel assemblies. No RPS Function is required in MODES 3 and 4 since, all control rods are fully inserted and the Reactor Mode Switch Shutdown Position control rod withdrawal block (LC0 3.3.2.1) does not allow any control rod to be withdrawn. In MODE 5, control rods I withdrawn from a core cell containing no fuel assemblies do not affect the reactivity of the core and, therefore, are 4 not required to have the capability to scram. Provided all other control rods remain inserted, no RPS Function is required, In this condition, the required SDM (LC0 3.1.1) and refuel position one-rod-out interlock (LC0 3.9.2) ensure that no event requiring RPS will occur.

The trip that results from the removal of a circuit card is a basic design feature of selected circuits. This feature is excluded from periodic testing in order to minimize component wear and damage.

(continued)

Cooper B 3.3-4 Revision 1

RPS_ Instrumentation

. , B 3.3.1.1 BASES APPLICABLE The specific Applicable Safety Analyses, LCO, and SAFETY ANALYSES, Applicability discussions are listed below on a Function by LCO, and Function basis.

APPLICABILITY (continued) Intermediate Ranae Monitor (IRM) 1.a. Intermediate Ranae Monitor Neutron Flux - Hiah The IRMs monitor neutron flux levels from the upper range of the source range monitor (SRM) to the lower range of the average power range monitors (APRMs). The IRMs are capable of generating trip signals that can be used to prevent fuel damage resulting from abnormal operating transients in the intermediate power range. In this power range, the most !

I significant source of reactivity change is due to control rod withdrawal. The IRM provides diverse protection from '

the rod worth minimizer (RWM), which monitors and controls the movement of control rods at low power. The RWM prevents the withdrawal of an out of sequence control rod during startup that could result in an unacceptable neutron flux l excursion (Ref. 2). The IRM provides mitigation of the l neutron flux excursion. To demonstrate the capability of the IRM System to mitigate control rod withdrawal events, generic analyses have been performed (Ref. 3) to evaluate the consequences of control rod withdrawal events during startup that are mitigated only by the IRM. The continuous rod withdrawal during reactor startup analysis (Refs. 2 and 3), which assumes that one IRM channel in each trip system is bypassed, demonstrates that the IRMs provide protection against local control rod withdrawal errors and results in peak fuel enthalpy below the 170 cal /gm fuel failure threshold criterion.

The IRMs are also capable of limiting other reactivity excursions during startup, such as cold water injection events, although no credit is specifically assumed.

The IRM System is divided into two groups of IRM channels, with four IRM channels inputting to each trip system. The analysis of Reference 3 assumes that one channel in each trip system is bypassed. Therefore, six channels with three channels in each trip system are required for IRM OPERABILITY to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. This (continued)

Cooper B 3.3-5 RevisionIl

RPS Instrumentation

.- 1 B 3.3.1.1 BASES l

APPLICABLE 1.a. Intermediate Ranae Monitor Neutron Flux-Hiah SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY trip is active in each of the 9 ranges of the IRM, which must be selected by the operator to maintain the neutron flux within the monitored level of an IRM range. '

The analysis of Reference 3 has adequate conservatism to permit an IRM Allowable Value of 121 divisions of a 125 division scale.

The Intermediate Range Monitor Neutron Flux-High Function must be OPERABLE during h0DE 2 when control rods may be withdrawn and the potential for criticality exists. In MODE 5, when a cell with fuel has its control rod withdrawn, the IRMs provide monitoring for and protection against unexpected reactivity excursions. In MODE 1, the APRM System and the RWM provide protection against control rod withdrawal error events and the IRMs are not required. An IRM is automatically bypassed when the mode switch is in the "Run" position and its companion APRM is above its downscale -

trip setpoint.

1.b. Intermediate Ranae Monitor-Inoo This trip signal provides assurance that a minimum number of IRMs are OPERABLE. Anytime an IRM mode switch is moved to any position other than " Operate," the detector voltage drops below a preset level, loss of the negative or positive DC voltages, or when a module is not plugged in, an inoperative trip signal will be received by the RPS unless the IRM is bypassed. Since only one IRM in each trip system may be bypassed, only one IRM in each RPS trip system may be inoperable without resulting in an RPS trip signal.

This Function was not specifically credited in the accident analysis but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.

Six channels of Intermediate Range Monitor-Inop with three channels in each trip system are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal.

(continued)

Cooper B 3.3-6 Revision 1l

t 7 RPS Instrumentation i s B 3.3.1.1 j BASES APPLICABLE 1.a. Intermediate Ranae Monitor Neutron Flux-Hiah SAFETY ANALYSES, (continued) l LCO, and !

APPLICABILITY Since this Function is not assumed in the safety analysis, there is no Allowable Value for this Function.

I This Function is required to be OPERABLE when the j Intermediate Range Monitor Neutron Flux-High Function is f required.

1 Averaae Power Ranae Monitor 2.a. Averaae Power Ranae Monitor Neutron Flux-Hiah I (Startuo)

The APRM channels receive input signals from the local power range monitors (LPRMs) within the reactor core that provide )

an indication of the power distribution and local power i changes. The APRM channels average these LPRM signals to

. provide a continuous indication of average reactor power from a few percent to greater than RTP. For operation at --

low power (i.e., MODE 2), the Average Power Range Monitor Neutron Flux-High (Startup) Function is capable of generating a trip signal that prevents fuel damage resulting from abnormal operating transients in this power range. For most operation at low power levels, the Average Power Range Monitor Neutron Flux-High (Startup) Function will provide a secondary scram to the Intermediate Range Monitor Neutron Flux-High Function because of the relative setpoints. With the IRMs at Range 9, it is possible that the Average Power Range Monitor Neutron Flux-High (Startup) Function will provide the primary trip signal for a core-wide increase in power.

No specific safety analyses take direct credit for the l Average Power Range Monitor Neutron Flux-High (Startup)

Function. However, this Function indirectly ensures that before the reactor mode switch is placed in the run position, reactor power does not exceed 25% RTP (SL 2.1.1.1) when operating at low reactor pressure and low core flow.

Therefore, it indirectly prevents fuel damage during significant reactivity increases with THERMAL POWER

< 25% RTP.

(continued)

Cooper B 3.3-7 Revision 1l

RPS Instrumentation

.- s B 3.3.1.1 BASES APPLICABLE 2.a. Averaae Power Ranae Monitor Neutron Flux-Hiah SAFETY ANALYSES, (Startuo) (continued)

LCO, and APPLICABILITY The APRM System is divided into two groups of channels with three APRM channel inputs to each trip system. The system is designed to allow one channel in each trip system to be bypassed. Any one APRM channel in a trip system can cause the associated trip system to trip. Four channels of Average Power Range Monitor Neutron Flux-High (Startup) with two channels in each trip system are required to be OPERABLE to ensure that no single failure will preclude a scram from this Function on a valid signal. In addition, to provide

.dequate coverage of the entire core, at least 11 LPRM l inputs are required for each APRM channel, with at least two i LPRM inputs from each of the four axial levels at which the LPRMs are located.

The Allowable Value is based on preventing significant increases in power when THERMAL POWER is < 25% RTP.

The Average Power Range Monitor Neutron Flux-High (Startup) - ,

Function must be OPERABLE during MODE 2 when control rods I may be withdrawn since t.ie potential for criticality exists.

In MODE 1, the Average Power Range Monitor Neutron Flux-High (Fixed) Function provides protection against reactivity transients and the RWM and rod block monitor protect against control rod withdrawal error events. Function 2.a is bypassed when the reactor mode switch is in run.

2.b. Averaae Power Ranae Monitor Neutron Flux-Hiah (Flow Biased)

The Average Power Range Monitor Neutron Flux-High (Flow Biased) Function monitcc., neutron flux to approximate the THERMAL POWER being transferred to the reactor coolant. The APRM neutron flux trip level is varied as a function of recirculation drive flow (i.e., at lower core flows, the setpoint is reduced proportional to the reduction in power experienced as core flow is reduced with a fixed control rod pattern) but is clamped at an upper limit, the Function 2.c, Average Power Range Monitor Neutron Flux-High (Fixed)

Function Allowable Value. The Average Power Range Monitor Neutron Flux-High (Flow Biased) Function is not specifically credited in the safety analyses, but is intended to provide protection against transients where THERMAL POWER increases (continued)

Cooper B 3.3-8 Revision 1l

RPL Instrumentation i i s B 3.3.1.1 1 1

BASES APPLICABLE 2.b. Averaae Power Ranae Monitor Neutron Flux-Hiah SAFETY ANALYSES, (Flow Biased) (continued)

LCO, and APPLICABILITY slowly, and to provide protection for power oscillations which may result from reactor thermal hydraulic instability.

The APRM System is divided into two groups of channels with three APRM Channel inputs to each trip system. The system is designed to allow one channel in each trip system to be bypassed. Any one APRM channel in a trip system can cause the associated trip system to trip. Four channels of Average Power Range Monitor Neutron Flux-High (Flow Biased) with two channels in each trip system arranged in a one-out-of-two logic are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. In addition, to provide adequate coverage of the entire core, at least 11 LPRM inputs are required for each APRM channel, with at least two LPRM inputs from each of the four axial levels at which the LPRMs are located. Each APRM channel receives a flow signal representative of total recirculation loop flow. The total -

recirculation loop drive flow signals are generated by two flow units, one of which supalies signals to the trip system A APRMs, while the otler supplies signals to the trip system B APRMs. Each flow unit signal is provided by summing up the flow signals from the two recirculation loops. The instrumentation is an analog type with redundant flow signals that can be compared. Each required Average Power Range Monitor Neutron Flux-High (Flow Biased) channel requires an input from one OPERABLE flow unit. If a flow unit is inoperable, the associated Average Power Range Monitor Neutron Flux-High (Flow Biased) channels must be considered inoperable.

The terms for the Allowable Value of the APRM Neutron Flux-High (Flow Biased) trip are defined as follows: S is the j setting in percent rated power; W is the two loop l recirculation flow rate in percent rated flow (rated loop )

recirculation flow rate is that recirculation flow rate which provides 100% core flow at 100% power); AW is the difference between two loop and single loop effective drive l flow at the same core flow. AW equals zero for two recirculation loop operation. !

(continued)

Cooper B 3.3-9 Revision 1 l l

l

RPS< Instrumentation i s B 3.3.1.1 l

i BASES APPLICABLE 2.b. Averace Power Ranae Monitor Neutron Flux-Hiah SAFETY ANALYSES, (Flow. Biased) (continued)

LCO, and APPLICABILITY No specific safety analyses take credit for the APRM Neutron Flux-High (Flow Biased) Function. Originally the clamped Allowable Value was based on analyses that took credit for the Average Power Range Monitor Neutron Flux-High (Flow Biased) Function for the mitigation of the loss of feedwater heating event. However, the current methodology for this event is based on a steady state analysis that allows power to increase beyond the clamped Allowable Value. Therefore, applying a clamp is conservative.

The Average Power Range Monitor Neutron Flux-High (Flow Biased) Function is required to be OPERABLE in MODE 1 when there is the possibility of generating excessive THERMAL POWER and potentially exceeding the SL applicable to high pressure and core flow conditions (MCPR SL). During MODES 2 and 5, other IRM and APRM Functions provide protection for fuel cladding integrity.

2.c. Averaae Power Ranae Monitor Neutron Flux-Hiah (Fixed)

The APRM channels provide the primary indication of neutron flux within the core and respond almost instantaneously to neutron flux increases. The Average Power Range Monitor Neutron Flux-High (Fixed) Function is capable of generating a trip signal to prevent fuel damage or excessive Reactor Coolant System (RCS) pressure. For the overpressarization protection analysis of Reference 6, the Average Power Range Monitor Neutron Flux-High (Fixed) Function is assumed to terminate the main steam isolation valve (MSIV) closure event and, along with the safety / relief valves (SRVs),

limits the peak reactor pressure vessel (RPV) pressure to less than the ASME Code limits. The control rod drop accident (CRDA) analysis (Ref. 7) takes credit for the Average Power Range Monitor Neutron Flux-High (Fixed)

Function to terminate the CRDA.

The APRM System is divided into two groups of channels with three APRM channels inputting to each trip system. The system is designed to allow one channel in each trip system to be bypassed. Any one APRM channel in a trip system can cause the associated trip system to trip. Four channels of Average Power Range Monitor Neutron Flux-High (Fixed) with two channels in each trip system arranged in a one-out-of-(continued)

Cooper B 3.3-10 Revision 1l

F RPS Instrumentation

~

- s B 3.3.1.1 BASES APPLICABLE 2.c. Averaae Power Ranae Monitor Neutron Flux-Hiah (Fixed)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY two logic are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. In addition, to provide adequate coverage of the entire core, at least 11 LPRM inputs are required for each APRM channel, with at least two LPRM inputs from each of the four axial levels at which the LPRMs are located.

The Allowable Value is based on the Analytical Limit assumed in the CRDA analyses.

The Average Power Range Monitor Neutron Flux-High (Fixed)

Function is required to be OPERABLE in MODE 1 where the potential consequences of the analyzed transients could result in the SLs (e.g., MCPR and RCS pressure) being exceeded. Although the Average Power Range Monitor Neutron Flux-High (Fixed) Function is assumed in the CRDA analysis (Ref. 7), which is applicable in MODE 2, the Average Power -

Range Monitor Neutron Flux-High, (Startup) Function conservatively bounds the assumed trip and, together with the assumed IRM trips, provides adequate protection.

Therefore, the Average Power Range Monitor Neutron Flux-High (Fixed) Function is not required in MODE 2.

2.d. Averaae Power Ranae Monitor-Downscale This signal ensures that there is adequate Neutron Monitoring System protection if the reactor mode switch is placed in the run position prior to the APRMs coming on i scale. With the reactor mode switch in run, an APRM downscale signal coincident with an associated Intermediate Range Monitor Neutron Flux-High or Inop signal generates a trip signal. This Function was not specifically credited in the accident analysis but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.

The APRM System is divided into two groups of channels with three inputs into each trip system. The system is designed to allow one channel in each trip system to he bypassed.

Four channels of Average Power Range Monite "ownscale with two channels in each trip system arranged ic. 5 one-out-of-two logic are required to be OPERABLE to ensure that no (continued)

Cooper B 3.3-11 Revision 1l

l RPS Instrumentation i s B 3.3.1.1 l

BASES I APPLICABLE 2.d. Averaae Power Ranae Monitor-Downscale SAFETY ANALYSES, (continued) I LCO, and APPLICABILITY single failure will preclude a scram from this Function on a l valid signal. The Intermediate Range Monitor Neutron Flux-High and Inop Functions are also part of the OPERABILITY of the Average Power Range Monitor-Downscale Function. If 4 either of these IRM Functions cannot send a signal to the i Average Power Range Monitor-Downscale Function, either !

automatically when the trip conditions exist or manually I when the IRM is inoperable (e.g., when the IRM is taken out of operate or bypassed), the associated Average Power Range Monitor-Downscale channel is considered inoperable.

The Allowable Value is based upon ensuring that the APRMs are on scale when transfers are made between APRMs and IRMs.

This Function is required to be OPERABLE in MODE 1 since this is when the APRMs are the primary indicators of reactor power. This Function is automatically bypassed when the reactor mode switch is in the run position and the companion -

IRM instrumentation is OPERABLE and not upscale, and when the reactor mode switch is not in the run position.

2.e. Averaae Power Ranae Monitor-Inoo This signal provides assurance that a minimum number of APRMs are OPERABLE. Anytime an APRM mode switch is moved to

,any position other than " Operate," an APRM module is unplugged or the APRM has too few LPRM inputs (< 11), an inoperative trip signal will be received by the RPS, unless the APRM is bypassed. An APRM will be considered inoperable if there are less than two LPRM inputs per level. Since only one APRM in each trip system may be bypassed, only one APRM in each trip system may be inoperable without resulting in an RPS trip signal. This Function was not specifically credited in the accident analysis, but it is retained for i the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.

Four channels of Average Power Range Monitor-Inop with two channels in each trip system are required to be OPERABLE to ensure that no single failure will preclude a scram from this Function on a valid signal.

There is no Allowable Value for this Function. l 1

(continued) j l

Cooper B 3.3-12 Revision 1 1

RPS Instrumentation !

. s B 3.3.1.1

~ BASES APPLICABLE 2.e. Averace Power Ranae Monitor-Inoo (continued) i SAFETY ANALYSES, LCO, and This Function is required to be OPERABLE in the MODES where APPLICABILITY the APRM Functions are required. l

3. Reactor Vessel Pressure-Hiah !

An increase in the RPV pressure during reactor operation compresses the steam voids and results in a positive reactivity insertion. This causes the neutron flux and l THERMAL POWER transferred to the reactor coolant to increase, which could challenge the integrity of the fuel cladding and the RCPB. No specific safety analysis takes i direct credit for this Function. However, the Reactor Vessel Pressure-High Function initiates a scram for i transients that result in a pressure increase, counteracting the pressure increase by rapidly reducing core power. For the overpressurization protection analysis of Reference 6, t reactor scram (the analyses conservatively assume scram on the Average Power Range Monitor Neutron Flux-High (Fixed) -

signal, not the Reactor Vessel Pressure - High signal), along with the SRVs, limits the peak RPV pressure to less than the ASME Section III Code limits.

High reactor pressure signals are initiated from four pressure switches that sense reactor pressure. The Reactor Vessel Pressure-High Allowable Value is chosen to provide a sufficient margin to the ASME Section III Code limits during the event.

Four channels of Reactor Vessel Pressure-High Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. The Function is required to be OPERABLE in MODES 1 and 2 when the RCS is pressurized and the potential for pressure increase exists.

4. Reactor Vessel Water Level-Low (Level 3)

Low RPV water level indicates the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, a reactor scram is initiated at Level 3 to substantially reduce the heat (continued)

Cooper B 3.3-13 Revision 1l

RPS Instrumentation i s B 3.3.1.1 BASES APPLICABLE 4. Reactor Vessel Water Level-Low. Level 3 (continued)

SAFETY ANALYSES, LCO, and generated in the fuel from fission. The Reactor Vessel APPLICABILITY Water Level-Low (Level 3) Function is assumed in the analysis of a loss of feedwater. flow (Ref. 8). The reacter

, scram reduces the amount of energy required to be absorbed

! and, along with the actions of the Emergency Core Cooling Systems (ECCS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

l Reactor Vessel Water Level-Low (Level 3) signals are initiated from four level switches that sense the difference between the pressure due to a constant column of water i

(reference leg) and the pressure due to the actual water t

level (variable leg) in the vessel.

Four channels of Reactor Vessel Water Level-Low (Level 3) l Function, with two channels in each trip system arranged in

! a one-out-of-two logic, are required to be OPERABLE to

! ensure that no single instrument failure will preclude a l

scram from this Function on a valid signal. -

l The Reactor Vessel Water Level-Low (Level 3) Allowable Value is selected to ensure that during normal operation the 1 separator skirts are not uncovered (this protects available ^

recirculation pump net positive suction head (NPSH) from significant carryunder) and, for transients involving loss of all normal feedwater flow, initiation of the low pressure ECCS subsystems at Reactor Vessel Water-Low Low Low (Level 1) will not be required.

The Function is required in MODES 1 and 2 where considerable energy exists in the RCS resulting in the limiting transients and accidents. ECCS initiations at Reactor

Vessel Water Level-Low Low (Level 2) and Low Low Low (Level 1) provide sufficient protection for level transients i l

in all other MODES.

5. Main Steam Isolation Valve-Closure MSIV closure results in loss of the main turbine and the ,

condenser as a heat sink for the nuclear steam supply system j and indicates a need to shut down the reactor to reduce heat j generation. Therefore, a reactor scram is initiated on a i Main Steam Isolation Valve-Closure signal before the MSIVs (continued)

Cooper B 3.3-14 Revision 1l

1 RPS. Instrumentation i s B 3.3.1.1

'4ASES i

APPLICABLE 5. Main Steam Isolation Valve-Closure (continued) i SAFETY ANALYSES, LCO, and are completely closed in anticipation of the complete loss APPLICABILITY of the normal heat sink and subsequent overpressarization ,

transient. However, for the overpressurization protection l analysis of Reference 6, the Average Power Range Monitor j Neutron Flux-High (Fixed) Function, along with the SRVs, limits the peak RPV pressure to less than the ASME Code J limits. That is, the direct scram on position switches for MSIV closure events is not assumed in the overpressurization analysis.

The reactor scram reduces the amount of energy required to be absorbed and, along with the actions of the ECCS, ensures j j

that the fuel peak cladding temperature remains below the I

limits of 10 CFR 50.46.

{

MSIV closure signals are initiated from position switches l '

located on each of the eight MSIVs. Each MSIV has two position switches; one inputs to RPS trip system A while the other inputs to RPS trip system B. Each RPS trip system ..

receives an input from four Main Steam Isolation Valve- l' Closure channels, each consisting of two position switches (one for the inboard MSIV and one for the outboard MSIV in the same steam line) in series with a sensor relay. The logic for the Main Steam Isolation Valve-Closure Function is arranged such that either the inboard or outboard valve on three or more of the main steam lines must close in order for a scram to occur. The design permits closure of any two lines without a full scram being initiated.

The Main Steam Isolation Valve-Closure Allowable Value is specified to ensure that a scram occurs prior to a significant reduction in steam flow, thereby reducing the severity of the subsequent pressure transient.

Eight channels of the Main Steam Isolation Valve-Closure Function, with four channels in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude the scram from this Function on a valid signal. This Function is only required in MODE 1 since, with the MSIVs open and the heat generation rate high, a pressurization transient can occur if the MSIVs close. In MODE 2, the heat generation rate is low enough so that the other diverse RPS functions provide sufficient protection.

(continued) l Cooper B 3.3-15 Revision 1l

RPS Instrum:ntition B 3.3.1.1 i l

BASES SURVEILLANCE SR 3.3.1.1.5 and SR 3.3.1.1.6 (continued)

REQUIREMENTS The overlap between SRMs and IRMs is required to be demonstrated to ensure that reactor power will not be increased into a neutron flux region without adequate indication. This is required prior to withdrawing SRMs from the fully inserted position since indication is being transitioned from the SRMs to the IRMs.

The overlap between IRMs and APRMs is of concern when reducing power into the IRM range. On power increases, the system design will prevent further increases (by initiating a rod block) if adequate overlap is not maintained. Overlap between IRMs and APRMs exists when sufficient IRMs and APRMs concurrently have onscale readings such that the transition between MODE 1 and MODE 2 can be made without either APRM downscale rod block, or IRM upscale rod block. On controlled shutdowns, the IRM reading 121/125 of full scale will be set equal to or less than 45% of rated power. All range scales above that scale on which the most recent IRM calibration was performed will be mechanically blocked. Overlap between SRMs and IRMs similarly exists when, prior to withdrawing the SRMs from the fully inserted position, all j

operable IRM channels shall be on scale.

As noted, SR 3.3.1.1.6 is only required to be met during entry into l MODE 2 from MODE 1. That is, after the overlap requirement has been l

met and indication has transitioned to the IRMs, maintaining overlap is '

not required (APRMs may be reading downscale once in MODE 2).

l If overlap for a group of channels is not demonstrated (e.g., IRM/APRM overlap), the reason for the failure of the Surveillance should be determined and the appropriate channel (s) declared inoperable. Only those appropriate channels that are required in the current MODE or condition should be declared inoperable.

A Frequency of 7 days is reasonable based on engineering judgment and the reliability of the IRMs and APRMs. ,

(continued) t Cooper B 3.3-28 December 19,1998

I RPS Instrumentation

- s B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.7 REQUIREMENTS (continued) This SR ensures that the total loop drive flow signals from the flow units used to vary the setpoint is appropriately compared to a valid core flow signal to verify the flow signal trip setpoint and, therefore, the APRM Function accurately reflects the required setpoint as a function of flow. If the flow unit signal is not within the appropriate l l

flow limit, the affected APRMs that receive an input from

! the inoperable flow unit must be declared inoperable.

l The Frequency of 31 days is based on engineering judgment, l operating experience, and the reliability of this l instrumentation. l l Y SR 3.3.1.1.8 LPRM gain settings are determined from the local flux profiles measured by the Traversing Incore Probe (TIP)

System. This establishes the relative local flux profile ..

for appropriate representative input to the APRM System. l The 1000 MWD /T Frequency is based on operating experience l l with LPRM sensitivity changes. ,

! SR 3.3.1.1.9 and SR 3.3.1.1.11 l

A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The 92 day Frequency of SR 3.3.1.1.9 is based on the reliability analysis of Reference 10.

l The 18 month Frequency of SR 3.3.1.1.11 is based on the need l

to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Testing of Function 10 requires placing

! l

' the mode switch in " Shutdown". Operating experience has shown that these components usually pass the Surveillance when performed at the 18 month Frequency.

(continued)

Cooper B 3.3-29 Revision 1

RPS Instrumentation i

s B 3.3.1.1 ,

BASES SURVEILLANCE SR 3.3.1.1.13 (continued)

REQUIREMENTS The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown that these components usually

- pass the Surveillance when performed at the 18 month Frequency.

SR 3.3.1.1.14 This SR ensures that scrams initiated from the Turbine Stop l Valve-Closure and Turbine Control Valve Fast Closure, Trip -

Oil Pressure-Low Functions will not be inadvertently I bypassed when THERMAL POWER is 2 30% RTP. This involves calibration of the bypass channels. Adequate margins for the instrument setpoint methodologies are incorporated into the actual setpoint. Because main turbine bypass flow can affect this setpoint nonconservatively (THERMAL POWER is -

derived from turbine first stage pressure), the main turbine bypass valves must remain closed during an in-service calibration at THERMAL POWER 2 30% RTP to ensure that the calibration is valid.

If any bypass channel's setpoint is nonconservative (i.e.,

the Functions are bypassed at 2 30% RTP, then the affected l Turbine Stop Valve-Closure and Turbine Control Valve Fast Closure, Trip 011 Pressure-Low Functions are considered inoperable. Open main turbine bypass valve (s) can also l affect these two functions. Alternatively, the bypass channel can be placed in the conservative condition (nonbypass). If placed in the nonbypass condition, this SR is met and the channel is considered OPERABLE.

The Frequency of 18 months is based on engineering judgment and reliability of the components.

SR 3.3.1.1.15 This SR ensures that the individual channel response times are less than or equal to the maximum values assumed in the accident analysis. This test may be performed in one measurement or in overlapping segments, with verification (continued)

Cooper B 3.3-31 Revision 1

i 1 1

SRM Instrum:ntation

, B 3.3.1.2 l

1 BASES l l SURVEILLANCE SR 3.3.1.2.2 (continued) l REQUIREMENTS supplements operational controls over refueling activities that include steps to ensure that the SRMs required by the ,

LCO are in the proper quadrant. l SR 3.3.1.2.4 I l This Surveillance consists of a verification of the SRM I instrument readout to ensure that the SRM reading is greater i than a specified minimum count rate with the detector full-in, which ensures that the detectors are indicating count rates indicative of neutron flux levels within the core. With few fuel assemblies loaded, the SRMs will not have a high enough count rate to satisfy the SR. Therefore, allowances are made for loading sufficient " source" l

i material, in the form of irradiated fuel assemblies, to l

establish the minimum count rate.

To accomplish this, the SR is modified by a Note that states ..

that the count rate is not required to be met on an SRM that has less than or equal to four fuel assemblies adjacent to the SRM and no other fuel assemblies are in the associated core quadrant. With four or less fuel assemblies loaded around each SRM and no other fuel assemblies in the associated core quadrant, even with a control rod withdrawn, l the configuration will not be critical. This SR does not l require determination of the noise ratio.

The Frequency is based upon channel redundancy and other information available in the control room, and ensures that the required channels are frequently monitored while core reactivity changes are occurring. When no reactivity changes are in progress, the Frequency is relaxed from 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

l SR 3.3.1.2.5 and SR 3.3.1.2.6 1

Performance of a CHANNEL FUNCTIONAL TEST demonstrates the associated channel will function properly. SR 3.3.1.2.5 is required in MODE 5, and the 7 day Frequency ensures that the channels are OPERABLE while core reactivity changes could be in progress. This Frequency is retsonable, based on operating experience and on other Surve111ances (such as a (continued)

Cooper B 3.3-39 Revision 1

i Feedwater and Main Turbine High Water Level Trip. Instrumentation

.- s B 3.3.2.2 BASES APPLICABLE Feedwater and main turbine high water level trip SAFETY ANALYSES instrumentation satisfies Criterion 3 of (continued) 10 CFR 50.36(c)(2)(ii) (Ref. 2).

LCO The LC0 requires three channels of the Reactor Vessel Water Level-High, Level 8 instrumentation to be OPERABLE to ensure that no single instrument channel failure will preventthefeedwaterpumpturbinesandmainturbinetriponl a valid Level 8 signal. Two of the three cleannels are needed to provide trip signals in order for the feedwater and main turbine trips to occur. Each channel must have its setpoint set within the specified Allowable Value of SR 3.3.2.2.2. The Allowable Value is set to ensure that the thermal limits are not exceeded during the event. The actual setpoint is calibrated to be consistent with the applicable setpoint methodology assumptions. Nominal trip setpoints are specified in the setpoint calculations. The setpoint calculations are performed using methodology described in NEDC-31336P-A, " General Electric Instrument ..

Setpoint Methodology," dated September 1996. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. !

Trip setpoints are those predetermined values of output at ;

which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor l vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip relay) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors.

The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh (continued)

Cooper B 3.3-56 Revision 1

I Fetdwater and Main Turbine High Water Level Trip Instrumentation '

s B 3.3.2.2 !

BASES APPLICABILITY environments as defined by 10 CFR 50.49) are accounted for.

The feedwater and main turbine high water level trip instrumentation is required to be OPERABLE at 1 25% RTP to ensure that the fuel cladding integrity Safety Limit and the cladding 1% plastic strain limit are not violated during the feedwater controller failure, maximum demand event. As discussed in the Bases for LCO 3.2.1, " Average Planar Linear Heat Generation Rate (APLHGR)," and LC0 3.2.2, " MINIMUM CRITICAL POWER RATIO (MCPR)," sufficient margin to these I limits exists below 25% RTP; therefore, these requirements are only necessary when operating at or above this power level .

ACTIONS A Note has been provided to modify the ACTIONS related to feedwater and main turbine high water level trip i

instrumentation channels. Section 1.3, Completion Times, specifies that once a condition has been entered, subsequent divisions subsystems, components, or variables expressed in the Condition, uscovered to be inoperable or not within --

limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable feedwater and main turbine high water level trip instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable feedwater and main turbine high water level trip instrumentation channel.

Ad With one channel inoperable, the remaining two OPERABLE channels can provide the required trip signal. However, overall instrumentation reliability is reduced because a single failure in one of the remaining channels concurrent with feedwater controller failure, maximum demand event, may result in the instrumentation not being able to perform its intended function. Therefore, continued operation is only allowed for a limited time with one channel inoperable. If the inoperable channel cannot be restored to OPERABLE status (continued)

Cooper B 3.3-57 Revision 1l

Faedwater and Main Turbino High Water Level Trip _ Instrumentation i s B 3.3.2.2 i

BASES l ACTIONS U (continued) within the Completion Time, the channel must be placed in i the tripped condition per Required Action A.I. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a j single failure, and allow operation to continue with no further restrictions. Alternately, if it is not desired to place the channel it. trip (e.g., as in the case where placing the inoperable channel in trip would result in a-feedwater or main turbine trip), Condition C must be entered and its Required Action taken.

The Completion Time of 7 days is based on the low probability of the event occurring coincident with a single failure in a remaining OPERABLE channel.

M With two or more channels inoperable, the feedwater and main -

turbine high water level trip instrumentation cannot perform its design function (feedwater and main turbine high water level trip capability is not maintained). Therefore, i continued operation is only permitted for a 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months period, i during which.feedwater and main turbine high water level trip capability must be restored. The trip capability is considered maintained when sufficient channels are OPERABLE or in trip such that the feedwater and main turbine high water level trip logic will generate a trip signal on a valid signal. This requires two channels to each be OPERABLE or in trip. If the required channels cannot be l restored to OPERABLE status or placed in trip, Condition C l must be entered and its Required Action taken.

The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time is sufficient for the operator to take corrective action, and takes into account the likelihood of an event requiring actuation of feedwater and main turbine high water level trip instrumentation occurring during this period. It is also consistent with the 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time provided in LCO 3.2.2 for Required Action A.1, since this instrumentation's purpose is to preclude a MCPR violation.

(continued)

Cooper B 3.3-58 Revision 1l

PAM Instrumentation I i s B 3.3.3.1 l

i BASES APPLICABLE

Determine the potential for causing a gross breach of SAFETY ANALYSES the barriers to radioactivity release; (continued)

Determine whether a gross breach of a barrier has occurred; and

Initiate action necessary to protect the public and for an estimate of the magnitude of any impending threat.

The plant specific Regulatory Guide 1.97 Analysis (Refs. 2 and 3) documents the process that identified Type A and Category I, non-Type A, variables.

Accident monitoring instrumentation that satisfies the definition of Type A in Regulatory Guide 1.97 meets Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 4). Category I, non-Type A, instrumentation is retained in Technical Specifications (TS) because they are intended to assist operators in minimizing the consequences of accidents.

Therefore, these Category I variables are important for -

reducing public risk.

LC0 LCO 3.3.3.1 requires two OPERABLE channels for all but one l Function to ensure that no single failure prevents the operators from being presented with the information necessary to determine the status of the plant and to bring the plant to, and maintain it in, a safe condition following l that accident. Furthermore, provision of two channels allows a CHANNEL CHECK during the post accident phase to confirm the validity of displayed information.

The first exception to the two channel requirement is primary containment isolation valve (PCIV) position. In this case, the important information is the status of the primary containment penetrations. The LC0 requires one position indicator for each active PCIV. This is sufficient to redundantly verify the isolation status of each isolable penetration either via indicated status of the active valve and prior knowledge of passive valve or via system boundary status. If a normally active PCIV is known to be closed and deactivated, position indication is not needed to determine status. Therefore, the position indication for valves in this state is not required to be OPERABLE.

(continu::d)

Cooper B 3.3-63 Revision 1 j i

\

l

p PAM instrumentation B 3.3.3.1 BASES LCO The second exception to the two channel requirement is Reactor Vessel (continued) Water Level-Steam Nozzle. This channel uses the reactor vessel head l vent as a penetration. In order to comply with the single failure i requirement of Regulatory Guide 1.97, an additional vessel penetration !

would be needed for a redundant reference column for a second upper !

waterlevel range channel. The centerline of the main steamlines is used i as the upper end of the Regulatory Guide 1.97 recommended range in order to provide the operator with an indication of whether the reactor ,

coolant has reached, and spilled into, the main steamlines. All manual l and automatic safety functions are initiated in the range covered by the safety-related wide range level instrumentation. CNS has concluded that the existing reactor coolant level instrumentation meets the intent of the regulatory guide and that only a marginal improvement in plant safety would be achieved by installing a redundant upper water level range channel.

The following list is a discussion of the specified instrument Functions listed in Table 3.3.3.1-1 in the accompanying LCO.

i

1. Reactor Pressure Reactor pressure is a Category i variable provided to support monitoring of Reactor Coolant System (RCS) integrity and to verify operation of the Emergency Core Cooling Systems (ECCS). Two independent pressure transmitters with a range of 0 psig to 1500 psig monitor pressure and associated independent wide range recorders are the primary indication used by the operator during an accident. Therefore, the PA1A Specification deals specifically with these portions of the instrument channel.

2. Reactor Vessel Water Level Reactor vessel water level is a Category i variable provided to support j monitoring of core cooling and to verify operation of the hCCS. The i reactor vessel water level channels provide the PAM Reactor Vessel Water Level Function. The reactor vessel water level channels cover a range of -318 inches (just below the bottom of fuel) to +170 inches l (referenced to the level instrument zero).

i (continued)

Cooper B 3.3-64 June 10,1999 l

f PAM Instrumentation

, B 3.3.3.1 BASES LC0 4. Primary Containment Gross Radiation Monitors (continued)

The primary containment gross radiation monitors are provided to monitor the potential of significant radiation releases and to provide release assessment for use by operators in determining the need to invoke site emergency plans. Two radiation detectors with a range of 1R/hr to 10E7R/hr are located inside the drywell above the 901'-6" elevation. One detector is located near the personnel airlock area and the second detector is located 180 degrees from the airlock near the access ladder to the drywell second level. The detectors provide a signal to monitors located in the control room. The monitors provide a signal via optical isolators to a common recorder. Both channels of radiation monitoring instrumentation are required to be OPERABLE for compliance with this LCO. The l common recorder is not part of the channel requirements.

Therefore, the PAM Specification deals specifically with these portions of the instrument channels.

5. Primary Containment Isolation Valve (PCIV) Position PCIV position is a Category I variable provided for verification of containment integrity. In the case of PCIV position, the important information is the isolation status of the containment penetration. The LC0 requires one channel of valve position indication in the control room to be OPERABLE for each active PCIV in a containment penetration flow path, i.e., two total channels of PCIV position indication for a penetration flow path with two active valves. For containment penetrations with only one active PCIV having control room indication, Note (b) requires a single channel of valve position indication to be OPERABLE. This is sufficient to redundantly verify the isolation status of each isolable penetration via indicated status of the active valve, as applicable, and prior knowledge of passive valve or system boundary status. If a penetration flow path is isolated, position indication for the PCIV(s) in the associated penetration flow path is not needed to determine status. Therefore, the position indication for valves in an isolated penetration flow path is not required to be OPERABLE.

(continued)

Cooper B 3.3-66 Revision 1 I

~ _ _ _ _ _ - . _ _ . _

PAM Instrumentation

. s B 3.3.3.1 BASES SURVEILLANCE SR 3.3.3.1.1 (continued) l REQUIREMENTS CHANNEL CHECK is normally a comparison of the parameter indicated on one channel against a similar parameter on other channels. It is based on the assumption that l

instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. The high radiation instrumentation should be compared to similar plant instruments located throughout the plant. The CHANNEL CHECK does not apply to the primary containment H, and 0, analyzer that is in a normal standby configuration.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a ..

channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.

The Frequency of 31 days is based upon plant operating experience, with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one channel of a given Function in any 31 day interval is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of those displays associated with the channels required by the LCO.

SR- 3.3.3.1.2 and SR 3.3.3.1.3 i These SRs require a CHANNEL CALIBRATION to be performed.

CHANNEL CALIBRATION is a complete check of the instrument (

loop, including the sensor. The test verifies the channel responds to measured parameter with the necessary range and accuracy. For the Primary Containment Gross Radiation ,

Monitors, the CHANNEL CALIBRATION consists of an electronic '

calibration of the channel, excluding the detector, for range decades 210 R/ hour and a one point calibration check of the detector with an installed or portable gamma source (continued)

Cooper B 3.3-72 Revision 1

~

PAM Instrumentation f s B 3.3.3.1 BASES SURVEILLANCE SR 3.3.3.1.2 and SR 3.3.3.1.3 (continued)

REQUIREMENTS for range decades < 10 R/ hour. For the PCIV Position Function, the CHANNEL CALIBRATION consists of verifying the remote indication conforms to actual value position.

The 92 day Frequency for CHANNEL CALIBRATION of the Primary

-Containment Hydrogen and Oxygen Analyzers is based on vendor recommendations. The 18 month Frequency for CHANNEL CALIBRATION of all other PAM instrumentation of Table 3.3.3.1-1 is based on operating experience and consistency with the CNS refueling cycles.

REFERENCES 1. Regulatory Guide 1.97, " Instrumentation for Light Water Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident, Revision 3," May 1985.

2. Letter from G. A. Trevors (NPPD) to U.S. NRC dated ..

April 12,1990, "NVREG-0737, Supplement 1-Regulatory Guide 1.97 Response, Revision IX."

3. Letter from W. O. Long (NRC) to J. M. Pilant (NPPD) dated October 27, 1986, " Emergency Response Capability-Conformance to Regulatory Guide 1.97, Revision 2."

I

4. 10 CFR 50.36(c)(2)(ii).

i Cooper B 3.3-73 Revision 1l

Alternate. Shutdown System

. , B 3.3.3.2 BASES APPLICABLE The criteria governing the design and the specific system ;

SAFETY ANALYSES requirements of the Alternate Shutdown System are located in (continued) the USAR (Refs. I and 2). j The Alternate Shutdown System is considered an important contributor to reducing the risk of accidents; as such, it meets Criterion 4 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).

LCO The Alternate-Shutdown System LC0 provides the requirements for the OPERABILITY of the instrumentation and controls necessary to place and maintain the plant in MODE 3 from a location other than the control room. The instrumentation and controls required are listed in Table B 3.3.3.2-1.

The controls, instrumentation, and transfer switches are those required for:

Reactor pressure vessel (RPV) pressure control;

Decay heat removal;

RPV inventory control; and

Safety support systems for the above functions, including cooling water, and onsite power, including a l diesel generator.

The Alternate SFutdown System is OPERABLE if all instrument and control chtnnels needed to support the remote shutdown function are OPERABLE. In some cases, the required information or control capability may be available from several alternate sources. In these cases, the Alternate Shutdown System is OPERABLE as long as one channel of any of the alternate information or control sources for each Function is OPERABLE.

The Alternate Shutdown System instruments and control circuits covered by this LC0 do not need to be energized to be considered OPERABLE. This LC0 is intended to ensure that the instruments and control circuits will be OPERABLE if plant conditions require that the Alternate Shutdown System be placed in operation.

(continued)

Cooper B 3.3-75 Revision 1

r Alternate Shutdown System B 3.3.3.2 BASES SURVEILLANCE SR 3.3.3.2.1 (continued)

REQUIREMENTS The Frequency is based upon plant operating experience that demonstrates channel failure is rare.

SR 3.3.3.2.2 SR 3.3.3.2.2 verifies each required Altemate Shutdown System transfer switch and control circuit performs the intended function. This verification is performed from the attemate shutdown panel and locally, as appropriate. Operation of the equipment from the altemate shutdown panelis not necessary. The Surveillance can be satisfied by performance of a continuity check. This will ensure that if the control room becomes inaccessible, the plant can be placed and maintained in a safe shutdown condition from the alternate shutdown panel and the local control stations. The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience demonstrates that Alternate Shutdown System control channels usually pass the Surveillance when performed at the 18 month Frequency. l SR 3.3.3.2.3 CHANNEL CAllBRATION is a complete check of the instrument loop and the sensor. The test verifies the channel responds to measured parameter values with the necessary range and accuracy.

The 18 month Frequency is based upon operating experience and consistency with the typical industry refueling cycle.

REFERENCES 1. USAR, Section Vil-18.0. l

2. USAR, Section XIV-5.9.

3. 10 CFR 50.36(c)(2)(li).

l Cooper B 3.3-78 June 10,1999 l

Alternatet Shutdown System

.- s B 3.3.3.2 Table B 3.3.3.2-1 (page 1 of 2)

Alternate Shutdown System Instrtmentation/ Controls FUNCTION REQUIRED NUM8ER OF CHANNELS j i

Jnatrumerit Parenster

1. HPCI Turbine steam Inlet Pressure (Reactor 1 ;

Pressure)

2. HPCI Pump Discharge Flow 1

3. Fuel Zone Level 1

)

4. Wide Range Level 1

5. Torus Level 1

6. Emergency Condensate Storage Tank (ECST) 1 l

Level

7. RHR System Loop B Flow 1

8. Torus Tenperature 1 Transfer / Control Parameter l l

1

9. HPCI Turbine

10. HPCI Auxillary Lube Oil Pump 1 -

11. HPCI Fan Coll Unit 1

12. HPCI Flow Controller 1 l

13. HPCI Flow Transmitter (FT 82) 1

14. HPCI Turbine Steam Stpply Isolation, HPCI M0+14 1

15. HPCI Steam Supply Inboard Isolation, HPCI-MO 15 1

16. HPCI Steam Supply Outboard Isolation, HP(,1-MO-16 1

17. HPCI Ptap Suction ECST, HPCI MO-17 1

18. HPCI Injection HPCI MO-19 1

19. HPCI Puup Discharge, HPCI-MO 20 1

20. HPCI Test Bypess to ECST, HPCI-MO 21 1

21. HPCI Test Bypass Shutof f, HPCI MO-24 1

22. HPCI Minlaus Flow Bypass, HPCI MO-25 1 23 HPCI Ptap Suction f rom Stppression Pool, HPCI-MO-58 1

24. RHR HX B Outlet, RHR MO-12B 1 (continued)

Cooper B 3.3-79 Revision 1

ATWS-RPT. Instrumentation

s B 3.3.4.1 BASES BACKGROUND Vessel Water Level-Low Low (Level 2) channels or two Reactor l (continued) Pressure-High channels) will actuate one of the trip coils in each RRMG field breaker, thus tripping both recirculation pumps.

APPLICABLE The ATWS-RPT is not assumed in the safety analysis to l SAFETY ANALYSES, ' mitigate any accident or transient. The ATWS-RPT initiates LCO, and an RPT to aid in preserving the integrity of the fuel APPLICABILITY cladding following events in which a scram does not, but should, occur. Based on its contribution to the reduction of overall plant risk, however, the instrumentation meets Criterion 4 of 10 CFR 50.36(c)(2)(ii) (Ref. 2).

The OPERABILITY of the ATWS-RPT is dependent on the OPERABILITY of the individual instrumentation channel l Functions. Each Function must have a required number of OPERABLE channels in each trip system, with their setpoints within the specified Allowable Value of SR 3.3.4.1.2. The l actual setpoint is calibrated consistent with applicable ..

setpoint methodology assumptions. Channel OPERABILITY also includes the associated RRMG field breakers.

Allowable Values are specified for each ATWS-RPT Function specified in the LCO. Nominal trip setpoints are specified l in the setpoint calculations. The setpoint calculations are I performed using methodology described in NEDC-31336P-A,

" General Electric Instrument Setpoint Methodology," dated September 1996. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its i required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., switch) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and (continued)

Cooper B 3.3-82 Revision 1

ATWS-RPT Instrumentation

s B 3.3.4.1 BASES SURVEILLANCE SR 3.3.4.1.1 REQUIREMENTS (continued) A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended 3 function. !

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days is based on the reliability ,

analysis of Reference 3. I SR 3.3.4.1.2 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel j adjusted to account for instrument drifts between successive ..

calibrations consistent with the plant specific setpoint methodology.

The Frequency is based upon the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.4.1.3 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the i OPERABILITY of the required trip logic for a specific j channel. For the Reactor Vessel Water Level-Low Low (Level

2) logic, this shall include the nominal 9 second time delay l .

of the RRMG field breaker trip. The system functional test of the RRMG field breakers is included as part of this Surveillance and overlaps the LOGIC SYSTEM FUNCTIONAL TEST to provide complete testing of the assumed safety function. !

Therefore, if an RRMG field breaker is incapable of I operating, the associated instrument channel (s) would be inoperable.

The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant !

(continued) l Cooper B 3.3-88 Revision 1

c ECCS Instrumentation l , B 3.3.5.1

- BASES BACKGROUND Hiah Pressure Coolant In.iection System (continued)

Pressure-High. Each of these variables is monitored by four redundant switches, which are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic for each Function.

The HPCI pump discharge flow is monitored by a flow switch (only one trip system). When the pump is running and l discharge flow is low enough so that pump overheating may ,

occur, the minimum flow return line valve is opened. The I valve is automatically closed if flow is above the minimum I flow setpoint. It is not necessary for the minimum flow valve to close to achieve adequate system flow assumed in the accident analysis (Ref. 3).

The HPCI test line isolation valves are closed upon receipt of a HPCI initiation signal to allow the full system flow l assumed in the accident analysis and maintain primary containment isolated in the event HPCI is not operating.

The HPCI System also monitors the water levels in the emergency condensate storage tanks (ECSTs) and the suppression pool because these are the two sources of water for HPCI operation. Reactor grade water in the ECSTs is the normal source. The ECST suction source consists of two ECSTs connected in parallel to the HPCI pump suction.

Upon receipt of a HPCI initiation signal, the ECST suction valve is automatically signaled to open (it is normally in the open position) unless the suppression pool suction valve is open. If the water level in the ECSTs falls below a preselected level, first the suppression pool suction valve automatically opens, and then the ECST suction valve automatically closes. Two level switches are used to detect low water level in the ECST. Either switch can cause the suppression pool suction valve to open and the ECST suction valve to close. The suppression pool suction valve also automatically opens and the ECST suction valve closes if high water level is detected in the suppression pool. Two level switches monitor the suppression pool water level. To prevent losing suction to the pump, the suction valves are interlocked so that one suction path must be full open before the other automatically closes.

The HPCI provides makeup water to the reactor until the reactor vessel water level reaches the Reactor Vessel Water (continued)

Cooper B 3.3-93 Revision 1

1 ECCS Instrumentation

.~ s B 3.3.5.1 BASES BACKGROUND Hiah Pressure Coolant Iniection System (continued)

Level-High (Level 8) setting, at which time the HPCI l

turbine trips, which causes the turbine's stop valve to l close. The logic is two-out-of-two to provide high reliability of the HPCI System (only one trip system). The l

HPCISystemautomaticallyrestartsifaReactorVesselWaterl Level-Low Low (Level 2) signal is subsequently received.

Automatic Deoressurization System I

The ADS is initiated by automatic means. Automatic initiation occurs when signals indicating Reactor Vessel Water Level-Low Low Low (Level 1); confirmed Reactor Vessel Water Level-Low (Level 3); and CS or LPCI Putnp Discharge Pressure-High are all present and the ADS Initiation Timer has timed out. There are two level switches each for Reactor Vessel Water Level-Low Low Low (Level 1), and one level switch for confirmed Reactor Vessel Water Level-Low (Level 3) in each of the two ADS trip systems. Each of .. )

these switches connects to a relay whose contacts form the initiation logic.

Each ADS trip system includes a time dehy between satisfying the initiation logic and the actuation of the ADS valves. The ADS Initiation Timer time delay setpoint chosen is long enough that the HPCI has sufficient operating time to recover to a level above Level 1, yet not so long that the LPCI and CS Systems are unable to adequately cool the fuel if the HPCI fails to maintain that level. An alarm in the control room is annunciated when either of the timers is timing. Resetting the ADS initiation signals resets the ADS Initiation Timers.

The ADS also monitors the discharge pressures of the four LPCI pumps and the two CS pumps. Each ADS trip system includes two discharge pressure permissive switches from one CS and from two LPCI pumps in the associated Division (i.e.,

Division 1 CS subsystem A and LPCI subsystems A and C input to ADS trip system A, and Division 2 CS subsystem B and LPCI l subsystems B and D input to ADS trip system B). The signals are used as a permissive for ADS actuation, indicating that 4 there is a source of core coolant available once the ADS has depressurized the vessel. Any one of the six low pressure (continued)

Cooper B 3.3-94 Revision 1

1 ECCS Instrumentation !

i s B 3.3.5.I i

BASES l

APPLICABLE 2.d. Reactor Pressure-Low (Recirculation Discharae Valve SAFETY tinLYSES, Permissive)

LCO, and APPLICABILITY Low reactor pressure signals are used as permissives for (continued) recirculation discharge valve closure. This ensures that the LPCI subsystems inject into the proper RPV location assumed in the safety analysis. The Reactor Pressure-Low is one of the Functions assumed to be OPERABLE and capable of closing the valve during the transients analyzed in References 5 and 7. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Pressure-Low Function is directly assumed in the analysis of the recirculation line break (Ref. 6). j The Reactor Pressure-Low signals are initiated from four f pressure switches that sense the reactor dome pressure.

The Allowable Value is chosen high enough that the vaives close prior to when LPCI injection flow into the core is ..

required (as assumed in the safety analysis) and low enough to avoid excessive differential pressures. l Four channels of the Reactor Pressure-Low Function are only required to be OPERABLE in MODES 1, 2, and 3 with the associated recirculation pump discharge valve open. With the valve (s) closed, the function of the instrumentation has been performed; thus, the Function is not required. In MODES 4 and 5, the loop injection location is not critical since LPCI injection through the recirculation loop in either direction will still ensure that LPCI flow reaches the core (i.e., there is no significant reactor steam dome back pressure).

2.e. Reactor Vessel Shroud Level-Level 0 i The Reactor Vessel Shroud Level-Level 0 Function is provided !

as a permissive to allow the RHR System to be manually aligned from the LPCI mode to the suppression pool cooling / spray or drywell spray modes. The reactor vessel shroud level permissive ensures that water in the vessel is approximately two thirds core height before the manual transfer is allowed. This ensures that LPCI is available to prevent or minimize fuel damage. This function may be (continued)

Cooper B 3.3-102 Revision 1

j ECCS Instrumentation ;

B 3.3.5.1 l BASES i

APPLICABLE 2.e. Reactor Vessel Shroud Level-Level 0 (continued)

SAFETY ANALYSES, {

LCO, and overridden during accident conditions as allowed by plant procedures. ],

APPLICABILITY Reactor Vessel Shroud Level- Level 0 Function is implicitly assumed in the analysis of the recirculation line break (Ref. 6) since the analysis l assumes that no LPCI flow diversion occurs when reactor water level is i below Level 0. !

Reactor Vessel Shroud Level- Level 0 signals are initiated from two level transmitters that sense the difference between the pressure due to I a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Reactor Vessel Shroud Level- Level 0 Allowable Value of - 193.19 inches referenced to instrument zero (which is equivalent to 35 inches below FZZ) is chosen to l allow the low pressure core flooding systems to activate and provide adequate cooling before allowing a manual transfer.

Two channels of the Reactor Vessel Shroud Level- Level 0 Function I are only required to be OPERABLE in MODES 1,2, and 3. In MODES 4 and 5, the specified initiation time of the LPCI subsystems is not assumed, and other administrative controls are adequate to control the valves associated with this Function (since the systems that the valves are opened for are not required to be OPERABLE in MODES 4 and 5 and are normally not used).

2.f. Low Pressure Coolant inlection Pumo Start-Time Delav Relav The purpose of this time delay is to stagger the start of the LPCI pumps that are in each of Divisions 1 and 2, thus limiting the starting transients on the 4.16 kV emergency buses. This Function is only necessary when power is being supplied from the standby power sources (DG). However, since the time delay does not degrade ECCS operation, it remains in the pump start logic at all times. The LPCI Pump Start -Time Delay Relays are assumed to be OPERABLE in the accident analyses requiring ECCS initiation. That is, the analyses assume that the pumps will initiate when required and excess loading will not cause failure of the power sources.

(continued)

Cooper B 3.3-103 June 10,1999 l

c-ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 2.f. Low Pressure Coolant inlection Pumo Start-TimeDelav Relav SAFETY ANALYSES,(contjnued)

LCO, and APPLICABILITY There are four LPCI Pump Start -Time Delay Relays, one in each of the RHR pump start logic circuits. While each time delay relay is dedicated to a single pump start logic, a single failure of a LPCI Pump Start -Time Delay Relay could result in the failure of the two low pressure ECCS pumps, powered for the same ESF bus, to perform their intended function (e.g., as in the case where both ECCS pumps on one ESF bus start simultaneously due to an inoperable time delay relay). This still leaves four of the six low pressure ECCS pumps OPERABLE; thus, the

.. single failure criterion is met (i.e., loss of one instrument does not preclude ECCS Initiation). The Allowable Value for the LPCI Pump Start-Time Delay Relays is chosen to be long enough so that most of the starting transient of the first pump is complete before starting the second pump on the same 4.16 kV emergency bus and short enough so that ECCS operation is not degraded.

Each LPCI Pump Start -Time Delay Relay Function is required to be OPERABLE only when the associated LPCI subsystem is required to be OPERABLE. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the LPCI subsystems.

Hioh Pressure Coolant inlection (HPCI) System l 3.a. Reactor Vessel Water Level-Low Low (Level 2) '

Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the HPCI System is initiated at Level 2 to maintain level above fuel zone zero. The Reactor Vessel Water Level- Low Low l (Level 2) is one of the Functions assumed to be OPERABLE and capable of initiating HPCI during the transients analyzed in References 5 and 7.

Additionally, the Reactor Vesul Water Level - Low Low (Level 2)

Function associated with HPCI is directly assumed in th5 analysis of the recirculation line break (Ref. 6). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

(continued)

Cooper B 3.3-104 June 10,1999 l

E

]

ECCS Instrumentation i s B 3.3.5.1 f BASES l

APPLICABLE 3.a. Reactor Vessel Water level-Low Low (Level 2)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY Reactor Vessel Water Level-Low Low (Level 2) signals are initiated from four level switches that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water ,

level (variable leg) in the vessel. l The Reactor Vessel Water Level-Low Low (Level 2) Allowable I Value is high enough such that for complete loss of feedwater flow, the Reactor Core Isolation Cooling (RCIC)

System flow with HPCI assumed to fail will be sufficient to avoid initiation of low pressure ECCS at Reactor Vessel Water Level-Low Low Low (Level 1).

Four channels of Reactor Vessel Water Level-Low Low (Level 2) Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation. Refer to LC0 3.5.1 for HPCI Applicability Bases. ..

3.b. Drywell Pressure-Hiah High pressure in the drywell could indicate a break in the RCPB. The HPCI System is initiated upon receipt of the Drywell Pressure-High Function in order to minimize the possibility of fuel damage. While HPCI is not assumed to be OPERABLE in any DBA or transient analysis, the Drywell Pressure-High Function, along with the Reactor Water Level-Low Low (Level 2) Function, is capable of initiating HPCI during a LOCA (Ref. 7). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

High drywell pressure signals are initiated from four pressure switches that sense drywell pressure. The Allowable Value was selected to be as low as possible to be indicative of a LOCA inside primary containment.

Four channels of the Drywell Pressure-High Function are required to be OPERABLE when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI. initiation. Refer to LC0 3.5.1 for the Applicability Bases for the HPCI System.

(continued)

Cooper B 3.3-105 Revision 1l

r i

ECCS Instrumentation

s B 3.3.5.1 BASES ACTIONS B.1. B.2. and B.3 (continued) would be HPCI. For Required Action B.1, redundant automatic initiation capability is lost if (a) two or more Function 1.a channels are inoperable and untripped such that both trip systems lose initiation capability, (b) two or more Function 2.a channels are inoperable and untripped such that both trip systems lose initiation capability, (c) two or more Function 1.b channels are inoperable and untripped such that both trip systems lose initiation capability, or (d) two or more Function 2.b channels are inoperable and untripped such that both trip systems lose initiation capability. For low pressure ECCS, since each inoperable channel would have Required Action B.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system of low pressure ECCS and DGs to be declared inoperable. However, since channels in both associated low pressure ECCS subsystems (e.g., both CS subsystems) are inoperable and untripped, and the Completion Times started concurrently for the channels in both subsystems, this results in the ..

affected portions in the associated low pressure ECCS and DGs being concurrently declared inoperable.

For Required Action B.2, automatic initiation capability is lost if the combination of Function 3.a or Function 3.b channels that are inoperable and untripped result in the inability to energize the Function's trip relay; i.e.,

parallel pair logic channels are untrippable. In this situation (loss of automatic initiation capability), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Action B.3 is not appropriate and the HPCI System must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . As noted (Note 1 to Required Action B.1), Required Action B.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the low pressure ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of initiation capability for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (as allowed by Required Action B.3) is allowed during MODES 4 and 5. There is no similar Note provided for Required Action B.2 since HPCI instrumentation is not required in MODES 4 and 5; thus, a Note is not necessary.

Notes are also provided (Note 2 to Required Action B.1 and the Note to Required Action B.2) to delineate which Required Action is applicable for each Function that requires entry (continued)

Cooper B 3.3-113 Revision 1

1 i

RCIC System Instrumentation j B 3.3.5.2 i BASES ,

1 I

APPLICABLE Operation with a trip setpoint less conservative than the ~ nominal trip SAFETY aNALYSF.S, setpoint, but within its Allowable Value, is acceptable. A channel is LCO, and inoperable if its actual trip setpoint is not within its required Allowable APPLICABILITY Values. Trip setpoints are those predetermined values of output at which (continued) an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., switch) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors.

The trip setpoints are then determined, accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh l environments as defined by 10 CFR 50.49) are accounted for. )

l The individual Functions are required to be OPEPABLE in MODE 1, and in MODES 2 and 3 with reactor steam dome pressure > 150 psig since this is when RCIC is required to be OPERABLE. (Refer to LCO 3.5.3 for Applicability Bases for the RCIC System.)

The specific Applicable Safety Analyses, LCO, and Applicability l discussions are listed below on a Function by Function basis. !

1. Reactor Vessel Water Level - Low Low (Level 2)

Low reactor pressure vessel (RPV) water level indicates that normal feedwater flow is insufficient to maintain reactor vessel water level and that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the RCIC System is initiated at Level 2 to assist in maintaining water level above fuel zone zero. l Reactor Vessel Water Level - Low Low (Level 2) signals are initiated from four level switches that sense the difference (continued) !

Cooper B 3.3-128 June 10,1999 l

RCIC System Instrumentation

. s B 3.3.5.2 BASES APPLICABLE 1. Reactor Vessel Water Level - Low Low (Level 2)

SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level-Low Low (Level 2) Allowable Value is set high enough such that for complete loss of feedw.ter flow, the RCIC System flow with high pressure coolant injection assumed to fail will be sufficient to avoid initiation of low pressure ECCS at Level 1.

Four channels of Reactor Vessel Water Level-Low Low (Level 2) Funct kn are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC initiation.

Refer to LC0 3.5.3 for RCIC Applicability Bases.

2. Reactor Vessel Water Level - Hiah (Level 8) -

High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel. Therefore, the Level 8 signal is used to close the RCIC steam supply shutoff and turbine trip-throttle valves to prevent overflow into the main steam lines (MSLs).

Reactor Vessel Water Level-High (Level 8) signals for RCIC are initiated from two level switches from the narrow range water level measurement instrumentation, which sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Both Level 8 signals are required in order to trip the RCIC turbine trip throttle valve (only one trip system). l The Reactor Vessel Water Level-High (Level 8) Allowable Value is high enough to preclude isolating the injection valve of the RCIC during normal operation, yet low enough to trip the RCIC System prior to water overflowing into the MSLs.

Two channels of Reactor Vessel Water Level-High (Level 8)

Function are available and are required to be OPERABLE when (continued)

I l

Cooper B 3.3-129 Revision 1 1

l l

r I

l I l

RC' : stem Instrumentation

.~ s B 3.3.5.2 BASES SURVEILLANCE SR 3.3.5.2.3 and SR 3.3.5.2.4 (continued)

REQUIREMENTS The Frequency of SR 3.3.5.2.3 is based upon the assumption of a 92 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

The Frequency of SR 3.3.5.2.4 is based upon the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.5.2.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific )

channel. The system functional testing performed in l LCO 3.5.3 overlaps this Surveillance to provide complete testing of the safety function. Simulated automatic l actuation is performed each operating cycle.

The 18 month Frequency is based on the need to perform this ..

Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown that these components usually pass the Surveillance when performed at the 18 month Frequency.

l REFERENCES 1. 10CFR50.36(c)(2)(ii).

2. GENE-770-06-2, " Addendum to Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991.

l Cooper B 3.3-136 Revision 1

Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE Primary Containment Isolation SAFETY ANALYSES, LCO, and 2.a. Reactor Vessel Water level - Low (Level 31 APPLICABILITY (continued) Low RPV water level indicates that the capability to cool the fuel may be threatened. The valves whose penetrations ,

communicate with the primary containment are isolated to I limit the release of fission products. The isolation of the l primary containment on Level 3 supports actions to ensure that offsite dose limits of 10 CFR 100 are not exceeded.

The Reactor Vessel Water Level-Low (Level 3) Function associated with isolation is implicitly assumed in the USAR analysis as these leakage paths are assumed to be isolated '

post LOCA.

Reactor Vessel Water Level-Low (Level 3) signals are initiated from four vessel level instrument switches that l sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Eight channels of Reactor Vessel Water Level-Low (Level 3) ..

Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the j isolation function. l The Reactor Vessel Water Level-Low (Level 3) Allowable i Value was chosen to be the same as the RPS Level 3 scram Allowable Value (LC0 3.3.1.1), since isolation of these I valves is not critical to orderly plant shutdown.

This Function isolates the Group 2, 3, and 6 valves listed l in Reference 1.

2.b. Drywell Pressure - Hiah j High drywell pressure can indicate a break in the RCPB i inside the primary containment. The isolation of some of the primary containment isolation valves on high drywell pressure supports actions to ensure that offsite dose limits of 10 CFR 100 are not exceeded. The Drywell Pressure-High Function, associated with isolation of the primary containment, is implicitly assumed in the USAR accident analysis as these leakage paths are assumed to be isolated post LOCA.

(continued)

Cooper B 3.3-148 Revision 1

Primary containment Isolation Instrumentation

,- s B 3.3.6.1 l

BASES !

APPLICABLE 5.d. Reactor Vessel Water level - Low (Level 3) (continued) l

~

SAFETY ANALYSES, LCO, and peak cladding temperature remains below the limits of APPLICABILITY 10 CFR 50.46. The Reactor Vessel Water Level-Low (Level 3) i Function associated with RWCU isolation is not directly assumed in the USAR safety analyses because the RWCU System-line break is bounded by breaks of larger systems (recirculation and MSL breaks are more limiting).

Reactor Vessel Water Level-Low (Level 3) signals are initiated from four level switches that sense the difference l between the pressure due to a constant column of water !

(reference leg) and the pressure due to the actual water I level (variable leg) in the vessel. Eight channels of Reactor Vessel Water Level-Low (Level 3) Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

1 The Reactor Vessel Water Level-Low (Level 3) Allowable Value was chosen to be the same as the ECCS Reactor Vessel ..

Water Level-Low (Level 3) Allowable Value (LC0 3.3.5.1),

since the capability to cool the fuel may be threatened.

This Function isolates the Group 3 valves, as listed in I Reference 1. f Shutdown Coolina System Isolation 6.a. Reactor Pressure - Hiah The Reactor Pressure-High Function is provided to isolate the shutdown cooling portion of the Residual Heat Removal (RHR) System. This Function is provided only for equipment protection to prevent an intersystem LOCA scenario, and credit for the interlock is not assumed in the accident or l transient analysis in the USAR.

The Reactor Pressure-High signals are initiated from two ,

pressure switches that are connected to different taps on a !

recirculation pump suction line. Two channels of Reactor Pressure-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Function is only required to be OPERABLE in MODES 1, 2, and 3, since these (continued)

Cooper B 3.3-156 Revision 1

7 l

4 Primary Containment isolation Instrumentation B 3.3.6.1 i BASES APPLICABLE 6.a. Reactor Pressure-Hioh (continued)

SAFETY ANALYSES, LCO, and ~ are the only MODES in which the reactor can be pressurized; thus, A.PPLICABILITY equipment protection is needed. The Allowable Value was chosen to be low enough to protect the system equipment from overpressurization.

l This Function isolates both RHR shutdown cooling pump suction valves. I I

6.b. Reactor Vessel Water Level - Low (Level 3) l Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of some reactor vessel Interfaces occurs to begin isolating the potential sources of a break. The Reactor Vessel Water Level- Low (Level 3) Function associated with RHR Shutdown Cooling System isolation is not directly assumed in safety analyses l because a break of the RHR Shutdown Cooling System is bounded by breaks of the recirculation and MSL. The RHR Shutdown Cooling System isolation on Level 3 supports actions to ensure that the RPV i water level does not drop below fuel zone zero during a vessel draindown l event caused by a leak (e.g., pipe break or inadvertent valve opening) in the RHR Shutdown Cooling System.

)

Reactor Vessel Water Level- Low (Level 3) signals are initiated from four level switches that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Eight channels (four channels per trip system) of the Reactor Vessel Water Level- Low (Level 3) Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. As noted (footnote (b) to Table 3.3.6.1-1), only one trip system !

of the Reactor Vessel Water Level - Low (Level 3) Function is required l to be OPERABLE in MODES 4 and 5, provided the RHR Shutdown !

Cooling System integrity is maintained. System integrity is maintained provided the piping is intact and no maintenance is being performed that hw the potential for draining the reactor vessel through the system.

The Reactor Vessel Water Level- Low (Level 3) Allowable Value was chosen to be the same as the RPS Reactor Vessel (continued)

Cooper - B 3.3-157 June 10,1999 l

n Primary Containment Isolation Instrumentation

. s B 3.3.6.1 BASES l

SURVEILLANCE SR 3.3.6.1.1 (continued) l REQUIREMENTS The Frequency is based on operating experience that j demonstrates channel failure is rare. The CHANNEL CHECK l supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

f SR 3.3.6.1.2 l A CHANNEL FUNCTIONAL TEST is performed on each required j channel to ensure that the channel will perform the intended '

function.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The 92 day Frequency of SR 3.3.6.1.2 is based on the reliability analysis described in References 10 and 11. ..

SR 3.3.6.1.3. SR 3.3.6.1.4 and SR 3.3.6.1.5

' A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel 4 responds to the measured parameter within the necessary I range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology. SR 3.3.6.1.5, however, is only a calibration - j of the radiation detectors using a standard radiation . '

source.

As noted for SR 3.3.6.1.4, the main steam line radiation detectors (Function 2.d) are excluded from CW.HNEL i CALIBRATION due to ALARA reasons (when the plant is l operating, the radiation detectors are generally in a high radiation area; the steam tunnel). This exclusion is acceptable because the radiation detectors are passive i devices, with minimal drift. The radiation detectors are I calibrated in accordance with SR 3.3.6.1.5 on an 18 month Frequency using a standard current source and radiation l l source. The CHANNEL CALIBRATION of the remaining portions (continued)

Cooper B 3.3-164 Revision 1

Primary Containment Isolation Instrumentation

. , B 3.3.6.1 BASES SURVEILLANCE SR 3.3.6.1.3. SR 3.3.6.1.4 and SR 3.3.6.1.5 (continued)

REQUIREMENTS of the channel (SR 3.3.6.1.4) are performed using a standard current source.

The Frequency of SR 3.3.6.1.3 is based on the assumption of a 92 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. The Frequency of SR 3.3.6.1.4 and SR 3.3.6.1.5 is based on the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

SR 3.3.6.1.6 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required isolation logic for a specific channel. The system functional testing performed on PCIVs in LCO 3.6.1.3 overlaps this Surveillance to provide complete testing of the assumed safety function. Simulated l ..

automatic actuation is performed each operating cycle. The 18 month Frequency is based on the need to perform the Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.

Operating experience has shown these components usually pass the Surveillance when performed at the 18 month Frequency.

REFERENCES 1. USAR, Table VII-3-1.

2. USAR, Chapter XIV. ,

3. 10CFR50.36(c)(2)(ii).

4. USAR, Section V-5.0.

5. USAR, Section XIV-5.4.1.

6. USAR, Section XIV-6.5.

7. USAR, Section XIV-6.2.11.

(continued)

Cooper B 3.3-165 Revision 1

i Pricary Containment Isolation Instrumentation

. B 3.3.6.1 BASES REFERENCE 8. NED0-31466, " Technical Specification Screening (continued) Criteria Application and Risk Assessment,"

November 1987.

9. USAR, Section IV-9.3.

10. NEDC-31677P-A, " Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation,"

July 1990.

11. NEDC-30851P-A Supplement 2, " Technical Specifications Improvement Analysis for BWR Isolation Instrumentation Common to RPS and ECCS Instrumentation," March 1989.

Cooper B 3.3-166 Revision 1l

- Jet Pumps

s B 3.4.2 BASES ACTIONS 8.d (continued) reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.4.2.1 REQUIREMENTS This SR is designed to detect significant degradation in jet pump performance that precedes jet pump failure (Ref. 3).

This SR is required to be performed only when the loop has forced recirculation flow since surveillance checks and measurements can only be performed during jet pump operation. The jet pump failure of concern is a complete mixer displacement due to jet pump beam failure. Jet pump plugging is also of concern since it adds flow resistance to the recirculation loop. Significant degradation is indicated if the specified criteria confirm unacceptable deviations from established patterns or relationshi)s. The -

allowable deviations from the established patterns lave been !

developed based on the variations experienced at plants i during normal operation and with jet pump assembly failures l (Refs. 3 and 4). Each recirculation loop must satisfy one i of the performance criteria provided. Since refueling activities (fuel assembly replacement or shuffle, as well as ;

any modifications to fuel support orifice size or core plate bypass flow) can affect the relationship between core flow, jet pump loop flow, and recirculation loop flow, these relationships may need to be re-established each cycle.

Similarly, initial entry into extended single loop operation j may also require establishment of these relationships.

During the initial weeks of operation under such conditions, while base-lining new " established patterns", engineering judgement of the daily Surveillance results is used to detect significant abnormalities which could indicate a jet pump failure.

The recirculation pump speed is directly proportional to the speed of the reactor recirculation motor generator. The recirculation pump speed operating characteristics (recirculation pump flow and jet pump loop flow versus pump speed) are determined by the flow resistance from the loop suction through the jet pump nozzles. A change in the (continued)

Cooper ~B 3.4-11 Revision 1

. Jet Pumps

. s B 3.4.2 BASES SURVEILLANCE SR 3.4.2.1 (continued) I REQUIREMENTS relationship may indicate a plug, flow restriction, loss in pump hydraulic performance, leakage, or new flow path between the recirculation pump discharge and jet pump nozzle. For this criterion, the recirculation pump flow and jet pump loop flow versus pump speed relationship must be verified.

Individual jet pumps in a recirculation loop normally do not have the same flow. The unequal flow is due to the drive flow manifold, which does not distribute flow equally to all I risers. The jet pump diffuser to lower plenum differential I pressure pattern is repeatable. An appreciable change in this relationship is an indication that increased (or {

reduced) resistance has occurred in one of the jet pumps.

The deviations from normal are considered indicative of a potential problem in the recirculation drive flow or jet pucp system (Ref. 3). Normal flow ranges and established jet pump differential pressure patterns are established by -

plotting historical data as discussed in Reference 3.

The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Frequency has been shown by operating experience to be timely for detecting jet pump degradation and is consistent with the Surveillance Frequency for recirculation loop OPERABILITY verification.

This SR is modified by two Notes. Note 1 allows this Surveillance not to be perfoixed until 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months after the associated recirculation loop is in operation, since these checks can only be performed during jet pump operation. The 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is an acceptable time to establish conditions appropriate for data collection and evaluation.

Note 2 allows this SR not to be performed until 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after THERMAL POWER exceeds 25% of RTP. During low flow conditions, jet pump noise approaches the threshold response ,

of the associated flow instrumentation and precludes the '

collection of repeatable and meaningful data. The 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months I is an acceptable time to establish conditions appropriate to '

perform this SR.

(continued)

Cooper B 3.4-12 Revision 1l

r-SRVs and SVs l B 3.4.3 BASES (continued)

REFERENCES 1. ASME Boiler and Pressure Vessel Code, Section 111.

2. USAR, Section IV-4.9.

l

3. NEDC-31628P, SRV Setpoint Tolerance Analysis for Cooper Nuclear Station, October 1988.

4. USAR,Section XIV.

5. 10 CFR 50.36(c)(2)(ii). l

6. ASME, Boiler and Pressure Vessel Code,Section XI.

.----.-___.------.-..--------.._+---.---.----..a_.-_...m_.--__..._ f l

4 Cooper B 3.4-18 June 10,1999 l

n. ],

RHR Shutdown Cooling Systsm-Hot Shutdown B 3.4.7

. s B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.7 Residual Heat Removal (RHR) Shutdown Cooling System-Hot Shutdown BASES BACKGROUND Irradiated fuel in the shutdown reactor core generates heat l during the decay of fission products and increases the temperature of the reactor coolant. This decay heat must be removed to reduce the temperature of the reactor coolant to 1212*F in preparation for performing Refueling or Cold Shutdown maintenance operations, or the decay heat must be removed for maintaining the reactor in the Hot Shutdown condition.

The two redundant, manually controlled shutdown cooling loops of the RHR System provide decay heat removal. Each l loop consists of two motor driven pumps, a heat exchanger, ,

and associated piping and valves. Both loops have a common (

suction from the same recirculation loop. Each pump I discharges'the reactor coolant, after circulation through the respective heat exchanger, to the reactor via the -

associated recirculation loop. The RHR heat exchangers transfer heat to the RHR Service Water System (LC0 3.7.1,

" Residual Heat Removal Service Water Booster (RHRSWB)

System").

APPLICABLE Decay heat removal by operation of the RHR System in the SAFETY ANALYSES . shutdown cooling mode is not required for mitigation of any event or accident evaluated in the safety analyses (Ref.1).

Decay heat removal is, however, an important safety function that must be accomplished or core damage could result. The RHR Shutdown Cooling System meets Criterion 4 of 10 CFR 50.36(c)(2)(ii) (Ref. 2).

LC0 Two RHR shutdown cooling subsystems are required to be OPERABLE, and when no recirculation pump is in operation, one shutdown cooling subsystem must be in operation. An '

OPERABLE RHR shutdown cooling subsystem consists of one OPERABLE RHR pump, one heat exchanger, and the associated l piping and valves. The two subsystems have a common suction l source and are allowed to have a common heat exchanger and l common discharge piping. Thus, to meet the LCO, both pumps !

(cofitinued) ;

Cooper B 3.4-33 Revision 1

)

RHR Shutdown Cooling System-Cold Shutdown

. s B 3.4.8 8 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.8 Residual Heat Removal (RHR) Shutdown Cooling System-Cold Shutdown BASES BACKGROUND Irradiated fuel in the shutdown reactor core generates heat during the decay of fission products and increases the temperature of the reactor coolant. This decay heat must be removed to maintain the temperature of the reactor coolant 5 212*F in preparation for performing Refueling operations, or the decay heat must be removed for maintaining the reactor in the Cold Shutdown condition.

The two redundant, manually controlled shutdown cooling loops of the RHR System provide decay heat removal. Each l loop consists of two motor driven pumps, a heat exchanger, and associated piping and valves. Both loops have a common suction from the same recirculation loop. Each pump discharges the reactor coolant, after circulation through the respective heat exchanger, to the reactor via the associated recirculation loop. The RHR heat exchangers -

transfer heat to the RHR Service Water Booster System.

APPLICABLE Decay heat removal by operation of the RHR System in the SAFETY ANALYSES shutdown cooling mode is not required for mitigation of any event or accident evaluated in the safety analyses (Ref.1).

Decay heat removal is, however, an important safety function that must be accomplished or core damage could result. The RHR Shutdown Cooling System meets Criterion 4 of 10 CFR 50.36(c)(2)(ii) (Ref. 2).

LC0 Two RHR shutdown cooling subsystems are required to be OPERABLE, and when no recirculation pump is in operation, one RHR shutdown cooling subsystem must be in operation. An OPERABLE RHR shutdown cooling subsystem consists of one OPERABLE RHR pump, one heat exchanger, an RHRSWB pump capable of providing cooling water to the heat exchanger (passing service water through a wind milling RHRSWB pump is an acceptable alternative), and the associated piping and valves. In addition, the necessary portion of the Service Water System is required to provide a suction source for the RHR3WB pump. The two subsystems have a common suction (continued)

Cooper B 3.4-39 Revision 1

. ECCS-Operating B 3.5.1 8 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM B 3.5.1 ECCS -Operating l

BASES BACKGROUND The ECCS is designed, in conjunction with the primary and secondary containment, to limit the release of radioactive materials to the environment following a loss of coolant accident (LOCA). The ECCS uses two independent methods (flooding and spraying) to cool the core during a LOCA. The ECCS network consists of the High Pressure Coolant Injection (HPCI) System, the Core Spray (CS) System, the low pressure coolant injection (LPCI) mode of the Residual Heat Removal (RHR) System, and the Automatic Depressurization System (ADS). The suppression pool provides the required source of water for the ECCS. The emergency condensate storage tanks (ECSTs) are capable of providing a source of water for the HPCI System. Although no credit is taken in the safety analyses for the condensate storage tank (CST), it is capable of providing a source of water for the CS System and ..

LPCI subsystems.

On receipt of an initiation signal, ECCS pumps automatically start; simultaneously, the system aligns and the pumps inject water, taken either from the ECSTs or suppression pool, into the Reactor Coolant System (RCS) as RCS pressure is overcome by the discharge pressure of the ECCS pumps.

Although the system is initiated, ADS action is delayed, allowing the operator to interrupt the timed sequence if the system is not needed. The HPCI pump discharge pressure almost immediately exceeds that of the RCS, and the pump injects coolant into the vessel to cool the core. If the break is small, the HPCI System will maintain coolant j inventory as well as vessel level while the RCS is still pressurized. If HPCI fails, it is backed up by ADS in combination with LPCI and CS. In this event, if the ADS timed sequence is allowed to time out, the selected safety / relief valves (SRVs) would open, depressurizing the i RCS, thus allowing the LPCI and CS to overcome RCS pressure and inject coolant into the vessel. If the break is large, RCS pressure initially drops rapidly and the LPCI and CS cool the core.

(continued)

Cooper B 3.5-1 Revision 1 l

l

. ECCS -Operating

.~ . B 3.5.1 j i

BASES BACKGROUND Water from the break returns to the suppression pool where (continued) it is used again and again. Water in the suppression pool is circulated through a heat exchanger cooled by the RHR Service Water Booster System. Depending on the location and {

size of the break, portions of the ECCS may be ineffective; however, the overall design is effective in cooling the core regardless of the size or location of the piping break.

All ECCS subsystems are designed to ensure that no single active component failure will prevent automatic initiation and successful operation of the minimum required ECCS equipment. !

The CS System (Ref.1) is composed of two independent !

subsystems. Each subsystem consists of a motor driven pump, {

a spray sparger above the core, and piping and valves to transfer water from the suppression pool to the sparger.

The CS System is designed to provide cooling to the reactor core when reactor pressure is low. Upon receipt of an initiation signal, the CS pumps in both subsystems are automatically started, following an approximate 10 second ..

time delay, when AC power is available. When the RPV pressure drops sufficiently, CS System flow to the RPV begins. A full flow test line is provided to route water to the suppression pool to allow testing of the CS System without spraying water in the RPV.

LPCI is an independent operating mode of the RHR System. l There are two LPCI subsystems (Ref. 2), each consisting of l two motor driven pumps and piping and valves to transfer water from the suppression pool to the RPV via the corresponding recirculation loop. The two LPCI subsystems can be interconnected via the RHR System cross tie shutoff valve; however, the cross tie shutoff valve is maintained closed to prevent loss of both LPCI subsystems during a LOCA. The LPCI subsystems are designed to provide core cooling at low RPV pressure. Upon receipt of an initiation signal, all four LPCI pumps are automatically started (pumps A and D immediately when AC power is available, and pumps B and C approximately 5 seconds after AC power is available). RHR System valves in the LPCI flow path are automatically positioned to ensure the proper flow path for water from the suppression pool to inject into the recirculation loops. When the RPV pressure drops sufficiently, the LPCI flow to the RPV, via the (continued)

Cooper B 3.5-2 Revision 1l

ECCS - Operating 8 3.5.1 BASES APPLICABLE e. Adequate long term cooling capability is maintained.

SAFETY ANALYSES (continued) The limiting single failures are discussed in Reference 9.

-For large or small beak LOCA, failure of a DC power source is considered the most severe failure. Credit is taken for 5 of 6 ADS valves. The remaining OPERABLE ECCS subsystems provide the capability to adequately cool the core and prevent excessive fuel damage.

The ECCS satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii)

(Ref. 10).

LC0 Each ECCS injection / spray subsystem and six ADS valves are required to be OPERABLE. The ECCS injection / spray subsystems are defined as the two CS subsystems, the two LPCI subsystems, and one HPCI System. The low pressure ECCS injection / spray subsystems are defined as the two CS subsystems and the two LPCI subsystems.

With less than the required number of ECCS subsystems "

OPERABLE, the potential exists that during a limiting design basis LOCA concurrent with the worst case single failure, the limits specified in Reference 8 could be exceeded. All ECCS subsystems must therefore be OPERABLE to satisfy the single failure criterion required by Reference 8.

Two pumps are required for an OPERABLE LPCI subsystem. LPCIl subsystems may be considered OPERABLE during alignment and operation for decay heat removal when below the actual RHR cut in permissive pressure in MODE 3, if capable of being manually realigned (remote or local) to the LPCI mode and not otherwise inoperable. Alignment and operation for decay heat removal includes when the required RHR pump is not operating or when the system is realigned from or to the RHR shutdown cooling mode. At these low pressures and decay heat levels, a reduced complement of ECCS subsystems should provide the required core cooling, thereby allowing operation of RHR shutdown cooling when necessary.

(continued)

Cooper B 3.5-5 Revision 1

_ ECCS-Operating i , B 3.5.1 1

BASES ACTIONS G.1 and G 2 (continued)_

If any Required Action and associated Completion Time of Condition C, D, E, or F is not met, or if two or more ADS valves are inoperable, the plant must be brought to a i condition in which the LC0 does not apply. To achieve this status, the plant must be brought to at least MODE 3 within i 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and reactor steam dome pressure reduced to i 1 150 psig within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an l orderly manner and without challenging plant systems.

H.1 j When multiple ECCS subsystems are inoperable, as stated in Condition H, the plant is in a condition outside of the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.

.. l l

SURVEILLANCE SR 3.5.1.1 l REQUIREMENTS i The flow path piping has the potential to develop voids and l pockets of entrained air. Maintaining the pump discharge lines of the HPCI System, CS System, and LpCI subsystems ,

full of water ensures that the ECCS will perform properly, injecting its full capacity into the RCS upon demand. This will also prevent a water hammer following an ECCS initiation signal. One acceptable method is to vent from the system high point until water flow is observed. The 31 day Frequency is based on the gradual nature of void buildup in the ECCS piping, the procedural controls governing system operation, and operating experience.

SR 3.5.1.2 Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provides assurance that the proper flow paths will exist for ECCS operation. This SR applies only to valves affecting the direct flow path. This SR excludes valves that, if mispositioned, would not affect system or subsystem (continued)

Cooper B 3.5-9 Revision 1

RCIC System i

~

B 3.5.3 '

l BASES l

BACKGROUND The RCIC pump is provided with a minimum flow bypass line, (continued) which discharges to the suppression pool. The valve in this line automatically opens to prevent pump damage due to overheating when other discharge line valves are closed. To ensure rapid delivery of water to the RPV and to minimize water hammer effects, the RCIC System discharge piping is kept full of water. The RCIC System is normally aligned to the ECSTs. The RCIC discharge line is kept full of water {

using a " keep fill" system (Pressure Maintenance System).

APPLICABLE The function of the RCIC System is to respond to transient SAFETY ANALYSES events by providing makeup coolant to the reactor. The RCIC l System is neither an ECCS nor an Engineered Safety Feature l l System and no credit is taken in the safety analyses for '

RCIC System operation. Based on its contribution to the reduction of overall plant risk, however, the system satisfies Criterion 4 of 10 CFR 50.36 (c)(2)(ii) (Ref. 3). !

LC0 The OPERABILITY of the RCIC System provides adequate core cooling such that actuation of any of the low pressure ECCS subsystems is not required in the event of RPV isolation accompanied by a loss of feedwater flow. The RCIC System has sufficient capacity for maintaining RPV inventory during an isolation event.

APPLICABILITY The RCIC System is required to be OPERABLE during MODE 1, and MODES 2 and 3 with reactor steam dome pressure '

> 150 psig, since RCIC is the primary non-ECCS water source for core cooling when the reactor is isolated and pressurized. in MODES 2 and 3 with reactor steam dome pressure s 150 psig, and in MODES 4 and 5, RCIC is not required to be OPERABLE since the low pressure ECCS injection / spray subsystems can provide sufficient flow to the RPV.

1 (continued) ,

Cooper B 3.5-25 Revision 1

I l

PCIVs !

B 3.6.1.3

. 1

{

t BASES BACKGROUND The primary containment purge lines are 24 inches in (continued) diameter; vent lines are 24 inches in diameter. The 24 inch primary containment purge valves are normally j maintained closed in MODES 1, 2, and 3 to ensure the primary containment boundary is maintained. The isolation valves on the 24 inch vent lines have bypass lines around them for when the 24 inch valves cannot be opened. Two additional parallel isolation valves (one leading to the reactor building exhaust plenum, the other leading directly to the Standby Gas Treatment (SGT) System) are provided on the vent ;

line. Only one SGT subsystem is allowed to be operating 1 when the 24 inch vent and purge valves are open, due to the j potential damage the filters would experience from excessive differential pressure caused by a LOCA, to ensure at least one SGT subsystem is OPERABLE following a LOCA. l Closure of the isolation valves will not prevent the SGT {

System from performing its design function (that is, to !

maintain a negative pressure in the secondary containment). i APPLICABLE The PCIVs LC0 was derived from the assumptions related to SAFETY ANALYSES minimizing the loss of reactor coolant inventory, and establishing the primary containment boundary during major accidents. As part of the primary containment boundary, PCIV OPERABILITY supports leak tightness of primary containment. Therefore, the safety analysis of any event requiring isolation of primary containment is applicable to this LCO.

The DBAs that result in a release of radioactive material for which the consequences are mitigated by PCIVs are a LOCA 1 and a main steam line break (MSLB). In the analysis for 1

each of these accidents, it is assumed that PCIVs are either ,

closed or close within the required isolation times i l

following event initiation. This ensures that potential paths to the environment through PCIVs (including primary containment purge and vent valves) are minimized. Of the events analyzed in Reference 1, the MSLB is the most limiting event due to radiological consequences. The closure time of the main steam isolation valves (MSIVs) is a significant variable from a radiological standpoint. The '

MSIVs are required to close within 3 to 5 seconds since the l

(continued)

Cooper B 3.6-16 Revision 1

r PCIVs .

. s B 3.6.1.3 BASES SURVEILLANCE SR 3.6.1.3.1 (continued)

REQUIREMENTS Only one SGT subsystem is allowed to be operating when the 24 inch ) urge and vent valves are open, due to the potential damage t1e filters would experience from excessive differential pressure caused by a LOCA, to ensure at least one SGT subsystem is OPERABLE following a LOCA. If a LOCA occurs when the 24 inch purge and vent valves are open, these valves are capable of closing in the environment following the LOCA. Therefore, these valves are allowed to be open for limited periods of time. The 31 day Frequency is consistent with other PCIV requirements discussed in SR 3.6.1.3.2.

SR 3.6.1.3.2 )

l This SR verifies that each primary containment isolation manual valve and blind flange that is located outside primary containment and not locked, sealed, or otherwise secured and is required to be closed during accident ...

conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the primary containment boundary is within design limits. This SR does not apply to valves and blind flanges that are locked, sealed, or otherwise secured in the correct position, since these valves were verified to be in the correct position upon locking, sealing, or securing.

This SR does not require any testing or valve manipulation.

Rather, it involves verification _that those PCIVs outside primary containment, and capable of being mispositioned, are in the correct position. Since verification of valve position for PCIVs outside primary containment is relatively easy, the 31 day Frequency was chosen to provide added assurance that the PCIVs are in the correct positions.

Two Notes have been added to this SR. The first Note allows valves and blind flanges located in high radiation areas to be verified by use of administrative controls. Allowing verification by administrative controls is considered acceptable since access to these areas is typically l restricted during MODES 1, 2, and 3 for ALARA reasons.

Therefore, the probability of misalignment of these PCIVs, (continued)

Cooper B 3.6-24 Revision 1

PCIVs B 3.6.1.3 BASES SURVEILLANCE SR 3.6.1.3.2 (continued)

REQUIREMENTS once they have been verified to be in the proper position, is low. A second Note has been included to clarify that PCIVs that are open under administrative controls are not required to meet the SR during the time that the PCIVs are open. These controls consist of stationing a dedicated operator at the controls of the valve, who is in continuous !

communication with the control room. In this way, the !

penetration can be rapidly isolated when a need for primary containment isolation is indicated.

SR 3.6.1.3.3 This SR verifies that each primary containment manual isolation valve and blind flange that is located inside primary containment and not locked, sealed, or otherwise secured and is required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the -

j primary containment boundary is within design limits. For i PCIVs inside primary containment, the Frequency defined as

" prior to entering MODE 2 or 3 from MODE 4 if primary i containment was de-inerted while in MODE 4, if not )erformed I within the previous 92 days" is appropriate since t1ese PCIVs are operated under administrative controls and the probability of their misalignment is low. This SR does not apply to valves and blind flanges that are locked, sealed, or otherwise secured in the correct position, since these valves were verified to be in the correct position upon l locking, sealing, or securing. l l

Two Notes have been added to this SR. The first Note allows valves and blind flanges located in high radiation areas to l be verified by use of administrative controls. Allowing verification by administrative controls is considered acceptable since the primary containment is inerted and access to these areas is typically restricted during MODES 1, 2, and 3 for ALARA reasons. Therefore, the probability of misalignment of these PCIVs, once they have been verified to be in their proper position, is low. A second Note has been included to clarify that PCIVs that are open under administrative controls are not required to meet the SR during the time that the PCIVs are open. These (continued)

Cooper B 3.6-25 Revision 1l

r- 1 PCIVs B 3.6.1.3 1

BASES (continued) j REFERENCES 1. USAR, Chapter XIV.

2. Amendment 25 to the FSAR.

3. NEDC 96-006, " Estimate of Steam Tunnel's HELB," dated March 30,1996.

4. USAR Section IV-4.9. ,

l S. 10 CFR 50.36(c)(2)(ii).

6. USAR, Table Vll-3-1.

7. USAR, Burns and Roe Drawing 4259, Sheets 1 and 1 A, and Burns and Roe Drawing 4260, Sheets 2A and 2B (incorporated by Reference).

8. t'SAR, Section V-2.0, i i

9. USAR, Section XIV-6.3. j

10. 10 CFR 50, Appendix J, Option A.

)

i 1

1 l

l Cooper B 3.6-29 June 10,1999 l .

1

Supp'ression Chamber-to-Drywell Vacuum Breakers B 3.6.1.8 l

l BASiiS BACKGROUND less than the suppression chamber pressure, there will be an increase in 1 (continued) the vent waterleg. This will result in an increase in the water clearing inertia in the event of a postulated LOCA, resulting in an increase in the peak drywell pressure. This in tum will result in an increase in the pool swell dynamic loads. The intemal vacuum breakers limit the height of the waterleg in the vent system during normal operation.

APPLICABLE Analytical methods and assumptions involving the suppression SAFETY ANALYSES chamber-to-drywell vacuum breakers are presented in Reference 1 as part of the accident response of the primary containment systems.

Intemal (suppression chamber-to-drywell) and extemal (reactor building-to-suppression chamber) vacuum breakers are provided as part of the !

primary containment to limit the negative differential pressure across the i drywell and suppression chamber walls that form part of the primary I containment boundary.

The safety analyses assume that the internal vacuum breakers are

{

closed initially and are fully open at a differential pressure of 0.5 psid 1 (Ref. 2). Additionally,4 of the 12 intemal vacuum breakers are assumed to failin a closed position. The results of the analyses show that the l design pressure is not exceeded even under the worst case accident scenario. The vacuum breaker opening differential pressure setpoint and the requirement that 9 of 12 vacuum breakers be OPERABLE (the additional vacuum breaker is required to meet the single failure criterion) 4 are a result of the requirement placed on the vacuum breakers to limit the vent system waterleg height. The cross section areas of the vacuum breakers are sized on the basis of the Bodega Bay Pressure Suppression Tests (Ref 1). The vacuum breaker capacity selected on this test basis is i more than adequate to limit the pressure differential between the suppression chamber and drywell during post-accident drywell cooling operations to a value which is within the suppression system design values (Ref. 4). Design Basis Accident (DBA) analyses assume the vacuum breakers to be closed initially and to remain closed and leak tight, until the suppression pool is at a positive pressure, relative to the drywell. j (continued)

Cooper B 3.6-46 June 10,1999 l

Supprtssion Chrmber-to-Drywell Vacuum Breakers B 3.6.1.8 BASES SURVEILLANCE SR 3.6.1.8.2 (continued)

REQUIREMENTS requirements to perform valve testing at least once every 92 days. A

31. day Frequency was chosen to provide additional assurance that the vacuum breakers are OPERABLE, since they are located in a harsh environment (the suppression chamber airspace).

SR 3.6.1.8.3 Verification of the vacuum breaker setpoint for opening is necessary to ensure that the safety analysis assumption regarding vacuum breaker full open differential pressure of 0.5 psid is valid. The 18 month Frequency is based on the need to perform this Surveillance under the conditicos that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. The 18 month Frequency has been shown to be acceptable, based on operating experience, and is further justified because of other surveillances performed at shorter Frequencies that convey the proper functioning status of each vacuum breaker.

REFERENCES 1. Bodega Bay Preliminary Hazards Summary Report, Appendix 1,

. Docket 50-205, December 28,1962.

2. USAR, Section XIV-6.3.

1

3. Deleted l

4. USAR, Section V-2.3.6.

5. 10 CFR 50.36(c)(2)(li).

6. FSAR Question No. 5.17.

I Cooper B 3.6-50 June 10,1999 l

Secondary Containment

. s B 3.6.4.1 BASES ACTIONS C.I. C.2. and C.3 (continued) movement of irradiated fuel assemblies would not be a sufficient reason to require a reactor shutdown.

SURVEILLANCE SR 3.6.4.1.1

. REQUIREMENTS This SR ensures that the secondary containment boundary is sufficiently leak tight to preclude exfiltration under expected wind conditions. Momentary transients on installed instrumentation due to gusty wind conditions are considered acceptable and are not cause for failure to meet this SR.

The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Frequency of this SR was developed based on operating experience related to secondary containment vacuum variations during the applicable MODES and the low probability of a DBA occurring between surveillances.

Furthermore, the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Frequency is considered adequate in view of other indications available in the control room, ."

including alarms, to alert the operator to an abnormal secondary containment vacuum condition.

SR 3.6.4.1.2 and SR 3.6.4.1.3 Verifying that secondary containment equipment hatches and one access door in each access opening are closed ensures that the infiltration of outside air of such a magnitude as to prevent maintaining the desired negative pressure does not occur. Verifying that all such openings are closed provides adequate assurance that exfiltration from the secondary containment will not occur. SR 3.6.4.1.2 also requires equipment hatches to be sealed. In this application, the term " sealed" has no connotation of leak )

tightness. Maintaining secondary containment OPERABILITY requires verifying one door in the access opening is closed.

However, each secondary containment access door is normally kept closed, except when the access opening is being used for normal transient entry and exit or when maintenance is being performed on an access. The 31 day Frequency for these SRs has been shown to be adequate, based on operating experience, and is considered adequate in view of the other indications of door and hatch status that are available to the operator.

continued)

Cooper B 3.6-70 Revision 1

. RHRSWB System B 3.7.1 B 3.7 PLANT SYSTEMS B 3.7.1 Residual Heat Removal Service Water Booster (RHRSWB) System BASES BACKGROUND The RHRSWB System is designed to provide cooling water for the Residual Heat Removal (RHR) System heat exchangers, required for a safe reactor shutdown following a Design Basis Accident (DBA) or transient. The RHRSWB System is operated whenever the RHR heat exchanger.s are required to operate in the shutdown cooling or suppression pool cooling l mode.

The RHRSWB System consists of two independent and redundant subsystems. Each subsystem is made up of a header, two 4000 gpm pumps, a suction source, valves, piping, heat exchanger, and associated instrumentation. Either of the two subsystems is capable of providing the required cooling capacity with one pump operating to maintain safe shutdown conditions. The two subsystems are separated from each other by normally closed manually operated cross tie valves, .

so that failure of one subsystem will not affect the OPERABILITY of the other subsystem. The RHRSWB System is ,

designed with sufficient redundancy so that no single active !

component failure can prevent it from achieving its design 1 function. The RHRSWB System is described in the USAR, Section X-8.2, Reference 1.

Normal cooling water is pum)ed by the RHRSWB pumps from the Service Water System throug1 the tube side of the RHR heat exchangers, and discharges to the circulating water discharge canal. Minimum flow through the RHRSWB pumps is ensured by an interlock with their respective RHR heat exchanger discharge valves. When the pump control switch is taken to " Start", the associated discharge valve opens enough to pass approximately 2500 gpm, ensuring minimum flow through the pump. The pump will then start.

The system is initiated manually from the control room. If operating during a loss of coolant accident (LOCA), the system is automatically tripped to allow the diesel generators to automatically power only that equipment necessary to reflood the core. The system is assumed in the (continued)

Cooper B 3.7-1 Revision 1

I SW System and UHS B 3.7.2 BASES LCO The isolation of the SW System to components or systems may (continued) render those components or systems inoperable, but does not affect the OPERABILITY of the SW System.

4 APPLICABILITY In MODES 1, 2, and 3, the SW System and UHS are required to be OPERABLE to support OPERABILITY of the equipment serviced by the SW System. Therefore, the SW System and UHS are required to be OPERABLE in these MODES.

Under other plant conditions, the OPERABILITY requirements l of the SW System and UHS are determined by the systems they support and therefore, the requirements are not the same for l all facets of operation. Thus, the LCOs of the RHR Shutdown Cooling System (LCO 3.4.8, "RHR Shutdown Cooling Systen-Co Shutdown," LCO 3.5.2, "ECCS-6hutdown," LC0 3.8.2, "AC Sources-Shutdown," LC0 3.9.7, "RHR-High Water Level," and LCO 3.9.8, "RHR-Low Water Level"), which require portions of the SW System to be OPERABLE, will govern SW System operation in MODES 4 and 5. -

ACTIONS Ad With one SW subsystem inoperable, the SW subsystem must be restored to OPERABLE status within 30 days. With the unit in this condition, the remaining OPERABLE SW subsystem is adequate to perform the heat removal function. However, the overall reliability is reduced because a single failure in the OPERABLE SW subsystem could result in loss of SW function.

The 30 day Completion Time is based on the redundant SW System capabilities afforded by the OPERABLE subsystem and the low probability of an accident occurring during this time period.

Required Action A.1 is modified by two Notes indicating that the applicable Conditions of LC0 3.8.1, "AC Sources-Operating," LCO 3.4.7, " Residual Heat Removal (RHR) Shutdown Cooling System-Hot Shutdown," be entered and Required Actions taken if the inoperable SW subsystem results in an (continued)

Cooper B 3.7-8 Revision 1

SW System and UHS B 3.7.2 BASES i

'l SURVEILLANCE SR 3.7.2.3 REQUIREMENTS (continued) Verifying the correct alignment for each manual, power operated, and automatic valve in each SW subsystem flow path provides assurance that the proper flow paths will exist for SW operation. This SR applies only to valves affecting the i direct flow path. This SR excludes valves that, if mispositioned, would not affect system or subsystem OPERABILITY. Also, this SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position, and yet considered in the correct position, provided it can be automatically realigned to its accident position within the required time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR docs not apply to valves that cannot be inadvertently misaligned, such as check valves.

This SR is modified by a Note indicating that isolation of l the SW System to components or systems may render those components or systems inoperable, but does not affect the OPERABILITY of the SW System. As such, when all SW pumps, valves, and piping are OPERABLE, but a branch connection off the main header is isolated, the SW System is still OPERABLE.

The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions.

4 SR 3.7.2.4 This SR verifies that the automatic isolation valves of the SW System will automatically switch to the safety or emergency position to provide cooling water exclusively to the safety related equipment during an accident event. This is demonstrated by the use of an actual or simulated initiation signal. The initiation signal is caused by low SW header pressure (approximately 20 psig). This SR also l Verifies the automatic start capability of one of the two SW pumps in each subsystem.

(continued)

' Cooper B 3.7-10 Revision 1

REC System

- s B 3.7.3 83.7 PLANT SYSTEMS B 3.7.3 Reactor Equipment Cooling (REC) System BASES BACKGROUND The REC System is designed to provide cooling water for the removal of heat from equipment, such as the room coolers for the core spray pump rooms and HPCI pump room, required for a safe reactor shutdown following a Design Basis Accident (DBA) or transient. The REC System also provides cooling to unit components, as required, during normal operation. In the event of a loss of REC System pressure, automatic valving is provided to shut off all supply to nonessential loads, thus assuring supply to the essential loads.

The REC. System consists of two, closed subsystems, each consisting of two 1350 gpm pumps, a heat exchanger, valves, piping and associated instrumentation. A 550 gallon capacity surge tank, located at the highest point of thesystem,accom pressure in the loops, detects gross leaks in the REC System, and provides a means for adding water. Either of the two subsystems is capable of providing the required cooling capacity to support the required systems with one REC pump operating. The two subsystems have sufficient redundancy and independence from each other such that no active component failure in one subsystem will affect the OPERABILITY of the other. Additionally, each subsystem is provided with Service Water backup cross tie valves to provide required component cooling in the event of a passive failure, such as a Class IE pipe break.

Cooling water is pumped by the REC pumps, delivered to the REC heat exchangers, which are cooled by the Service Water System, and then to the components through the two main headers. After removing heat from the components, the water is then recirculated back to the REC pump suction.

APPLICABLE Either REC loop has sufficient capacity with one pump SAFETY ANALYSIS operating to transfer the essential services design cooling heat load during postulated transient or accident conditions (Ref. 1). However, to provide additional margin, two REC (continued)

Cooper B 3.7-12 Revision 1

REC System B 3.7.3 BASES SURVEILLANCE SR 3.7.3.4 (continued)

REQUIREMENTS the safety related equipment during an accident event. This is demonstrated by the use of an actual or simulated initiation signal. The initiation signal is caused by low REC heat exchanger outlet pressure (approximately 60.5 psig for REC heat exchanger outlet, approximately 61.5 psig for !

REC heat exchanger IA outlet pressure, and approximately 59.5 psig for REC heat exchanger 1B outlet pressure). Also, a Group VI isolation signal will open the REC heat exchanger service water outlet valves and the REC critical loop supply valves to provide cooling water to essential components.

Operating experience has shown that these components usually '

pass the SR when performed at the 18 month Frequency.

Therefore, this Frequency is concluded to be acceptable from ;

a reliability standpoint.

REFERENCES 1. USAR, Section X-6. -

2. 10 CFR 50.36(c)(2)(ii).

Cooper B 3.7-16 Revision 1

I Main Turbine Bypass System B 3.7.7 BASES ACTIONS M

-(continued)

If. the inoperable Main Turbine Bypass Valve cannot be restored to OPERABLE status and the MCPR operating limits l for one inoperable Main Turbine Bypass Valve are not applied within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , or two or more Main Turbine Bypass Valves are inoperable, THERMAL POWER must be reduced to < 25% RTP.

As discussed in the Applicability section, operation at

< 25% RTP results in sufficient margin to the required l limits, and the Main Turbine Bypass System is not required to protect fuel integrity during the Applicable Safety Analyses transients. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.7.7.1 REQUIREMENTS l Cycling each main turbine bypass valve through at least half .

of one cycle of full travel (50% open) demonstrates that the l valves are mechanically OPERABLE and will function when required. The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions. Operating experience has shown that these components usually pass the SR when performed at the 31 day Frequency. Therefore, the Frequency is acceptable from a reliability standpoint.

SR 3.7.7.2 l

The Main Turbine Bypass System is required to actuate automatically to perform its design function. This SR demonstrates that, with the required system initiation signals, the valves will actuate to their required position.

The 18 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a unit outage and because of the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown the 18 month Frequency, which is based on the refueling cycle, 1s acceptable from a reliability standpoint.

l (continued)

Cooper B 3.7-30 Revision 1 l

Main Turbine Bypass System

, , B 3.7.7 BASES SURVEILLANCE SR 3.7.7.2 (continued)

REQUIREMENTS Cycling open a bypass valve at slightly above 30% RTP may affect the RPS Turbine Stop and Control Valve functions.

SR 3.7.7.3 This SR ensures that the TURBINE BYPASS SYSTEM RESPONSE TIME is in compliance with the assumptions of the appropriate safety analyses. The response time limits are specified in I the COLR. The 18 month Frequency is based on the need to l perform this Surveillance under the conditions that apply during a unit outage and because of the potential for an unplanned transient if the Surveillance were performed with ,

the reactor at power. Operating experience has shown the l 18 month Frequency, which is based on the refueling cycle, l 1s acceptable from a reliability standpoint.

REFERENCES 1. USAR, Section VII-11.3.

2. Amendment 25 to the FSAR.

3. NEDC 96-006, " Estimate of Steam Tunnel's HELB,"

March 3, 1996.

4. USAR, Section XIV-5.8.1.

5. 10 CFR 50.36(c)(2)(ii).

Cooper B 3.7-31 Revision 1

AC Sources-Operating

. 1 B 3.8.1 BASES BACKGROUND Certain required plant loads are returned to service in a (continued) predetermined sequence in order to prevent overloading of the DGs in the process. Within 44 seconds after the initiating signal is received, all automatic and permanently >

connected loads needed to recover the unit or maintain it in a safe condition are returned to service. The failure of i any one DG does not impair safe shutdown because each DG serves an independent, redundant 4.16 kV critical bus. The a remaining DG and critical bus have sufficient capacity to mitigate the consequences of a DBA, support the shutdown of the unit, and maintain the unit in a safe condition. 4 Ratings for the DGs satisfy the requirements of Safety Guide 9-(Ref. 3). DG-1 and DG-2 have the following ratings:

a. 4000 kW-continuous,

b. 4400 kW-2 hours per day, )

c. 5000 kW-320 hours / total .

4 APPLICABLE The initial conditions of DBA and transient analyses in the .

SAFETY ANALYSES USAR, Chapter VI (Ref. 4) and Chapter XIV (Ref. 5), assume '

ESF systems are OPERABLE. The AC electrical power sources are designed to provide sufficient capacity, capability,

'^

redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core Cooling Systems (ECCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6, Containment Systems.

The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining the onsite or offsite AC sources OPERABLE during accident conditions in the event of:

(continued)

Cooper B 3.8-3 Revision 1

AC Sources-Operating

. , B 3.8.1 BASES LC0 The AC sources must be separate and independent (to the (continued) extent possible) of other AC sources. For the DGs, the separation and independence are complete. For the offsite AC sources, the separation and independence are to the extent practical. A circuit may be connected to more than one 4.16 kV critical bus, with fast transfer capability, as applicable, to the other circuit OPERABLE, and not violate j separation criteria. A circuit that is not connected to a {

critical bus is required to have OPERABLE automatic or fast transfer interlock mechanisms, as applicable, to one critical bus to support OPERABILITY of that circuit. That '

is, power can be supplied to both critical buses via the SSST provided that the automatic transfer capability to the l ESST exists for one of the critical buses. However, if l power is supplied to both critical buses via the ESST, then '

one offsite circuit is inoperable, since no automatic transfer capability from the ESST to the SSST exists.

Additionally, power to the critical buses is allowed to be j supplied from the NSST. In this case, the SSST offsite 1 circuit is considered OPERABLE provided the automatic )

transfer capability from the NSST to the SSST is OPERABLE .. 1 for one of the critical buses. For the ESST to be I considered OPERABLE, the automatic transfer capability from i the NSST to the ESST must be OPERABLE for the other critical I bus (the automatic transfer capability from the NSST to the l ESST is allowed to go through an intermediate step of 4 transferring to the first offsite source, i.e., SSST).

A verification of OPERABILITY is an administrative check, by J examination of appropriate plant records (logs, surveillance test records), to determine that a system, subsystem, train, component or device is not inoperable. Such verification does not preclude the demonstration (testing) of a given system, subsystem, train, component or device to determine OPERABILITY.

APPLICABILITY The AC sources are required to be OPERABLE in MODES 1, 2, and 3 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of abnormal operational transients; and

b. Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

(continued) l Cooper B 3.8-5 Revision 1 I J

l AC Sources -Operating

. s B 3.8.1 BASES APPLICABILITY The AC power requirements for MODES 4 and 5 are covered in (continued) LC0 3.8.2, "AC Sources - Shutdown."

ACTIONS A.1 To ensure a highly reliable power source remains with one offsite circuit inoperable, it is necessary to verify the availability of the remaining offsite circuit on a more frequent basis. Since the Required Action only specifies

" perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met. However, if the second circuit fails SR 3.8.1.1, the second offsite circuit 1 is inoperable, and Condition C, for two offsite circuits l inoperable, is entered.

A.2 Required Action A.2, which only applies if the division cannot be powered from an offsite source, is intended to -

provide assurance that an event with a coincident single failure of the associated DG does not result in a complete loss of safety function of critical systems. These features are designed with redundant safety related divisions (i.e.,

single division systems are not included). Redundant required features failures consist of inoperable features associated with a division redundant to the division that has no offsite power.

The Completion Time for Required Action A.2 is intended to allow time for the operator to evaluate and repair any discovered inoperabilities. This Completion Time also allows an exception to the normal " time zero" for beginning the allowed outage time " clock." In this Required Action the Completion Time only begins on discovery that both:

a. The division has no offsite power supplying its loads; and

b. A redundant required feature on the other division is inoperable.

l (continued)

Cooper B 3.8-6 Revision 1l

AC Sources-Operating

s B 3.8.1 BASES ACTIONS A.2 (continued)

-If, at any time during the existence of this Condition (one offsite circuit inoperable) a redundant required feature subsequently.becomes inoperable, this Completion Time would begin to be tracked.

Discovering no offsite power to one 4.16 kV critical bus of the onsite Class IE Power Distribution System coincident with one or more inoperable required support or supported features, or both, that are associated with any other critical bus that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours is acceptable because it minimizes risk while allowing time for restoration before the unit is subjected to transients associated with shutdown.

The remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class IE Distribution System. Thus, on a component basis, single failure protection may have been lost for.the required ...

feature's function; however, function is not lost. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period. 1 I

A.3 The 4.16 kV critical bus design and loading is sufficient to allow operation to continue in Condition A for a period that should not exceed 7 days. With one offsite circuit ,

inoperable, the reliability of the offsite system is !

degraded, and the potential for a loss of offsite power is 1 increased, with attendant potential for a challenge to the plant safety systems. In this condition, however, the remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class IE Distribution 1 System.

(continued)

. Cooper B 3.8-7 Revision 1l

AC Sources-Operating

, s B 3.8.1 BASES ACTIONS A.3 (continued)

The 7 day Completion Time takes into account the redundancy, capacity and capability of the remaining AC sources, !

reasonable time for repairs, and the low probability of a DBA occurring during this period.

The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable ,

during any single contiguous occurrence of failing to meet '

the LCO. If Condition A is entered while, for instance, a DG is inoperable, and that DG is subsequently returned OPERABLE, the LC0 may already have been not met for up to 7 days. This situation could lead to a total of 14 days, since initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional 7 days (for a total of 21 days) allowed prior to complete restoration of the LCO. The 14 day Completion Time provides a limit on the time allowed in a specified condition after ,

discovery of failure to meet the LC0. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 7 day and 14 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

Similar to Required Action A.2, the second Completion Time of Required Action A.3 allows for an exception to the normal

" time zero" for beginning the allowed outage time " clock."

This exception results in establishing the " time zero" at the time the LC0 was initially not met, instead of at the !

time that Condition A was entered. >

l B.1 i To ensure a highly reliable power source remains with one DG 4 inoperable, it is necessary to verify the availability of '

the offsite circuits on a more frequent basis. Since the Required Action only specifies " perform," a failure of i

(continued) j

(

Cooper B 3.8-8 Revision 1l

r AC Sources-Operating

. s B 3.8.1 dASES ACTIONS 8.1 (continued) l SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions must then be entered.

B.2 Required Action B.2 is intended to provide assurance that a loss of offsite power, during the period that a DG is inoperable, does not result in a complete loss of safety function of critical systems. These features are designed to be powered from redundant safety related 4.16 kV critical buses. Redundant required features failures consist of inoperable features associated with a critical bus redundant to the critical bus that has an inoperable DG.

The Completion Time is intended to allow the operator time ...

to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal

" time zero" for beginning the allowed outage time " clock."

In this Required Action the Completion Time only begins on discovery that both:

a. An inoperable DG exists; and

b. A redundant required feature on the other division is inoperable.

If, at any time during the existence of this Condition (one DG inoperable), a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked.

Discovering one DG inoperable coincident with one or more ;

inoperable required support or supported features, or both, !

that are associated with the OPERABLE DG results in starting the Completion Time for the Required Action. Four hours ACTIONS B.2 (continued)

(continued)

Cooper B 3.8-9 Revision 1l

E l AC Sources-Operating B 3.8.1 SASES from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for I

restoration before subjecting the station to transients associated with shutdown.

The remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class lE j Distribution System. Thus, on a component basis, single c failure protection for the required feature's function may I have been lost; however, function has not been lost. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable )

required feature. Additionally, the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time i takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period.

B.3.1 and B.3.2 Required Action B.3.1 provides an allowance to avoid .

unnecessary testing of OPERABLE DGs. If it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DG, SR 3.8.1.2 does not have to be performed. If the cause of inoperability exists on other DG(s), they are declared inoperable upon discovery, and Condition E of LC0 3.8.1 is entered. Once the failure is repaired, and the common cause failure no longer exists, Required Action B.3.1 is satisfied. If the cause of the initial inoperable DG cannot be confirmed not to exist on I the reniaining DG, performance of SR 3.8.1.2 suffices to l

provide assurance of continued OPERABILITY of the remaining DG.

In the event the inoperable DG is restored to OPERABLE !

status prior to completing either B.3.1 or B.3.2, the plant corrective action program will continue to evaluate the common cause possibility. This continued evaluation, however, is no longer under the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months constraint imposed while in Condition B.

According to Generic Letter 84-15 (Ref. 7), 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is a i reasonable time to confirm that the OPERABLE DG is not affected by the same problem as the inoperable DG.

t (continued) l Cooper B 3.8-10 Revision 1l :

l

i AC Sources-Operating B 3.8.1 BASES ACTIONS 8.4 (continued)

In Condition B,-the remaining OPERABLE DG and offsite circuits are adequate to supply electrical power to the onsite Class lE Distribution System. The 7 day Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period.

The second Completion Time for' Required Action B.4 )

establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an !

offsite circuit is inoperable and that circuit is subsequently restored OPERABLE, the LCO may already have i been not met for up to 7 days. This situation could lead to a total of 14 days, since initial failure of the LCO, to ,

restore the DG. At this time, an offsite circuit could I again become inoperable, the DG restored OPERABLE, and an ... j additional 7 days (for a total of 21 days) allowed prior to '

complete restoration of the LCO. The 14 day Completion Time provides a limit on the time allowed in a specified i condition after discovery of failure to meet the LCO. This l limit is considered reasonable for situations in which Conditions A and B are entered concurrently.

The "AND" connector between the 7 day and 14 day Completion Times ;

means that both Completion Times apply simultaneously, and the more restrictive must be met.

Similar to Required Action B.2, the second Completion Time 4 of Required Action B.4 allows for an exception to the normal i

" time zero" for beginning the allowed outage time " clock." i This exception results in establishing the " time zero" at the time that the LC0 was initially not met, instead of the time that Condition B was entered.

(continued)

Cooper B 3.8-11 Revision 1l

l AC Sources-Operating

. , B 3.8.1 J l

l I

BASES ACTIONS- C.1 and C.2

-(continued)

Required Action C.1 addresses actions to be taken in the event of inoperability of redundant required features concurrent with inoperability of two offsite circuits.

Required Action C.1 reduces the vulnerability to a loss of

. function. The Completion Time for taking these actions is reduced to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months from that allowed with one division without offsite power (Required Action A.2). The rationale i for the reduction to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is that Regulatory Guide 1.93 l (Ref. 8) allows a Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for two required offsite circuits inoperable, based upon the 3 assumption that two compli safety divisions are OPERABLE. l When a concurrent redundar : required feature failure exists, '

this assumption is not the case, and a shorter Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is appropriate. These features are designed with redundant safety related divisions, (i.e., J single division systems are not included in the list).

Redundant required features failures consist of any of these j features that are inoperable because any inoperability is on -

a division redundant to a division with inoperable offsite .

circuits.

The Completion Time for Required Action C.1 is intended to allow the operator time to evaluate and repair any l discovered inoperabilities. This Completion Time also l

. allows for an exception to the normal " time zero" for j

.beginning the allowed outage time " clock." In this Required

~

Action, the Completion Time only begins on discovery that

-both:

a. Both offsite circuits-are inoperable; and

b. A redundant required feature is inoperable.

If, at any time during the existence of this Condition (both offsite circuits inoperable), a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked.

According to the recommendations in Regulatory Guide 1.93 (Ref. 8), operation may continue in Condition C for a period that should not exceed 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . This level of degradation means that the offsite electrical power system may not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have (continued)

Cooper B 3.8-12 Revision 1l

n.

AC Sources-Operating B 3.8.1 BASES ACTIONS C.1 and C.2 (continued) not been degraded. This level of degradation generally corresponds to a total loss of the immediately accessible offsite power sources.

Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that_ involve one or more DGs inoperable. However, two factors tend to decrease the severity of this degradation level:

a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure; and

b. The time required to detect and restore an unavailable I offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source. ...

With both of the offsite circuits inoperable, sufficient onsite AC sources are available to maintain the unit in a safe shutdown condition in the event of a DBA or transient.

In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case single failure were postulated as a part of the design basis in the safety analysis. Thus, the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time in Required Action C.2 provides a period of time to effect restoration of one of the offsite circuits commensurate with the importance of maintaining tn AC 1 electrical power-system capable of meeting its design criteria.

According to the recommendations in Regulatory Guide 1.93 (Ref. 8), with the available offsite AC sources two less i than required by the LCO, operation may continue for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . If both offsite sources are restored within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , unrestricted operation may continue. If only one offsite source is restored within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , power operation continues in accordance with Condition A.

(continued)

Cooper B 3.8-13 Revision 1l

AC Sources-Operating B 3.8.1 BASES ACTIONS D,1 and 0.2 (continued)

Pursuant to LC0 3.0.6, the Distribution Systems - Operating ACTIONS would not be entered even if all AC sources to it were inoperable, resulting in de-energization. Therefore, the Required Actions of Condition D are modified by a Note to indicate that when Condition D is entered with no AC source to any 4.16 kV critical bus, ACTIONS for LC0 3.8.7,

" Distribution Systems-Operating," must be immediately ,

entered. This allows Condition D to provide requirements ;

for the loss of the offsite circuit and one DG without regard to whether a division is de-ene gized. LC0 3.8.7 provides the appropriate restrictions 'or a de-energized 4.16 kV critical bus.

In Condition D, individual redundancy is lost in both the offsite electrical power system and the onsite AC electrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of ,

the power systems in this Condition may appear higher than that in Condition C (loss of both offsite circuits). This ..

difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the 1 capacity and capability of the remaining AC sources, I reasonable time for repairs, and the low probability of a l DBA occurring during this period.

~

E.1 With two DGs inoperable, there is no remaining standby AC source. Thus, with an assumed loss of offsite electrical power, insufficient standby AC sources are available to power the minimum required ESF functions. Since the offsite electrical power system is the only source of AC power for the majority of ESF equipment at this level of degradation, the risk associated with continued operation for a very short time could be less than that associated with an immediate controlled shutdown. (The immediate shutdown could cause grid instability, which could result in a total loss of AC power.) Since any inadvertent unit generator trip could also resun in a total loss of offsite AC power, (continued)

Cooper B 3.8-14 Revision 1l

E l

AC Sources -Operating

.' s B 3.8.1 BASES i 1

ACTIONS E.1 (continued) )

however, the time allowed for continued operation is J l severely restricted. The intent here is to avoid the risk associated with an immediate controlled shutdown and to

! minimize the risk associated with this level of degradation.

! I

According to the recommendations in Regulatory Guide 1.93 l (Ref. 8), with both DGs inoperable, operation may continue i for a period that should not exceed 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

l i

F.1 and F.2 l If the inoperable AC electrical power sources cannot be restored to OPERABLE status within the associated Completion Time, the unit must be brought to a MODE in which the LC0 l does not apply. To achieve this status, the unit must be i brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the .

required plant conditions from full power conditions in an l orderly manner and without challenging plant systems.

l l

[ G.1 Condition G corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The station is required by LC0 3.0.3 to commence a controlled shutdown.

SURVEILLANCE The AC sources are designed to permit inspection and REQUIREMENTS testing of all important areas and features, especially those that have a standby function, in accordance with USAR, Appendix F (Ref. 1). Periodic component tests are supplemented by extensive functional tests during refueling outages (under simulated accident conditions). The SRs for l demonstrating the OPERABILITY of the DGs are in general l

conformance with the recommendations of Regulatory Guide 1.9 (Ref. 9), Regulatory Guide 1.108 (Ref. 10), and Regulatory Guide 1.137 (Ref. 11).

(continued)

Cooper B 3.8-15 Revision 1l l

l 1

l i

Ar Turces - Operating

, s B 3.8.1 BASES (continued) l SURVEILLANCE The minimum steady state output voltage of 3950 V is )

. REQUIREMENTS approximately 95% of the nominal 4160 V output voltage. 1 (continued) This value, which is consistent with ANSI C84.1 (Ref.12),

allows for voltage drop to the terminals of 4000 V motors whose minimum operating voltage is specified as 90% or 3600 V. It also allows for voltage drops to motors and ,

l other equipment down through the 120 V level where minimum l operating voltage is also usually specified as 90% of name j

plate rating. The specified maximum steady state output i voltage of 4400 V is equal to the maximum operating voltage l specified for 4000 V motors. It ensures that for a lightly loaded distribution system, the voltage at the terminals of 4000 V motors is no more than the maximum rated operating voltages. The specified minimum and maximum frequencies of the DG are 58.8 Hz and 61.2 Hz, respectively. These values are equal to i 2% of the 60 Hz nominal frequency and are derived from the recommendations found in Safety Guide 9 (Ref. 3).

SR 3.8.1.1 ,_

This SR ensures proper circuit continuity for the offsite AC i

electrical power supply to the onsite distribution network and availability of offsite AC electrical power. The breaker alignment verifies that each breaker is in its correct position to ensure that distribution buses and loads are connected to their preferred power source and that appropriate independence of offsite circuits is maintained.

This can be accomplished by verifying that a critical bus is energized and that the status of offsite supply breakers displayed in the control room is correct. The 7 day Frequency is adequate since breaker position is not likely to change without the operator being aware of it and because its status is displayed in the control room.

(continued) l Cooper B 3.8-16 Revision 1l l

I )

\'

Diesel Fuel Oil, Lube Oil, and Starting Air

,' B 3.8.3 BASES (continued)

SURVEILLANCE Sf 3.8.3.1 ;

REQUIREMENTS I L This SR provides verification that there is an adequate l inventory of fuel oil in the storage tanks to support a single DG's operation for 7 days at maximum post-LOCA load demand. The 7 day period is sufficient time to place the unit in a safe shutdown condition and to bring in !

I replenishment fuel from an offsite location.

l The 31 day Frequency is adequate to ensure that a sufficient l supply of fuel oil is available, since low level alarms are l provided and unit operators would be aware of any large uses l l of fuel oil during this period.

SR 3.8.3.2 This Surveillance ensures that sufficient lubricating oil inventory (combined inventory in the DG lube oil sump and in i the warehouse) is available to support at least 7 days of operation for one DG at maximum post-LOCA load demand. The l ."

504 gal requirement is based on a 3 gallon per hour l consumption value for the run time of the DG. Implicit in i this SR is the requirement to verify that adequate DG lube oil is stored onsite to ensure that sump level does not drop i below the manufacturer's recommended minimum level.

4 A 31 day Frequency is adequate to ensure that a sufficient lube oil supply is onsite, since DG starts and run time are c.Wsely monitored by the plant staff.

SR 3.8.3.3 The tests of new fuel oil prior to addition to the storage tanks are a means of determining whether new fuel oil is of i the appropriate grade and has not been contaminated with l substances that would have an immediate detrimental impact on diesel engine combustion. If results from these tests are within acceptable limits, the fuel oil may be added to the storage tanks without concern for contaminating the entire volume of fuel oil in the storage tanks. These tests are to be conducted prior to adding the new fuel to the storage tank (s), but in no case is the time betoen the (continued)

Cooper B 3.8-37 Revision 1 L

r T Diesel Fuel Oil, Lube Oil, and Starting Air

, 8 3.8.3 BASES SURVEILLANCE SR 3.8.3.4 (continued) j REQUIREMENTS pressure specified in this SR is intended to reflect the lowest value at which the requirements of Reference 7 can be i satisfied. {

l The 31 day frequency takes into account the capacity, !

capability, redundancy, and diversity of the AC sources and other indications available in the control room, including alarms, to alert the operator to below normal air start pressure.

SR 3.8.3.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel storage tanks once every 31 days eliminates the necessary environment for bacterial survival. This is the ."

most effective means of controlling microbiological fouling.

In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come-from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and from breakdown of the fuel oil by bacteria. Frequen+ checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequencies are consistent i with Regulatory Guide 1.137 (Ref. 2), as supplemented by j ANSI N195 (Ref. 3). This SR is for preventive maintenance. (

The presence of water does not necessarily represent failure of this SR, provided the accumulated water is removed to the j extent possible during performance of the Surveillance.

REFERENCES 1. USAR, Section Vill-5.2.

2. Regulatory Guide 1.137, Revision 1, October 1979. i

3. ANSI N195, Appendix B, 1976.

4. USAR, Chapter VI.

(continued)

Cooper B 3.8-40 Revision 1

Multiple Control Rod Withdrawal- Refueling B 3.10.6 8 3.10 SPECIAL OPERATIONS

, B 3.10.6 Multiple Control Rod Withdrawal-Refueling BASES BACKGROUND The purpose of this MODE 5 Special Operations LCO is to permit multiple control rod withdrawal during refueling by imposing certain administrative controls.

Refueling interlocks restrict the movement of control rods and the '

operation of the refueling equipment to reinforce opera'ional procedures that prevent the reactor from becoming critical during refueling

/ operations. During refueling operations, no more than one control rod is permitted to be withdrawn from a core cell containing one or more fuel assemblies. When all four fuel assemblies are removed from a cell, the control rod may be withdrawn with no restrictions. Any number c control rods may be withdrawn and removed from the reactor vessel if their cells contain no fuel.

The refueling interlocks use the " full-in" position indicators to determine t

~ he position of all control rods. If the " full-in" position signal is not present for every control rod, then the all rods in permissive for the refueling equipment interlocks is not present and fuel loading is prevented. Also, the refuel position one-rod-out interlock will not allow the withdrawal of a second control rod.

I To allow more than one control rod to be withdrawn during refueling, these interlocks must be defeated. This Special Operations LCO establishes the necessary administrative controls to allow bypassing the

" full-In" position indicators. !

APPLICABLE Explicit safety analyses in the USAR (Refs.1 and 3) l SAFETY ANALYSES demonstrate that the functioning of the refueling interlocks and adequate SDM will prevent unacceptable recctivity excursions during refueling. To allow multiple control rod withdrawals, control rod removals, associated control rod drive (CRD) removal, or any combination of these, the " full-in"

' position indication is allowed to be bypassed for (continued)

Cooper B 3.10-26 June 10,1999 l

m Multipl3 Control Rod Withdrawal- Refueling B 3.10.6 BASES APPLICABLE each withdrawn control rod if all fuel has been removed from SAFETY ANALYSES the cell. With no fuel assemblies in the core cell, the (continued) associated control rod has no reactivity control function and is not required to remain inserted. Prior to reloading fuel into the cell, however, the associated control rod must be inserted to ensure that an inadvertent criticality does not occur, as evaluated in the Reference 3 analysis. l l

As described in LCO 3.0.7, compliance with Special Operations LCOs is ;

optional, and therefore, no criteria of 10 CFR 50.36 (c)(2)(ii) (Ref. 4) l apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 5 with either LCO 3.9.3, " Control Rod Position," LCO 3.9.4, " Control Rod Position Indication," or LCO 3.9.5, l

" Control Rod OPERABILITY - Refueling," not met, can be performed in i accordance with the Required Actions of these LCOs without meeting this l Special Operations LCO or its ACTIONS. If multiple control rod l withdrawal or removal, or CRD removal is desired, all four fuel ;

assemblies are required to be removed from the associated cells. Prior I to entering this LCO, any fuel remaining in a cell whose CRD was '

previously removed under the provisions of another LCO must be removed. " Withdrawal"in this application includes the actual withdrawal of the control rod as well as maintaining the control rod in a position other than the full-in position, and reinserting the control rod.

When fuel is loaded into the core with multiple control rods withdrawn, special spiral reload sequences are used to ensure that reactivity additions are minimized. Additionally, the spiral reload is associated with fuel, at least 50% of which has previously accumulated a minimum exposure of 1000 MWD /T. Spiral reloading encompasses reloading a cell (four fuel locations immediately adjacent to a control rod) on the edge of a continuous fueled region (the cell can be loaded in any sequence).

Prior to loading fuel in a core cell using the spiral reload, the control (continued)

Cooper B 3.10-27 June 10,1999 l

Multiple Control Rod Withdrawal- Refueling B 3.10.6 BASES SURVEILLANCE SR 3.10.6.1. SR 3.10.6.2. and SR 3.10.6.3 (continued) ;

REQUIREMENTS Frequency is acceptable, given the administrative controls on fuel assembly and control rod removal, and takes into account other ('

indications of control rod status available in the control room.

REFERENCES 1. USAR, Section Vil-6.4.

l

2. Deleted l l l

3. USAR, Section XIV-5.3.3.

4. 10 CFR 50.36(c)(2)(ii).

I 1

Cooper B 3.10-29 June 10,1999 l

_

ML20196B474

Text

Navigation menu

Search