ML20197A420

Part 04 - Generic Technical Specifications - NuScale Nuclear Power Plants (Rev. 4.1) - Part 04 - Generic Technical Specifications - NuScale Nuclear Power Plants - Volume 2 - Bases - Chapters 02 - 03 (Rev. 4.1)
ML20197A420
Person / Time
Site: NuScale
Issue date: 06/19/2020
From: Bergman T
NuScale
To:
Office of Nuclear Reactor Regulation
Cranston G
References
NUSCALESMRDC, NUSCALESMRDC.SUBMISSION.12, NUSCALEPART04.NP, NUSCALEPART04.NP.5


Text

DCA Part 4 Volume 2 Revision 4.1 Generic Technical Specifications NuScale Nuclear Power Plants Volume 2: Bases

TABLE OF CONTENTS

Section and title ... Revision

B 2.0 SAFETY LIMITS (SLs)
B 2.1.1 Reactor Core Safety Limits (SLs) ... 4.1
B 2.1.2 Reactor Coolant System (RCS) Pressure SL ... 4.1

B 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY ... 4.1
B 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY ... 4.1

B 3.1 REACTIVITY CONTROL SYSTEMS
B 3.1.1 SHUTDOWN MARGIN (SDM) ... 4.1
B 3.1.2 Core Reactivity ... 4.1
B 3.1.3 Moderator Temperature Coefficient (MTC) ... 4.1
B 3.1.4 Rod Group Alignment Limits ... 4.1
B 3.1.5 Shutdown Bank Insertion Limits ... 4.1
B 3.1.6 Regulating Bank Insertion Limits ... 4.1
B 3.1.7 Rod Position Indication ... 4.1
B 3.1.8 PHYSICS TEST Exceptions ... 4.1
B 3.1.9 Boron Dilution Control ... 4.1

B 3.2 POWER DISTRIBUTION LIMITS
B 3.2.1 Enthalpy Rise Hot Channel Factor ... 4.1
B 3.2.2 AXIAL OFFSET (AO) ... 4.1

B 3.3 INSTRUMENTATION
B 3.3.1 MPS Instrumentation ... 4.1
B 3.3.2 Reactor Trip System (RTS) Logic and Actuation ... 4.1
B 3.3.3 Engineered Safety Features Actuation System (ESFAS) Logic and Actuation ... 4.1
B 3.3.4 Manual Actuation Functions ... 4.1
B 3.3.5 Remote Shutdown Station (RSS) ... 4.1

B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.1 RCS Pressure, Temperature, and Flow Resistance Critical Heat Flux (CHF) Limits ... 4.1
B 3.4.2 RCS Minimum Temperature for Criticality ... 4.1
B 3.4.3 RCS Pressure and Temperature (P/T) Limits ... 4.1
B 3.4.4 Reactor Safety Valves (RSVs) ... 4.1
B 3.4.5 RCS Operational LEAKAGE ... 4.1
B 3.4.6 Chemical and Volume Control System (CVCS) Isolation Valves ... 4.1
B 3.4.7 RCS Leakage Detection Instrumentation ... 4.1
B 3.4.8 RCS Specific Activity ... 4.1
B 3.4.9 Steam Generator (SG) Tube Integrity ... 4.1
B 3.4.10 Low Temperature Overpressure Protection (LTOP) Valves ... 4.1

B 3.5 PASSIVE CORE COOLING SYSTEMS (PCCS)
B 3.5.1 Emergency Core Cooling System (ECCS) - Operating ... 4.1
B 3.5.2 Decay Heat Removal System (DHRS) ... 4.1
B 3.5.3 Ultimate Heat Sink ... 4.1

B 3.6 CONTAINMENT SYSTEMS
B 3.6.1 Containment ... 4.1
B 3.6.2 Containment Isolation Valves ... 4.1

B 3.7 PLANT SYSTEMS
B 3.7.1 Main Steam Isolation Valves (MSIVs) ... 4.1
B 3.7.2 Feedwater Isolation ... 4.1
B 3.7.3 In-Containment Secondary Piping Leakage ... 4.1

B 3.8 REFUELING OPERATIONS
B 3.8.1 Nuclear Instrumentation ... 4.1
B 3.8.2 Decay Time ... 4.1

NuScale [US600] i Revision 4.1

Reactor Core SLs B 2.1.1 B 2.0 SAFETY LIMITS (SLs)

B 2.1.1 Reactor Core Safety Limits (SLs)

BASES BACKGROUND GDC 10 (Ref. 1) requires that specified acceptable fuel design limits are not to be exceeded during steady state operation, normal operational transients, and anticipated operational occurrences (AOOs). This is accomplished by having critical heat flux (CHF) design bases, which correspond to a 95% probability at a 95% confidence level (the 95/95 CHF criterion) that CHF will not occur during the evaluated conditions, and by requiring that the fuel centerline temperature stays below the melting temperature.

The restriction of this SL prevents overheating of the fuel and cladding, as well as possible cladding perforation that would result in the release of fission products to the reactor coolant. Overheating of the fuel is prevented by maintaining the steady state peak linear heat rate (LHR) below the level at which fuel centerline melting occurs. Overheating of the fuel cladding is prevented by restricting fuel operation to within the nucleate boiling regime, where the heat transfer coefficient is large and the cladding surface temperature is slightly above the coolant saturation temperature.

Multiple MCHFR limits are provided and identified by reference to the CHF correlation that the limit is based upon. The multiple correlations are used to accurately reflect the wide range of conditions that are postulated to exist during steady state operation, normal operational transients, anticipated operational occurrences, and postulated accidents.

The applicable limit that is used to evaluate conditions is described in the individual safety analyses. The NSP2 and NSP4 correlation limits are used for comparison to conditions representative of normal operating conditions, operational transients, operational occurrences, and accidents other than events that are initiated by rapid reductions in primary system inventory. The Extended Hench-Levy correlation is used to evaluate postulated conditions that analyses indicate would occur during events that postulate a rapid reduction in primary system inventory.

Fuel centerline melting occurs when the local LHR or power peaking in a region of the fuel is high enough to cause the fuel centerline temperature to reach the melting point of the fuel. Expansion of the pellet upon centerline melting may cause the pellet to stress the cladding to the point of failure, allowing an uncontrolled release of activity to the reactor coolant.


Operation above the boundary of the nucleate boiling regime could result in excessive cladding temperature because of the onset of departure from nucleate boiling and the resultant sharp reduction in heat transfer coefficient. Inside the steam film, high cladding temperatures are reached, and a cladding water (Zirconium water) reaction may take place.

This chemical reaction results in oxidation of the fuel cladding to a structurally weaker form. This weaker form may lose its integrity, resulting in an uncontrolled release of activity to the reactor coolant.

The proper functioning of the Module Protection System (MPS) and decay heat removal system prevents violation of the reactor core SLs.

APPLICABLE SAFETY ANALYSES The fuel cladding must not sustain damage as a result of normal operation and AOOs. The reactor core SLs are established to preclude violation of the following fuel design criteria:

a. There must be at least 95% probability at a 95% confidence level (the 95/95 CHF criterion) that the hot fuel rod in the core does not experience CHF; and
b. The hot fuel pellet in the core must not experience centerline fuel melting.

The Module Protection System (MPS) setpoints (Ref. 2), in combination with all the LCOs, are designed to prevent any anticipated combination of transient conditions for Reactor Coolant System (RCS) temperature, pressure, and THERMAL POWER level that would result in a critical heat flux ratio (CHFR) of less than the CHFR limit and preclude the existence of flow instabilities.

Automatic enforcement of these reactor core SLs is provided by the appropriate operation of the MPS and the decay heat removal system.

The SLs represent a design requirement for establishing the MPS Trip System setpoints (Ref. 2). LCO 3.4.1, RCS Pressure, Temperature, and Flow Resistance Critical Heat Flux (CHF) Limits, or the assumed initial conditions of the safety analyses (as indicated in FSAR Chapter 15, Ref. 3) provide more restrictive limits to ensure that the SLs are not exceeded.

SAFETY LIMITS The reactor core SLs are established to preclude violation of the following fuel design criteria:

a. There must be at least a 95% probability at a 95% confidence level (the 95/95 CHF criterion) that the hot fuel rod in the core does not experience CHF; and
b. There must be at least a 95% probability at a 95% confidence level that the hot fuel pellet in the core does not experience centerline fuel melting.

The reactor core SLs are used to define the various MPS functions such that the above criteria are satisfied during steady state operation, normal operational transients, and anticipated operational occurrences (AOOs).

To ensure that the MPS precludes violation of the above criteria, additional criteria are applied to the low pressurizer pressure reactor trip functions. That is, it must be demonstrated that the core exit quality is within the limits defined by the CHF correlation and that the low pressurizer pressure reactor trip protection functions continue to provide protection if core exit streams approach saturation temperature.

Appropriate functioning of the MPS ensures that for variations in THERMAL POWER, RCS Pressure, and RCS temperature the reactor core SLs will be satisfied during steady state operation, normal operational transients, and AOOs.

APPLICABILITY SL 2.1.1 only applies in MODE 1 because this is the only MODE in which the reactor is critical. Automatic protection functions are required to be OPERABLE during MODE 1 to ensure operation within the reactor core SLs. The decay heat removal system and automatic protection actions serve to prevent RCS heatup to the reactor core SL conditions or to initiate a reactor trip function which forces the unit into MODE 2. Setpoints for the reactor trip functions are described in LCO 3.3.1, Module Protection System (MPS) Instrumentation and specified in the [owner-controlled requirements manual]. In MODES 2, 3, 4, and 5, applicability is not required since the reactor is not generating significant THERMAL POWER.

SAFETY LIMIT VIOLATIONS The following SL violation responses are applicable to the reactor core SLs. If SL 2.1.1 is violated, the requirement to go to MODE 2 places the unit in a MODE in which this SL is not applicable.

The allowed Completion Time of 1 hour recognizes the importance of bringing the unit to a MODE of operation where this SL is not applicable, and reduces the probability of fuel damage.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 10.

2. FSAR, Chapter 7.
3. FSAR, Chapter 15.


RCS Pressure SL B 2.1.2 B 2.0 SAFETY LIMITS (SLs)

B 2.1.2 Reactor Coolant System (RCS) Pressure SL BASES BACKGROUND The SL on RCS pressure protects the integrity of the RCS against overpressurization. In the event of fuel cladding failure, fission products are released into the reactor coolant. The RCS then serves as the primary barrier in preventing the release of fission products into the atmosphere. By establishing an upper limit on RCS pressure, the continued integrity of the RCS is ensured. According to 10 CFR 50, Appendix A, GDC 14, Reactor Coolant Pressure Boundary, and GDC 15, Reactor Coolant System Design (Ref. 1), the reactor coolant pressure boundary (RCPB) design conditions are not to be exceeded during normal operation and anticipated operational occurrences (AOOs).

Also, in accordance with GDC 28, Reactivity Limits (Ref. 1), reactivity accidents, including rod ejection, do not result in damage to the RCPB greater than limited local yielding.

The design pressure of the RCS is 2100 psia. During normal operation and AOOs, RCS pressure is limited from exceeding the design pressure by more than 10%, in accordance with Section III of the American Society of Mechanical Engineers (ASME) Code (Ref. 2). To ensure system integrity, all RCS components are hydrostatically tested at 125% of design pressure, according to the ASME Code requirements prior to initial operation when there is no fuel in the core. Following inception of unit operation, RCS components shall be pressure tested, in accordance with the requirements of ASME Code, Section XI (Ref. 3).

Overpressurization of the RCS could result in a breach of the RCPB. If such a breach occurs in conjunction with a fuel cladding failure, fission products could enter the containment atmosphere, raising concerns relative to limits on radioactive releases.

APPLICABLE SAFETY ANALYSES The reactor safety valves (RSVs), and the reactor high pressurizer pressure trip have settings established to ensure that the RCS pressure SL will not be exceeded.

The RCS pressure SL has been selected such that it is at a pressure below which it can be shown that the integrity of the system is not endangered. The reactor pressure vessel is designed to Section III of the ASME, Boiler and Pressure Vessel Code, [2013 Edition], which permits a maximum pressure transient of 110%, 2310 psia, of design pressure 2100 psia. The SL of 2285 psia, as measured in the pressurizer, is equivalent to 2310 psia at the lowest elevation of the RCS.


The RSVs are sized to prevent system pressure from exceeding the design pressure by more than 10%, as specified in Section III of the ASME Code for Nuclear Power Plant Components (Ref. 2). The transient that establishes the required relief capacity, and hence valve size requirements and lift settings, is a turbine trip at full power without bypass capability. During the transient, no control actions are assumed except that the Decay Heat Removal System valves on the secondary plant are assumed to open when the pressurizer pressure reaches the Decay Heat Removal System actuation setpoint.

The Module Protection System (MPS) setpoints provide pressure protection for normal operation and AOOs. The MPS high pressurizer pressure trip setpoint is set to provide protection against overpressurization (Ref. 4). The safety analyses for both the high pressurizer pressure trip and the RSVs are performed using conservative assumptions relative to pressure control devices.

More specifically, no credit is taken for operation of the following:

a. Turbine Bypass System;
b. Reactor Control System;
c. Pressurizer Level Control System; or
d. Pressurizer spray.

SAFETY LIMITS The maximum transient pressure allowed in the RCS pressure vessel, piping, valves, and fittings under the ASME Code, Section III, is 110% of design pressure; therefore, the maximum allowable pressurizer pressure is 2285 psia.

APPLICABILITY SL 2.1.2 applies in MODES 1, 2, and 3 because this SL could be approached or exceeded in these MODES due to overpressurization events. The SL is not applicable in MODES 4 and 5 since the reactor vessel is vented to the containment until the upper reactor vessel assembly is removed, following which, the reactor vessel is vented directly to the ultimate heat sink; thus, making it unlikely that the RCS can be pressurized.

SAFETY LIMIT VIOLATIONS If the RCS pressure SL is violated when the reactor is in MODE 1, the requirement is to restore compliance and be in MODE 2 within 1 hour.

Exceeding the RCS pressure SL may cause immediate RCS failure and create a potential for abnormal radioactive releases (Ref. 5).

The allowable Completion Time of 1 hour recognizes the importance of reducing power level to a MODE of operation where the potential for challenges to safety systems is minimized.

If the RCS pressure SL is exceeded in MODE 2 or 3, RCS pressure must be restored to within the SL value within 5 minutes. Exceeding the RCS pressure SL in MODE 2 or 3 may be more severe than exceeding this SL in MODE 1 since the reactor vessel temperature is lower and the vessel material, consequently, less ductile. As such, pressurizer pressure must be reduced to less than the SL within 5 minutes. The action does not require reducing MODES, since this would require reducing temperature, which would compound the problem by adding thermal gradient stresses to the existing pressure stress.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 14, GDC 15, and GDC 28.

2. ASME, Boiler and Pressure Vessel Code, Section III, Article NB-7000, [2013 edition]
3. ASME, Boiler and Pressure Vessel Code, Section XI, Article IWA-5000, [2013 edition]
4. FSAR, Chapter 7.
5. 10 CFR 50.34.


LCO Applicability B 3.0 B 3.0 LIMITING CONDITIONS FOR OPERATION (LCO) APPLICABILITY BASES LCOs LCO 3.0.1 through LCO [3.0.7 or 3.0.8] establish the general requirements applicable to all Specifications and apply at all times, unless otherwise stated.

LCO 3.0.1 LCO 3.0.1 establishes the Applicability statement within each individual Specification as the requirements for when the LCO is required to be met (i.e. when the unit is in the MODES or other specified conditions of the Applicability statement of each Specification).

LCO 3.0.2 LCO 3.0.2 establishes that upon discovery of a failure to meet an LCO, the associated ACTIONS shall be met. The Completion Time of each Required Action for an ACTIONS Condition is applicable from the point in time that the ACTIONS Condition is entered, unless otherwise specified. The Required Actions establish those remedial measures that must be taken within specified Completion Times when the requirements of an LCO are not met. This Specification establishes that:

a. Completion of the Required Actions within the specified Completion Times constitutes compliance with a Specification; and
b. Completion of the Required Actions is not required when an LCO is met within the specified Completion Time, unless otherwise specified.

There are two basic types of Required Actions. The first type of Required Action specifies a time limit in which the LCO must be met.

This time limit is the Completion Time to restore an inoperable system or component to OPERABLE status or to restore variables to within specified limits. If this type of Required Action is not completed within the specified Completion Time, a shutdown may be required to place the unit in a MODE or condition in which the Specification is not applicable. (Whether stated as a Required Action or not, correction of the entered Condition is an action that may always be considered upon entering ACTIONS). The second type of Required Action specifies the remedial measures that permit continued operation of the unit that is not further restricted by the Completion Time. In this case, compliance with the Required Actions provides an acceptable level of safety for continued operation.


Completing the Required Actions is not required when an LCO is met, or is no longer applicable, unless otherwise stated in the individual Specifications.

The nature of some Required Actions of some Conditions necessitates that, once the Condition is entered, the Required Actions must be completed even though the associated Conditions no longer exist. The individual LCO's ACTIONS specify the Required Actions where this is the case. An example of this is in LCO 3.4.3, RCS Pressure and Temperature (P/T) Limits.

The Completion Times of the Required Actions are also applicable when a system or component is removed from service intentionally. The ACTIONS for not meeting a single LCO adequately manage any increase in plant risk, provided any unusual external conditions (e.g., severe weather, offsite power instability) are considered. In addition, the increased risk associated with simultaneous removal of multiple structures, systems, trains or components from service is assessed and managed in accordance with 10 CFR 50.65(a)(4).

When a change in MODE or other specified condition is required to comply with Required Actions, the unit may enter a MODE or other specified condition in which another Specification becomes applicable.

In this case, the Completion Times of the associated Required Actions would apply from the point in time that the new Specification becomes applicable, and the ACTIONS Condition(s) are entered.

LCO 3.0.3 LCO 3.0.3 establishes the actions that must be implemented when an LCO is not met; and:

a. An associated Required Action and Completion Time is not met and no other Condition applies; or
b. The condition of the unit is not specifically addressed by the associated ACTIONS. This means that no combination of Conditions stated in the ACTIONS can be made that exactly corresponds to the actual condition of the unit. Sometimes, possible combinations of Conditions are such that entering LCO 3.0.3 is warranted; in such cases, the ACTIONS specifically state a Condition corresponding to such combinations and also that LCO 3.0.3 be entered immediately.


This Specification delineates the time limits for placing the unit in a safe MODE or other specified condition when operation cannot be maintained within the limits for safe operation as defined by the LCO and its ACTIONS. Planned entry into LCO 3.0.3 should be avoided. If it is not practicable to avoid planned entry into LCO 3.0.3, plant risk should be assessed and managed in accordance with 10 CFR 50.65(a)(4), and the planned entry into LCO 3.0.3 should have less effect on plant safety than other practicable alternatives.

Upon entering into LCO 3.0.3, 1 hour is allowed to prepare for an orderly shutdown before initiating a change in unit operation. This includes time to permit the operator to coordinate the reduction in electrical generation with the load dispatcher to ensure the stability and availability of the electrical grid. The time limits specified to enter lower MODES of operation permit the shutdown to proceed in a controlled and orderly manner that is well within the specified maximum cooldown rate and within the capabilities of the unit, assuming that only the minimum required equipment is OPERABLE. This reduces thermal stresses on components of the Reactor Coolant System and the potential for a plant upset that could challenge safety systems under conditions to which this Specification applies. The use and interpretation of specified times to complete the actions of LCO 3.0.3 are consistent with the discussion of Section 1.3, Completion Times.

A unit shutdown required in accordance with LCO 3.0.3 may be terminated, and LCO 3.0.3 exited if any of the following occurs:

a. The LCO is now met,
b. The LCO is no longer applicable,
c. A Condition exists for which the Required Actions have now been performed, or
d. ACTIONS exist that do not have expired Completion Times. These Completion Times are applicable from the point in time that the Condition was initially entered and not from the time LCO 3.0.3 is exited.

The time limits of LCO 3.0.3 allow 37 hours for the unit to be in MODE 3 and PASSIVELY COOLED when a shutdown is required during MODE 1 operation. If the unit is in MODE 2 when a shutdown is required, the time limit for entering MODE 3 and PASSIVE COOLING applies. If MODE 2 is entered in less time than allowed, however, the total allowable time to enter MODE 3 and be PASSIVELY COOLED is not reduced. For example, if MODE 2 is entered in 2 hours, then the time allowed for entering MODE 3 and to establish PASSIVE COOLING is the next 35 hours, because the total time for entering MODE 3 and to be PASSIVELY COOLED is not reduced from the allowable limit of 37 hours. Therefore, if remedial measures are completed that would permit a return to MODE 1, a penalty is not incurred by having to enter a lower MODE of operation in less than the total time allowed.

The Completion Times are established considering the limited likelihood of a design basis event during the 37 hours allowed to enter MODE 3 and be PASSIVELY COOLED. They also provide adequate time to permit evaluation of conditions and restoration of OPERABILITY without challenging plant systems during a shutdown. Analysis shows that 37 hours from entry into 3.0.3 is a reasonable time to enter MODE 3 and be PASSIVELY COOLED using normal plant systems and procedures.

In MODES 1, 2, and MODE 3 when not PASSIVELY COOLED, LCO 3.0.3 provides actions for Conditions not covered in other Specifications. The requirements of LCO 3.0.3 do not apply in MODE 3 when PASSIVELY COOLED, and MODES 4 and 5 because the unit is already in the most restrictive condition required by LCO 3.0.3. The requirements of LCO 3.0.3 do not apply in other specified conditions of the Applicability (unless in MODE 1, 2, or MODE 3 when not PASSIVELY COOLED) because the ACTIONS of individual Specifications sufficiently define the remedial measures to be taken.

Exceptions to 3.0.3 are provided in instances where requiring a unit shutdown in accordance with LCO 3.0.3 would not provide appropriate remedial measures for the associated condition of the unit. An example of this is in LCO 3.5.3, Ultimate Heat Sink. This Specification has an Applicability of "At all times." Therefore, this LCO can be applicable during any or all MODES. If the LCO and the Required Actions of LCO 3.5.3 are not met while in MODE 1 or 2, there is no safety benefit to be gained by placing the unit in a shutdown condition where it is dependent on the ultimate heat sink to perform its safety function to remove decay heat. The Required Action of LCO 3.5.3 for a level not within its normal upper range limits includes a requirement to Suspend movement of irradiated fuel assemblies in the refueling area and to Suspend module movements, which are the appropriate Required Actions to complete in lieu of the actions of LCO 3.0.3 for those conditions. The Required Action of LCO 3.5.3 at a level, temperature, or boron concentration that could limit the ability to support decay heat removal or containment flooding after a shutdown includes a requirement to immediately restore the affected parameters, which is the appropriate Required Action to complete in lieu of the actions of LCO 3.0.3 for that condition that could challenge the functions supported by the ultimate heat sink that are inoperable. These exceptions are addressed in the individual Specifications.

LCO 3.0.4 LCO 3.0.4 establishes limitations on changes in MODES or other specified conditions in the Applicability when an LCO is not met. It allows placing the unit in a MODE or other specified condition stated in that Applicability (e.g., the Applicability desired to be entered) when unit conditions are such that the requirements of the LCO would not be met, in accordance with either LCO 3.0.4.a, LCO 3.0.4.b, or LCO 3.0.4.c.

LCO 3.0.4.a allows entry into a MODE or other specified condition in the Applicability with the LCO not met when the associated ACTIONS to be entered following entry into the MODE or other specified condition in the Applicability will permit continued operation within the MODE or other specified condition for an unlimited period of time. Compliance with ACTIONS that permit continued operation of the unit for an unlimited period of time in a MODE or other specified condition provides an acceptable level of safety for continued operation. This is without regard to the status of the unit before or after the MODE change.

Therefore, in such cases, entry into a MODE or other specified condition in the Applicability may be made and the Required Actions followed after entry into the Applicability.

For example, LCO 3.0.4.a may be used when the Required Action to be entered states that an inoperable instrument channel must be placed in the trip condition within the Completion Time. Transition into a MODE or other specified condition in the Applicability may be made in accordance with LCO 3.0.4 and the channel is subsequently placed in the tripped condition within the Completion Time, which begins when the Applicability is entered. If the instrument channel cannot be placed in the tripped condition and the subsequent default ACTION ("Required Action and associated Completion Time not met") allows the OPERABLE train to be placed in operation, use of LCO 3.0.4.a is acceptable because the subsequent ACTIONS to be entered following entry into the MODE include ACTIONS (place the OPERABLE train in operation) that permit safe unit operation for an unlimited period of time in the MODE or other specified condition to be entered.

LCO 3.0.4.b allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering the MODE or other specified condition in the Applicability, and establishment of risk management actions, if appropriate.

The risk assessment may use quantitative, qualitative, or blended approaches, and the risk assessment will be conducted using the plant program, procedures, and criteria in place to implement 10 CFR 50.65(a)(4), which requires that risk impacts of maintenance activities be assessed and managed. The risk assessment, for the purposes of LCO 3.0.4.b, must take into account all inoperable Technical Specification equipment regardless of whether the equipment is included in the normal 10 CFR 50.65(a)(4) risk assessment scope.

The risk assessments will be conducted using the procedures and guidance endorsed by Regulatory Guide 1.160, Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, Revision 3.

Regulatory Guide 1.160 endorses the guidance in Section 11 of NUMARC 93-01, Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants. These documents address general guidance for conduct of the risk assessment, quantitative and qualitative guidelines for establishing risk management actions, and example risk management actions. These include actions to plan and conduct other activities in a manner that controls overall risk, increased risk awareness by shift and management personnel, actions to reduce the duration of the condition, actions to minimize the magnitude of risk increases (establishment of backup success paths or compensatory measures), and determination that the proposed MODE or other specified condition change is acceptable. Consideration should also be given to the probability of completing restoration such that the requirements of the LCO would be met prior to the expiration of ACTIONS Completion Times that would require exiting the Applicability.

LCO 3.0.4.b may be used with single or multiple systems and components unavailable. NUMARC 93-01 provides guidance relative to consideration of simultaneous unavailability of multiple systems and components.

LCO 3.0.4.c allows entry into a MODE or other specified condition in the Applicability with the LCO not met based on a Note in the Specification which states LCO 3.0.4.c is applicable. These specific allowances permit entry into MODES or other specified conditions in the Applicability when the associated ACTIONS to be entered do not provide for continued operation for an unlimited period of time and a risk assessment has not been performed. This allowance may apply to all the ACTIONS or to a specific Required Action of a Specification. The risk assessments performed to justify the use of LCO 3.0.4.b usually only consider systems and components. For this reason, LCO 3.0.4.c is typically applied to Specifications which describe values and parameters (e.g., RCS Specific Activity) and may be applied to other Specifications based on NRC unit-specific approval.

The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.

The provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown. In this context, a unit shutdown is defined as a change in MODE or other specified condition in the Applicability associated with transitioning from MODE 1 to MODE 2, MODE 2 to MODE 3, and MODE 3 not PASSIVELY COOLED to MODE 3 PASSIVELY COOLED.

Upon entry into a MODE or other specified condition in the Applicability with the LCO not met, LCO 3.0.1 and LCO 3.0.2 require entry into the applicable Conditions and Required Actions until the Condition is resolved, until the LCO is met, or until the unit is not within the Applicability of the Technical Specification.

Surveillances do not have to be performed on the associated inoperable equipment (or on variables outside the specified limits), as permitted by SR 3.0.1. Therefore, utilizing LCO 3.0.4 is not a violation of SR 3.0.1 or SR 3.0.4 for any Surveillances that have not been performed on inoperable equipment. However, SRs must be met to ensure OPERABILITY prior to declaring the associated equipment OPERABLE (or variable within limits) and restoring compliance with the affected LCO.

LCO 3.0.5 LCO 3.0.5 establishes the allowance of restoring equipment to service under administrative controls when it has been removed from service or declared inoperable to comply with ACTIONS. The sole purpose of this Specification is to provide an exception to LCO 3.0.2 (e.g., to not comply with the applicable Required Action(s)) to allow the performance of required testing to demonstrate:

a. The OPERABILITY of the equipment being returned to service; or
b. The OPERABILITY of other equipment.

The administrative controls ensure the time the equipment is returned to service in conflict with the requirements of the ACTIONS is limited to the time absolutely necessary to perform the required testing to demonstrate OPERABILITY. This Specification does not provide time to perform any other preventive or corrective maintenance. LCO 3.0.5 should not be used in lieu of other practicable alternatives that comply with Required Actions and that do not require changing the MODE or other specified conditions in the Applicability in order to demonstrate equipment is OPERABLE. LCO 3.0.5 is not intended to be used repeatedly.

An example of demonstrating equipment is OPERABLE with the Required Actions not met is opening a manual valve that was closed to comply with Required Actions to isolate a chemical and volume control system (CVCS) flowpath with an inoperable CVCS isolation valve in order to perform testing to demonstrate that the isolation valve is now OPERABLE.

Examples of demonstrating equipment OPERABILITY include instances in which it is necessary to take an inoperable channel or trip system out of a tripped condition that was directed by a Required Action, if there is no Required Action Note for this purpose. An example of verifying OPERABILITY of equipment removed from service is taking a tripped channel out of the tripped condition to permit the logic to function and indicate the appropriate response during performance of required testing on the inoperable channel. Examples of demonstrating the OPERABILITY of other equipment are taking an inoperable channel or trip system out of the tripped condition 1) to prevent the trip function from occurring during the performance of required testing on another channel in the other trip system, or 2) to permit the logic to function and indicate the appropriate response during the performance of required testing on another channel in the same trip system.

The administrative controls in LCO 3.0.5 apply in all cases to systems or components in Chapter 3 of the Technical Specifications, as long as the testing could not be conducted while complying with the Required Actions. This includes the realignment or repositioning of redundant or alternate equipment or trains previously manipulated to comply with ACTIONS, as well as equipment removed from service or declared inoperable to comply with ACTIONS.

LCO 3.0.6 LCO 3.0.6 establishes an exception to LCO 3.0.2 for supported systems that have a support system LCO specified in the Technical Specifications (TS). This exception is provided because LCO 3.0.2 would require that the Conditions and Required Actions of the associated inoperable supported system LCO be entered solely due to the inoperability of the support system. This exception is justified because the actions that are required to ensure the unit is maintained in a safe condition are specified in the support system LCO's Required Actions. These Required Actions may include entering the supported system's Conditions and Required Actions or may specify other Required Actions.

When a support system is inoperable and there is an LCO specified for it in the TS, the supported system(s) are required to be declared inoperable if determined to be inoperable as a result of the support system inoperability. However, it is not necessary to enter into the supported systems' Conditions and Required Actions unless directed to do so by the support system's Required Actions. The potential confusion and inconsistency of requirements related to the entry into multiple support and supported systems' LCOs' Conditions and Required Actions are eliminated by providing all the actions that are necessary to ensure the unit is maintained in a safe condition in the support system's Required Actions.

However, there are instances where a support system's Required Action may either direct a supported system to be declared inoperable or direct entry into Conditions and Required Actions for the supported system.

This may occur immediately or after some specified delay to perform some other Required Action. Regardless of whether it is immediate or after some delay, when a support system's Required Action directs a supported system to be declared inoperable or directs entry into Conditions and Required Actions for a supported system, the applicable Conditions and Required Actions shall be entered in accordance with LCO 3.0.2.

Specification 5.5.8, Safety Function Determination Program (SFDP), ensures loss of safety function is detected and appropriate actions are taken. Upon entry into LCO 3.0.6, an evaluation shall be made to determine if loss of safety function exists. Additionally, other limitations, remedial actions, or compensatory actions may be identified as a result of the support system inoperability and corresponding exception to entering supported system Conditions and Required Actions. The SFDP implements the requirements of LCO 3.0.6.

Cross train checks to identify a loss of safety function for those support systems that support multiple and redundant safety systems are required. The cross train check verifies that the supported systems of the redundant OPERABLE support system are OPERABLE, thereby ensuring safety function is retained. If this evaluation determines that a loss of safety function exists, the appropriate Conditions and Required Actions of the LCO in which the loss of safety functions exists are required to be entered.

This loss of safety function does not require the assumption of additional single failures or loss of electrical power. Since operations are being restricted in accordance with the ACTIONS of the support system, any resulting temporary loss of redundancy or single failure protection is taken into account. There are no support system LCO requirements for electrical power based on the safety related passive design.

When loss of safety function is determined to exist, and the SFDP requires entry into the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists, consideration must be given to the specific type of function affected. Where a loss of function is solely due to a single Technical Specification support system (e.g., loss of automatic actuation capability due to inoperable instrumentation) the appropriate LCO is the LCO for the support system.

The ACTIONS for a support system LCO adequately address the inoperabilities of that system without reliance on entering its supported system LCO. When the loss of function is the result of multiple support systems, the appropriate LCO is the LCO for the supported system.

LCO 3.0.7 There are certain special tests and operations required to be performed at various times over the life of the unit. These special tests and operations are necessary to demonstrate select unit performance characteristics, to perform special maintenance activities, and to perform special evolutions. Test Exception LCO 3.1.8 allows specified Technical Specification (TS) requirements to be changed to permit performance of these special tests and operations, which otherwise could not be performed if required to comply with the requirements of these TS. Unless otherwise specified, all the other TS requirements remain unchanged. This will ensure all appropriate requirements of the MODE or other specified condition not directly associated with or required to be changed to perform the special test or operation will remain in effect.

The Applicability of a Test Exception LCO represents a condition not necessarily in compliance with the normal requirements of the TS.

Compliance with Test Exception LCOs is optional. A special operation may be performed either under the provisions of the appropriate Test Exception LCO or under the other applicable TS requirements. If it is desired to perform the special operation under the provisions of the Test Exception LCO, the requirements of the Test Exception LCO shall be followed.

[ ------------------------------ REVIEWERS NOTE ------------------------------------

A COL applicant who wants to adopt LCO 3.0.8 must perform or reference a risk assessment for the NuScale design that has been submitted to and accepted by the NRC, and that was prepared consistent with the bounding generic risk assessment provided in TSTF-427-A, Allowance for Non-Technical Specification Barrier Degradation on Supported System OPERABILITY, Revision 2.


]

[LCO 3.0.8 LCO 3.0.8 establishes conditions under which systems described in the Technical Specifications are considered to remain OPERABLE when required barriers are not capable of providing their related support function(s).

Barriers are doors, walls, floor plugs, curbs, hatches, installed structures or components, or other devices, not explicitly described in Technical Specifications that support the performance of the safety function of systems described in the Technical Specifications. This LCO states that the supported system is not considered to be inoperable solely due to required barriers not capable of performing their related support function(s) under the described conditions. LCO 3.0.8 allows 30 days before declaring the supported system(s) inoperable and the LCO(s) associated with the supported system(s) not met. A maximum time is placed on each use of this allowance to ensure that as required barriers are found or are otherwise made unavailable, they are restored.

However, the allowable duration may be less than the specified maximum time based on the risk assessment.

If the allowed time expires and the barriers are unable to perform their related support function(s), the supported system's LCO(s) must be declared not met and the Conditions and Required Actions entered in accordance with LCO 3.0.2.

This provision does not apply to barriers which support ventilation systems or to fire barriers. Ventilation system barriers and fire barriers are addressed by other regulatory requirements and associated plant programs. This provision does not apply to barriers which are not required to support system OPERABILITY (see NRC Regulatory Issue Summary 2001-09, "Control of Hazard Barriers," dated April 2, 2001).

The provisions of LCO 3.0.8 are justified because of the low risk associated with required barriers not being capable of performing their related support function. This provision is based on consideration of the following initiating event categories:

[ ------------------------------ REVIEWERS NOTE ------------------------------------

LCO 3.0.8 may be expanded to other initiating event categories provided plant-specific analysis demonstrates that the frequency of the additional initiating events is bounded by the generic analysis or if plant-specific approval is obtained from the NRC.


]

  • Loss of coolant accidents;
  • High energy line breaks;
  • External flooding;
  • Tornado or high wind.

The risk impact of the barriers which cannot perform their related support function(s) must be addressed pursuant to the risk assessment and management provision of the Maintenance Rule, 10 CFR 50.65(a)(4), and the associated implementation guidance, Regulatory Guide 1.160, "Monitoring the Effectiveness of Maintenance at Nuclear Power Plants," Revision 3. Regulatory Guide 1.160 endorses the guidance in Section 11 of NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants."

This guidance provides for the consideration of dynamic plant configuration issues, emergent conditions, and other aspects pertinent to plant operation with the barriers unable to perform their related support function(s). These considerations may result in risk management and other compensatory actions being required during the period that barriers are unable to perform their related support function(s).

[ ------------------------------ REVIEWERS NOTE ------------------------------------

Adoption of LCO 3.0.8 requires the licensee to make the following commitment:

[LICENSEE] commits to the guidance of NEI 04-08, "Allowance for Non Technical Specification Barrier Degradation on Supported System OPERABILITY (TSTF-427) Industry Implementation Guidance," March 2006.


]

LCO 3.0.8 may be applied to one or more trains or subsystems of a system supported by barriers that cannot provide their related support function(s), provided that risk is assessed and managed (including consideration of the effects on Large Early Release and from external events). If applied concurrently to more than one train or subsystem of a multiple train or subsystem supported system, the barriers supporting each of these trains or subsystems must provide their related support function(s) for different categories of initiating events. For example, LCO 3.0.8 may be applied for up to 30 days for more than one train of a multiple train supported system if the affected barrier for one train protects against internal flooding and the affected barrier for the other train protects against tornado missiles. In this example, the affected barrier may be the same physical barrier but serve different protection functions for each train.

If during the time that LCO 3.0.8 is being used, the required OPERABLE train or subsystem becomes inoperable, it must be restored to OPERABLE status within 24 hours. Otherwise, the train(s) or subsystem(s) supported by barriers that cannot perform their related support function(s) must be declared inoperable and the associated LCOs declared not met. This 24 hour period provides time to respond to emergent conditions that would otherwise likely lead to entry into LCO 3.0.3 and a rapid unit shutdown, which is not justified given the low probability of an initiating event which would require the barrier(s) not capable of performing their related support function(s). During this 24 hour period, the unit risk associated with the existing conditions is assessed and managed in accordance with 10 CFR 50.65(a)(4).]

B 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY

BASES

SRs SR 3.0.1 through SR 3.0.4 establish the general requirements applicable to all Specifications and apply at all times, unless otherwise stated.

SR 3.0.2 and SR 3.0.3 apply in Chapter 5 only when invoked by a Chapter 5 Specification.

SR 3.0.1 SR 3.0.1 establishes the requirement that SRs must be met during the MODES or other specified conditions in the Applicability for which the requirements of the LCO apply, unless otherwise specified in the individual SRs. This Specification ensures that Surveillances are performed to verify the OPERABILITY of systems and components, and that variables are within specified limits. Failure to meet a Surveillance within the specified Frequency, in accordance with SR 3.0.2, constitutes a failure to meet an LCO. Surveillances may be performed by means of any series of sequential, overlapping, or total steps provided the entire Surveillance is performed within the specified Frequency. Additionally, the definitions related to instrument testing (e.g., CHANNEL CALIBRATION) specify that these tests are performed by means of any series of sequential, overlapping, or total steps.

Systems and components are assumed to be OPERABLE when the associated SRs have been met. Nothing in this Specification, however, is to be construed as implying that systems or components are OPERABLE when:

a. The systems or components are known to be inoperable, although still meeting the SRs; or
b. The requirements of the Surveillance(s) are known not to be met between required Surveillance performances.

Surveillances do not have to be performed when the unit is in a MODE or other specified condition for which the requirements of the associated LCO are not applicable, unless otherwise specified. The SRs associated with a test exception are only applicable when the test exception is used as an allowable exception to the requirements of a Specification.

Unplanned events may satisfy the requirements (including applicable acceptance criteria) for a given SR. In this case, the unplanned event may be credited as fulfilling the performance of the SR. This allowance includes those SRs whose performance is normally precluded in a given MODE or other specified condition.

Surveillances, including Surveillances invoked by Required Actions, do not have to be performed on inoperable equipment because the ACTIONS define the remedial measures that apply. Surveillances have to be met in accordance with SR 3.0.2 prior to returning equipment to OPERABLE status.

Upon completion of maintenance, appropriate post maintenance testing is required to declare equipment OPERABLE. This includes ensuring applicable Surveillances are not failed and their most recent performance is in accordance with SR 3.0.2. Post maintenance testing may not be possible in the current MODE or other specified conditions in the Applicability due to the necessary unit parameters not having been established. In these situations, the equipment may be considered OPERABLE provided testing has been satisfactorily completed to the extent possible and the equipment is not otherwise believed to be incapable of performing its function. This will allow operation to proceed to a MODE or other specified condition where other necessary post maintenance tests can be completed.

An example of this process is the calibration of the excore neutron detectors, which cannot be accomplished until the reactor power is high enough to provide representative calorimetric information and the neutron flux can be measured by the instrumentation.

SR 3.0.2 SR 3.0.2 establishes the requirements for meeting the specified Frequency for Surveillances and any Required Actions with a Completion Time that requires the periodic performance of the Required Action on a once per interval.

SR 3.0.2 permits a 25% extension of the interval specified in the Frequency. This extension facilitates Surveillance scheduling and considers unit operating conditions that may not be suitable for conducting the Surveillance (e.g., transient conditions or other ongoing Surveillance or maintenance activities).

When a Section 5.5, "Programs and Manuals," Specification states that the provisions of SR 3.0.2 are applicable, a 25% extension of the testing interval, whether stated in the Specification or incorporated by reference, is permitted.

The 25% extension does not significantly degrade the reliability that results from performing the Surveillance at its specified Frequency. This is based on the recognition that the most probable result of any particular surveillance being performed is the verification of conformance with the SRs.

The exceptions to SR 3.0.2 are those Surveillances for which the 25% extension of the interval specified in the Frequency does not apply. These exceptions are stated in the individual Specifications. The requirements of regulations take precedence over the TS. Examples of where SR 3.0.2 does not apply are in the Containment Leakage Rate Testing Program required by 10 CFR 50, Appendix J, and the inservice testing of pumps and valves in accordance with applicable American Society of Mechanical Engineers Operation and Maintenance Code, as required by 10 CFR 50.55a. These programs establish testing requirements and Frequencies in accordance with the requirements of regulations. The TS cannot, in and of themselves, extend a test interval specified in the regulations directly or by reference.

As stated in SR 3.0.2, the 25% extension also does not apply to the initial portion of a periodic Completion Time that requires performance on a once per basis. The 25% extension applies to each performance after the initial performance. The initial performance of the Required Action, whether it is a particular Surveillance or some remedial action, is considered a single action with a single Completion Time. One reason for not allowing the 25% extension to this Completion Time is that such an action usually verifies that no loss of function has occurred by checking the status of redundant or diverse components or accomplishes the function of the inoperable equipment in an alternative manner.

The provisions of SR 3.0.2 are not intended to be used repeatedly to extend Surveillance intervals (other than those consistent with refueling intervals) or periodic Completion Time intervals beyond those specified.

SR 3.0.3 SR 3.0.3 establishes the flexibility to defer declaring affected equipment inoperable or an affected variable outside the specified limits when a Surveillance has not been performed within the specified Frequency. A delay period of up to 24 hours or up to the limit of the specified Frequency, whichever is greater, applies from the point in time that it is discovered that the Surveillance has not been performed in accordance with SR 3.0.2, and not at the time that the specified Frequency was not met.

When a Section 5.5, "Programs and Manuals," Specification states that the provisions of SR 3.0.3 are applicable, it permits the flexibility to defer declaring the testing requirement not met in accordance with SR 3.0.3 when the testing has not been performed within the testing interval (including the allowance of SR 3.0.2 if invoked by the Section 5.5 Specification).

This delay period provides adequate time to perform Surveillances that have been missed. This delay period permits the performance of a Surveillance before complying with Required Actions or other remedial measures that might preclude performance of the Surveillance.

The basis for this delay period includes consideration of unit conditions, adequate planning, availability of personnel, the time required to perform the Surveillance, the safety significance of the delay in completing the required Surveillance, and the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the requirements.

When a Surveillance with a Frequency based not on time intervals, but upon specified unit conditions, operational situations, or requirements of regulations (e.g., prior to entering MODE 1 after each fuel loading, or in accordance with 10 CFR 50, Appendix J, as modified by approved exemptions, etc.) is discovered to not have been performed when specified, SR 3.0.3 allows for the full delay period of up to the specified Frequency to perform the Surveillance. However, since there is not a time interval specified, the missed Surveillance should be performed at the first reasonable opportunity.

SR 3.0.3 provides a time limit for, and allowances for the performance of, Surveillances that become applicable as a consequence of MODE changes imposed by Required Actions.

SR 3.0.3 is only applicable if there is a reasonable expectation the associated equipment is OPERABLE or that variables are within limits, and it is expected that the Surveillance will be met when performed.

Many factors should be considered, such as the period of time since the Surveillance was last performed, or whether the Surveillance, or a portion thereof, has ever been performed, and any other indications, tests, or activities that might support the expectation that the Surveillance will be met when performed. An example of the use of SR 3.0.3 would be a relay contact that was not tested as required in accordance with a particular SR, but previous successful performances of the SR included the relay contact; the adjacent, physically connected relay contacts were tested during the SR performance; the subject relay contact has been tested by another SR; or historical operation of the subject relay contact has been successful. It is not sufficient to infer the behavior of the associated equipment from the performance of similar equipment. The rigor of determining whether there is a reasonable expectation a Surveillance will be met when performed should increase based on the length of time since the last performance of the Surveillance. If the Surveillance has been performed recently, a review of the Surveillance history and equipment performance may be sufficient to support a reasonable expectation that the Surveillance will be met when performed. For Surveillances that have not been performed for a long period or that have never been performed, a rigorous evaluation based on objective evidence should provide a high degree of confidence that the equipment is OPERABLE. The evaluation should be documented in sufficient detail to allow a knowledgeable individual to understand the basis for the determination.

Failure to comply with specified Frequencies for SRs is expected to be an infrequent occurrence. Use of the delay period established by SR 3.0.3 is a flexibility which is not intended to be used repeatedly to extend Surveillance intervals. While up to 24 hours or the limit of the specified Frequency is provided to perform the missed Surveillance, it is expected that the Surveillance will be performed at the first reasonable opportunity. The determination of the first reasonable opportunity should include consideration of the impact on plant risk (from delaying the Surveillance as well as any plant configuration changes required or shutting the unit down to perform the Surveillance) and impact on any analysis assumptions, in addition to unit conditions, planning, availability of personnel, and the time required to perform the Surveillance. This risk impact should be managed through the program in place to implement 10 CFR 50.65(a)(4) and its implementation guidance, NRC Regulatory Guide 1.160, "Monitoring the Effectiveness of Maintenance at Nuclear Power Plants," Revision 3. This Regulatory Guide addresses consideration of temporary and aggregate risk impacts, determination of risk management action thresholds, and risk management action up to and including unit shutdown.

The missed Surveillance should be treated as an emergent condition as discussed in the Regulatory Guide. The risk evaluation may use quantitative, qualitative, or blended methods. The degree of depth and rigor of the evaluation should be commensurate with the importance of the component. Missed Surveillances for important components should be analyzed quantitatively. If the results of the risk evaluation determine the risk increase is significant, this evaluation should be used to determine the safest course of action. All missed Surveillances will be placed in the licensee's Corrective Action Program.

If a Surveillance is not completed within the allowed delay period, then the equipment is considered inoperable or the variable is considered outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon expiration of the delay period. If a Surveillance is failed within the delay period, then the equipment is inoperable, or the variable is outside the specified limits and Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon the failure of the Surveillance.

Completion of the Surveillance within the delay period allowed by this Specification, or within the Completion Time of the ACTIONS, restores compliance with SR 3.0.1.

SR 3.0.4

SR 3.0.4 establishes the requirement that all applicable SRs must be met before entry into a MODE or other specified condition in the Applicability.

This Specification ensures that system and component OPERABILITY requirements and variable limits are met before entry into MODES or other specified conditions in the Applicability for which these systems and components ensure safe operation of the unit. The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.

A provision is included to allow entry into a MODE or other specified condition in the Applicability when an LCO is not met due to a Surveillance not being met in accordance with LCO 3.0.4.

However, in certain circumstances, failing to meet an SR will not result in SR 3.0.4 restricting a MODE change or other specified condition change. When a system, subsystem, division, component, device, or variable is inoperable or outside its specified limits, the associated SR(s) are not required to be performed, per SR 3.0.1, which states that surveillances do not have to be performed on inoperable equipment.

When equipment is inoperable, SR 3.0.4 does not apply to the associated SR(s) since the requirement for the SR(s) to be performed is removed. Therefore, failing to perform the Surveillance(s) within the specified Frequency does not result in an SR 3.0.4 restriction to changing MODES or other specified conditions of the Applicability.

However, since the LCO is not met in this instance, LCO 3.0.4 will govern any restrictions that may (or may not) apply to MODE or other specified condition changes. SR 3.0.4 does not restrict changing MODES or other specified conditions of the Applicability when a Surveillance has not been performed within the specified Frequency, provided the requirement to declare the LCO not met has been delayed in accordance with SR 3.0.3.

The provisions of SR 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of SR 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown. In this context, a unit shutdown is defined as a change in MODE or other specified condition in the Applicability associated with transitioning from MODE 1 to MODE 2, MODE 2 to MODE 3, and MODE 3 not PASSIVELY COOLED to MODE 3 PASSIVELY COOLED.

The precise requirements for performance of SRs are specified such that exceptions to SR 3.0.4 are not necessary. The specific time frames and conditions necessary for meeting the SRs are specified in the Frequency, in the Surveillance, or both. This allows performance of Surveillances when the prerequisite condition(s) specified in a Surveillance procedure require entry into a MODE or other specified condition in the Applicability of the associated LCO prior to the performance or completion of a Surveillance. A Surveillance that could not be performed until after entering the LCO's Applicability would have its Frequency specified such that it is not due until the specific conditions needed are met. Alternately, the Surveillance may be stated in the form of a Note, as not required (to be met or performed) until a particular event, condition, or time has been reached. Further discussion of the specific formats of SRs' annotation is found in Section 1.4, "Frequency."


B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.1 SHUTDOWN MARGIN (SDM)

BASES

BACKGROUND

According to GDC 26 (Ref. 1) the reactivity control systems must be redundant and capable of holding the reactor core subcritical when shutdown under cold conditions. Maintenance of the SDM ensures that postulated reactivity events will not damage the fuel.

SDM requirements provide sufficient reactivity margin to assure that specified acceptable fuel design limits (SAFDLs) will not be exceeded for normal shutdown and anticipated operational occurrences (AOOs).

As such, the SDM defines the degree of subcriticality that would be obtained immediately following the insertion or scram of all shutdown and regulating bank control rod assemblies (CRAs), assuming that the single CRA of highest reactivity worth is fully withdrawn.

Additionally SDM requirements provide sufficient reactivity margin to ensure that the reactor will remain shutdown at all temperatures with all control rods inserted.

The system design requires that two independent reactivity control systems be provided, and that one of these systems be capable of maintaining the core subcritical under cold conditions. These requirements are provided by the use of movable CRAs and soluble boric acid in the Reactor Coolant System (RCS). The CRA System provides the SDM during power operation and is capable of making the core subcritical rapidly enough to prevent exceeding acceptable fuel damage limits, following all AOOs and postulated accidents, assuming that the CRA of highest reactivity worth remains withdrawn.

The soluble boron system can compensate for fuel depletion during operation and all xenon burnout reactivity changes and maintain the reactor subcritical under cold conditions.

During power operation, SDM control is ensured by operating with the shutdown bank groups fully withdrawn and the regulating bank groups within the limits of LCO 3.1.6, "Regulating Bank Insertion Limits."

When the unit is in MODES 2, 3, 4 or 5, the SDM requirements are met by means of adjustments to the RCS boron concentration and the boron requirements for the pool, LCO 3.5.3, "Ultimate Heat Sink" and CRA controls.

APPLICABLE SAFETY ANALYSES

The minimum required SDM is assumed as an initial condition in safety analyses. The safety analyses (Ref. 2) establish an SDM that ensures that SAFDLs are not exceeded for normal operation and AOOs, with the assumption of the highest worth CRA stuck out on scram. For MODES 2 and 3, the primary safety analysis that relies on the SDM limits is the boron dilution analysis.

The acceptance criteria for the SDM requirements are that SAFDLs are maintained. This is done by ensuring that:

a. The reactor can be made subcritical from all operating conditions, transients, and Design Basis Events;
b. The reactivity transients associated with postulated accident conditions are controllable within acceptable limits; and
c. The reactor will be maintained sufficiently subcritical to preclude inadvertent criticality in the shutdown condition.

The SDM requirement also protects against:

a. Inadvertent boron dilution;
b. An uncontrolled CRA withdrawal from subcritical or low power condition; and
c. CRA ejection.

Each of these events is discussed below.

In the boron dilution analysis, the required SDM defines the reactivity difference between an initial subcritical boron concentration and the corresponding critical boron concentration. These values, in conjunction with the configuration of the RCS and the assumed dilution flow rate, directly affect the results of the analysis. This event is most limiting at the beginning of core life, when critical boron concentrations are highest.

Depending on the system initial conditions and reactivity insertion rate, the uncontrolled CRA withdrawal transient is terminated by either a decade per minute trip, high power trip or a high pressurizer pressure trip. In all cases, power level, RCS pressure, linear heat rate, and the CHFR do not exceed allowable limits.


SDM satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii). Even though it is not directly observed from the main control room, SDM is considered an initial condition process variable because it is periodically monitored to ensure that the unit is operating within the bounds of accident analysis assumptions.

LCO

SDM is a core design condition that can be ensured during operation through CRA positioning (regulating and shutdown banks) and through the soluble boron concentration.

APPLICABILITY

In MODE 1 with keff ≥ 1.0, SDM requirements are ensured by complying with LCO 3.1.5, "Shutdown Bank Insertion Limits," and LCO 3.1.6, "Regulating Bank Insertion Limits."

In MODE 1 with keff < 1.0 and in MODES 2, 3, and 4, the SDM requirements are applicable to provide sufficient negative reactivity to meet the assumptions of the safety analyses discussed above.

In MODE 5 the shutdown reactivity requirements are given in LCO 3.5.3, "Ultimate Heat Sink."

ACTIONS

A.1

If the SDM requirements are not met, boration must be initiated promptly. A Completion Time of 15 minutes is adequate for an operator to correctly align and start the required systems and components. It is assumed that boration will be continued until the SDM requirements are met.

In the determination of the required combination of boration flow rate and boron concentration, there is no unique requirement that must be satisfied. Since it is imperative to raise the boron concentration of the RCS as soon as possible, the boron concentration should be a concentrated solution. The operator should begin boration with the best source available for the plant conditions.

SURVEILLANCE REQUIREMENTS

SR 3.1.1.1

In MODE 1 with keff ≥ 1.0, SDM is verified by observing that the requirements of LCO 3.1.5 and LCO 3.1.6 are met. In the event that a CRA is known to be untrippable, however, SDM verification must account for the worth of the untrippable CRA as well as another CRA of maximum worth.

In MODE 1 with keff < 1.0, and in MODES 2, 3, and 4, the SDM is verified by performing a reactivity balance calculation, considering the listed reactivity effects:

a. RCS boron concentration;
b. CRA position;
c. RCS average temperature;
d. Fuel burnup based on gross thermal energy generation;
e. Xenon concentration;
f. Samarium concentration; and
g. Isothermal Temperature Coefficient (ITC).

Using the ITC accounts for Doppler reactivity in this calculation because the reactor is subcritical and the fuel temperature will be changing at the same rate as the RCS.

SR 3.1.1.1 is modified by a Note that indicates the surveillance is not required to be performed in MODE 4. In MODE 4, Table 1.1-1, "MODES," requires the module to be isolated from control systems and process lines that could change the SDM. Verification that the SDM will be met in MODE 4 is required before entry from MODE 5, and before entry from MODE 3 in accordance with SR 3.0.4.

During module movement, instrumentation is not available to measure variables that could affect the SDM. Therefore, reactivity calculations performed to verify the SDM conservatively account for passive phenomena that may occur, such as temperature changes and xenon decay, effects that may occur and affect reactivity during MODE 4 conditions.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 26.

2. FSAR, Chapter 15.

B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.2 Core Reactivity

BASES

BACKGROUND

According to GDC 26, GDC 28, and GDC 29 (Ref. 1), reactivity shall be controllable, such that subcriticality is maintained under cold conditions, and acceptable fuel design limits are not exceeded during normal operation and anticipated operational occurrences. Therefore, reactivity balance is used as a measure of the predicted versus measured core reactivity during power operation. The periodic confirmation of core reactivity is necessary to ensure that Design Basis Accident (DBA) and transient safety analyses remain valid. A large reactivity difference could be the result of unanticipated changes in fuel, control rod assembly (CRA) worth, or operation at conditions not consistent with those assumed in the predictions of core reactivity and could potentially result in a loss of SDM or violation of acceptable fuel design limits. Comparing predicted versus measured core reactivity validates the nuclear methods used in the safety analysis and supports the SDM demonstrations (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)") in ensuring the reactor can be brought safely to cold, subcritical conditions.

When the reactor core is critical or in normal power operation, a reactivity balance exists and the net reactivity is zero. A comparison of predicted and measured reactivity is convenient under such a balance since parameters are being maintained relatively stable under steady-state power conditions. The positive reactivity inherent in the core design is balanced by the negative reactivity of the control components, thermal feedback, neutron leakage, and materials in the core that absorb neutrons, such as burnable absorbers producing zero net reactivity. Excess reactivity can be inferred from the boron letdown curve (or critical boron curve), which provides an indication of the soluble boron concentration in the Reactor Coolant System (RCS) versus cycle burnup. Periodic measurement of the RCS boron concentration for comparison with the predicted value with other variables fixed (such as rod height, temperature, pressure, and power), provides a convenient method of ensuring that core reactivity is within design expectations, and that the calculation models used to generate the safety analysis are adequate.

In order to achieve the required fuel cycle energy output, the uranium enrichment, in the new fuel loading and in the fuel remaining from the previous cycle, provides excess positive reactivity beyond that required to sustain steady state operation throughout the cycle. When the reactor is critical the excess positive reactivity is compensated by burnable absorbers (if any), control rods, whatever neutron poisons (mainly xenon and samarium) are present in the fuel, and the RCS boron concentration.

When the core is producing THERMAL POWER, the fuel is being depleted and excess reactivity is decreasing. As the fuel depletes, the RCS boron concentration is reduced to decrease negative reactivity and maintain constant THERMAL POWER. The boron letdown curve is based on steady state operation at RTP. Therefore, deviations from the predicted boron letdown curve may indicate deficiencies in the design analysis, deficiencies in the calculational models, or abnormal core conditions, and must be evaluated.

APPLICABLE SAFETY ANALYSES

The acceptance criteria for core reactivity are that the reactivity balance limit ensures plant operation is maintained within the assumptions of the safety analyses.

Accurate prediction of core reactivity is either an explicit or implicit assumption in the accident analysis evaluations. Accident evaluations (Ref. 2) are, therefore, dependent upon accurate evaluation of core reactivity. In particular, SDM and reactivity transients, such as CRA withdrawal accidents or CRA ejection accidents, are sensitive to accurate predictions of core reactivity. These accident analysis evaluations rely on computer codes that have been qualified against available test data, operating plant data, and analytical benchmarks.

Monitoring reactivity balance provides additional assurance that the nuclear methods provide an accurate representation of the core reactivity.

Design calculations and safety analysis are performed for each fuel cycle for the purpose of predetermining reactivity behavior and the RCS boron concentration requirements for reactivity control during fuel depletion.

The comparison between measured and predicted initial core reactivity provides a normalization for the calculational models used to predict core reactivity. If the measured and predicted RCS boron concentrations for identical core conditions at beginning of cycle (BOC) do not agree, then the assumptions used in the reload cycle design analysis or the calculation models used to predict soluble boron requirements may not be accurate. If reasonable agreement between measured and predicted core reactivity exists at BOC, then the prediction may be normalized to the measured boron concentration.


Thereafter, any significant deviations in the measured boron concentration from the predicted boron letdown curve that develop during fuel depletion may be an indication that the calculational model is not adequate for core burnups beyond BOC, or that an unexpected change in core conditions has occurred.

The normalization of predicted RCS boron concentration to the measured value is typically performed after reaching RTP following startup from a refueling outage, with the CRAs in their normal positions for power operation. The normalization is performed at BOC conditions so that core reactivity relative to predicted values can be continually monitored and evaluated as core conditions change during the cycle.

Core reactivity satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO

Long term core reactivity behavior is a result of the core physics design and cannot be easily controlled once the core design is fixed.

During operation, therefore, the Conditions of the LCO can only be ensured through measurement and tracking, and appropriate actions taken as necessary. Large differences between actual and predicted core reactivity may indicate that the assumptions of the DBA and transient analyses are no longer valid, or that the uncertainties in the nuclear design methodology are larger than expected. A limit on the reactivity balance of +/- 1% Δk/k has been established based on engineering judgment and operating experience. A 1% deviation in reactivity from that predicted is larger than expected for normal operation and should therefore be evaluated.

When measured core reactivity is within 1% Δk/k of the predicted value at steady state thermal conditions, the core is considered to be operating within acceptable design limits. Since deviations from the limit are normally detected by comparing predicted and measured steady state RCS critical boron concentrations, the difference between measured and predicted values would be approximately 100 ppm (depending on the boron worth) before the limit is reached. These values are well within the uncertainty limits for analysis of boron concentration samples, so that spurious violations of the limit due to uncertainty in measuring the RCS boron concentration are unlikely.

APPLICABILITY

The limits on core reactivity must be maintained during MODE 1 because a reactivity balance must exist when the reactor is critical or producing THERMAL POWER. As the fuel depletes, core conditions are changing, and confirmation of the reactivity balance ensures the core is operating as designed. This specification does not apply in MODES 2, 3, and 4 because the reactor is shut down and the reactivity balance is not changing.

In MODE 5, fuel loading results in a continually changing core reactivity. Boron concentration requirements (LCO 3.5.3, "Ultimate Heat Sink," and CRA limits) ensure that fuel movements are performed within the bounds of the safety analysis. An SDM demonstration is required during the first startup following operations that could have altered core reactivity (e.g., fuel movement, or CRA replacement).

NuScale will rely on CRAs for part of the shutdown requirement during refueling activities, as described in the COLR.

ACTIONS

A.1 and A.2

Should an anomaly develop between measured and predicted core reactivity, an evaluation of the core design and safety analysis must be performed. Core conditions are evaluated to determine their consistency with input to design calculations. Measured core and process parameters are evaluated to determine that they are within the bounds of the safety analysis, and safety analysis calculational models are reviewed to verify that they are adequate for representation of the core conditions. The required Completion Time of 7 days is based on the low probability of a DBA occurring during this period, and allows sufficient time to assess the physical condition of the reactor and complete the evaluation of the core design and safety analysis.

Following evaluations of the core design and safety analysis, the cause of the reactivity anomaly may be resolved. If the cause of the reactivity anomaly is a mismatch in core conditions at the time of RCS boron concentration sampling, then a recalculation of the RCS boron concentration requirements may be performed to demonstrate that core reactivity is behaving as expected. If an unexpected physical change in the condition of the core has occurred, it must be evaluated and corrected, if possible. If the cause of the reactivity anomaly is in the calculation technique, then the calculational models must be revised to provide more accurate predictions. If any of these results are demonstrated and it is concluded that the reactor core is acceptable for continued operation, then the boron letdown curve may be renormalized and power operation may continue. If operational restriction or additional SRs are necessary to ensure the reactor core is acceptable for continued operation, then they must be defined.

The required Completion Time of 7 days is adequate for preparing and implementing whatever operating restrictions may be required to allow continued reactor operation.

B.1

If the core reactivity cannot be restored to within the 1% Δk/k limit, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours. If the SDM for MODE 2 is not met, then boration may be required to meet SR 3.1.1.1 prior to entry into MODE 2. The allowed Completion Time is reasonable for reaching MODE 2 from full power conditions in an orderly manner.

SURVEILLANCE REQUIREMENTS

SR 3.1.2.1

Core reactivity is verified by periodic comparisons of measured and predicted RCS boron concentrations. The comparison is made considering that other core conditions are fixed or stable, including CRA position, moderator temperature, fuel temperature, fuel depletion, xenon concentration, and samarium concentration. The Surveillance is performed prior to exceeding 5% RTP as an initial check on core conditions and design calculations at BOC. The Surveillance is performed again prior to exceeding 60 effective full power days (EFPDs) to confirm the core reactivity is responding to reactivity predictions and then periodically thereafter during the operating cycle in accordance with the Surveillance Frequency Control Program. The SR is modified by a Note indicating that the predicted core reactivity may be adjusted to the measured value provided this normalization is performed prior to exceeding a fuel burnup of 60 EFPDs. This allows sufficient time for core conditions to reach steady state, but prevents operation for a large fraction of the fuel cycle without establishing a benchmark for the design calculations.

The subsequent Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
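The comparison described for SR 3.1.2.1 and the LCO limit, sketched as an added example that is not part of the NuScale document: measured boron is compared with a predicted letdown curve, converted to % Δk/k, and normalization is refused after 60 EFPD. The curve points, the 10 pcm/ppm boron worth (chosen to match the "approximately 100 ppm" per 1% Δk/k stated above), the use of the 1% limit as the test for "reasonable agreement," and all names are assumptions.

```python
from bisect import bisect_right
from dataclasses import dataclass

LIMIT_PCT_DK_K = 1.0               # LCO limit quoted in the Bases: +/- 1% delta-k/k
NORMALIZATION_CUTOFF_EFPD = 60.0   # SR Note: normalize before exceeding 60 EFPD
PCM_PER_PCT = 1000.0               # 1% delta-k/k = 1000 pcm

# ASSUMPTION: boron worth magnitude of 10 pcm/ppm, picked so that 1% delta-k/k
# corresponds to the "approximately 100 ppm" mentioned in the Bases.
ASSUMED_BORON_WORTH_PCM_PER_PPM = 10.0

# CONSTRUCTED predicted letdown curve: (burnup in EFPD, critical boron in ppm).
CONSTRUCTED_LETDOWN_CURVE = [(0.0, 1200.0), (100.0, 1000.0), (200.0, 800.0),
                             (400.0, 400.0), (600.0, 0.0)]


@dataclass(frozen=True)
class BalanceResult:
    efpd: float
    predicted_ppm: float
    deviation_ppm: float        # measured minus predicted
    deviation_pct_dk_k: float   # positive: core more reactive than predicted
    within_limit: bool


class ReactivityBalance:
    """Hypothetical helper: tracks measured vs. predicted critical boron."""

    def __init__(self, curve, boron_worth_pcm_per_ppm=ASSUMED_BORON_WORTH_PCM_PER_PPM):
        if len(curve) < 2 or boron_worth_pcm_per_ppm <= 0:
            raise ValueError("need at least two curve points and a positive boron worth")
        self._curve = sorted(curve)
        self._worth = boron_worth_pcm_per_ppm
        self._offset_ppm = 0.0  # set once by normalize()

    def _raw_predicted_ppm(self, efpd):
        # Linear interpolation on the design curve, without normalization.
        xs = [point[0] for point in self._curve]
        if not xs[0] <= efpd <= xs[-1]:
            raise ValueError("burnup lies outside the predicted curve")
        i = min(bisect_right(xs, efpd), len(xs) - 1)
        (x0, y0), (x1, y1) = self._curve[i - 1], self._curve[i]
        return y0 + (y1 - y0) * (efpd - x0) / (x1 - x0)

    def predicted_ppm(self, efpd):
        return self._raw_predicted_ppm(efpd) + self._offset_ppm

    def _to_pct(self, deviation_ppm):
        return deviation_ppm * self._worth / PCM_PER_PCT

    def check(self, efpd, measured_ppm):
        """Compare one steady-state boron sample against the prediction."""
        predicted = self.predicted_ppm(efpd)
        deviation = measured_ppm - predicted
        pct = self._to_pct(deviation)
        return BalanceResult(efpd, predicted, deviation, pct,
                             abs(pct) <= LIMIT_PCT_DK_K)

    def normalize(self, efpd, measured_ppm):
        """Shift the prediction onto the measurement; returns the offset in ppm."""
        if efpd > NORMALIZATION_CUTOFF_EFPD:
            raise ValueError("normalization not allowed after 60 EFPD")
        offset = measured_ppm - self._raw_predicted_ppm(efpd)
        # ASSUMPTION: "reasonable agreement" is taken to mean within the LCO limit.
        if abs(self._to_pct(offset)) > LIMIT_PCT_DK_K:
            raise ValueError("measured and predicted values do not agree; evaluate first")
        self._offset_ppm = offset
        return offset


if __name__ == "__main__":
    balance = ReactivityBalance(CONSTRUCTED_LETDOWN_CURVE)
    print(balance.check(50.0, 1130.0))    # early-cycle sample (constructed)
    balance.normalize(50.0, 1130.0)
    print(balance.check(300.0, 740.0))    # later sample that exceeds the limit
```
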

REFERENCES

1. 10 CFR 50, Appendix A, GDC 26, GDC 28, and GDC 29.

2. FSAR, Chapter 15.

B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.3 Moderator Temperature Coefficient (MTC)

BASES

BACKGROUND

According to GDC 11 (Ref. 1), the reactor core and its interaction with the Reactor Coolant System (RCS) must be designed for inherently stable power operation even in the possible event of an accident. In particular, the net reactivity feedback in the system must compensate for any unintended reactivity increases.

The MTC relates a change in core reactivity to a change in reactor coolant temperature (a positive MTC means that reactivity increases with increasing moderator temperature; conversely, a negative MTC means that reactivity decreases with increasing moderator temperature). The reactor is designed to operate with a non-positive MTC during the majority of fuel cycle operation. Therefore, a coolant temperature increase will cause a reactivity decrease, so that the coolant temperature tends to return toward its initial value. Reactivity increases that cause a coolant temperature increase will thus be self-limiting, and stable power operation will result. There are times, at the beginning of cycle and at less than normal operating temperature, when the MTC may be slightly positive.

MTC values are predicted at selected burnups during the safety evaluation analysis and are confirmed to be acceptable by measurements. Both initial and reload cores are designed so that the MTC is less than zero when reactor power is at RTP. The actual value of the MTC is dependent on core characteristics such as fuel loading and reactor coolant soluble boron concentration. The core design may require additional fixed distributed poisons (burnable absorbers) to yield an MTC within the range analyzed in the plant accident analysis.

The end of cycle (EOC) MTC is also limited by the requirements of the accident analysis. Fuel cycles that are designed to achieve high burnups or that have changes to other characteristics are evaluated to ensure that the MTC does not exceed the EOC limit.

The limitations on MTC are provided to ensure that the value of this coefficient remains within the limiting conditions assumed in the FSAR accident and transient analyses (Ref. 2).

If the LCO limits are not met, the unit response during transients may not be as predicted. The core could violate criteria that prohibit a return to criticality, or the departure from nucleate boiling ratio criteria of the approved correlation may be violated, which could lead to a loss of the fuel cladding integrity.


The SRs for measurement of the MTC at the beginning and near the end of the fuel cycle are adequate to confirm that the MTC remains within its limits since this coefficient changes slowly, due principally to the RCS boron concentration associated with fuel burnup and burnable absorbers.

APPLICABLE SAFETY ANALYSES

The acceptance criteria for the specified MTC are:

a. The MTC values must remain within the bounds of those used in the accident analysis (Ref. 2); and

b. The MTC must be such that inherently stable power operations result during normal operation and accidents, such as overheating and overcooling events.

FSAR Chapter 15 (Ref. 2) contains analyses of accidents that result in both overheating and overcooling of the reactor core. MTC is one of the controlling parameters for core reactivity in these accidents. Both the least negative value and most negative value of the MTC are important to safety, and both values must be bounded. Values used in the analyses consider worst case conditions to ensure that the accident results are bounding (Ref. 2).

Accidents that cause core overheating, either by decreased heat removal or increased power production, must be evaluated for results when the MTC is least negative. Reactivity accidents that cause increased power production include the control rod assembly (CRA) withdrawal transient from either zero or full power. The limiting overheating event relative to unit response is based on the maximum difference between core power and steam generator heat removal during a transient. The most limiting event with respect to a positive MTC is a CRA withdrawal accident from zero power, also referred to as a startup accident (Ref. 2).

Accidents that cause core overcooling must be evaluated for results when the MTC is most negative. The event that produces the most rapid cooldown of the RCS, and is therefore the most limiting event with respect to the negative MTC, is a steam line break (SLB) event.

Following the reactor trip for the postulated EOC SLB event, the large moderator temperature reduction combined with the large negative MTC may produce reactivity increases that are as much as the shutdown reactivity. When this occurs, a substantial fraction of core power is produced with all CRAs inserted, except the most reactive one, which is assumed withdrawn. Even if the reactivity increase produces slightly subcritical conditions, a large fraction of core power may be produced through the effects of subcritical neutron multiplication.

MTC values are bounded in reload safety evaluations assuming steady state conditions at core beginning of cycle (BOC) and EOC. A measurement is conducted at two-thirds of the core operating cycle, when the RCS boron concentration reaches approximately 300 ppm.

The measured value may be extrapolated to project the EOC value, in order to confirm reload design predictions.

MTC satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO

LCO 3.1.3 requires the MTC to be within specified limits of the COLR to ensure the core operates within the assumptions of the accident analysis. During the reload core safety evaluation, the MTC is analyzed to determine that its values remain within the bounds of the original accident analysis during operation. The limit on a least negative MTC ensures that core overheating accidents will not violate the accident analysis assumptions. The most negative MTC limit for EOC specified in the COLR ensures that core overcooling accidents will not violate the accident analysis assumptions.

MTC is a core physics parameter determined by the fuel and fuel cycle design and cannot be easily controlled once the core design is fixed.

During operation, therefore, the LCO can only be ensured through measurement. The surveillance checks of MTC at BOC and near two-thirds of core burnup provide confirmation that the MTC is behaving as anticipated, so that the acceptance criteria are met.

APPLICABILITY

In MODE 1, the upper limit on the MTC must be maintained to ensure that any accident will not violate the design assumptions of the accident analysis. The limits must also be maintained to ensure startup and subcritical accidents, such as the uncontrolled CRA withdrawal, will not violate the assumptions of the accident analysis.

The lower MTC limit must be maintained in MODES 1 and 2 and MODE 3 with any RCS temperature ≥ 200 °F, to ensure that cooldown accidents will not violate the assumptions of the accident analysis.


In MODE 3 with all RCS temperatures < 200 °F and in MODES 4 and 5, this LCO is not applicable because no Design Basis Accidents (DBAs) using the MTC as an analysis assumption are initiated from these conditions.

ACTIONS

A.1

MTC is a function of the fuel and fuel cycle designs, and cannot be controlled directly once the designs have been implemented in the core. If MTC exceeds its limits, the reactor must be placed in MODE 2. This eliminates the potential for violation of the accident analysis bounds. The associated Completion Time of 6 hours is reasonable, considering the probability of an accident occurring during the time period that would require an MTC value within the LCO limits, and the time for reaching MODE 2 from full power conditions in an orderly manner.

B.1

Operating outside the lower MTC limit means the safety analysis assumptions for the EOC accidents that use a bounding negative MTC value may be invalid. If the lower MTC limit is exceeded, the unit must be placed in a MODE or condition in which the LCO requirements are not applicable. In addition to Required Action A.1, Required Action B.1 also requires the unit to be in MODE 3 with all RCS temperatures < 200 °F within 48 hours.

The allowed Completion Time is a reasonable time based on the activities needed to reach the required MODE from full power operation in an orderly manner.

SURVEILLANCE REQUIREMENTS

SR 3.1.3.1 and SR 3.1.3.2

The SRs for measurement of the MTC at the beginning and two-thirds of each fuel cycle provide for confirmation of the limiting MTC values.

The MTC changes smoothly from least negative to most negative value during fuel cycle operation, as the RCS boron concentration is reduced to compensate for fuel depletion.

The requirement for measurement prior to operation > 5% RTP satisfies the confirmatory check on the upper MTC value.

The requirement for measurement, within 7 effective full power days (EFPDs) after reaching a core burnup of 40 EFPDs from core beginning of cycle (BOC) and again within 7 EFPDs after reaching two-thirds core burnup from core BOC, satisfies the confirmatory check of the lower MTC value. The measurement is performed at any power level so that the projected EOC MTC may be evaluated before the reactor actually reaches the EOC condition. MTC values may be extrapolated and compensated to permit direct comparison to the specified MTC limits.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 11.
2. FSAR, Chapter 15.

B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.4 Rod Group Alignment Limits

BASES

BACKGROUND

The OPERABILITY (i.e., trippability) of the shutdown and regulating control rod assemblies (CRAs) is an initial assumption in all safety analyses that assume CRA insertion upon reactor trip. Maximum CRA misalignment is an initial assumption in the safety analysis that directly affects core power distributions and assumptions of available shutdown margin (SDM).

The applicable criteria for these reactivity and power distribution design requirements are 10 CFR 50, Appendix A, GDC 10, Reactor Design, and GDC 26, Reactivity Control System Redundancy and Capability (Ref. 1), and 10 CFR 50.46, Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Plants (Ref. 2).

Mechanical or electrical failures may cause a CRA to become inoperable or to become misaligned from its group. CRA inoperability or misalignment may cause increased power peaking, due to the asymmetric reactivity distribution and a reduction in the total available CRA worth for reactor shutdown. Therefore, CRA alignment and OPERABILITY are related to core operation in design power peaking limits and the core design requirement of a minimum SDM.

Sixteen CRAs are arranged in four symmetrical groups. There are two shutdown bank groups of four CRAs each and two regulating bank groups of four CRAs each.

Limits on CRA alignment and OPERABILITY have been established, and CRA positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved.

CRAs are moved by their control rod drive mechanisms (CRDMs). Each CRDM moves its CRA one step (approximately 3/8 inch) at a time. The CRAs are arranged into groups that are radially symmetric. Therefore, movement of the CRAs by group does not introduce radial asymmetries in the core power distribution. The shutdown and regulating CRAs provide the required reactivity worth for immediate reactor shutdown upon a reactor trip. The regulating bank CRAs also provide power level control during normal operation and transients. Their movement may be automatically controlled by the reactivity control systems.

The axial position of shutdown and regulating group CRAs is indicated by two separate and independent rod position indication systems.

APPLICABLE SAFETY ANALYSES

CRA misalignment accidents are analyzed in the safety analysis (Ref. 3). The accident analysis defines CRA misoperation as any event with the single failure of a safety-related component and multiple failures of non-safety related controls. The acceptance criteria for addressing CRA inoperability or misalignment are that:

a. With the most reactive CRA stuck out of the core there will be no violations of either:
1. Specified acceptable fuel design limits (SAFDLs); or
2. Reactor Coolant System (RCS) pressure boundary integrity; and
b. The core must remain subcritical after design basis events with all CRAs fully inserted.

Accident and transient analyses associated with CRA misalignment, static and dynamic, account for misalignment of 6 steps at the initiation of the event. The results of the CRA misoperation analysis show that during the most limiting misoperation events, no violations of the SAFDLs, or the SLs on critical heat flux ratio, fuel centerline temperature, or pressurizer pressure occur.

CRA alignment limits and OPERABILITY requirements satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO

The limits on shutdown and regulating CRA alignments ensure that the assumptions in the safety analysis will remain valid. The requirements on CRA OPERABILITY ensure that upon reactor trip, the CRAs will be available and will be inserted to provide enough negative reactivity to shut down the reactor. The CRA OPERABILITY requirements (i.e., trippability) are separate from alignment requirements which ensure that the CRA groups maintain the correct power distribution and CRA alignment. The CRA OPERABILITY requirement is satisfied provided the CRA will fully insert in the required CRA drop time assumed in the safety analysis. CRA control malfunctions that result in the inability to move a CRA (e.g., CRA rod lift coil failures), but do not impact trippability, do not result in CRA inoperability.

The requirement is to maintain the CRA alignment to within 6 steps between any CRA and its group position. Failure to meet the requirements of this LCO may produce unacceptable power peaking factors, or unacceptable SDMs, both of which may constitute initial conditions inconsistent with the safety analysis.

APPLICABILITY

The requirements on CRA OPERABILITY and alignment are applicable in MODE 1 because this is the only MODE in which neutron (or fission) power is generated, and the OPERABILITY (i.e., trippability) and alignment of CRAs have the potential to affect the safety of the unit. In MODES 2, 3, 4, and 5, the alignment limits do not apply because the CRAs are bottomed, and the reactor is shut down and not producing fission power. In the shutdown MODES, the OPERABILITY of the shutdown and regulating CRAs has the potential to affect the required SDM, but this effect can be compensated for by an increase in the boron concentration of the RCS. See LCO 3.1.1, "SHUTDOWN MARGIN (SDM)," for SDM in MODE 1 with keff < 1.0, MODES 2, 3, and 4 and LCO 3.5.3, "Ultimate Heat Sink," in MODE 5, for boron concentration requirements during refueling.

ACTIONS

A.1.1 and A.1.2

When one or more CRAs are inoperable (i.e., untrippable), there is a possibility that the required SDM may be adversely affected. Under these conditions, it is important to determine the SDM, and if it is less than the required value, initiate boration until the required SDM is recovered.

When a CRA(s) becomes misaligned, it can usually be moved and is still trippable. If the CRA can be realigned within the Completion Time of 1 hour, local xenon redistribution during this short interval will not be significant, and operation may proceed without further restriction. An alternative to realigning a single misaligned CRA to the group average position is to align the remainder of the group to the position of the misaligned CRA. However, this must be done without violating the group sequence, overlap, and insertion limits specified in LCO 3.1.5, "Shutdown Bank Insertion Limits," and LCO 3.1.6, "Regulating Bank Insertion Limits." The Completion Time of 1 hour is adequate for determining SDM and, if necessary, for initiating boration and restoring SDM.

In this situation, SDM verification must include the worth of any untrippable CRA, in addition to the CRA of maximum worth.

A.2

When Required Actions cannot be completed within their Completion Time, the unit must be brought to a MODE or Condition in which the LCO requirements are not applicable. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours, which obviates concerns about the development of undesirable xenon and power distributions. The allowed Completion Time of 6 hours is reasonable, based on operating experience, for reaching MODE 2 from full power conditions in an orderly manner.

SURVEILLANCE REQUIREMENTS

SR 3.1.4.1

Verification that the position of individual rods is within alignment limits allows the operator to detect that a rod is beginning to deviate from its expected position.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The SR is modified by a Note that permits it not to be performed for rods associated with an inoperable rod position indicator. The alignment limit is based on the rod position indicator, which is not available if the indicator is inoperable. LCO 3.1.7, "Rod Position Indication," provides Actions to verify the rods are in alignment when one or more rod position indicators are inoperable.
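The alignment verification described for SR 3.1.4.1 can be sketched as follows; this is an added illustration, not code from the NuScale document or from any plant system. It applies the 6-step limit from the LCO and the Note about inoperable indicators, and it assumes that "group position" means a per-group demanded step position; the group names, rod identifiers and step values are constructed sample data.

```python
"""Added illustration of an SR 3.1.4.1-style alignment check; not plant software."""
from dataclasses import dataclass
from typing import Optional

ALIGNMENT_LIMIT_STEPS = 6   # LCO: each CRA within 6 steps of its group position
STEP_INCHES = 3 / 8         # one CRDM step is approximately 3/8 inch


@dataclass(frozen=True)
class RodReading:
    rod_id: str                     # hypothetical identifier, e.g. "RE1-3"
    group: str                      # hypothetical group name, e.g. "RE1"
    indicated_steps: Optional[int]  # None: rod position indicator inoperable


def check_alignment(readings, group_positions, limit=ALIGNMENT_LIMIT_STEPS):
    """Compare each rod's indicated position with its group position.

    Returns (misaligned, not_checked):
      misaligned  -- {rod_id: (deviation_steps, deviation_inches)} for rods
                     more than `limit` steps from their group position
      not_checked -- sorted rod_ids skipped because the indicator is
                     inoperable (the SR Note; LCO 3.1.7 Actions apply instead)
    """
    misaligned, not_checked = {}, []
    for r in readings:
        if r.group not in group_positions:
            raise ValueError(f"{r.rod_id}: no group position for {r.group!r}")
        if r.indicated_steps is None:
            not_checked.append(r.rod_id)
            continue
        deviation = r.indicated_steps - group_positions[r.group]
        # "within 6 steps" is inclusive: exactly 6 steps off still meets the limit
        if abs(deviation) > limit:
            misaligned[r.rod_id] = (deviation, deviation * STEP_INCHES)
    return misaligned, sorted(not_checked)


def constructed_sample():
    """Sixteen CRAs in four groups of four; all values are constructed."""
    group_positions = {"SD1": 220, "SD2": 220, "RE1": 150, "RE2": 150}
    overrides = {
        "RE1-3": 143,   # 7 steps low: outside the limit
        "RE2-1": 156,   # 6 steps high: at the limit, still within it
        "SD2-4": None,  # indicator inoperable: not checked by this SR
    }
    readings = []
    for group, position in group_positions.items():
        for n in range(1, 5):
            rod_id = f"{group}-{n}"
            readings.append(RodReading(rod_id, group, overrides.get(rod_id, position)))
    return readings, group_positions


if __name__ == "__main__":
    sample_readings, sample_positions = constructed_sample()
    bad, skipped = check_alignment(sample_readings, sample_positions)
    for rod_id, (steps, inches) in bad.items():
        print(f"{rod_id}: {steps:+d} steps ({inches:+.3f} in) from group position")
    print("not checked (indicator inoperable):", ", ".join(skipped))
```
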

SR 3.1.4.2

Verifying each CRA is OPERABLE would require that each CRA be tripped. In MODE 1, tripping each full length CRA would result in radial or axial power tilts, or oscillations. Exercising each individual CRA provides increased confidence that all CRAs continue to be OPERABLE without exceeding the alignment limit, even if they are not regularly tripped. Moving each control rod by 4 steps will not cause significant radial or axial power tilts, or oscillations, to occur.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Between required performances of SR 3.1.4.2, if a CRA(s) is discovered to be immovable, but remains trippable, the CRA(s) is considered to be OPERABLE. At any time, if a CRA(s) is immovable, a determination of the trippability of the CRA(s) must be made, and appropriate action taken.

SR 3.1.4.3

Verification of CRA drop times determines that the maximum CRA drop time permitted is consistent with the assumed drop time used in the safety analysis (Ref. 3). Measuring drop times prior to reactor criticality, after removal of the upper reactor pressure vessel section, ensures the reactor internals and CRDM will not interfere with CRA motion or drop time, and that no degradation in these systems has occurred that would adversely affect CRA motion or drop time. Individual CRAs whose drop times are greater than safety analysis assumptions are not OPERABLE.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 10 and GDC 26.
2. 10 CFR 50.46.
3. FSAR, Chapter 15.

B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.5 Shutdown Bank Insertion Limits

BASES

BACKGROUND

The insertion limits of the shutdown bank control rod assemblies (CRAs) are initial assumptions in all safety analyses that assume shutdown bank CRA insertion upon reactor trip. The insertion limits directly affect core power distributions and assumptions of available shutdown margin (SDM), ejected CRA worth, and initial reactivity insertion rate.

The applicable criteria for these reactivity and power distribution design requirements are 10 CFR 50, Appendix A, GDC 10, "Reactor Design," and GDC 26, "Reactivity Limits" (Ref. 1), and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 2). Limits on shutdown bank CRA insertion have been established, and all shutdown bank CRA positions are monitored and controlled during power operation to ensure that the reactivity limits, ejected CRA worth, and SDM limits are preserved.

The 16 CRAs are divided among the two regulating bank groups and two shutdown bank groups, with each group consisting of four CRAs in radially symmetric core locations. The shutdown bank CRAs are normally moved together as a group. Therefore, movement of a group of shutdown bank CRAs does not introduce radial asymmetries in the core power distribution. The shutdown bank and regulating bank CRAs provide the required reactivity worth for immediate reactor shutdown upon a reactor trip.

The design calculations are performed with the assumption that CRAs of the shutdown bank are withdrawn prior to the CRAs in the regulating bank. The CRAs of the shutdown bank can be fully withdrawn without the core going critical. This provides available negative reactivity for SDM in the event of unintended reduction of the RCS boron concentration. The shutdown bank CRAs are controlled manually by the control room operator. During normal unit operation, the shutdown bank CRAs are fully withdrawn. The shutdown bank CRAs must be completely withdrawn from the core prior to withdrawing regulating bank CRAs during an approach to criticality.

The shutdown bank CRAs are then left in the fully withdrawn position until the reactor is shut down. The eight CRAs of the shutdown bank add negative reactivity to shut down the reactor upon receipt of a reactor trip signal.

APPLICABLE SAFETY ANALYSES

On a reactor trip, all CRAs (eight CRAs in two shutdown bank groups and eight CRAs in two regulating bank groups), except the most reactive CRA, are assumed to insert into the core. The shutdown bank and regulating bank CRAs shall be at or above their insertion limits and available to insert the maximum amount of negative reactivity on a reactor trip signal. The regulating bank CRAs may be partially inserted in the core as allowed by LCO 3.1.6, "Regulating Bank Insertion Limits." The shutdown and regulating bank insertion limits are established to ensure that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM (see LCO 3.1.1, "SHUTDOWN MARGIN (SDM)") following a reactor trip from full power. The combination of regulating and shutdown bank CRAs (less the most reactive CRA, which is assumed to be fully withdrawn) is sufficient to take the reactor from full power conditions at rated temperature to zero power, and to maintain the required SDM at rated no load temperature (Ref. 3). The CRA shutdown bank insertion limits also ensure that the reactivity worth of an ejected shutdown CRA is within safety analysis assumptions.

The acceptance criteria for addressing CRA shutdown bank and regulating bank insertion limits and CRA inoperability or misalignment are that:

a. With the most reactive CRA stuck out there will be no violation of either:
1. Specified acceptable fuel design limits; or
2. Reactor Coolant System pressure boundary integrity; and
b. The core remains subcritical after design basis events with all CRAs fully inserted.

The CRA shutdown bank insertion limits satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO The CRA shutdown bank must be within insertion limits any time the reactor is critical or approaching criticality. This ensures that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM following a reactor trip.

The CRA shutdown bank insertion limits are specified in the COLR.

APPLICABILITY

The CRA shutdown bank must be within insertion limits, with the reactor in MODE 1. This ensures that a sufficient amount of negative reactivity is available to shut down the reactor and maintain the required SDM following a reactor trip. In MODES 2, 3, and 4, the shutdown bank CRAs are fully inserted in the core and contribute to the SDM. Refer to LCO 3.1.1, "SHUTDOWN MARGIN (SDM)," for SDM requirements in MODES 2, 3, and 4. LCO 3.5.3, "Ultimate Heat Sink," ensures adequate SDM in MODES 4 and 5.

The Applicability is modified by a Note indicating the LCO requirement is not applicable while performing SR 3.1.4.2. This Note permits exceeding the CRA shutdown bank insertion limits while inserting each CRA in the bank in accordance with SR 3.1.4.2. This Surveillance verifies the freedom of the CRAs to move, and may require a shutdown bank group to move below the insertion limits specified in the COLR, which would normally violate the LCO. This Note applies to each CRA shutdown bank group as the group is moved below the insertion limit to perform the Surveillance. This Note is not applicable should a malfunction stop performance of the Surveillance. Note that the CRA group alignment limits of LCO 3.1.4 remain applicable to the CRAs in the shutdown bank group being exercised while performing this Surveillance.

ACTIONS

A.1.1, A.1.2, and A.2

When one or more CRA shutdown bank groups is not within insertion limits, 2 hours are allowed to restore the CRA shutdown bank groups to within insertion limits. This is necessary because the available SDM may be significantly reduced with CRA shutdown bank groups not within their insertion limits. Also, verification of the SDM or initiation of boration within 1 hour is required, since the SDM in MODE 1 is continuously monitored and adhered to, in part, by the CRA regulating and shutdown bank insertion limits (see LCO 3.1.1).

The allowed Completion Time of 2 hours provides an acceptable time for evaluating and repairing minor problems without allowing the unit to remain in an unacceptable condition for an extended period of time.

B.1

If the CRA shutdown bank groups cannot be restored to within their insertion limits within two hours, the unit must be brought to a MODE where the LCO is not applicable. The allowed Completion Time of 6 hours is reasonable for reaching the required MODE from full power conditions in an orderly manner.

SURVEILLANCE REQUIREMENTS

SR 3.1.5.1

Verification that the CRAs of each shutdown bank group are within insertion limits prior to an approach to criticality ensures that when the reactor is critical, or being taken critical, the shutdown bank groups will be available to shut down the reactor, and the required SDM will be maintained following a reactor trip. This SR and Frequency ensure that the CRA shutdown bank groups are withdrawn before the CRA regulating bank groups are withdrawn during a unit startup.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 10 and GDC 26.
2. 10 CFR 50.46.
3. FSAR, Chapter 15.

B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.6 Regulating Bank Insertion Limits

BASES

BACKGROUND

The insertion limits of the regulating bank control rod assemblies (CRAs) are initial assumptions in the safety analyses that assume rod insertion upon reactor trip. The insertion limits directly affect core power and fuel burnup distributions, assumptions of available SDM, and initial reactivity insertion rate.

The applicable criteria for these reactivity and power distribution design requirements are 10 CFR 50, Appendix A, GDC 10, Reactor Design, GDC 26, Reactivity Control System Redundancy and Protection, GDC 28, Reactivity Limits (Ref. 1) and 10 CFR 50.46, Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors (Ref. 2). Limits on CRA regulating bank group insertion have been established, and all regulating bank group CRA positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking, ejected CRA worth, and SDM limits are preserved.

The 16 CRAs are divided among two regulating bank groups and two shutdown bank groups, with each group consisting of four CRAs in radially symmetric core locations. The regulating bank consists of two groups of four CRAs that are electrically paralleled to step simultaneously. See LCO 3.1.4, Rod Group Alignment Limits, for regulating and shutdown CRA OPERABILITY and alignment requirements, and LCO 3.1.7, Rod Position Indication, for CRA position indication requirements.

The regulating bank group insertion limits are specified in the COLR.

Each CRA of a regulating bank group is required to be at or above its regulating bank group insertion limits, as well as within its CRA group alignment limits.

The CRA regulating bank groups are used for precise reactivity control of the reactor. The positions of the CRAs in a regulating bank group are normally controlled automatically by the Module Control System (MCS) together as a group of four CRAs; a regulating bank group's CRAs can also be manually controlled both individually and as a group. The CRA regulating bank groups are capable of changing core reactivity very quickly (compared to borating or diluting).

The power density at any point in the core must be limited so that the fuel design criteria are maintained. Together, LCO 3.1.4, Rod Group Alignment Limits, LCO 3.1.5, Shutdown Bank Insertion Limits, LCO 3.1.6, Regulating Bank Insertion Limits, LCO 3.2.1, Enthalpy Rise Hot Channel Factor (FΔH), and LCO 3.2.2, AXIAL OFFSET (AO) provide limits on control component operation and on monitored process variables which ensure that the core operates within the fuel design criteria.

The shutdown and regulating bank insertion and alignment limits and power distribution limits are process variables that together characterize and control the three dimensional power distribution of the reactor core. Additionally, the regulating bank insertion limits control the reactivity that could be added in the event of a rod ejection accident, and the shutdown and regulating bank insertion limits assure the required SDM is maintained.

Operation within the subject LCO limits will prevent fuel cladding failures that would breach the primary fission product barrier and release fission products to the reactor coolant in the event of a loss of coolant accident (LOCA), loss of flow, ejected CRA, or other accident requiring termination by a Reactor Trip System (RTS) trip function.

APPLICABLE SAFETY ANALYSES

The regulating bank insertion limits, FΔH, and AO LCOs are required to prevent power distributions that could result in fuel cladding failures in the event of a LOCA, loss of flow, ejected CRA, or other accident requiring termination by an RTS trip function.

The acceptance criteria for addressing shutdown and regulating bank group insertion limits and inoperability or misalignment are that:

a. With the most reactive CRA stuck out there will be no violations of either:
1. specified acceptable fuel design limits; or
2. Reactor Coolant System (RCS) pressure boundary integrity; and
b. The core remains subcritical after design basis events with all CRAs fully inserted.


As such, the CRA shutdown and regulating bank insertion limits affect safety analysis involving core reactivity and power distributions (Ref. 3).

The SDM requirement is ensured by limiting the shutdown and regulating bank insertion limits so that allowable inserted worth of the CRAs is such that sufficient reactivity is available in the CRAs to shut down the reactor to hot zero power with a reactivity margin which assumes the maximum worth CRA remains fully withdrawn upon trip (Ref. 3).

Operation at the insertion limits or AO limits may approach the maximum allowable linear heat generation rate or peaking factor.

Operation at the insertion limit may also indicate the maximum ejected CRA worth could be equal to the limiting value in fuel cycles that have sufficiently high ejected CRA worth.

The shutdown and regulating bank insertion limits ensure that safety analyses assumptions for SDM, ejected rod worth, and power distribution peaking factors are preserved (Ref. 3).

The insertion limits satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii) in that they are initial conditions assumed in the safety analysis.

LCO

The limits on regulating bank physical insertion, as defined in the COLR, must be maintained because they serve the function of preserving power distribution, ensuring that the SDM is maintained, ensuring that ejected CRA worth is maintained, and ensuring adequate negative reactivity insertion is available on trip.

APPLICABILITY

The regulating bank physical insertion limits shall be maintained with the reactor in MODE 1 when keff is ≥ 1.0. These limits must be maintained since they preserve the assumed power distribution, ejected CRA worth, SDM, and reactivity insertion rate assumptions.

Applicability in MODE 1 with keff < 1.0, and MODES 2, 3, 4, and 5 is not required, since neither the power distribution nor ejected CRA worth assumptions would be exceeded in these MODES.

The Applicability is modified by a Note indicating the LCO requirement is not applicable to CRA groups being inserted while performing SR 3.1.4.2. This SR verifies the freedom of the CRAs to move, and may require the regulating bank group to move below the LCO limits, which would normally violate the LCO. This Note applies to each regulating bank group as it is moved below the insertion limit to perform the SR. This Note is not applicable should a malfunction stop performance of the SR.

ACTIONS

A.1.1, A.1.2, and A.2

When one or more regulating bank groups is not within insertion limits, they must be restored to within those limits. This restoration can occur in two ways:

a. Reduce power to be consistent with CRA regulating bank group positions; or
b. Move CRA regulating bank groups to be consistent with power.

Also, verification of SDM or initiation of boration to regain SDM is required within 1 hour, since the SDM in MODE 1 with keff ≥ 1.0, which is normally ensured by adhering to the regulating and shutdown bank insertion limits (see LCO 3.1.1, "Shutdown Margin (SDM)"), has been upset.

The allowed Completion Time of 2 hours for restoring the regulating bank groups to within insertion limits provides an acceptable time for evaluating and repairing minor problems without allowing the unit to remain outside the insertion limits for an extended period of time.

B.1

If the CRA regulating bank groups cannot be restored to within their insertion limits within two hours, the unit must be brought to a MODE where the LCO is not applicable. The allowed Completion Time of 6 hours is reasonable for reaching the required MODE from full power conditions in an orderly manner.

SURVEILLANCE REQUIREMENTS

SR 3.1.6.1

Verification of the regulating bank insertion limits is sufficient to detect regulating bank groups that may be approaching the insertion limits.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 10, GDC 26, and GDC 28.
2. 10 CFR 50.46.
3. FSAR, Chapter 15.

B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.7 Rod Position Indication

BASES

BACKGROUND

According to GDC 13 (Ref. 1), instrumentation to monitor variables and systems over their operating ranges during normal operation, anticipated operational occurrences (AOOs), and accident conditions must be OPERABLE. LCO 3.1.7 is required to ensure OPERABILITY of the control rod position indicators to determine control rod positions and thereby ensure compliance with the control rod alignment and power-dependent insertion limits (PDIL).

The OPERABILITY, including position indication, of the shutdown and regulating bank control rod assemblies (CRAs) is an initial assumption in the safety analyses that assume CRA insertion upon reactor trip.

Maximum CRA misalignment is an initial assumption in the CRA misalignment safety analysis that directly affects core power distributions and assumptions of available shutdown margin (SDM).

CRA position indication is required to assess OPERABILITY and misalignment.

Mechanical or electrical failures may cause a CRA to become inoperable or to become misaligned from its group. CRA inoperability or misalignment may cause increased power peaking due to the asymmetric reactivity distribution and a reduction in the total available CRA worth for reactor shutdown. Therefore, CRA alignment and OPERABILITY are related to core operation in design power peaking limits and the core design requirement of a minimum SDM.

Limits on CRA alignment and OPERABILITY have been established, and CRA positions are monitored and controlled during power operation to aid compliance with the power distribution and reactivity limits defined by the design power peaking and SDM limits.

Sixteen CRAs are arranged in four symmetrical groups: two shutdown bank groups of four CRAs each and two regulating bank groups of four CRAs each.

CRAs are moved out of the core (up or withdrawn) or into the core (down or inserted) by their control rod drive mechanisms (CRDMs).

The CRAs are divided among the regulating bank groups and shutdown bank groups.


The axial position of shutdown bank CRAs and regulating bank CRAs is determined by two separate and independent means: the Counter Position Indicators (CPIs) (commonly called bank step counters) and the Rod Position Indicators (RPIs).

The CPI counts the commands sent to the CRDM gripper coils from the Control Rod Drive System (CRDS) that moves the CRAs. There is one step counter for each CRDM. The CRA CPI is considered highly precise (+/- 1 step or +/- 3/8 inch). If a CRA does not move one step for each command signal, the step counter will still count the command and incorrectly reflect the position of the CRA.

The RPI function of the CRDS provides a highly accurate indication of actual CRA position, but at a lower precision than the step counters.

This system is based on inductive analog signals from a series of coils spaced along a hollow tube with a center to center distance of 1.125 inches, which is equivalent to 3 steps. To increase the reliability of the RPI system, the inductive coils of a CRA's two RPI channels are alternately connected to two separate data systems. Each RPI channel is associated with just one of the data systems. Thus, if one system fails, the RPI will go on half accuracy with an effective coil spacing of 2.25 inches, which is 6 steps. Therefore, the normal indication accuracy of the RPIs is +/- 3 steps (+/- 1.125 inches), and the accuracy with one channel of RPI out-of-service is +/- 6 steps (+/- 2.25 inches).

APPLICABLE SAFETY ANALYSES

The regulating and shutdown bank groups CRA position accuracy is essential during power operation. Power peaking, ejected CRA worth, or SDM limits may be violated in the event of a Design Basis Accident (Ref. 2), with regulating or shutdown bank CRAs operating outside their limits undetected. Therefore, the acceptance criteria for CRA position indication is that CRA positions must be known with sufficient accuracy in order to verify the core is operating within the group sequence, overlap, design peaking limits, ejected CRA worth, and within minimum SDM (LCO 3.1.5, Shutdown Bank Insertion Limits, LCO 3.1.6, Regulating Bank Insertion Limits). The CRA positions must also be known in order to verify the alignment limits are preserved (LCO 3.1.4, Rod Group Alignment Limits). CRA positions are continuously monitored to provide operators with information that assures the unit is operating within the bounds of the accident analysis assumptions.


The CRA position indicator channels satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii). The control rod position indicators monitor CRA position, which is an initial condition of the accident.

LCO

LCO 3.1.7 specifies that the RPIs and the CPI be OPERABLE for each CRA. For the CRA position indicators to be OPERABLE, the SR of the LCO and the following must be met:

a. The RPI indicates within 6 steps of the CRA counter position indicator as required by LCO 3.1.4, Rod Group Alignment Limits;
b. For the RPIs there are no failed coils; and
c. The CPI has been calibrated either in the fully inserted position or to the RPI System.

The 6 step agreement limit between the RPIs and the CPI indicates that the RPI is adequately calibrated and can be used for indication of the measurement of CRA position.
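The cross-check between the two indications described in the Background (command-counting CPI, coil-based RPI) and the 6 step agreement limit in item a above can be worked through numerically. The Python sketch below is an added illustration and is not part of the NuScale Bases; the rule that the RPI reads the highest coil at or below the rod tip, the behaviour of a failed step, and all function names are assumptions made for the example.

```python
"""Added illustration: CPI vs RPI cross-check per the LCO 3.1.7 Bases.

Modelling assumptions (not from the Bases): the RPI reads the highest
coil at or below the rod tip, and a failed gripper step leaves the CRA
where it was while the CPI still counts the command.
"""
from dataclasses import dataclass

STEP_INCHES = 3 / 8          # one CRDM step (Bases: +/- 1 step = +/- 3/8 inch)
COIL_PITCH_STEPS = 3         # 1.125 inch coil spacing = 3 steps
AGREEMENT_LIMIT_STEPS = 6    # RPI must indicate within 6 steps of the CPI


def rpi_pitch(channels_in_service: int) -> int:
    """Effective coil spacing in steps: 3 with both channels, 6 with one."""
    if channels_in_service == 2:
        return COIL_PITCH_STEPS
    if channels_in_service == 1:
        return 2 * COIL_PITCH_STEPS      # alternate coils lost: 2.25 inches
    raise ValueError("no RPI channel in service")


def rpi_indication(true_steps: int, channels_in_service: int = 2) -> int:
    """Indicated position: true position quantised down to the coil grid."""
    pitch = rpi_pitch(channels_in_service)
    return (true_steps // pitch) * pitch


@dataclass(frozen=True)
class Reading:
    cpi: int           # commands counted by the step counter
    true_steps: int    # where the CRA actually is (unknown to the plant)
    rpi: int           # what the coil stack reports

    @property
    def deviation(self) -> int:
        return abs(self.cpi - self.rpi)

    @property
    def agrees(self) -> bool:
        return self.deviation <= AGREEMENT_LIMIT_STEPS


def withdraw(commands: int, slipped=frozenset(), channels_in_service: int = 2):
    """Issue `commands` withdraw steps from step 0.

    `slipped` holds the command numbers on which the CRA fails to move.
    """
    readings, true_steps = [], 0
    for n in range(1, commands + 1):
        if n not in slipped:
            true_steps += 1
        rpi = rpi_indication(true_steps, channels_in_service)
        readings.append(Reading(cpi=n, true_steps=true_steps, rpi=rpi))
    return readings


def first_disagreement(readings):
    """First reading where RPI and CPI differ by more than 6 steps."""
    for reading in readings:
        if not reading.agrees:
            return reading
    return None


if __name__ == "__main__":
    # Constructed scenario: the CRA sticks at step 23 while commands continue.
    stuck = frozenset(range(24, 61))
    for channels in (2, 1):
        hit = first_disagreement(withdraw(60, stuck, channels))
        print(f"{channels} channel(s): flagged at CPI={hit.cpi}, "
              f"RPI={hit.rpi}, actual={hit.true_steps} "
              f"({hit.true_steps * STEP_INCHES:.3f} in)")
```

In this model a healthy CRA never trips the check in either configuration, because quantisation alone accounts for at most 2 steps (two channels) or 5 steps (one channel) of deviation. A stuck CRA is flagged only after the CPI has run several steps ahead, and how many depends on where the rod sits relative to the coil grid.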

A deviation of less than the allowable limit given in LCO 3.1.4 in position indication for a single CRA ensures high confidence that the position uncertainty of the corresponding CRA group is within the assumed values used in the analysis (that specified CRA bank insertion limits).

These requirements provide adequate assurance that CRA position indication during power operation and PHYSICS TESTS is accurate, and that design assumptions are not challenged.

OPERABILITY of the position indicator channels ensures that inoperable, misaligned, or mispositioned CRAs can be detected.

Therefore, power peaking, ejected CRA worth, and SDM can be controlled within acceptable limits.

APPLICABILITY

The requirements on the RPI and step counters are only applicable in MODE 1 (consistent with LCOs 3.1.4, 3.1.5, and 3.1.6), because this is the only MODE in which power is generated, and the OPERABILITY and alignment of CRAs have the potential to affect the safety of the unit.

In the shutdown MODES, the OPERABILITY of the shutdown and regulating banks has the potential to affect the required SDM, but this effect can be compensated for by an increase in the boron concentration of the Reactor Coolant System (RCS).


ACTIONS

The ACTIONS table is modified by a Note indicating that a separate Condition entry is allowed for each CPI and each RPI indicator. This is acceptable because the Required Actions for each Condition provide appropriate compensatory actions for each inoperable position indicator.

A.1

When one channel of RPI sensors per CRDM fails, the position of the CRA can still be determined by use of the in-core instrumentation system. Normal power operation does not require excessive movement of groups. If a group has been significantly moved, the Actions of B.1 or B.2 below are required. Therefore, verification of CRA position within the Completion Time of 8 hours is adequate to allow continued full power operation, since the probability of simultaneously having a CRA significantly out of position and an event sensitive to that CRA position is small.

B.1, B.2, and B.3

When more than one channel of RPI sensors per CRA fails, additional actions are necessary to ensure that acceptable power distribution limits are maintained, minimum SDM is maintained, and the potential effects of CRA misalignment on associated accident analyses are limited. Placing the rod control function in manual mode ensures unplanned CRA motion will not occur. Together with the position determination available via the in-core instrumentation system, this will minimize the potential for CRA misalignment. The immediate Completion Time for placing the Rod Control function in manual mode reflects the urgency with which unplanned rod motion must be prevented while in this Condition.

The position of the CRAs may be determined indirectly by use of the in-core instrumentation system neutron detectors. Plant procedures define the required number and locations of in-core neutron detectors that must function to permit evaluation of the CRA position.

Verification of CRA position once per 8 hours is adequate for allowing continued full power operation for a limited, 24 hour period, since the probability of simultaneously having a CRA significantly out of position and an event sensitive to that CRA position is small. The 24 hour Completion Time provides sufficient time to troubleshoot and restore the RPI system to operation while avoiding the plant challenges associated with the shutdown without full CRA position indication.


Based on industry experience, normal power operation does not require excessive CRA movement. If one or more CRAs has been significantly moved, the Required Action of C.1 below is required.

C.1

The Required Action clarifies that when one or more CRAs with inoperable position indicators have been moved in excess of 6 steps in one direction since the position was last determined, the Required Actions of A.1 or B.1 are still appropriate but must be initiated promptly under Required Action C.1 to begin verifying that these CRAs are still properly positioned relative to their group positions.

D.1 and D.2

With one counter position indicator per group inoperable, the CRA positions can be determined by the RPI System. Since normal full power operation does not require excessive movement of CRAs, verification by administrative means that the CRDS position indicators are OPERABLE and the most withdrawn CRA and the least withdrawn CRA are 6 steps apart within the allowed Completion Time of once every 8 hours is adequate.

E.1

If a Required Action of Condition A, B, C, or D cannot be completed within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours. The allowed Completion Time is based on reaching the required MODE from full power conditions in an orderly manner.

SURVEILLANCE REQUIREMENTS

SR 3.1.7.1

Verification that each RPI channel agrees within 6 steps of the counter position indication provides assurance that the RPI channel is operating correctly.

This surveillance is performed prior to reactor criticality after coupling of a CRA to the associated CRDM for one or more CRAs, as there is the potential for unnecessary unit transients if the SR were performed with the reactor critical.


REFERENCES

1. 10 CFR 50, Appendix A, GDC 13.

2. FSAR, Chapter 15.


B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.8 PHYSICS TEST Exceptions

BASES

BACKGROUND

The primary purpose of the PHYSICS TESTS exceptions is to permit relaxations of existing LCOs to allow certain PHYSICS TESTS to be performed.

Section XI of 10 CFR 50, Appendix B, (Ref. 1) requires that a test program be established to ensure that structures, systems, and components will perform satisfactorily in service. All functions necessary to ensure that the specified design conditions are not exceeded during normal operation and anticipated operational occurrences must be tested. This testing is an integral part of the design, construction, and operation of the plant. Requirements for notification of the NRC, for the purpose of conducting tests and experiments, are specified in 10 CFR 50.59 (Ref. 2).

The key objectives of a test program are to (Ref. 3):

a. Ensure that the facility has been adequately designed;
b. Validate the analytical models used in the design and analysis;
c. Verify the assumptions used to predict unit response;
d. Ensure that installation of equipment in the facility has been accomplished in accordance with the design; and
e. Verify that the operating and emergency procedures are adequate.

To accomplish these objectives, testing is performed prior to initial criticality, during startup, during low power operations, during power ascension, at high power and after each refueling. The PHYSICS TEST requirements for reload fuel cycles ensure that the operating characteristics of the core are consistent with the design predictions and that the core can be operated as designed (Ref. 4).

PHYSICS TEST procedures are written and approved in accordance with established formats. The procedures include information necessary to permit a detailed execution of the testing required, to ensure that the design intent is met. PHYSICS TESTS are performed in accordance with these procedures and test results are approved prior to continued power escalation and long-term power operation.


The typical PHYSICS TESTS performed for reload fuel cycles (Ref. 4) in MODE 1 at < 5% RTP are listed below:

a. Critical Boron Concentration - Control Rods Withdrawn;
b. Control Rod Worth; and
c. Isothermal Temperature Coefficient (ITC).

These tests are initiated in MODE 1 at < 5% RTP. These and other supplementary tests may be required to calibrate the nuclear instrumentation or to diagnose operational problems. These tests may cause the operating controls and process variables to deviate from their LCO requirements during their performance.

a. The Critical Boron Concentration - Control Rods Withdrawn Test measures the critical boron concentration at hot zero power (HZP).

With rods out, the lead control group is at or near its fully withdrawn position. HZP is where the core is critical (keff = 1.0), and the Reactor Coolant System (RCS) is at design temperature and pressure for zero power. Performance of this test should not violate any of the referenced LCOs.

b. The Control Rod Worth Test is used to measure the reactivity worth of selected rod groups. This test is performed at HZP and has four alternative methods of performance. The first method, the Boron Exchange Method, varies the reactor coolant boron concentration and moves the selected regulating bank group in response to the changing boron concentration. The reactivity changes are measured with a reactivity computer. This sequence is repeated for the remaining regulating bank group. The second method, the Rod Swap Method, measures the worth of a predetermined reference group using the Boron Exchange Method above. The reference group is then nearly fully inserted into the core. The selected group is then inserted into the core as the reference group is withdrawn. The HZP critical conditions are then determined with the selected group fully inserted into the core. The worth of the selected group is calculated based on the position of the reference group with respect to the selected group. This sequence is repeated as necessary for the remaining groups. The third method, the Boron Endpoint Method, moves the selected regulating bank group over its entire length of travel while varying the reactor coolant boron concentration to maintain HZP criticality.

The difference in boron concentration is the worth of the selected regulating bank group. This sequence is repeated for the remaining groups. The fourth method, Dynamic Rod Worth Measurement (DRWM), moves each group, individually, into the core to determine its worth. The group is dynamically inserted into the core while data is acquired from the excore channel. While the group is being withdrawn, the data is analyzed to determine the worth of the group. This is repeated for each regulating bank and shutdown bank group. Performance of this test will violate LCO 3.1.4, Rod Group Alignment Limits, LCO 3.1.5, Shutdown Bank Insertion Limit, or LCO 3.1.6, Regulating Bank Insertion Limits.

c. The ITC Test measures the ITC of the reactor. This test is performed at HZP. The method is to vary the RCS temperature in a slow and continuous manner. The reactivity change is measured with a reactivity computer as a function of the temperature change.

The ITC is the slope of the reactivity versus the temperature plot.

The test is repeated by reversing the direction of the temperature change and the final ITC is the average of the two calculated ITCs.

Performance of this test should not violate any of the referenced LCOs.

APPLICABLE SAFETY ANALYSES

The fuel is protected by LCOs that preserve the initial conditions of the core assumed during the safety analyses. The methods for development of the LCOs that are excepted by this LCO are described in the [NuScale Reload Safety Evaluation Methodology report] (Ref. 5). The above mentioned PHYSICS TESTS, and other tests that may be required to calibrate nuclear instrumentation or to diagnose operational problems, may require the operating control or process variables to deviate from their LCO limitations.

FSAR Chapter 14 defines requirements for initial testing of the facility, including low power PHYSICS TESTS. FSAR Sections 14.2.10.3 and 14.2.10.4 (Ref. 6) summarize the initial criticality and low power tests.

Requirements for reload fuel cycle PHYSICS TESTS are defined in ANSI/ANS-19.6.1-2011 (Ref. 4). Although these PHYSICS TESTS are generally accomplished within the limits for the LCOs, conditions may occur when one or more LCOs must be suspended to make completion of PHYSICS TESTS possible or practical. This is acceptable as long as the fuel design criteria are not violated. When one or more of the requirements specified in:

LCO 3.1.3, Moderator Temperature Coefficient (MTC);
LCO 3.1.4, Rod Group Alignment Limits;
LCO 3.1.5, Shutdown Bank Insertion Limit; and
LCO 3.1.6, Regulating Bank Insertion Limits

are suspended for PHYSICS TESTS, the fuel design criteria are preserved as long as the power level is limited to 5% RTP and SDM is within the limits provided in the COLR.

PHYSICS TESTS include measurement of core nuclear parameters or the exercise of control components that affect process variables. Also involved are the movable control components (regulating and shutdown CRAs), which are required to shut down the reactor. The limits for these variables are specified for each fuel cycle in the COLR.

As described in LCO 3.0.7, compliance with Test Exception LCOs is optional, and therefore no criteria of 10 CFR 50.36(c)(2)(ii) apply. Test Exception LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCO

This LCO allows the reactor parameters of MTC to be outside their specified limits. In addition, it allows selected regulating and shutdown rods to be positioned outside of their specified alignment and insertion limits. Operation beyond specified limits is permitted for the purpose of performing PHYSICS TESTS and poses no threat to fuel integrity, provided the SRs are met.

The requirements of LCO 3.1.3, LCO 3.1.4, LCO 3.1.5, and LCO 3.1.6 may be suspended during the performance of PHYSICS TESTS provided:

a. SDM is within the limits provided in the COLR; and
b. THERMAL POWER is ≤ 5% RTP.

APPLICABILITY

This LCO is applicable when performing low power PHYSICS TESTS.

The Applicability is stated as "During PHYSICS TESTS initiated in MODE 1." Should the THERMAL POWER exceed 5% RTP, Required Action B.1 requires termination of critical operations by immediately opening the reactor trip breakers.


ACTIONS

A.1 and A.2

If the SDM requirement is not met, boration must be initiated promptly.

A Completion Time of 15 minutes is adequate for an operator to correctly align and start the required systems and components. The operator should begin boration with the best source available for the plant conditions. Boration will be continued until SDM is within limit.

Suspension of PHYSICS TESTS exceptions requires restoration of each of the applicable LCOs to within specification.

B.1

When THERMAL POWER is > 5% RTP, the only acceptable action is to open the reactor trip breakers (RTBs) to prevent operation of the reactor beyond its design limits. Immediately opening the RTBs will shut down the reactor and prevent operation of the reactor outside of its design limits.

SURVEILLANCE REQUIREMENTS

SR 3.1.8.1

Verification that the THERMAL POWER is ≤ 5% RTP will ensure that the unit is not operating in a condition that could invalidate the safety analyses.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.8.2

The SDM is verified by performing a reactivity balance calculation, considering the following reactivity effects:

a. RCS boron concentration;
b. Regulating bank group positions;
c. RCS average temperature;
d. Fuel burnup based on gross thermal energy generation;
e. Xenon concentration;
f. Samarium concentration; and
g. Isothermal temperature coefficient (ITC).


Using the ITC accounts for Doppler reactivity in this calculation because the reactor is subcritical or critical but below the point of adding heat, and the fuel temperature will be changing at the same rate as the RCS.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix B.

2. 10 CFR 50.59.
3. Regulatory Guide 1.68, Revision 4, June 2013.
4. ANSI/ANS-19.6.1-2011.
5. [NuScale Reload Safety Evaluation Methodology.]
6. FSAR, Chapter 14.


B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.9 Boron Dilution Control

BASES

BACKGROUND

One of the principal functions of the Chemical Volume and Control System (CVCS) is to maintain the reactor coolant chemistry conditions by controlling the concentration of boron in the coolant for unit startups, normal dilution to compensate for fuel depletion, and shutdown boration. In the dilute mode of operation, unborated demineralized water may be supplied directly to the Reactor Coolant System (RCS).

Although the CVCS is not considered a safety related system, certain isolations of the system are considered safety related functions. The appropriate components have been classified and designed as safety related. A CVCS safety related function is the termination of inadvertent boron dilution.

There are two demineralized water isolation valves in series; one controlled by Division I of the MPS ESFAS DWSI Logic and Actuation, and one controlled by Division II of the MPS ESFAS DWSI Logic and Actuation. MPS instrumentation Functions, each with four measurement channels, that initiate DWSI actuation signals to each Logic and Actuation division are described in Subsection B 3.3.1, "Module Protection System (MPS) Instrumentation," and are specified in Table 3.3.1-1.

The boric acid storage tank and boric acid batch tank contain the boric acid solution used to supply the CVCS to control the boron concentration of the reactor coolant system. The boron concentration of the boric acid supply is specified in the COLR so that it does not become an inadvertent source of uncontrolled dilution.

APPLICABLE SAFETY ANALYSES

One of the initial assumptions in the analysis of an inadvertent boron dilution event (Ref. 1) is the assumption that the increase in core reactivity, created by the dilution event, can be detected by the NMS instrumentation. The NMS will provide neutron flux and flux rate signals to the MPS, and the MPS instrumentation will then determine if actuation of the CVCS demineralized water isolation valves is necessary to terminate the boron dilution event. Thus the demineralized water isolation valves are components which function to mitigate an AOO.


The demineralized water isolation valves isolate on actuation signals initiated by the low RCS flow, High Subcritical Multiplication or reactor trip system (RTS). The low RCS Flow actuation signal is designed to ensure boron dilution cannot be performed at low RCS flowrates where the loop time is too long to be able to detect the reactivity change in the core within sufficient time to mitigate the event. The High Subcritical Multiplication actuation signal is designed to detect and mitigate inadvertent subcritical boron dilution events in MODES 2 and 3.

The RTS actuation initiates a signal to isolate the demineralized water isolation valves to support a reactor trip. The demineralized water isolation valves prevent the designed source of dilution water from contributing to events when these conditions exist. The analysis for an inadvertent boron dilution event assumes that the diluting flow is from the demineralized water source; however, the boric acid storage tank and boric acid batch tank also supply flow to the CVCS. Controlling the boron concentration in these supplies ensures that they are not a source of dilution water. Thus the boric acid supply boron concentration is an assumption of the boron dilution accident.

Another initial assumption of the inadvertent boron dilution event (Ref. 1) is that the maximum CVCS dilution flow is limited at reduced power levels. The lowest maximum acceptable demineralized water flow rate is that provided by one CVCS makeup pump, and the maximum acceptable demineralized water flow rate varies with core design and boron concentration in the RCS. The initial safety analysis assumption limits maximum flow to that provided by a single makeup pump; however, analyses may be performed consistent with approved methodologies listed in TS 5.6.3, "Core Operating Limits Report," to permit adjustments to the maximum demineralized water flow limit as a function of core design and boron concentration in the RCS.

CVCS demineralized water isolation valves satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii). The boron concentration in the boric acid supply and the CVCS makeup pump demineralized water flow path flowrate satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO

The requirement that two demineralized water isolation valves be OPERABLE assures that there will be redundant means available to terminate an inadvertent boron dilution event. The requirement that the boron concentration of the boric acid supply be maintained within the limits specified in the COLR ensures that the supply is not a source to the CVCS that could result in an inadvertent boron dilution event.


The limits on maximum CVCS makeup pump demineralized water flow path flowrate are established by restricting the flow that can be provided during system operation to within the limits in the COLR. The restrictions may be implemented by use of at least one closed manual or one closed and de-activated automatic valve, or by removing the power supply from one CVCS makeup pump.

APPLICABILITY

The requirement that two demineralized water isolation valves be OPERABLE, and that the boric acid storage tank boron concentration and maximum CVCS makeup pump demineralized water flow path flowrate are within the limits specified in the COLR, is applicable in MODES 1, 2, and 3 with any dilution source flow path in the CVCS makeup line not isolated. In these MODES, a boron dilution event is considered possible, and the automatic closure of these valves is assumed in the safety analysis. The boron concentration of the boric acid sources is not assumed to be capable of causing a dilution event by the boron dilution event analysis. The maximum CVCS makeup pump demineralized water flow path flowrate is an assumption of the boron dilution event.

In MODE 1 < 15% RTP, the detection and mitigation of a boron dilution event would be signaled by a High Source or Intermediate Range Log Power Rate or a High Source Range Count Rate.

In MODE 1 ≥ 15% RTP, the detection and mitigation of a boron dilution event would be signaled by a High Power Range Rate or High Power Range Linear Power. In MODES 2 and 3, the detection and mitigation of a boron dilution event would be signaled by a Source Range High Count Rate trip, a trip on Source Range High Log Power Rate, or a trip on High Subcritical Multiplication, or low RCS flow.

In MODES 4 and 5, a dilution event is precluded because the CVCS RCS injection and discharge flow paths are not connected to the RCS, thus eliminating the possibility of a boron dilution event in the RCS.

Pool volume is sufficient to minimize the potential for boron dilution during MODE 5 within the surveillance intervals provided by LCO 3.5.3, Ultimate Heat Sink.


ACTIONS

A.1

If one CVCS demineralized water isolation valve is inoperable, the valve must be restored to OPERABLE status in 72 hours. The allowed Completion Time is considered acceptable because the safety function of automatically isolating the dilution source can be accomplished by the redundant isolation valve.

B.1

If the Required Action and associated Completion Time is not met, or if both CVCS demineralized water isolation valves are not OPERABLE (i.e., not able to be closed automatically), then the demineralized water supply flow path to the RCS must be isolated to preclude a boron dilution event. Isolation can be accomplished by manually isolating the CVCS demineralized water isolation valve(s) or by positioning the manual 3-way combining valve to only take suction from the boric acid tank. Alternatively, the dilution path may be isolated by closing appropriate isolation valve(s) in the flow path(s) from the demineralized water storage tank to the RCS.

If the boric acid concentration in the boric acid supply or the CVCS makeup pump demineralized water flow path flowrate is not within the limits specified in the COLR, then the flow path to the RCS must be isolated to preclude a boron dilution event. Condition B permits indefinite operation with the boric acid storage tank or the boric acid batch tank not meeting the COLR concentration limits with the source isolated from the CVCS.

The Required Action is modified by a Note allowing either flow path to be unisolated intermittently under administrative controls. These administrative controls consist of stationing a dedicated operator at the valve controls, who is in continuous communication with the main control room. In this way, the flow path can be rapidly isolated when a need for isolation is indicated.


SURVEILLANCE REQUIREMENTS

SR 3.1.9.1

This Surveillance verifies that the CVCS makeup pump demineralized water flow path is configured to ensure that the maximum dilution flow rate that can exist during makeup pump operation remains within the limits specified in the COLR. The Surveillance accomplishes this by assuring that when the maximum demineralized water flowrate is restricted to that of a single CVCS makeup pump, at least one closed manual or one closed and de-activated automatic valve is correctly configured, or verifying that the power supply has been removed from one CVCS makeup pump. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.9.2

This Surveillance demonstrates that each automatic CVCS demineralized water isolation valve actuates to the isolated position on an actual or simulated actuation signal. This Surveillance is not required for automatic valves that are locked, sealed, or otherwise controlled under administrative controls.

In addition to this Surveillance, the automatic actuation logic is tested as part of Engineered Safety Features Actuation System Actuation and Logic testing, and valve performance is monitored as part of the INSERVICE TESTING PROGRAM.

The Surveillance Frequency for this test is controlled under the Surveillance Frequency Control Program.

SR 3.1.9.3

This Surveillance ensures that the boric acid supply is not a potential source of dilution water.

The Surveillance is applicable to the boric acid storage tank and the boric acid batch tank when the tank is aligned to supply boric acid to the CVCS. The batch tank is routinely isolated from the CVCS during preparation of boric acid solution, and either tank may be used as a source of boric acid or isolated from use during normal operations.

Condition B permits indefinite operation with a source not meeting the COLR concentration limits with the source isolated from the CVCS.

SR 3.0.4 requires verification that the boric acid supply boron concentration is within limits before aligning the tank to supply the CVCS.


Boron concentration in the supply is verified to be within the limits specified in the COLR by periodic measurement.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.9.4

This Surveillance verifies that CVCS makeup pump maximum flowrate is 25 gpm. The lowest maximum makeup pump demineralized water flowrate that can be used while in operation is that of one CVCS makeup pump as assumed in the boron dilution analysis. The Surveillance verifies the maximum flowrate of each CVCS makeup pump is consistent with the analysis assumptions. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The limits on maximum CVCS makeup pump demineralized water flow path flowrate are established by restricting the flow that can be provided during system operation to within the limits in the COLR.

The restrictions may be implemented by use of at least one closed manual or one closed and de-activated automatic valve, or by removing the power supply from one CVCS makeup pump.

REFERENCES 1. FSAR, Chapter 15.


B 3.2 POWER DISTRIBUTION LIMITS

B 3.2.1 Enthalpy Rise Hot Channel Factor (FH)

BASES

BACKGROUND

The purpose of this LCO is to establish limits on the power density at any point in the core so that the fuel design criteria are not exceeded and the accident analysis assumptions remain valid. Control of the core power distribution with respect to these limits ensures that local conditions in the fuel rods and coolant channels do not challenge core integrity at any location during either normal operation or a postulated accident analyzed in the safety analyses.

FH is defined as the ratio of the maximum integrated rod power within the core to the average rod power. Therefore, FH is a measure of the maximum total power produced in a fuel rod.

FH is sensitive to fuel loading patterns, regulating bank group insertion, and fuel burnup. FH typically increases with regulating bank group insertion and typically decreases with fuel burnup.

FH is not directly measurable but is inferred from a power distribution map obtained with the fixed in-core neutron detectors. Specifically, the measurements taken from the fixed in-core instrument system are analyzed by a computer to determine FH. This value is calculated continuously with operator notification on unexpected results and validated by engineering in accordance with the surveillance frequency.

The COLR provides peaking limits that ensure that the safety analysis values for critical heat flux (CHF) are not exceeded for normal operation, operational transients, and any transient condition arising from analyzed events. The safety analysis precludes CHF and is met by limiting the minimum critical heat flux ratio (MCHFR) to that value defined in the COLR. All transient events are assumed to begin with an FH value that satisfies the LCO requirements.

Operation outside the LCO limits may produce unacceptable consequences if an event occurs. The CHF safety analysis ensures that there is no overheating of the fuel that results in possible cladding perforation with the release of fission products to the reactor coolant.


APPLICABLE SAFETY ANALYSES

Limits on FH preclude core power distributions that exceed fuel design limits.

There must be at least 95% probability at the 95% confidence level (the 95/95 CHF criterion) that the hottest fuel rod in the core does not experience a CHF condition.

The limits on FH ensure that the safety analysis values for CHF are not exceeded for normal operation, operational transients, and any transient condition arising from analyzed events. The safety analysis precludes CHF and is met by limiting the MCHFR to that value defined in the COLR.

This value provides a high degree of assurance that the hottest fuel rod in the core does not experience a CHF condition.

The allowable FH limit increases with decreasing power level. This functionality in FH is included in the analyses that provide the Reactor Core Safety Limits (SLs) of SL 2.1.1. Therefore, any CHF events in which the calculation of the core limits is modeled implicitly use this variable value of FH in the analyses. Likewise, all transients that may be CHF limited are assumed to begin with an initial FH as a function of power level defined by the COLR limit equation.

The fuel is protected in part by Technical Specifications, which ensure that the initial conditions assumed in the safety and accident analyses remain valid.

FH is measured periodically using the fixed in-core instrument system.

Measurements are generally taken with the core at, or near, steady state conditions. Core monitoring and control under transient conditions are accomplished by operating the core within the limits of the LCOs on AO and Bank Insertion Limits.

FH satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO

FH shall be maintained within the limits of the relationship provided in the COLR.

The FH limit identifies the coolant flow channel with the maximum enthalpy rise. This channel has the least heat removal capability and thus the highest probability for a CHF condition.

The limiting value of FH, described by the equation contained in the COLR, is the design radial peaking limit used in the safety analyses.


APPLICABILITY

The FH limits must be maintained in MODE 1 with THERMAL POWER ≥ 25% RTP to preclude core power distributions from exceeding the fuel design limits for MCHFR. Applicability with THERMAL POWER < 25% RTP and in other modes is not required because there is either insufficient stored energy in the fuel or insufficient energy being transferred to the coolant to require a limit on the distribution of core power. Specifically, the design bases events that are sensitive to FH in other conditions and modes (with THERMAL POWER < 25% RTP and MODES 2 through 5) have significant margin to CHF, and therefore, there is no need to restrict FH in these modes.

ACTIONS

A.1

With FH exceeding its limit, the unit must be placed in a mode or condition in which the LCO requirements are not applicable. This is done by reducing THERMAL POWER to < 25% RTP within 6 hours. The allowed Completion Time of 6 hours provides sufficient time for the unit to restore FH to within its limits. This restoration may, for example, involve realigning any misaligned rods or reducing power enough to bring FH within its power dependent limit. When the FH limit is exceeded, the MCHFR limit is not likely violated in steady state operation, because events that could significantly perturb the FH value (e.g., static control rod misalignment) are considered in the safety analyses. However, the MCHFR may be violated if a CHF limiting event occurs. The allowed Completion Time of 6 hours is reasonable based on the time required to possibly restore the FH value and exit the Condition and, if unsuccessful, to reduce THERMAL POWER to < 25% RTP from full power conditions in an orderly manner and without challenging plant systems.


SURVEILLANCE REQUIREMENTS

SR 3.2.1.1

The value of FH is determined by using the fixed in-core instrument system to obtain a flux distribution map. A data reduction computer program then calculates the maximum value of FH from the measured flux distributions. The in-core instrument design and procedures incorporate the methods and process for measuring FH using the available in-core instrumentation. The procedures include verification that adequate instrument indications are available to provide a representative value of FH consistent with the methodology used to establish the FH limits in the COLR. This assures that the FH is within limits of the LCO.

After each refueling, FH must be determined in MODE 1 prior to exceeding 25% RTP. This requirement ensures that FH limits are met at the beginning of each fuel cycle and in accordance with the misload event analysis. (Ref. 1)

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Chapter 15.


B 3.2 POWER DISTRIBUTION LIMITS

B 3.2.2 AXIAL OFFSET (AO)

BASES

BACKGROUND

The purpose of this LCO is to establish limits on the values of AO in order to limit the amount of axial power distribution skewing to either the top or bottom of the core. By limiting the amount of power distribution skewing, core peaking factors are consistent with the assumptions used in the safety analyses. Limiting power distribution skewing over time also minimizes the xenon distribution skewing, which is a significant factor in axial power distribution control.

The AO limits are selected by considering a range of axial xenon distributions that may occur as a result of large variations of the AO.

Subsequently, power peaking factors and power distributions are examined to ensure that the postulated event limits are met. Violation of the AO limits invalidates the conclusions of the accident and transient analyses with regard to fuel cladding integrity. (Ref. 1)

The in-core instrumentation system's neutron detectors are arranged equally spaced radially and axially throughout the core. This neutron detector arrangement promotes an accurate indication for the module control system to analyze core power distributions and will be used to monitor AO.

APPLICABLE SAFETY ANALYSES

The AO is a measure of the axial power distribution skewing to either the top or bottom half of the core. The AO is sensitive to many core related parameters such as regulating bank group positions, core power level, axial burnup, axial xenon distribution, reactor coolant temperature, and boron concentration.

The allowed range of the AO is used in the nuclear design process to confirm that operation within these limits produces core peaking factors and axial power distributions that meet safety analysis requirements.

The limits on the AO ensure that the bounding axial power distribution is not exceeded during either normal operation or in the event of xenon redistribution following power changes. The limits on the AO also restrict the range of power distributions that are used as initial conditions in the analyses of anticipated operational occurrences (AOO), infrequent events (IE), and accidents. This ensures that the fuel cladding integrity is maintained for these postulated accidents. The most important AOO is the Control Rod Misoperation - Single Rod Withdrawal. The most important IE is the Uncontrolled Control Rod Assembly Withdrawal from Power. The most important accident is the Rod Ejection Accident.

The limits on the AO satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO

Information about the unit's AO is provided to the operator from the in-core instrumentation system. (Ref. 2) Separate signals are taken from the four neutron detectors on each of the 12 strings of in-core instrumentation. The AO is defined in Section 1.1.

The AO limits are provided in the COLR. Figure B 3.2.2-1 shows a typical AO limit.

APPLICABILITY

The AO requirements are applicable in MODE 1 ≥ 25% RTP when the combination of THERMAL POWER and core peaking factors is of primary importance in safety analysis.

The value of the AO does not affect the limiting accident consequences with THERMAL POWER < 25% RTP and for lower operating power MODES.

ACTIONS

A.1

AO is a controllable and measurable parameter. With AO not within LCO limits, action must be taken to place the unit in a MODE or condition in which the LCO requirements are not applicable. Reducing THERMAL POWER to < 25% RTP places the core in a condition for which the value of the AO is not important in the applicable safety analyses.

The associated Completion Time of 6 hours is reasonable, considering the probability of an accident occurring during the time period that would require AO to be within the LCO limits, and the time for reaching < 25% RTP from full power conditions in an orderly manner and without challenging plant systems.


SURVEILLANCE REQUIREMENTS

SR 3.2.2.1

This Surveillance verifies that the AO, as indicated by the in-core instrumentation system, is within its specified limits.

The in-core instrument design and procedures incorporate the methods and process for verifying the AO is within limits using the available in-core instrumentation. The surveillance procedures include verification that adequate instrument indications are available to provide a representative value of the AO consistent with the methodology used to establish the AO limits in the COLR. This assures that the AO is within limits of the LCO.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Chapter 15.

2. FSAR, Chapter 4.


Figure B 3.2.2-1 (page 1 of 1): Axial Offset Window

B 3.3 INSTRUMENTATION

B 3.3.1 Module Protection System (MPS) Instrumentation

BASES

BACKGROUND

The Module Protection System (MPS) initiates reactor trips and other safety systems to protect against violating specified acceptable fuel design limits, and inadvertent breaching of the reactor coolant pressure boundary (RCPB) during anticipated operational occurrences (AOOs). It also initiates other safety systems to ensure acceptable consequences during accidents.

The MPS is designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of process variables directly monitored by the MPS, as well as LCOs on other reactor system variables and equipment performance. The MPS is separate and independent for each unit.

Technical Specifications are required by 10 CFR 50.36 to include LSSS. LSSS are defined by the regulation as "settings for automatic protective devices related to those variables having significant safety functions. Where a LSSS is specified for a variable on which a safety limit has been placed, the setting must be chosen so that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded."

The Analytical Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that a SL is not exceeded. Any automatic protective action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protection channels must be chosen to be more conservative than the Analytical Limit to account for channel uncertainties related to the setting at which the automatic protective action would actually occur. The LSSS values are identified and maintained in the Setpoint Program (SP) controlled by 10 CFR 50.59.

The Limiting Trip Setpoint (LTSP) specified in the SP is a predetermined setting for a protective channel chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded. As such, the LTSP accounts for uncertainties in setting the channel (e.g., calibration), uncertainties in how the channel might actually perform (e.g., repeatability), changes in the point of action of the channel over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments). In this manner, the LTSP ensures that SLs are not exceeded. As such, the LTSP meets the definition of a LSSS (Ref. 1).


Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as "...being capable of performing its safety function(s)." Relying solely on the LTSP to define OPERABILITY in Technical Specifications would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protection channel setting during a Surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protection channel device with a setting that has been found to be different from the LTSP due to some drift of the setting may still be OPERABLE because drift is to be expected. This expected drift would have been specifically accounted for in the setpoint methodology for calculating the LTSP and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protection channel.

Therefore, the channel would still be OPERABLE because it would have performed its safety function and the only corrective action required would be to reset the channel within the established as-left tolerance around the LTSP to account for further drift during the next surveillance interval.

Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria).

However, there is also some point beyond which the channel may not be able to perform its function due to, for example, greater than expected drift.

If all as-found measured values during calibration and surveillance testing are inside the as-left tolerance band, then the channel is fully operable and no additional actions are required.

If all as-found measured values during calibration testing and surveillance testing are within the as-found tolerance band but outside the as-left tolerance band, then the instrumentation channel is fully operable; however, calibration is required to restore the channel within the as-left tolerance band.

If any as-found measured value is outside the as-found tolerance band, then the channel is inoperable, and corrective action is required. The reactor module must enter the Condition for the particular MPS Functions affected. The channel as-found condition will be entered into the Corrective Action Program for further evaluation and to determine the required maintenance to return the channel to OPERABLE.

During AOOs, which are those events expected to occur one or more times during the plant life, the acceptable limits are:

  • The critical heat flux ratio (CHFR) shall be maintained above the SL value to prevent critical heat flux (CHF);
  • Fuel centerline melting shall not occur; and
  • Pressurizer pressure SL of 2285 psia shall not be exceeded.

Maintaining the variables within the above values ensures that the offsite dose will be within the 10 CFR 50 (Ref. 2) and 10 CFR 50.34 (Ref. 3) criteria during AOOs.

Accidents are events that are analyzed even though they are not expected to occur during the plant life. The acceptable limit during accidents is that the offsite dose shall be maintained within an acceptable fraction of 10 CFR 50.34 (Ref. 3) limits. Different accident categories allow a different fraction of these limits based on probability of occurrence. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

The MPS includes devices and circuitry that generate the following signals when monitored variables reach levels that are indicative of conditions requiring protective action:

1. Reactor Trip System (RTS) actuation;
2. Emergency Core Cooling System (ECCS) actuation;
3. Decay Heat Removal System (DHRS) actuation;
4. Containment Isolation System (CIS) actuation;
5. Secondary System Isolation (SSI);
6. Chemical and Volume Control System Isolation (CVCSI) actuation;
7. Demineralized Water Supply Isolation (DWSI) actuation;
8. Pressurizer Heater Trip (PHT) actuation; and
9. Low Temperature Overpressure Protection (LTOP) actuation.

Equipment actuated by each of the above signals is identified in the FSAR (Ref. 4). Setpoints are specified in the [owner-controlled requirements manual].

This LCO addresses the equipment from the MPS input sensors to the input to the RTS and ESFAS SVMs. The MPS RTS and ESFAS equipment from the inputs of the SVMs to the outputs of the equipment interface modules (EIMs) to the actuated devices is addressed in LCO 3.3.2, "Reactor Trip System (RTS) Logic and Actuation," and LCO 3.3.3, "Engineered Safety Features Actuation System (ESFAS) Logic and Actuation," respectively. Manual actuation of the RTS and ESFAS from the actuating switches to the backplane connections of the chassis is addressed in LCO 3.3.4, "Manual Actuation Functions."

The roles of each of the MPS functions in the RTS and ESFAS, including the actuation logic of LCO 3.3.2, 3.3.3, and 3.3.4 are discussed below.

Measurement Channels

Measurement channels, consisting of field transmitters or process sensors and associated instrumentation, provide a measurable electronic signal based upon the physical characteristics of the process variable being measured. Some measurement channels that are processed by MPS are sent to MCS for control functions (e.g., pressurizer pressure and level).

The excore nuclear instruments are considered components in the measurement channels of the High Power Range Linear Power, High Power Range Positive and Negative Rate, Source Range Count Rate, Source Range Log Power Rate, and High Intermediate Range Log Power Rate Neutron Flux trips.

Four identical measurement channels (also designated separation group-A through D) with electrical and physical separation are provided for each variable used in the generation of trip and actuation signals.


MPS sensor processing consists of four separation groups of sensors.

Each of the four groups is composed of safety function modules (SFMs) that condition input signals and provide channel trip and actuation determination. In addition, SFMs provide indication that can be displayed in the control room. Each SFM is comprised of:

  • signal conditioning and analog to digital conversion sub-modules;
  • digital logic circuits; and
  • communication engines.

The signal conditioning input sub-modules of the SFM are comprised of an analog circuit and a digital circuit. The analog circuit converts analog voltages or currents into a digital representation. The digital representation of the process sensor output is communicated from the signal conditioning input sub-module to the digital logic circuits that form the trip or actuation determination block.

An SFM trip or actuation determination block accepts input from up to four signal conditioning input sub-modules. The output of each of the signal conditioning input sub-modules is sent to three redundant core logic signal paths in the programmable portion of the SFM that form the trip determination block.

The core logic function in each of the three redundant signal paths independently:

  • performs the safety function algorithm;
  • compares the safety function algorithm output to a setpoint and makes a reactor trip and ESF actuation determination; and
  • generates permissives and control interlocks.

The information provided via the signal conditioning input sub-modules to the core logic is also provided to the module control system (MCS), the safety display and indication (SDI) system, and the maintenance workstation (MWS) via the monitoring and indication bus communication module (MIB-CM).


The trip and actuation setpoints used in the SFM core logic function are based on the analytical limits derived from safety analysis (Ref. 5). The calculation of the LTSP specified in the Setpoint Program (SP) is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those MPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 6), the LTSP specified in the SP is conservative with respect to the analytical limits. The nominal trip setpoint (NTSP) is the LTSP with margin added and is always equal to or more conservative than the LTSP. A detailed description of the methodology used to calculate the NTSPs is provided in the "NuScale Instrument Setpoint Methodology" (Ref. 7). The as-left tolerance and as-found tolerance band methodology is provided in the SP. The as-found OPERABILITY limit for the purpose of the CHANNEL CALIBRATION is defined as the as-left limit plus the acceptable drift about the NTSP.

The NTSPs listed in the SP are based on the methodology described in Reference 7, which incorporates all of the known uncertainties applicable for each channel. The magnitudes of these uncertainties are factored into the determination of each NTSP. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes. Transmitter and signal processing equipment calibration tolerances and drift allowances must be specified in plant calibration procedures, and must be consistent with the values used in the setpoint methodology.

The OPERABILITY of each transmitter or sensor can be evaluated when its as-found calibration data are compared against the as-left data and are shown to be within the setpoint methodology assumptions. The as-left and as-found tolerances listed in the SP define the OPERABILITY limits for a channel during a periodic CHANNEL CALIBRATION that requires trip setpoint verification.
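The three as-found outcomes described earlier in this Background, combined with the definition of the as-found limit as the as-left limit plus the acceptable drift about the NTSP, can be expressed as a small calibration check. This is an added Python example, not part of the NuScale document or the Setpoint Program; the numeric values, the status names, and the choice to treat a reading exactly on a band edge as inside the band are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ChannelSetpoint:
    """Setpoint data for one protection channel (all values constructed)."""
    ntsp: float             # nominal trip setpoint, in process units
    as_left_tol: float      # +/- as-left tolerance about the NTSP
    drift_allowance: float  # acceptable drift over one surveillance interval

    @property
    def as_found_tol(self) -> float:
        # As-found limit = as-left limit plus acceptable drift about the NTSP.
        return self.as_left_tol + self.drift_allowance


def evaluate_as_found(sp, as_found_values):
    """Classify a channel from its as-found calibration readings."""
    if not as_found_values:
        raise ValueError("at least one as-found reading is required")
    deviations = [abs(v - sp.ntsp) for v in as_found_values]
    # ANY reading outside the as-found band makes the channel inoperable.
    if any(d > sp.as_found_tol for d in deviations):
        return "INOPERABLE"
    # ALL readings inside the as-left band: nothing further to do.
    if all(d <= sp.as_left_tol for d in deviations):
        return "OPERABLE"
    # Inside the as-found band but outside the as-left band: the channel
    # performed its function, but must be reset to within as-left tolerance.
    return "OPERABLE_RECALIBRATE"


def surveillance(sp, as_found_values, as_left_values=None):
    """Return (status, as_left_ok) for one CHANNEL CALIBRATION record."""
    status = evaluate_as_found(sp, as_found_values)
    if status == "OPERABLE":
        return status, True      # left as found, already inside the band
    if status == "INOPERABLE":
        return status, False     # corrective action decides the repair
    left_ok = bool(as_left_values) and all(
        abs(v - sp.ntsp) <= sp.as_left_tol for v in as_left_values
    )
    return status, left_ok


if __name__ == "__main__":
    sp = ChannelSetpoint(ntsp=100.0, as_left_tol=0.5, drift_allowance=1.0)
    for readings in ([100.25, 99.75], [100.25, 101.0], [100.25, 101.75]):
        print(readings, evaluate_as_found(sp, readings))
```
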

NTSPs, in conjunction with the use of as-found and as-left tolerances, consistent with the requirements of the SP will ensure that SLs of Chapter 2.0, "SAFETY LIMITS (SLs)," are not violated during AOOs, and the consequences of DBAs will be acceptable, providing the unit is operated from within the LCOs at the onset of the AOO or DBA and the equipment functions as designed.


The MPS incorporates continuous system self-testing features from the sensor input to the output switching logic, with the exception of the actuation and priority logic (APL). The self-testing features evaluate whether the MPS is functioning correctly. Surveillance testing verifies OPERABILITY of the APL. Self-testing features include on-line diagnostics for the MPS hardware and communications tests. These self-tests do not interfere with normal system operation.

In addition to the self-testing features, the system includes functional testing features. Functional testing of the entire MPS, from SFM input through the opening of individual RTBs and actuation of ESFAS components, can be performed either at power or shutdown. The manual actuation switches in the MCR cannot be tested at power because they would cause a reactor trip or ESF actuation. FSAR Chapter 7 (Ref. 4) provides more detail on MPS testing.

The outputs of the three SFM core logic function signal paths are each routed to one of three independent safety data buses. Each of the safety data buses carries the trip determination data to one of three respective scheduling and bypass modules (SBMs). The SBM transmits the data to both divisions of the RTS and the ESFAS scheduling and voting modules (SVMs). Redundant data from all four separation groups are received by each division's set of RTS and ESFAS SVMs. The failure of one or more components in one of the three safety data paths in any separation group has no impact on the safety function (i.e., SBM and SVM).

A trip is determined by two-out-of-four logic. If two or more of the four redundant channels call for trip, then a trip will be generated. If a channel is taken to maintenance bypass, two of the remaining three channels (two-out-of-three) are required to generate a trip. By placing one channel in maintenance trip, only one of the remaining three channels (one-out-of-three) is required to generate a trip.

Two-out-of-three and two-out-of-four logic prevents inadvertent trips caused by any single channel failure in a trip condition.

In addition to the channel maintenance bypasses, there are also operating bypasses on select trips or actuations. These bypasses are enabled automatically or manually, depending on the function, in both divisions when unit conditions do not warrant the specific trip or actuation protection. All operating bypasses are automatically removed when the permissive or interlock conditions are no longer satisfied. Operating bypasses are implemented in the SVM.


Logic for Trip or Actuation Initiation

The MPS logic, addressed in LCO 3.3.2 and LCO 3.3.3, is implemented in two divisions each of RTS and ESFAS. It employs a scheme that provides a reactor trip or ESFAS actuation when an SFM in any two of the four separation group channels senses and signals the same input variable trip. The three SVMs in the RTS and the three SVMs in the ESFAS evaluate the trip information received from the SFMs from all four separation groups. If two or more of the four redundant channels call for a trip, then a trip request is passed to the associated EIMs.

The output of the three SVM communication modules is sent via three independent safety data buses to the EIMs. The EIMs receive the information from the three SVMs and perform a two-out-of-three vote. If two or more of the SVMs call for a trip, then a trip is generated and the EIM actuates the component it controls.

RTS Actuation

The EIMs for each division of RTS interrupt power to the control rod drive mechanisms (CRDMs) by opening two reactor trip breakers associated with that division.

The RTS EIMs interrupt power to the reactor trip breaker undervoltage trip coils and energize the reactor breaker shunt trip coil.

The reactor trip switchgear, addressed in LCO 3.3.2, consists of four RTBs, which are operated in two sets of two breakers (two divisions).

Power input to the reactor trip switchgear comes from the 3-phase 120/208 VAC EDNS power source.

Each of the two RTS divisions is capable of producing an automatic reactor trip output signal that opens two of the four reactor trip breakers associated with that division. The four reactor trip breakers are connected in a series-parallel arrangement. Each parallel path contains two trip breakers in series, one from each RTS division, to ensure that a reactor trip signal from a single division will initiate a reactor trip.

When a reactor trip signal is actuated in any two of the four separation groups, four trip breakers open, two in each RTS division, power is interrupted to the rod drive power supply, and the control rods are inserted into the core.
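The voting chain described above (two-out-of-four coincidence with maintenance bypass or maintenance trip, the two-out-of-three EIM vote, and the series-parallel breaker arrangement) can be modeled in a few lines. This is an added illustration, not NuScale code; the path labels "A" and "B", the function names, and the limit of one channel in maintenance at a time are assumptions of the model.

```python
from enum import Enum


class Maint(Enum):
    NONE = "in service"   # channel votes on its own trip determination
    BYPASS = "bypass"     # maintenance bypass: channel is left out of the vote
    TRIP = "trip"         # maintenance trip: channel is held in the tripped state


def coincidence_trip(calls_for_trip, maint):
    """Coincidence vote over the four separation-group channels.

    All in service -> 2-out-of-4; one in bypass -> 2-out-of-3;
    one in maintenance trip -> 1-out-of-3 of the remaining channels.
    """
    if len(calls_for_trip) != 4 or len(maint) != 4:
        raise ValueError("expected four separation-group channels")
    # Assumption: the text describes one channel in maintenance at a time.
    if sum(m is not Maint.NONE for m in maint) > 1:
        raise ValueError("model covers at most one channel in maintenance")
    votes = 0
    for call, m in zip(calls_for_trip, maint):
        if m is Maint.TRIP:
            votes += 1            # forced vote, regardless of the sensor
        elif m is Maint.NONE and call:
            votes += 1            # genuine vote from an in-service channel
        # Maint.BYPASS contributes nothing, even if the sensor calls for trip
    return votes >= 2


def eim_trip(svm_requests):
    """Two-out-of-three vote the EIM performs on the three SVM outputs."""
    if len(svm_requests) != 3:
        raise ValueError("expected three SVM outputs")
    return sum(1 for r in svm_requests if r) >= 2


PATHS = ("A", "B")        # assumed labels for the two parallel paths
DIVISIONS = ("I", "II")   # each path has one breaker from each division


def breakers_closed(divisions_tripped, stuck_closed=()):
    """Map (path, division) -> True if that breaker is still closed."""
    state = {}
    for path in PATHS:
        for div in DIVISIONS:
            opened = div in divisions_tripped and (path, div) not in stuck_closed
            state[(path, div)] = not opened
    return state


def rod_power_available(state):
    """A path conducts only if both of its series breakers are closed."""
    return any(all(state[(path, div)] for div in DIVISIONS) for path in PATHS)


def single_stuck_breaker_cases(divisions_tripped):
    """For each single stuck-closed breaker: is rod drive power still available?"""
    return {
        (path, div): rod_power_available(
            breakers_closed(divisions_tripped, {(path, div)})
        )
        for path in PATHS
        for div in DIVISIONS
    }


if __name__ == "__main__":
    in_service = [Maint.NONE] * 4
    print("2oo4, one channel calls:", coincidence_trip([1, 0, 0, 0], in_service))
    print("2oo4, two channels call:", coincidence_trip([1, 1, 0, 0], in_service))
    print("Division I alone interrupts power:",
          not rod_power_available(breakers_closed({"I"})))
    print("Both divisions trip, one breaker stuck closed:",
          single_stuck_breaker_cases({"I", "II"}))
```
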

Each set of RTBs is operated by either a manual reactor trip switch or via an MPS-actuated EIM for each RTB. The OPERABILITY of the manual trip switches and their function are addressed in LCO 3.3.4.

Functional testing of the entire MPS, from sensor input to the SFM through the opening of individual sets of RTBs, can be performed either at power or shutdown. FSAR Chapter 7 (Ref. 4) explains MPS testing in more detail.

ESFAS Actuation

Each ESFAS actuation consists of closing or opening components whose safety position is achieved by interruption of electrical power to a breaker or valve controls.

Each division of ESFAS can control an independent component or in some cases either division can control one component. For example, there are two containment isolation valves in series, one controlled by Division I and the other controlled by Division II. There is only one MSIV per steam line and either Division I or II can close it.

Manual ESFAS initiation capability is provided to permit the operator to manually actuate ESF when necessary. Switches are located in the control room for each automatic ESF function, and each switch (one per division for each function) actuates its respective division. These manual switch signals are converted to logic level voltages by the HWMs in each RTS and ESFAS chassis and are available on the backplane for the associated actuation. The OPERABILITY of the manual actuation switches and their function are addressed in LCO 3.3.4.

Overall Functional Analysis

Three of the four measurement separation groups are necessary to meet the redundancy and testability of 10 CFR 50, Appendix A, GDC 21 (Ref. 2). The fourth channel provides additional flexibility by allowing one group to be removed from service (channel bypass) for maintenance or testing while still maintaining a minimum two-out-of-three logic.

The failure of one or more components in one of the three safety data paths in any separation group has no impact on the safety function (i.e., SBM and SVM). Adequate channel to channel independence includes physical and electrical independence of each channel from the others.

This allows operation in two-out-of-three logic with one channel removed from service and bypassed until the next MODE 3 entry since no single failure will either cause or prevent a protective system actuation. This arrangement meets the requirements of IEEE Standard 603-1991 (Ref. 8).

APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY

The MPS is designed to ensure that the following operational criteria are met:

  • The associated actuation will occur when the variable monitored by each channel reaches its setpoint and the specific coincidence logic is satisfied; and
  • Separation and redundancy are maintained to permit a channel to be out of service for testing or maintenance while still maintaining redundancy within the MPS instrumentation architecture.

Each of the analyzed accidents and transients which require a reactor trip or engineered safety feature can be detected by one or more MPS Functions. The MPS Functions that are credited to mitigate specific design basis events are described in FSAR Chapter 15 (Ref. 5). Setpoints are specified in the [owner-controlled requirements manual].

Each MPS setpoint is chosen to be consistent with the function of the respective trip. The basis for each setpoint falls into one of three general categories:

  • To ensure that the SLs are not exceeded during AOOs;
  • To actuate the RTS and ESFAS during accidents; and
  • To prevent material damage to major components (equipment protection).

The MPS maintains the SLs during AOOs and mitigates the consequences of DBAs in all MODES in which the RTBs are closed.

The Module Protection System instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

Permissive and interlock setpoints automatically provide, or allow manual or automatic blocking of trips during unit evolutions. They are not explicitly modeled in the Safety Analyses. These permissives and interlocks ensure that the initial conditions are consistent with the safety analysis, before preventive or mitigating actions occur. Because these permissives or interlocks are only one of multiple conservative initial conditions for the safety analysis, they are generally considered as nominal values without regard to measurement accuracy.

Operating bypasses are addressed in the footnotes to Table 3.3.1-1. They are not otherwise addressed as specific Table entries.

The automatic bypass removal features must function as a backup to manual actions for all safety related trips to ensure the trip Functions are not operationally bypassed when the safety analysis assumes the Functions are OPERABLE.

RTS and ESFAS Operating Bypass Interlocks and Permissives

Reactor protection permissives and interlocks are provided to ensure reactor trips and ESF actuations are in the correct configuration for the current unit status (Ref. 4). This is to ensure that the protection system functions are not bypassed during unit conditions under which the safety analysis assumes the functions are OPERABLE. Therefore, the permissive and interlock functions do not need to be OPERABLE when the associated reactor trip and ESF functions are outside the applicable MODES. Proper operation of these permissives and interlocks supports OPERABILITY of the associated reactor trip and ESF functions and/or the requirement for actuation logic OPERABILITY. The permissives and interlocks must be in the required state, as appropriate, to support OPERABILITY of the associated functions. The permissives and interlocks associated with each MPS Instrumentation Function channel, each Reactor Trip System (RTS) Logic and Actuation Function division, and each Engineered Safety Features Actuation System (ESFAS) Logic and Actuation Function division, respectively, must be OPERABLE for the associated Function channel or Function division to be OPERABLE. The combination of the continuous self-testing features of the MPS and the CHANNEL CALIBRATION specified by SR 3.3.1.4 verifies the OPERABILITY of the interlocks and permissives. Specification 5.5.10, Setpoint Program, is used to control interlock and permissive setpoints.

The permissives and interlocks are:

Intermediate Range Log Power Permissive, N-1

The Intermediate Range Log Power, N-1 permissive is established when the Intermediate Range Log Power channel increases to approximately one decade above the channel lower range limit. The N-1 permissive performs the following:

1. On increasing power, the N-1 permissive allows the manual block of the following:
  • High Source Range Count Rate Reactor Trip and Demineralized Water System Isolation actuation; and
  • High Source Range Log Power Rate Reactor Trip and Demineralized Water System Isolation actuation.

This prevents the premature block of the High Source Range Count Rate and High Source Range Log Power Rate trips and allows the operator to ensure that the Intermediate Range channel is OPERABLE as power increases prior to leaving the source range.

2. On increasing power, the N-1 interlock automatically establishes an operating bypass for High Source Range Subcritical Multiplication Demineralized Water System Isolation actuation.
3. On decreasing power, the N-1 interlock automatically removes the operating bypass for the following:
  • High Source Range Count Rate Reactor Trip and Demineralized Water System Isolation actuation;
  • High Source Range Log Power Rate Reactor Trip and Demineralized Water System Isolation; and
  • High Source Range Subcritical Multiplication Demineralized Water System Isolation actuation.

Power Range Linear Power Permissive, N-2L

The Power Range Linear Power, N-2L permissive is active on increasing power at approximately 15% power. On increasing power, the N-2L permissive allows the operator to manually establish an operating bypass of the following:

  • Reactor Trip on High-1 Power Range Linear Power. This increases the High Power Range Linear Power trip to the High-2 trip setpoint; and
  • Demineralized Water System Isolation actuation on High-1 Power Range Linear Power.

On decreasing power, the N-2L permissive automatically removes the above operating bypasses.

Power Range Linear Power Interlock, N-2L

The Power Range Linear Power, N-2L interlock is active on increasing power at approximately 15% power. The N-2L interlock automatically establishes an operating bypass of the following:

  • Demineralized Water System Isolation actuation on High Intermediate Range Log Power Rate.

On decreasing power, the N-2L interlock automatically removes the above operating bypasses.

Power Range Linear Power Interlock, N-2H

The Power Range Linear Power, N-2H interlock is active on decreasing power at approximately 15% power. The N-2H interlock automatically establishes an operating bypass of the following:

  • Demineralized Water System Isolation actuation on High Power Range Positive Rate;
  • Demineralized Water System Isolation actuation on High Power Range Negative Rate;
  • Secondary System Isolation on Low Main Steam Pressure; and
  • Demineralized Water System Isolation actuation on Low Main Steam Pressure.

On increasing power, the N-2H interlock automatically removes the above operating bypasses.

Reactor Tripped Permissive, RT-1

The Reactor Tripped Permissive, RT-1 is established when both divisional reactor trip breakers indicate open. The RT-1 permissive is used in conjunction with the T-2, T-5, F-1, and L-1 interlocks, and the override function O-1.

Feedwater Isolation Valve (FWIV) Closed Interlock, V-1

The FWIV Closed interlock, V-1 is active when one or both FWIVs indicate closed.

1. When the V-1 interlock AND the N-2H interlock are active, an automatic operating bypass is established for the Low Main Steam Superheat reactor trip.
2. When the V-1 interlock AND the N-2H interlock are active, OR the containment level interlock, L-1, is active, an automatic operating bypass is established for the Low Main Steam Superheat Secondary System Isolation actuation.
3. When the V-1 interlock OR the N-2H interlock are not active, AND L-1 is not active, the operating bypass is automatically removed for the Low Main Steam Superheat Secondary System Isolation actuation.
4. When the V-1 interlock OR the N-2H interlock are not active, the operating bypass is automatically removed for the Low Main Steam Superheat reactor trip.
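Items 1 through 4 state the "bypass established" and "bypass removed" conditions separately, so a useful review check is that the two are exact complements in every interlock state. The sketch below is an added example, not NuScale code: it enumerates all combinations of V-1, N-2H and L-1, and derives V-1, RT-1 and L-1 from plant indications as described in this section. The function names are assumptions, and 45 ft is the approximate L-1 value quoted in this section, used here as a nominal constant.

```python
from itertools import product

L1_LEVEL_FT = 45.0  # nominal value: text says "above approximately 45 ft"


def derive_interlocks(fwiv1_closed, fwiv2_closed, n2h_active,
                      containment_level_ft, rtb_div1_open, rtb_div2_open):
    """Return (V-1, N-2H, L-1) from plant indications.

    V-1: one or both FWIVs indicate closed.
    RT-1: both divisional reactor trip breakers indicate open.
    L-1: containment level above the nominal value AND RT-1 established.
    N-2H is passed in directly (its power setpoint is not modeled here).
    """
    v1 = fwiv1_closed or fwiv2_closed
    rt1 = rtb_div1_open and rtb_div2_open
    l1 = containment_level_ft > L1_LEVEL_FT and rt1
    return v1, n2h_active, l1


# Low Main Steam Superheat reactor trip: items 1 (established) and 4 (removed)
def trip_bypass_established(v1, n2h):
    return v1 and n2h


def trip_bypass_removed(v1, n2h):
    return (not v1) or (not n2h)


# Low Main Steam Superheat Secondary System Isolation: items 2 and 3
def ssi_bypass_established(v1, n2h, l1):
    return (v1 and n2h) or l1


def ssi_bypass_removed(v1, n2h, l1):
    return ((not v1) or (not n2h)) and (not l1)


def inconsistent_states():
    """List interlock states where a bypass is both, or neither,
    established and removed. An empty list means the four items agree."""
    problems = []
    for v1, n2h, l1 in product((False, True), repeat=3):
        if trip_bypass_established(v1, n2h) == trip_bypass_removed(v1, n2h):
            problems.append(("reactor trip", v1, n2h, l1))
        if ssi_bypass_established(v1, n2h, l1) == ssi_bypass_removed(v1, n2h, l1):
            problems.append(("SSI", v1, n2h, l1))
    return problems


def bypasses(v1, n2h, l1):
    """Return (reactor trip bypassed, SSI actuation bypassed)."""
    return trip_bypass_established(v1, n2h), ssi_bypass_established(v1, n2h, l1)


if __name__ == "__main__":
    print("inconsistent states:", inconsistent_states())
    for state in product((False, True), repeat=3):
        print(dict(zip(("V-1", "N-2H", "L-1"), state)), "->", bypasses(*state))
```
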

Wide Range RCS Cold Temperature Interlock, T-1

The Wide Range RCS Cold Temperature Interlock, T-1, is established when Wide Range RCS Cold Temperature is greater than approximately 325 °F.

1. On increasing temperature, the T-1 interlock automatically bypasses the Low Temperature Overpressure Protection actuation on High WR RCS Pressure.
2. On decreasing temperature, the T-1 interlock automatically enables the Low Temperature Overpressure Protection actuation on High WR RCS Pressure.

Wide Range RCS Hot Temperature Interlock, T-2

The Wide Range RCS Hot Temperature interlock, T-2, is established when Wide Range RCS Hot Temperature is below approximately 200 °F and the Reactor Tripped Permissive, RT-1 is established.

1. On decreasing temperature, the T-2 interlock automatically bypasses the Low Low Pressurizer Level trip for:
  • Secondary System Isolation;
  • CVCS Isolation actuation; and
  • Containment Isolation actuation.
2. On increasing temperature above the T-2 interlock or RT-1 not established (RTBs closed), the T-2 interlock automatically enables the Low Low Pressurizer Level trip for:
  • Secondary System Isolation;
  • CVCS Isolation actuation; and
  • Containment Isolation actuation.

Wide Range RCS Hot Temperature Interlock, T-3

The Wide Range RCS Hot Temperature interlock, T-3, is established when Wide Range Hot Temperature is below approximately 350 °F.

1. On decreasing temperature, the T-3 interlock automatically bypasses:
  • High Narrow Range Containment Pressure trip for SSI actuation, Containment Isolation actuation, and CVCS Isolation actuation.
2. On increasing temperature, the T-3 interlock automatically enables:
  • High Narrow Range Containment Pressure trip for SSI actuation, Containment Isolation actuation, and CVCS Isolation actuation.

Narrow Range RCS Hot Temperature Interlock, T-4

The Narrow Range RCS Hot Temperature Interlock, T-4, is established when Narrow Range RCS Hot Temperature is below approximately 600 °F.

1. On decreasing temperature, the T-4 interlock automatically bypasses the Low Pressurizer Pressure trip for Reactor Trip and DWSI actuation.
2. On increasing temperature, the T-4 interlock automatically enables the Low Pressurizer Pressure trip for Reactor Trip and DWSI actuation.

Wide Range RCS Hot Temperature Interlock, T-5

The Wide Range RCS Hot Temperature Interlock, T-5, is established when Wide Range Hot Temperature is below approximately 420 °F.

1. When RT-1 is active (reactor trip breakers open) and on decreasing temperature, the T-5 interlock automatically bypasses:
  • Low Low Pressurizer Pressure Secondary System Isolation actuation;
  • Low Low Pressurizer Pressure CVCS Isolation actuation.
2. When RT-1 is not active, or on increasing temperature, the T-5 interlock is not active, the following functions are automatically enabled:
  • Low Low Pressurizer Pressure Secondary System Isolation actuation;
  • Low Low Pressurizer Pressure CVCS Isolation actuation.

Narrow Range RCS Hot Temperature Interlock, T-6

The Narrow Range RCS Hot Temperature Interlock, T-6, is established when Narrow Range RCS Hot Temperature is below approximately 475 °F.

1. On decreasing temperature, the T-6 interlock automatically bypasses the Low RCS Pressure trip for ECCS actuation.
2. On increasing temperature, the T-6 interlock automatically enables the Low RCS Pressure trip for ECCS actuation.

Containment Level Interlock, L-1

The Containment Level Interlock, L-1 is established when Containment Water Level is above approximately 45 ft. and RT-1 (RTBs open) is active.

1. When L-1 is active, an automatic operating bypass is established for the:
  • Low Low Main Steam Pressure Secondary System Isolation actuation,
  • Low Main Steam Superheat Secondary System Isolation actuation,
  • High Narrow Range Containment Pressure Secondary System Isolation actuation,
  • Low Low Pressurizer Level Secondary System Isolation actuation,
  • Low Low Pressurizer Level CVCS isolation, and
  • Low Low Pressurizer Level Containment System Isolation actuation.
2. When the L-1 interlock is not active, the operating bypass is automatically removed for the:
  • Low Low Main Steam Pressure Secondary System Isolation actuation.

3. When the L-1 interlock is not active, and the N-2H interlock OR the V-1 interlock is not active, the operating bypass is automatically removed for the:
  • Low Main Steam Superheat Secondary System Isolation actuation.
4. When the L-1 interlock and the WR RCS Thot interlock, T-3, are not active, the operating bypass is automatically removed for the:
  • High Narrow Range Containment Pressure Secondary System Isolation actuation.
5. When the L-1 interlock and the WR RCS Thot interlock, T-2, are not active, the operating bypass is automatically removed for the:
  • Low Low Pressurizer Level Secondary System Isolation actuation,
  • Low Low Pressurizer Level CVCS isolation, and
  • Low Low Pressurizer Level Containment System Isolation actuation.

Pressurizer Level Interlock, L-2

The L-2 interlock is active when pressurizer level is greater than 20%.

1. When L-2 AND the WR RCS Thot Interlock, T-3, are active, an automatic operating bypass is established for the High Containment Level ECCS actuation.
2. When L-2 OR the WR RCS Thot Interlock, T-3, are not active, the operating bypass is automatically removed for the High Containment Level ECCS actuation.

Low Low RCS Flow CVCSI Interlock, F-1

When RCS flow goes below the Low Low RCS Flow setpoint, a reactor trip and CVCSI actuation are generated, opening the reactor trip breakers and isolating the CVCS. The CVCS, in conjunction with the module heatup system, is used to establish RCS flow and to heat up the RCS during reactor startup. The F-1 interlock allows opening of the CVCS isolation valves, using the Enable NS Control switch and MCS, with RCS flow below the Low Low RCS Flow setpoint as long as the reactor trip breakers are open.

1. When two or more RCS flow channels are less than or equal to the Low Low RCS Flow setpoint, a reactor trip and CVCSI actuation are generated. When more than two RCS flow channels are less than or equal to the Low Low RCS Flow setpoint for more than a short time delay AND RT-1 is active (both divisional reactor trip breakers open), F-1 is active and an automatic operating bypass is established for the Low Low RCS Flow CVCSI actuation.

2. When RT-1 is not active, or two or more RCS flow channels are greater than the Low Low RCS Flow setpoint for more than a short time delay, the F-1 interlock is not active and the operating bypass is automatically removed.

Containment System Isolation Override, O-1

The containment system isolation override, O-1, is established when the manual override switch (one for each division) in the main control room is in the override position for the respective ESFAS division and the RT-1 permissive is established. The O-1 override allows for manual control of the CVCS RCS injection and pressurizer spray containment isolation valves and the containment flood and drain containment isolation valves, from the module control system with an active automatic containment system isolation or automatic CVCS isolation signal present.

The override does not affect the CVCS containment isolation valves closure signal when the isolation signal is generated on High Pressurizer Level. The O-1 override switch must be manually taken out of override when the override O-1 is no longer needed. The override is automatically removed if the RT-1 permissive is removed.

Containment Pressure Interlock, P-1

The P-1 interlock is active when the narrow range containment pressure is less than about 1 psia.

1. On decreasing narrow range containment pressure, the P-1 interlock automatically bypasses the Low RCS Pressure ECCS actuation.
2. On increasing narrow range containment pressure, the P-1 interlock automatically enables the Low RCS Pressure ECCS actuation.

Reactor Trip System and ESFAS Functions

The specific safety analyses applicable to each protective function are identified below:

1. Excore Nuclear Power

Neutron flux provides indication of reactor power and is measured at detectors located outside the containment vessel at the height of the core region. Wide range detectors are used at all power levels with continuous indication from subcritical conditions and startup to operating power levels. The neutron monitoring system provides indication from approximately 10E-6 to 125% RTP.

Neutron flux signals that exceed their setpoints or the rate of change limits cause the reactor trip breakers to open and the demineralized water supply valves to be isolated. Four channels of neutron flux are required to be OPERABLE when the unit is in a condition capable of withdrawing any CRA.

a. High Power Range Linear Power - Reactor Trip and Demineralized Water System Isolation

The High Power Range Linear Power trip compares the measured power range neutron flux to setpoints to initiate actuations if reactor power level exceeds the expected levels. The trip provides protection against core damage and protects the reactor coolant pressure boundary (RCPB) during the following events:
  • Increase in steam flow;
  • Inadvertent opening of the turbine bypass system;
  • Inadvertent decrease in boron concentration in the RCS;
  • Spectrum of rod ejection accidents;
  • Uncontrolled control rod assembly (CRA) withdrawal at power; and
  • Steam system piping failures inside and outside of containment.

Four channels of High Power Range Linear Power are required to be OPERABLE in MODE 1 and in MODES 2 and 3 with the RTBs closed and the CRDMs capable of withdrawing any CRA. In MODES 2 and 3, with no capability of withdrawing any CRA, the reactor will remain subcritical. In MODES 4 and 5 the reactor is subcritical with the CRDMs and CVCS incapable of affecting the reactivity in the unit. Four channels are provided to permit one channel to be in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

The High Power Range Linear Power trip logic functions include a permissive, N-2L, that allows the operator to manually bypass the lower Power Range Neutron Flux High trip when power is increased above the N-2L permissive. The Power Range High Linear Power trip setpoint is automatically reset to the lower setpoint when power is reduced below the N-2L permissive.

Actual, interlock and permissive setpoints are established in accordance with the Setpoint Program.

b. High Power Range Positive and Negative Rate - Reactor Trip and Demineralized Water System Isolation

The Power Range Rate is measured using the power range neutron monitors that measure neutron flux for the High Linear Power trip. The Power Range Rate function measures the rate-of-change in neutron flux received at the detectors. The SFM logic unit performs calculations to determine the rate of change and compares the result to a setpoint. The trip provides protection against core damage and protects the reactor coolant pressure boundary (RCPB) during the following events:
  • Inadvertent decrease in boron concentration in the RCS; and

These trips provide protection from the effects of transients that occur at power levels above the N-2H interlock. The High Positive and Negative Power Range Rate trips are automatically bypassed below the N-2H interlock and automatically enabled above the N-2H interlock. Actual trip, isolation, interlock, and permissive setpoints are established and governed by the Setpoint Program.

Four channels of Power Range Rate are required to be OPERABLE in MODE 1 with reactor power above the N-2H interlock to limit the rate of change of the reactor power as measured by the excore neutron detectors. In MODE 1 with reactor power below the N-2L interlock, and MODES 2 and 3, the High Source and Intermediate Range Log Power Rate trips provide protection from transients that result in high rates of change in reactor power. In MODES 4 and 5 the reactor is subcritical with the CRDMs and CVCS incapable of affecting the reactivity in the unit. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

c. High Intermediate Range Log Power Rate - Reactor Trip and Demineralized Water System Isolation

The Neutron Monitoring System (NMS) provides an intermediate range doubling time signal which is used by the SFM to determine the rate of change and compares the result to a setpoint. The High Intermediate Range Log Power Rate trip provides protection against core damage and protects the reactor coolant pressure boundary (RCPB) during an inadvertent decrease in boron concentration in the RCS that is postulated to occur at low power.

The High Intermediate Range Log Power Rate trip is only necessary for events that are postulated to occur from a subcritical condition or during the approach to critical operations and at low-power levels. It is not required to be OPERABLE at power levels above the N-2L interlock. The High Intermediate Range Log Power Rate trip is automatically bypassed when above the N-2L interlock and automatically enabled below the N-2L interlock. Interlock and permissive setpoints are governed by the Setpoint Program.

Four channels of High Intermediate Range Log Power Rate are required to be OPERABLE in MODE 1 with reactor power below the N-2L interlock and in MODES 2 and 3 when capable of CRA withdrawal because the events that it is designed to protect against occur at low power levels. This will limit the rate of change of the reactor power as measured by the excore neutron detectors. At power levels above the N-2L interlock, the High Power Rate trip provides protection from events that result in high rates of change in reactor power. In MODES 2 and 3, with no capability of withdrawing any CRA, the reactor will remain subcritical.

In MODES 4 and 5 the reactor is subcritical with the CRDMs and CVCS incapable of affecting the reactivity in the unit.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

d. High Source Range Count Rate - Reactor Trip and Demineralized Water System Isolation

The NMS provides a source range log power signal which is used by the SFM to determine a source range count rate and compares the result to a setpoint. The High Source Range Count Rate trip provides protection against core damage and protects the reactor coolant pressure boundary (RCPB) during the following events:
  • Inadvertent decrease in boron concentration in the RCS; and
  • Uncontrolled CRA withdrawal from a subcritical or low power.

Four channels of High Source Range Count Rate are required to be OPERABLE in MODE 1 with power less than approximately one decade above the Intermediate Range channel lower limit and in MODES 2 and 3 when capable of CRA withdrawal. In MODE 1 with power approximately one decade above the Intermediate Range channel lower limit, the Intermediate Range Log Power Rate trips and the Power Range High Linear Power trip provide protection from transients that result in high rates of change in reactor power. In MODES 2 and 3, with no capability of withdrawing any CRA, the reactor will remain subcritical. In MODES 4 and 5 the reactor is subcritical with the CRDMs and CVCS incapable of affecting the reactivity in the unit. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

The High Source Range Count Rate trip can be manually bypassed when the intermediate range flux increases to approximately one decade above the channel lower limit (above the N-1 permissive) and is automatically enabled when the intermediate range flux decreases below the N-1 permissive.

Interlock and permissive setpoints are governed by the Setpoint Program.

e. High Source Range Log Power Rate - Reactor Trip and Demineralized Water System Isolation

The NMS provides a source range doubling time signal which is used by the SFM to determine a source range log power rate and compares the result to a setpoint. The High Source Range Log Power Rate trip provides protection against core damage and protects the reactor coolant pressure boundary (RCPB) during the following events:
  • Inadvertent decrease in boron concentration in the RCS; and
  • Uncontrolled CRA withdrawal from a subcritical or low power.

Four channels of Source Range Log Power Rate are required to be OPERABLE in MODE 1 with power less than approximately one decade above the Intermediate Range channel lower limit and in MODES 2 and 3 when capable of CRA withdrawal. In MODE 1 with power approximately one decade above the Intermediate Range channel lower limit, the Intermediate Range Log Power Rate trips and the Power Range High Linear Power trip provide protection from transients that result in high rates of change in reactor power. In MODES 2 and 3, with no capability of withdrawing any CRA, the reactor will remain subcritical. In MODES 4 and 5 the reactor is subcritical with the CRDMs and CVCS incapable of affecting the reactivity in the unit. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

The High Source Range Log Power Rate trip can be manually bypassed above the N-1 permissive and is automatically enabled when the intermediate range flux decreases below the N-1 permissive. Interlock and permissive setpoints are governed by the Setpoint Program.

f. High Subcritical Multiplication - Demineralized Water System Isolation

The NMS provides a source range log power signal which is used by the SFM to determine a subcritical multiplication rate and compares the result to a setpoint. The High Subcritical Multiplication trip provides protection against core damage and protects the reactor coolant pressure boundary (RCPB) during the following events:

  • Inadvertent decrease in boron concentration in the RCS; and
  • Uncontrolled CRA withdrawal from a subcritical or low power.

Four channels of Subcritical Multiplication are required to be OPERABLE in MODE 1 with power less than approximately one decade above the Intermediate Range channel lower limit and at all times in MODES 2 and 3. In MODE 1 with power approximately one decade above the Intermediate Range channel lower limit, the Intermediate Range Log Power Rate trips and the Power Range High Linear Power trip provide protection from transients that result in high rates of change in reactor power. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single failure will disable this trip Function.

The High Subcritical Multiplication trip is automatically bypassed above the N-1 interlock and is automatically enabled when the intermediate range flux decreases below the N-1 interlock.

Interlock and permissive setpoints are governed by the Setpoint Program.

2. Pressurizer Pressure

Pressurizer pressure is measured to determine the RCS pressure, as represented by the steam space near the top of the reactor vessel.

The MPS is supplied signals from four sensors (one for each separation group) that measure pressure from about 1500 to 2200 psia.

a. High Pressurizer Pressure - Reactor Trip, Decay Heat Removal System Actuation, Pressurizer Heater Trip, Demineralized Water System Isolation, and Secondary System Isolation

The High Pressurizer Pressure trip is designed to protect against exceeding RPV pressure limits for reactivity and heatup events.

The trip provides protection for the following events:

  • Loss of external load;
  • Loss of nonemergency AC power to station auxiliaries;
  • Pressurizer heater malfunction;
  • Inadvertent operation of DHRS;
  • Uncontrolled CRA withdrawal at power;
  • Feedwater system pipe breaks inside and outside the containment vessel.

Four High Pressurizer Pressure Reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3, with no capability of withdrawing any CRA, the reactor will remain subcritical. In MODES 4 and 5 the reactor is subcritical with the CRDMs and CVCS incapable of affecting the reactivity in the unit.

Four High Pressurizer Pressure DHRS and four SSI channels are required to be OPERABLE when operating in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. When PASSIVE COOLING is established, sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical and passively cooled.

Four Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 with the pressurizer heater breakers closed. In MODES 2 and 3 with the pressurizer heater breakers open and in MODES 4 and 5 this function is fulfilled. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

b. Low Pressurizer Pressure - Reactor Trip, and Demineralized Water System Isolation

The Low Pressurizer Pressure trip is designed to protect against RCS line breaks outside of containment and CRA drop, and to protect the RCS subcooled margin against flow instability events.

The RTS and ESFAS Low Pressurizer Pressure setpoint is approximately 1720 psia. Actual setpoints are established in accordance with the Setpoint Control Program. Four Low Pressurizer Pressure reactor trip and ESFAS channels are required to be OPERABLE when operating in MODE 1 with RCS hot temperature above the T-4 interlock. In MODE 1 with RCS hot temperature below the T-4 interlock and in MODES 2, 3, 4, and 5 the RCS temperatures are well below T-4 and with the reactor subcritical the heat input will be insufficient to reach T-4. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

The Reactor Trip and ESFAS actuation of the DWSI by the Low Pressurizer Pressure trip function is automatically bypassed when the RCS temperature is below the T-4 interlock, and is automatically enabled when RCS temperature is above the T-4 interlock. Interlock and permissive setpoints are governed by the Setpoint Program.

c. Low Low Pressurizer Pressure - Reactor Trip, Demineralized Water System Isolation, CVCS Isolation and Secondary System Isolation

The Low Low Pressurizer Pressure trip is designed to protect against RCS line breaks outside of containment and protect the RCS subcooled margin against flow instability events.

The RTS and ESFAS Low Low Pressurizer Pressure setpoint is approximately 1600 psia. Actual setpoints are established in accordance with the Setpoint Program.

Four Low Low Pressurizer Pressure reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3 with no capability of withdrawing any CRA, and in MODES 4 and 5 the function is fulfilled because the CRAs are inserted.

Four Low Low Pressurizer Pressure CVCSI and Secondary System Isolation channels are required to be OPERABLE when operating in MODES 1 and 2, and MODE 3 when capable of CRA withdrawal. The ESFAS actuation of CVCSI and SSI by the Low Low Pressurizer Pressure trip function is automatically bypassed when the RCS temperature is below the T-5 interlock and the reactor trip breakers are open (RT-1) and is automatically enabled when RCS temperature is above the T-5 interlock or when the reactor trip breakers are not open. In MODES 4 and 5 the reactor is subcritical at low RCS pressures with the CVCS and secondary system isolation valves de-energized and closed.

3. Reactor Coolant System Level

RCS Level is measured by four (one per separation group) detectors to detect the water level in the RCS vessel. The sensors are located such that they can monitor water level from above the reactor core to the top of the pressurizer.

a. High Pressurizer Level - Reactor Trip, CVCS Isolation, and Demineralized Water System Isolation

The High Pressurizer Level trip provides protection for system malfunctions that increase the reactor coolant system inventory.

Four High Pressurizer Level reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3 with no capability of withdrawing any CRA, and in MODES 4 and 5 the reactor will remain subcritical. Four High Pressurizer Level CVCSI channels are required to be OPERABLE when operating in MODES 1, 2, and 3. In MODES 4 and 5 the reactor will remain subcritical. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

b. Low Pressurizer Level - Reactor Trip, Pressurizer Heater Trip, and Demineralized Water System Isolation

The Low Pressurizer Level trip provides protection for:
  • Radiological consequences of failure of small lines carrying primary coolant outside the containment vessel;
  • Loss-of-coolant accidents outside the containment vessel; and

The Low Pressurizer Level trip causes the reactor trip breakers to open, demineralized water system isolation, and the pressurizer heaters electrical supply to be isolated. Four Low Pressurizer Level reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1, and MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3 with no capability of withdrawing any CRA, and in MODES 4 and 5 the reactor will remain subcritical. Four Low Pressurizer Level Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1, and MODES 2 and 3 with the pressurizer heater breakers closed. In MODES 2 and 3 with the pressurizer heater breakers open and in MODES 4 and 5 this function is fulfilled. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

c. Low Low Pressurizer Level - Containment Isolation, Secondary System Isolation, and CVCS Isolation

The Low Low Pressurizer Level trip provides protection for:
  • Steam system piping failures inside and outside containment;
  • Radiological consequences of failure of small lines carrying primary coolant outside the containment vessel;
  • Loss-of-coolant accidents outside the containment vessel; and

Four Low Low Pressurizer Level Containment Isolation, SSI, and CVCSI trip channels are required to be OPERABLE when operating in MODES 1 and 2, and MODE 3 when RCS temperature is above the T-2 interlock and CNV level is less than L-1. In MODE 3 with RCS temperature below the T-2 interlock, and in MODES 4 and 5, the reactor will remain subcritical.

The Low Low Pressurizer Level CIS, SSI, and CVCS Isolation trip channels are automatically bypassed when the RCS temperature is below the T-2 interlock or containment water level is above the L-1 interlock. The Low Low Pressurizer Level CIS, SSI, and CVCS Isolation trip channels are automatically enabled when RCS temperature is above the T-2 interlock and containment water level is below the L-1 interlock. Interlock and permissive setpoints are governed by the Setpoint Program.

4. RCS Hot Temperature

Narrow Range RCS Hot Temperature is measured by three resistance temperature detectors (RTDs) per separation group (a total of 12 RTDs), located in the RCS flow near the top of the reactor vessel downcomer.

a. High Narrow Range RCS Hot Temperature - Reactor Trip, Decay Heat Removal System Actuation, Pressurizer Heater Trip, and Demineralized Water System Isolation, Secondary System Isolation

The High RCS Hot Temperature trip provides protection for:
  • Instability events;
  • Uncontrolled CRA withdrawal at power.

The High RCS Hot Temperature trip causes a reactor trip, DWSI, DHRS actuation, SSI and a pressurizer heater trip.

Four High Narrow Range RCS Hot Temperature reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1. In MODES 2, 3, 4, and 5 the reactor is subcritical.

Four High Narrow Range RCS Hot Temperature DHRS and SSI channels are required to be OPERABLE in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. In MODE 3 with PASSIVE COOLING in operation, sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical and passively cooled.

Four Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 with the pressurizer heater breakers closed. In MODES 2 and 3 with the pressurizer heater breakers open and in MODES 4 and 5 this function is fulfilled.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

5. RCS Flow

RCS Flow is measured by four sensors (one per separation group) located such that they measure the RCS flow below the steam generator region of the reactor vessel downcomer.

a. Low RCS Flow - Demineralized Water System Isolation

The Low RCS Flow trip ensures boron dilution cannot be performed at low RCS flowrates where the loop time is too long to be able to detect the reactivity change in the core within sufficient time to mitigate the event.

The Low RCS Flow trip causes the demineralized water supply isolation valves to be closed. Four Low RCS Flow trip channels are required to be OPERABLE when operating in MODES 1, 2, and 3. In MODES 4 and 5 the function is fulfilled. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

b. Low Low RCS Flow - Reactor Trip, Demineralized Water System Isolation, and CVCS Isolation

The Low Low RCS Flow trip provides protection against a failure of the module heatup system during startup conditions that results in colder water being injected into the riser, causing a loss of normal startup flow. It ensures RCS flow remains measurable and positive during low power startup conditions.

Four Low Low RCS Flow reactor trip, CVCSI and DWSI channels are required to be OPERABLE when operating in MODE 1, and MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3 with no capability of withdrawing any CRA, and in MODES 4 and 5 the reactor will remain subcritical.

The Low Low RCS Flow CVCSI is automatically bypassed when the Low Low RCS Flow CVCSI Interlock, F-1, is active.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

6. Main Steam Pressure

Main Steam pressure is measured by eight pressure sensors (two per separation group, one on each steam line) located on the main steam lines upstream of the MSIVs near the connection to the DHRS lines.

Steam pressure sensors are shared between the High and Low Main Steam Pressure trips and are used as input to the High and Low Steam Superheat trips.

a. High Main Steam Pressure - Reactor Trip, Decay Heat Removal System Actuation, Pressurizer Heater Trip, Secondary System Isolation, and Demineralized Water System Isolation

The High Main Steam Pressure trip provides protection for:
  • Loss of external load;
  • Loss of nonemergency AC power to the station auxiliaries;
  • Closure of a MSIV; and
  • Inadvertent operation of the DHRS.

The High Main Steam Pressure trip causes the reactor trip breakers to open and the DHRS, SSI, DWSI, and Pressurizer Heater Trip to actuate.

Four High Main Steam Pressure reactor trip and DWSI channels measuring pressure on each steam line are required to be OPERABLE when operating in MODE 1 and MODE 2 when capable of CRA withdrawal. In MODE 2 with no capability of withdrawing any CRA, and in MODES 3, 4, and 5 the reactor will remain subcritical.

Four Main Steam Pressure DHRS and SSI channels are required to be OPERABLE in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. In MODE 3 with PASSIVE COOLING in operation, sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical and passively cooled.

Four Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 with the pressurizer heater breakers closed. In MODES 2 and 3 with the pressurizer heater breakers open and in MODES 4 and 5 this function is fulfilled.

b. Low Main Steam Pressure - Reactor Trip, Demineralized Water System Isolation, and Secondary System Isolation

The Low Main Steam Pressure trip provides protection for:
  • Increase in steam flow;
  • Inadvertent opening of the turbine bypass system;
  • Steam system piping failures inside and outside the containment vessel; and
  • Feedwater system pipe breaks inside and outside the containment vessel.

The Low Main Steam Pressure trip causes the reactor trip breakers to open and the DWSI and SSI to actuate.

Four Low Main Steam Pressure reactor trip, DWSI, and SSI Trip channels measuring pressure on each steam line are required to be OPERABLE when operating in MODE 1 with power range linear power above N-2H. In MODE 1 below N-2H and in MODE 2 the unit is protected by the Low Low Main Steam Pressure function. In MODES 3, 4, and 5 the reactor is subcritical. Interlock and permissive setpoints are governed by the Setpoint Program.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

c. Low Low Main Steam Pressure - Reactor Trip, Demineralized Water System Isolation, and Secondary System Isolation

The Low Low Main Steam Pressure trip provides protection for:
  • Increase in steam flow;
  • Inadvertent opening of the turbine bypass system;
  • Steam system piping failures inside and outside the containment vessel; and
  • Feedwater system pipe breaks inside and outside the containment vessel.

The Low Low Main Steam Pressure trip causes the reactor trip breakers to open and the DWSI and SSI to actuate.

Four Low Low Main Steam Pressure reactor trip and DWSI channels measuring pressure on each steam line are required to be OPERABLE when operating in MODE 1 and MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3 with no capability of withdrawing any CRA and in MODES 4 and 5 the reactor is subcritical.

Four Low Low Main Steam Pressure SSI actuation channels measuring pressure on each steam line are required to be OPERABLE in MODE 1, and in MODES 2 and 3 with containment water level below the L-1 interlock. In MODES 4 and 5 the MPS and SSI actuation do not perform any function and are not required.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function. Interlock and permissive setpoints are governed by the Setpoint Program.

7. Steam Superheat

Steam Superheat is determined by MPS SFM processing of main steam temperature and pressure data. Steam pressure sensors are shared between the High and Low Main Steam Pressure trips and are used as input to the High and Low Steam Superheat trips. Four steam temperature sensors are located on each steam pipe upstream of the MSIVs. Each channel of superheat receives two steam generator pressure inputs and two steam temperature inputs (one pressure and one temperature signal from each steam line). The degree of superheat is found by determining the saturation temperature (TSAT) at the measured main steam pressure (PSTM), and subtracting this value from the measured main steam temperature (TSTM). The main steam saturation temperature is found via a simple steam table lookup function using the measured steam pressure value.

TSH = TSTM - TSAT(PSTM)

a. High Steam Superheat - Reactor Trip, Demineralized Water System Isolation, and Secondary System Isolation

The High Steam Superheat trip provides protection for steam generator (SG) boil-off.

The High Steam Superheat trip causes the reactor trip breakers to open and the DWSI and SSI to actuate.

Four High Steam Superheat reactor trip, DWSI and SSI channels are required to be OPERABLE when operating in MODE 1. In MODES 2, 3, 4, and 5 the reactor is subcritical.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

b. Low Steam Superheat - Reactor Trip, Demineralized Water System Isolation, and Secondary System Isolation

The Low Steam Superheat trip provides mitigation of SG overfilling.

The Low Steam Superheat trip causes the reactor trip breakers to open and the DWSI and SSI to actuate. Steam Superheat is determined by MPS processing of temperature and pressure data.

Four Low Steam Superheat reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1 with power above the N-2H interlock or both feedwater isolation valves (FWIVs) open. When below the N-2H interlock with one FWIV closed, the reactor trip and DWSI are not needed to mitigate any events.

Four Low Steam Superheat SSI channels are required to be OPERABLE in MODE 1 with the containment level below the L-1 interlock with power above the N-2H interlock, or with containment water level below the L-1 interlock with both FWIVs open.

In MODES 2, 3, 4, and 5 the reactor is subcritical.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function. Reactor trip and DWSI are automatically bypassed when reactor power is below the N-2H interlock and V-1 is active (one FWIV closed). SSI is automatically bypassed when reactor power is below the N-2H interlock and V-1 is active (one FWIV closed). SSI is also automatically bypassed if containment level is above the L-1 interlock. The bypass logic is necessary to permit unit startup without resulting in a Low Main Steam Superheat actuation.

8. Containment Pressure

Narrow Range Containment pressure is measured by four sensors (one per separation group) located near the top of the containment vessel.

a. High Narrow Range Containment Pressure - Reactor Trip, Demineralized Water System Isolation, Containment Isolation, Secondary System Isolation, and CVCS Isolation

The High Containment Pressure trip provides protection for:
  • System malfunctions that increase the RCS inventory;
  • Inadvertent operation of the ECCS;
  • Loss of containment vacuum;
  • Steam system piping failures inside and outside the containment vessel;
  • Feedwater system pipe breaks inside and outside the containment vessel; and
  • Loss-of-coolant accidents from a spectrum of postulated piping breaks inside the containment vessel.

The High Narrow Range Containment Pressure trip causes the reactor trip breakers to open, the containment to be isolated, the SSI to be actuated, and the DWS and CVCS to be isolated.

Four High Narrow Range Containment Pressure reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1 and MODES 2 and 3 when capable of CRA withdrawal.

Four High Narrow Range Containment Pressure SSI channels are required to be OPERABLE in MODES 1 and 2, and MODE 3 with RCS temperature above the T-3 interlock and containment water level below the L-1 interlock. In MODE 3 with RCS temperature below the T-3 interlock or containment water level above the L-1 interlock the High Narrow Range Containment Pressure actuation of SSI is not required to function to mitigate the safety analyses events. These operating bypasses are needed to permit unit startup. In MODES 4 and 5 the reactor is subcritical and passively cooled.

Four High Containment Pressure CVCSI and CIS channels are required to be OPERABLE when operating in MODES 1 and 2, and MODE 3 with RCS temperature above the T-3 interlock. In MODE 3 with RCS temperature below the T-3 interlock, and in MODES 4 and 5, containment pressure is allowed and expected to exceed this setpoint, so isolation is not required.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

The High Containment Pressure Containment Isolation, SSI, and CVCSI actuations are automatically bypassed when RCS temperature is below the T-3 interlock. The High Containment Pressure SSI is also automatically bypassed when containment water level is above the L-1 interlock. Interlock and permissive setpoints are governed by the Setpoint Program.

9. Containment Water Level

The High Containment Water Level trip signal causes ECCS actuation. Four ECCS High Containment Water Level trip channels are required to be OPERABLE when operating in MODES 1 and 2, and MODE 3 with RCS hot temperature above T-3 or pressurizer level below L-2. In MODE 3 with RCS hot temperature below T-3 and pressurizer level above L-2, and MODES 4 and 5 the function is fulfilled. Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function. The high containment water level ECCS actuation is automatically bypassed when RCS temperature is below the T-3 interlock and the pressurizer level is above L-2, and automatically enabled when RCS temperature is above the T-3 interlock or pressurizer level is below L-2. Interlock and permissive setpoints are governed by the Setpoint Program.

10. Wide Range RCS Pressure and Wide Range RCS Cold Temperature

Wide range RCS pressure is measured to determine the RCS pressure, as represented by the steam space near the top of the reactor vessel. The MPS is supplied signals from four sensors (one for each separation group) that measure pressure from about 0 to 2500 psia.

Wide range RCS cold temperature is measured to determine a representative minimum temperature in the RCS as measured at four locations in the lower downcomer region of the reactor vessel. The MPS is supplied signals from four sensors (one for each separation group) that measure temperature from about 40 to 700 °F.

a. Low RCS Pressure - ECCS

The Low RCS Pressure - ECCS trip actuation provides protection from postulated boron re-distribution events during extended RCS steam space small break loss of coolant events. The Low RCS Pressure trip causes ECCS actuation.

The Low RCS Pressure - ECCS setpoint is approximately 800 psia. Actual setpoints are established in accordance with the Setpoint Program.

Four low RCS pressure trip channels are required to be OPERABLE when operating in MODES 1 and 2 with RCS hot temperature above T-6.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single failure will disable this trip Function.

The Low RCS Pressure ECCS trip design includes interlocks that ensure the actuation occurs when conditions could result in a boron re-distribution event. These features ensure the ECCS trip on low RCS pressure will not actuate during inappropriate evolutions such as startup and controlled shutdowns. The Low RCS Pressure trip is automatically bypassed when RCS hot temperature is below the T-6 interlock or containment pressure is below the P-1 interlock, and automatically enabled when RCS hot temperature is above the T-6 interlock and containment pressure is above the P-1 interlock. Interlock and permissive setpoints are governed by the Setpoint Program.

b. High RCS Pressure - Low Temperature Overpressure Protection (LTOP)

The High RCS Pressure - Low Temperature trip provides protection for low temperature overpressure events.

The High RCS Pressure - Low Temperature trip signal causes the reactor vessel vent valves to open.

Four High RCS Pressure - Low Temperature trip channels are required to be OPERABLE when operating in MODE 3 with wide range RCS cold temperature below the LTOP enable temperature specified in the PTLR (T-1 Interlock) and more than one reactor vent valve closed. In MODES 1 and 2 the reactor vessel is at a higher temperature and overpressure protection is provided by the safety valves and the DHRS. In MODE 3 with two RVVs open, and MODES 4 and 5 the reactor vessel is protected from overpressure by the openings that exist between the reactor vessel and the containment or the conduction of heat between the reactor vessel and the refueling pool. The LTOP function is automatically bypassed when wide range RCS cold temperature is above the T-1 interlock and automatically enabled when wide range RCS cold temperature is below the T-1 interlock. Interlock and permissive setpoints are governed by the Setpoint Program.

11. Low AC Voltage to ELVS Battery Chargers

The Low AC Voltage function ensures the MPS will operate in a predictable manner if a degraded or loss of electrical power condition occurs. An uncredited function also delays ECCS actuation to allow operators time to restore AC power without ECCS actuation occurring.

An ECCS actuation will occur if required by unit conditions during this time delay.

a. Low ELVS Voltage - ECCS Hold

Low ELVS Voltage is determined by measuring two ELVS 480 VAC buses that provide power to the EDSS battery chargers with two sensors per separation group. If both 480 VAC bus voltages are below the setpoint, the following occurs:
  • DHRS Actuation;
  • Pressurizer Heater Trip Actuation;
  • Containment Isolation Actuation;
  • Chemical and Volume Control System Isolation;
  • Secondary System Isolation; and
  • Demineralized Water System Isolation.

Eight (4/bus) Low ELVS Voltage DWSI and reactor trip channels are required to be OPERABLE when operating in MODE 1 and MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3 with no capability of withdrawing any CRA and in MODES 4 and 5 the reactor is subcritical.

Eight (4/bus) Low ELVS Voltage Containment Isolation and CVCSI channels are required to be OPERABLE when operating in MODES 1, 2, and 3. In MODES 4 and 5 the functions are fulfilled.

Eight (4/bus) Low ELVS Voltage DHRS and SSI channels are required to be OPERABLE in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. In MODE 3 with PASSIVE COOLING in operation, sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical and passively cooled.

Eight (4/bus) Low ELVS Voltage Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODE 2 with the pressurizer heater breakers closed. In MODE 2 with the pressurizer heater breakers open and in MODES 3, 4, and 5 this function is fulfilled.

Four channels per bus are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

12. Under-the-Bioshield Temperature

Temperature under the bioshield is measured by 4 sensors (one per separation group) mounted on the pool wall outside containment.

a. High Under-the-Bioshield Temperature - Reactor Trip, Demineralized Water System Isolation, Containment Isolation, Chemical and Volume Control System Isolation, and Secondary System Isolation

An undetected small main steam line break under the bioshield would expose the equipment to sustained elevated temperatures challenging the safety-related functions of the MSIVs and DHR valves. The High Temperature Under-the-Bioshield trip provides protection for the safety-related equipment that would be exposed to these harsh temperature conditions.

Four High Under-the-Bioshield Temperature reactor trip and DWSI channels are required to be OPERABLE when operating in MODE 1 and in MODES 2 and 3 when capable of CRA withdrawal. In MODES 2 and 3 with no capability of withdrawing any CRA and in MODES 4 and 5 the reactor is subcritical.

Four High Under-the-Bioshield Temperature Containment Isolation and CVCSI channels are required to be OPERABLE when operating in MODES 1, 2, and 3. In MODES 4 and 5 these functions are fulfilled.

Four High Under-the-Bioshield Temperature SSI channels are required to be OPERABLE in MODES 1 and 2, and MODE 3 without PASSIVE COOLING in operation. In MODE 3 with PASSIVE COOLING in operation, sufficient cooling for decay heat loads is met. In MODES 4 and 5 the reactor is subcritical, passively cooled, and the MSIVs would be in their credited safety position.

Four High Under-the-Bioshield Temperature Pressurizer Heater Trip channels are required to be OPERABLE when operating in MODE 1 and in MODE 2 with the pressurizer heater breakers closed. In MODE 2 with the pressurizer heater breakers open and in MODES 3, 4, and 5 this function is fulfilled.

Four channels are provided to permit one channel in trip or bypass indefinitely and still ensure no single random failure will disable this trip Function.

ACTIONS

The most common causes of channel inoperability are outright failure of a sensor or MPS SFM module sufficient to exceed the tolerance allowed by the unit-specific setpoint analysis as specified by the SP. Typically, sensor drift is found to be small and results in a delay of actuation rather than a total loss of capability to actuate within the allowed tolerance around the NTSP. This determination of the channel's actual trip setting is generally made during the performance of a CHANNEL CALIBRATION when the process sensor output signal is measured and verified to be within specification. If any as-found measured value is outside the as-found tolerance band, then the channel is inoperable, and corrective action is required. The unit must enter the Condition for the particular MPS Functions affected. The channel as-found condition will be entered into the Corrective Action Program for further evaluation and to determine the required maintenance to return the channel to OPERABLE status.

When more than two channels of an MPS Function are inoperable, the affected MPS Function is lost and the unit is outside the assumptions of the applicable safety analyses. This condition is addressed for all MPS Functions by the second Condition statement C (One or more Functions with three or more channels inoperable).

Required Action C.1 directs immediately entering the Condition referenced in Table 3.3.1-1 for the affected MPS Function. The referenced Condition provides appropriate actions to place the unit in an operational condition where the LCO for the affected MPS Function does not apply.

Notes have been added to the ACTIONS. The first Note has been added to clarify the application of the Completion Time rules to each Function in Table 3.3.1-1. The Conditions of this Specification may be entered independently for each Function. The Completion Times of each inoperable Function will be tracked separately for each Function, starting from the time the Condition was entered for that Function.

A second Note has been added to clarify the Completion Time rules for Functions required on a per steam generator (SG) basis. The Completion Times of each combination of inoperable Function and SG will be tracked separately.

A third Note has been added to clarify the Completion Time rules for Function 25 which applies to individual electrical supply buses supplying power to the ELVS battery chargers. The Completion Times of each inoperable low AC voltage to ELVS battery charger Function will be tracked separately starting from the time the Condition was entered for that electrical bus.

A.1

Condition A applies to the failure of a single instrument channel of one or more MPS Functions.

If one MPS channel is inoperable, operation is allowed to continue, providing the inoperable channel is placed in bypass or trip in 6 hours.

The 6 hours allotted to bypass or trip the channel are sufficient to allow the operator to take all appropriate actions for the failed channel and still ensure that the risk of operating with the failed channel is acceptable. The failed channel must be restored to OPERABLE status prior to entering the applicable MODE or specified condition if the unit is in a MODE not requiring that channel to be OPERABLE. With a channel in bypass, the coincidence logic is now effectively two-out-of-three for the remaining operable channels.

B.1 and B.2

Condition B applies to the failure of two channels of one or more MPS Functions.


Required Actions B.1 and B.2 direct placing one inoperable channel in bypass and the other inoperable channel in trip within a Completion Time of 6 hours. This Completion Time is sufficient to allow the operator to take all appropriate actions for the failed channels while ensuring the risk of operating with two failed channels is acceptable. With one channel of an MPS instrumentation Function bypassed, the MPS Function is in a two-out-of-three logic configuration; but with another channel of the same MPS Function failed, the MPS Function may be operating in a two-out-of-two logic configuration. This is outside the assumptions made in the applicable safety analyses and must be corrected. To correct this situation, the other inoperable channel can be placed in trip. This places the affected MPS Function in a one-out-of-two logic configuration. If just one of the two OPERABLE channels of the affected MPS Function generates a trip signal, each division of coincidence logic for the MPS Function will generate an actuation signal to the associated RTS and ESFAS logic and actuation Functions.

C.1

Condition C is entered when a Required Action and associated Completion Time of Condition A or B are not met, or one or more MPS Functions have three or more channels inoperable.

The Required Action is to immediately enter the Condition referenced in Table 3.3.1-1 for the MPS Function with the affected instrument channel(s). The Required Actions of the referenced Condition must be accomplished within the associated Completion Times.

D.1

Condition D is entered when Condition C applies to the following Functions that result in a reactor trip as listed in Table 3.3.1-1.

  • 1a, Power Range Linear Power - High (RTS)
  • 3a, Intermediate Range Log Power Rate - High (RTS)
  • 4a, Source Range Count Rate - High (RTS)
  • 5a, Source Range Log Power Rate - High (RTS)
  • 7a, Pressurizer Pressure - High (RTS)
  • 8a, Pressurizer Pressure - Low (RTS)
  • 9a, Pressurizer Pressure - Low Low (RTS)
  • 10a, Pressurizer Level - High (RTS)
  • 11a, Pressurizer Level - Low (RTS)
  • 13a, NR RCS Hot Temperature - High (RTS)
  • 19a, Steam Superheat - High (RTS)
  • 20a, Steam Superheat - Low (RTS)
  • 21a, NR Containment Pressure - High (RTS)

If a Required Action associated with Condition A or B cannot be completed within the required Completion Time for the referenced MPS Function, or three or more channels of the referenced MPS Function are inoperable, the unit must be brought to a MODE or other specified condition where the LCO and Required Actions for the referenced MPS Function do not apply. This is accomplished by opening the reactor trip breakers. The above MPS Functions that result in a reactor trip are not required to be OPERABLE when the reactor trip breakers are open. The Completion Time of 6 hours is reasonable, based on operating experience, for reaching the required MODE from full power conditions in an orderly manner.

E.1

Condition E is entered when Condition C applies to Functions that result in a reactor trip signal when reactor THERMAL POWER is above the N-2H interlock, as listed in Table 3.3.1-1.

If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by reducing THERMAL POWER to below the N-2H interlock. The allowed Completion Time for E.1 of 6 hours is reasonable, based on operating experience, for reaching the required condition from full power conditions in an orderly manner.


F.1

Condition F is entered when Condition C applies to Functions that result in isolation of the CVCS system as listed in Table 3.3.1-1.

If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by isolating all four CVCS flow paths to and from the RCS. The allowed Completion Time of 6 hours is reasonable, based on operating experience, for aligning the system in an orderly manner.

Required Action F.1 is modified by a Note that allows isolated flow paths to be unisolated intermittently under administrative controls. These administrative controls consist of stationing a dedicated operator at the device controls, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for isolation is indicated. This allowance permits the isolation signal to be reset when appropriate conditions exist to do so.

G.1

Condition G is entered when Condition C applies to Functions that result in automatic removal of electrical power from the pressurizer heaters as listed in Table 3.3.1-1.

If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by opening the power supply breakers to the pressurizer heaters. The allowed Completion Time for G.1 of 6 hours is reasonable, based on operating experience, for reaching the required conditions in an orderly manner.

The Action is modified by a Note that permits the heaters to be energized intermittently under administrative controls. These administrative controls consist of stationing a dedicated operator at the breaker controls, who is in continuous communication with the main control room. In this way, the pressurizer heaters can be de-energized when a need for de-energization is indicated. This permits the unit to continue to operate while in the Condition.


H.1

Condition H is entered when Condition C applies to Functions that result in automatic isolation of the demineralized water system as listed in Table 3.3.1-1.

If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by isolating the dilution source flow paths in the CVCS makeup line by use of at least one closed manual or one closed and de-activated automatic valve. The allowed Completion Time for H.1 of 1 hour is reasonable, based on operating experience, for reaching the required condition in an orderly manner.

I.1 and I.2

Condition I is entered when Condition C applies to Functions that result in a DHRS or ECCS actuation, as listed in Table 3.3.1-1.

If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by Required Actions I.1 and I.2.

I.1 places the unit in MODE 2 within 6 hours. This action limits the time the unit may continue to operate with a limited or inoperable automatic channel.

I.2 requires the unit to be in MODE 3 and PASSIVELY COOLED within 36 hours of entering the Condition. These conditions assure adequate passive decay heat transfer to the UHS and result in the unit being in a condition for which the LCO no longer applies.

Completion Times are established considering the likelihood of a LOCA event that would require ECCS or DHRS actuation. They also provide adequate time to permit evaluation of conditions and restoration of channel OPERABILITY without challenging plant systems during a shutdown.

J.1

As listed in Table 3.3.1-1, Condition J is entered when Condition C applies to Function 24.a, "High RCS Pressure - Low Temperature Overpressure Protection (LTOP)," which results in actuation of the LTOP system.

If a Required Action associated with Condition A or B cannot be completed within the required Completion Time, or three or more channels of this Function are inoperable, the unit must be brought to a MODE or other specified condition where the LCO and Required Actions for this Function do not apply. This is accomplished by opening at least two RVVs. The Completion Time of 1 hour is reasonable, based on operating experience, for establishing an RCS vent flow path sufficient to ensure low temperature overpressure protection.

K.1 and K.2

Condition K is entered when Condition C applies to Functions that result in actuation of the Containment Isolation system as listed in Table 3.3.1-1.

If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. This is accomplished by Required Actions K.1 and K.2. K.1 places the unit in MODE 2 within 6 hours. This action limits the time the unit may continue to operate with a limited or inoperable CIS automatic channel. K.2 places the unit in MODE 3 with RCS hot temperature < 200 °F within 48 hours of entering the Condition. This Condition assures the unit will maintain the RCS depressurized and be in a condition for which the LCO no longer applies.

Completion Times are established considering the likelihood of a design basis event that would require CIS actuation during the period of inoperability. They also provide adequate time to permit evaluation of conditions and restoration of channel OPERABILITY without challenging plant systems during a shutdown.

L.1, L.2, L.3, L.4, and L.5

Condition L is entered when Condition C applies to Functions that result in a reactor trip, CIS actuation, DHR actuation, DWSI, SSI, and Pressurizer Heater Trip due to the Low ELVS Voltage or High Under-the-Bioshield Temperature as listed in Table 3.3.1-1.

If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE or other specified condition where the Required Actions do not apply. This is accomplished by Required Actions L.1, L.2, L.3, L.4, and L.5.


L.1 places the unit in MODE 2 within 72 hours. This action limits the time the unit may continue to operate with a limited or inoperable automatic channel. L.2 requires the unit to be in MODE 3 and PASSIVELY COOLED within 96 hours of entering the Condition. These conditions assure adequate passive decay heat transfer to the UHS and result in the unit being in a condition for which the DHRS OPERABILITY is no longer required.

L.3 places the unit in MODE 3 with RCS temperature below the T-2 interlock within 96 hours of entering the Condition. This Condition assures the unit will maintain the RCS depressurized and be in a condition for which the LCO no longer applies.

L.4 isolates the dilution source flow paths in the CVCS makeup line by use of at least one closed manual or one closed and de-activated automatic valve within 96 hours. This completes the function of the DWSI.

L.5 opens the power supply breakers to the pressurizer heaters within 96 hours.

Completion Times are established considering the likelihood of a design basis event that would require automatic actuation during the period of inoperability. They also provide adequate time to permit evaluation of conditions and restoration of channel OPERABILITY without challenging plant systems during a shutdown.

M.1 and M.2

Condition M is entered when Condition C applies to Function 21.b, High Narrow Range Containment Pressure - Containment Isolation System that results in actuation of the Containment Isolation system as listed in Table 3.3.1-1.

If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE or other specified condition in which the LCO and Required Actions for this Function do not apply. This is accomplished by Required Actions M.1 and M.2. M.1 places the unit in MODE 2 within 6 hours. This action limits the time the unit may continue to operate with a limited or inoperable CIS automatic channel. M.2 places the unit in MODE 3 with RCS hot temperature < 350 °F within 48 hours of entering the Condition. This Condition assures the unit will be in a condition for which the LCO no longer applies.


Completion Times are established considering the likelihood of a design basis event that would require CIS actuation during the period of inoperability. They also provide adequate time to permit evaluation of conditions and restoration of channel OPERABILITY without challenging plant systems during a shutdown.

N.1

Condition N is entered when Condition C applies to Function 23.a, Low RCS Pressure - ECCS that results in actuation of the ECCS as listed in Table 3.3.1-1.

If the Required Actions associated with this Condition cannot be completed within the required Completion Time, the unit must be brought to a MODE or other specified condition in which the LCO and Required Actions for this Function do not apply. This is accomplished by Required Action N.1 that places the unit in MODE 2 with the RCS temperature below the T-6 interlock within 6 hours. This Condition assures the unit will be in a condition for which the LCO no longer applies.

The Completion Time was established considering the likelihood of a design basis event that would require the ECCS actuation on low RCS pressure during the period of inoperability. It also provides adequate time to permit evaluation of conditions and restoration of channel OPERABILITY without challenging plant systems to reach the required configuration.

SURVEILLANCE REQUIREMENTS

SR 3.3.1.1

Performance of the CHANNEL CHECK ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is verification through the absence of alarms from the automatic analog and binary process signal monitoring features used to monitor channel behavior during operation. Deviation beyond the established acceptance criteria is alarmed to allow appropriate action to be taken.

This determination includes, where possible, comparison of channel indication and status to other indications or status derived from the independent channels measuring the same process variable. This determination is made using computer software or may be performed manually.


It is based on the assumption that instrument channels monitoring the same process variable should read approximately the same value.

Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying that the instrumentation continues to operate properly between CHANNEL CALIBRATIONS.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment is operating outside its limits.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.2

A periodic calibration (heat balance) is performed when THERMAL POWER is above 15%. The Linear Power Level signal and the nuclear instrumentation system addressable constant multipliers are adjusted to make the nuclear power calculations agree with the calorimetric calculation if the absolute difference is > 1%. The value of 1% is adequate because this value is assumed in the safety analysis. These checks (and, if necessary, the adjustment of the nuclear power signal) are adequate to ensure that the accuracy is maintained within the analyzed error margins.

The power level must be above 15% RTP to obtain accurate data. At lower power levels, the accuracy of calorimetric data is questionable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The Surveillance is modified by three Notes. The first Note indicates that the neutron monitoring system nuclear instrument channel must be calibrated when the absolute difference is > 1% when compared to the calorimetric heat balance. The second Note indicates that this Surveillance need only be performed within 12 hours after reaching 15% RTP. The 12 hours after reaching 15% RTP is required for unit stabilization, data taking, and flow verification. The secondary calorimetric is inaccurate at lower power levels. A third Note is provided that permits operation below 15% RTP without adjusting the instrument channel as long as the indicated nuclear instrument power is conservatively higher than the calorimetric heat balance results. This third Note is an exception to the first Note and only applies when below 15% RTP.


SR 3.3.1.3

This SR measures the individual CHANNEL RESPONSE TIMES.

The CHANNEL RESPONSE TIME is combined with the allocated MPS digital time response and the ACTUATION RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME is less than or equal to the maximum values assumed in the safety analysis. Response time testing criteria are included in FSAR Chapter 7.

CHANNEL RESPONSE TIME may be verified by any series of sequential, overlapping or total channel measurements, including allocated sensor response time, such that the CHANNEL RESPONSE TIME is verified. [Allocations for sensor response times may be obtained from records of test results, vendor test data, or vendor engineering specifications.] ACTUATION RESPONSE TIME testing of the RTS and ESFAS divisions is performed in accordance with LCO 3.3.2, "Reactor Trip System Logic and Actuation," LCO 3.3.3, "Engineered Safety Features Actuation Logic and Actuation," LCO 3.4.6, "Chemical and Volume Control System Isolation Valves," LCO 3.4.10, "LTOP Valves," LCO 3.5.1, "ECCS," LCO 3.5.2, "DHRS," LCO 3.6.2, "Containment Isolation Valves," LCO 3.7.1, "MSIVs," and LCO 3.7.2, "Feedwater Isolation."

SR 3.3.1.3 is modified by a Note indicating that neutron detectors are excluded from CHANNEL RESPONSE TIME testing. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.4

This SR is modified by a Note that indicates that neutron detectors are excluded from CHANNEL CALIBRATION.

The Surveillance verifies that the channel responds to a measured process variable within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift between successive calibrations to ensure that the channel remains operational between successive tests. The test is performed in accordance with the SP. If all as-found measured values during calibration and surveillance testing are inside the as-left tolerance band, then the channel is fully operable and no additional actions are required.


If all as-found measured values during calibration testing and surveillance testing are within the as-found tolerance band but outside the as-left tolerance band, then the instrumentation channel is fully operable; however, calibration is required to restore the channel within the as-left tolerance band.

If any as-found measured value is outside the as-found tolerance band, then the channel is inoperable, and corrective action is required. The unit must enter the Condition for the particular MPS Functions affected. The channel as-found condition will be entered into the Corrective Action Program for further evaluation and to determine the required maintenance to return the channel to OPERABLE.

Interlocks and permissives are required to support the Function's OPERABILITY and are addressed by this CHANNEL CALIBRATION.

This is accomplished by ensuring the channels are calibrated properly in accordance with the SP. If the interlock or permissive is not functioning as designed, the condition is entered into the Corrective Action Program and appropriate OPERABILITY evaluations are performed for the affected Function(s). The affected Function's OPERABILITY can be met if the interlock is manually enforced to properly enable the affected Function.

When an interlock or permissive is not supporting the associated Function's OPERABILITY at the existing plant conditions, the affected Function's channels must be declared inoperable and appropriate ACTIONS taken.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.5

SR 3.3.1.5 is the performance of a CHANNEL CALIBRATION of the Class 1E isolation devices, as described in SR 3.3.1.4.

Class 1E isolation devices ensure that electrical power to the associated MPS circuitry and logic will not adversely affect the ability of the system to perform its safety functions. The devices de-energize and isolate the MPS components if such a condition is detected. This surveillance verifies the setpoints and functions of the isolation devices including associated alarms and indications by performing a CHANNEL CALIBRATION of required Class 1E isolation devices. The overcurrent and undervoltage setpoints of the Class 1E isolation devices are established and controlled in accordance with the Setpoint Program. The calibration parameters associated with the CHANNEL CALIBRATION of these Class 1E isolation devices are established to assure component OPERABILITY of the device electrical protection and isolation functions. There are no LSSSs associated with the Class 1E devices such that the establishment of a limiting trip setpoint (LTSP) or nominal trip setpoint (NTSP) is not governed by the Setpoint Program. However, the performance of a CHANNEL CALIBRATION implements sections of the Setpoint Program and includes the channel OPERABILITY determination based on the As-Found and As-Left settings for the Class 1E device calibration parameters.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. Regulatory Guide 1.105, Revision 3, December 1999.
2. 10 CFR 50, Appendix A, GDC 21.
3. 10 CFR 50.34.
4. FSAR, Chapter 7.
5. FSAR, Chapter 15.
6. 10 CFR 50.49.
7. TR-0606-49121, NuScale Instrument Setpoint Methodology, Rev. [2].
8. IEEE Standard 603-1991.


RTS Logic and Actuation B 3.3.2

B 3.3 INSTRUMENTATION

B 3.3.2 Reactor Trip System (RTS) Logic and Actuation

BASES

BACKGROUND

The RTS portion of the Module Protection System (MPS) initiates a reactor trip to protect against violating the core fuel design limits and maintain reactor coolant pressure boundary integrity during anticipated operational occurrences (AOOs) and postulated accidents. By tripping the reactor, the RTS also assists the Engineered Safety Features (ESF) systems in mitigating accidents.

LCO 3.3.2 addresses only the logic and actuation portions of the MPS that perform the RTS function. The scope of this LCO begins at the inputs to the scheduling and voting modules (SVM) and extends through the actuated components. This includes the reactor trip breakers (RTBs).

LCO 3.3.1, "Module Protection System (MPS) Instrumentation," and LCO 3.3.3, "Engineered Safety Features Actuation System (ESFAS) Logic and Actuation," provide requirements on the other portions of the MPS that automatically initiate the Functions described in Table 3.3.1-1.

Details of the design and operation of the entire MPS are provided in the Bases for LCO 3.3.1, Module Protection System (MPS) Instrumentation.

Setpoints are specified in the [owner-controlled requirements manual]. As noted there, the MPS transmits trip determination data to both divisions of the RTS SVMs. Redundant data from all four separation groups is received by each division of the RTS SVMs.

Logic for Reactor Trip Initiation

The MPS reactor trip initiation logic is implemented in two divisions of RTS. The three SVMs in each division generate a reactor trip signal when safety function modules (SFMs) in any two of the four separation groups determine a reactor trip is required. Each of the two RTS divisions evaluates the input signals from the SFMs from all four separation groups.

Each SVM compares the four inputs received from the SFMs, and generates a reactor trip signal if required by two of the four separation groups. The output of the three redundant SVMs is communicated via three independent safety data buses to the associated equipment interface modules (EIMs).

The EIMs compare inputs from the three SVMs and initiate an actuation if two out of three signals agree on the need to actuate.
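The following is an added example, not part of the NuScale submittal. It models the two-out-of-four SVM vote and two-out-of-three EIM vote described above, together with the bypass and trip configurations discussed in the B 3.3.1 ACTIONS Bases for Conditions A and B, and checks which configurations still tolerate one further channel failure. All names are hypothetical; the model assumes that a bypassed channel's vote is removed, that a channel placed in trip votes "trip", and that a failed channel or failed SVM fails silent (never votes trip).

```python
from enum import Enum


class Ch(Enum):
    """State of one separation-group channel of a single MPS Function."""
    OPERABLE = "operable"
    BYPASS = "bypass"   # vote removed from the coincidence logic
    TRIP = "trip"       # vote forced to "trip"
    FAILED = "failed"   # inoperable, not yet bypassed or tripped;
                        # assumed here to fail silent (never votes trip)


REQUIRED_VOTES = 2      # two-out-of-four coincidence per the Bases
ALL_DEMAND = (True, True, True, True)


def group_votes(states, demands):
    """Trip votes one SVM sees from the four separation groups."""
    votes = []
    for state, demand in zip(states, demands):
        if state is Ch.TRIP:
            votes.append(True)
        elif state is Ch.OPERABLE:
            votes.append(bool(demand))
        else:                       # BYPASS or FAILED contributes nothing
            votes.append(False)
    return votes


def svm_trip(states, demands):
    """One scheduling and voting module: trip if two groups vote trip."""
    return sum(group_votes(states, demands)) >= REQUIRED_VOTES


def division_actuates(states, demands, svm_healthy=(True, True, True)):
    """EIM two-out-of-three vote over the division's three SVMs.

    A failed SVM is assumed to output "no trip".
    """
    outputs = [ok and svm_trip(states, demands) for ok in svm_healthy]
    return sum(outputs) >= 2


def effective_logic(states):
    """Return (m, n): m more votes needed out of n OPERABLE channels."""
    operable = sum(s is Ch.OPERABLE for s in states)
    forced = sum(s is Ch.TRIP for s in states)
    return max(0, REQUIRED_VOTES - forced), operable


def single_failure_tolerant(states):
    """True if a real demand on every group still actuates after any one
    additional OPERABLE channel fails silent."""
    if not division_actuates(states, ALL_DEMAND):
        return False                # Function already lost
    for i, state in enumerate(states):
        if state is not Ch.OPERABLE:
            continue
        degraded = list(states)
        degraded[i] = Ch.FAILED
        if not division_actuates(degraded, ALL_DEMAND):
            return False
    return True


# Constructed configurations matching the Conditions discussed in the Bases.
CONFIGS = {
    "all four OPERABLE": (Ch.OPERABLE,) * 4,
    "Condition A, one in bypass":
        (Ch.BYPASS, Ch.OPERABLE, Ch.OPERABLE, Ch.OPERABLE),
    "Condition A, one in trip":
        (Ch.TRIP, Ch.OPERABLE, Ch.OPERABLE, Ch.OPERABLE),
    "Condition B before B.2":
        (Ch.BYPASS, Ch.FAILED, Ch.OPERABLE, Ch.OPERABLE),
    "Condition B after B.1 and B.2":
        (Ch.BYPASS, Ch.TRIP, Ch.OPERABLE, Ch.OPERABLE),
    "three channels failed":
        (Ch.FAILED, Ch.FAILED, Ch.FAILED, Ch.OPERABLE),
}


def summarize():
    """Map each configuration to (m, n, single_failure_tolerant)."""
    return {name: (*effective_logic(s), single_failure_tolerant(s))
            for name, s in CONFIGS.items()}


if __name__ == "__main__":
    for name, (m, n, ok) in summarize().items():
        print(f"{name:32s} {m}-out-of-{n}  single-failure tolerant: {ok}")
```

Only the two-out-of-two case (one channel bypassed, the other failed but not yet placed in trip) loses single-failure tolerance while still nominally functional, which is the configuration the Bases identify as outside the safety analysis assumptions.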


RTS Actuation

The EIMs for the RTBs for each division of RTS interrupt power to the control rod drive mechanisms (CRDMs) by opening two reactor trip breakers associated with that division.

Power input to the reactor trip switchgear and supplied to the CRDMs comes from the 3-phase 120/208 VAC EDNS power source.

The reactor trip switchgear consists of four RTBs, which are operated in two sets of two breakers (two divisions). Each of the two trip paths consists of two RTBs in series. For example, if a reactor trip breaker receives an open signal in trip path A, an identical breaker in trip path B will also receive an open signal. This arrangement ensures that power is interrupted to the CRDM buses.

The RTS EIMs interrupt power to the reactor trip breaker undervoltage trip coils which will cause the breakers to open. If electrical power is available, the MPS will also apply power to the breaker shunt trip coil causing the reactor trip breaker to open.

Each set of RTBs can also be operated by manual reactor trip actuation.

The OPERABILITY of the manual trip switches and their function are addressed in LCO 3.3.4.

Functional testing of the entire MPS, from sensor input to the SFM through the opening of individual RTBs can be performed at power, at reduced power or shutdown conditions. FSAR Section 7.2 (Ref. 1) describes MPS testing in more detail.

APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY

The Applicable Safety Analyses for the RTS are described in the Bases of LCO 3.3.1, Module Protection System (MPS) Instrumentation.

The LCO requires the RTS Logic and Actuation to be OPERABLE in MODE 1 and in MODES 2 and 3 when any RTB is closed. These are the MODES or other specified conditions when the CRAs are capable of withdrawal using the CRDMs. In MODES 4 and 5, the CRDMs are disconnected from their power supply and the CRAs cannot be withdrawn.

The RTS Logic and Actuation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

ACTIONS

A.1 and A.2 Condition A applies if a single RTB is inoperable. This Condition permits performance of required periodic surveillance testing of the RTBs. With the inoperable RTB open, both divisions of RTS logic remain capable of automatically causing a reactor trip.

The Completion Time of 48 hours is reasonable to perform any required troubleshooting, required periodic surveillance testing, and restore the RTB to OPERABLE status while minimizing the likelihood of unnecessary reactor trips. The MPS and RTS remain capable of automatically causing a reactor trip during this time.

B.1 Condition B applies when one division of RTS Logic and Actuation is inoperable. RTS logic as used in the Condition includes the SVM, EIM, and associated communication paths of a single division of RTS function.

In this Condition, the other division remains OPERABLE and capable of performing the required safety function. The redundant signal paths and logic of the OPERABLE division provide sufficient capability to automatically trip the reactor.

The Required Action for this Condition is to restore the inoperable logic division to OPERABLE within six hours. The six hour limit provides a maximum time during which the reactor may be operated without an OPERABLE logic division.

C.1 Condition C is entered if the Required Action or Completion Time of Condition A or B are not met, if both divisions of RTS Logic and Actuation are inoperable, or if more than one RTB is inoperable.

The Required Action is for all RTBs to be opened immediately. Conditions A and B provide adequate time to troubleshoot and make necessary repairs without resulting in an unnecessary forced shutdown of the reactor. Therefore, a Completion Time of immediately is reasonable based on the limited ability of the RTS to shut down the reactor.

SURVEILLANCE REQUIREMENTS

SR 3.3.2.1 An ACTUATION LOGIC TEST on each RTS Logic division is performed to ensure the division will perform its intended function when needed.

These tests verify that the RTS is capable of performing its intended function, from SFM input signals to the SVM through actuation of the RTBs.

MPS testing from the input sensors to the SVMs is addressed by surveillance requirements specified in LCO 3.3.1, Module Protection System (MPS) Instrumentation. The RTS Logic and Actuation circuitry functional testing is accomplished with continuous system self-testing features on the SVMs and EIMs and the communication between them.

The self-testing features are designed to perform complete functional testing of all circuits on the SVM and EIM, with the exception of the actuation and priority logic (APL) circuitry. The self-testing includes testing of the voting and interlock/permissive logic functions. The built-in self-testing will report a failure to the operator and place the SVM or EIM in a fail-safe state.

The only portion of the RTS Logic and Actuation circuitry that is not self-tested is the APL. The manual actuation switches, enable nonsafety control switches, and operating bypass switches do not include self-testing features. The manual actuation switches are addressed by surveillance requirements specified in LCO 3.3.4, "Manual Actuation Functions."

This ACTUATION LOGIC TEST includes testing of the APL on all RTS EIMs, the enable nonsafety control switches, and the operating bypass switches. The ACTUATION LOGIC TEST includes a review of any alarms or failures reported by the self-testing features.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.2 This SR measures the ACTUATION RESPONSE TIME of the RTS divisions. The ACTUATION RESPONSE TIME is combined with the allocated MPS digital time response and the CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME is less than or equal to the maximum values assumed in the safety analysis.

Individual component response times are not modeled in the analyses.

The analyses model the overall or total elapsed time, from the point at which the process variable exceeds the trip setpoint value at the sensor to the time at which the RTBs open. TOTAL RESPONSE TIME may be verified by any series of sequential, overlapping, or total division measurements.

CHANNEL RESPONSE TIMES are tested in accordance with LCO 3.3.1.

The maximum digital time response is described in the FSAR. This SR encompasses the ACTUATION RESPONSE TIME of the RTS division from the output of the equipment interface modules until the RTBs are open.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.3 SR 3.3.2.3 is the performance of a CHANNEL CALIBRATION of the Class 1E isolation devices, as described in SR 3.3.1.4.

Class 1E isolation devices ensure that electrical power to the associated MPS circuitry and logic will not adversely affect the ability of the system to perform its safety function. The devices de-energize and isolate the MPS components if such a condition is detected. This surveillance verifies the setpoints and functions of the isolation devices including associated alarms and indications by performing a CHANNEL CALIBRATION of required Class 1E isolation devices.

The overcurrent and undervoltage setpoints of the Class 1E isolation devices are established and controlled in accordance with the Setpoint Program. The calibration parameters associated with the CHANNEL CALIBRATION of these Class 1E isolation devices are established to assure component OPERABILITY of the device electrical protection and isolation functions. There are no LSSSs associated with the Class 1E devices such that the establishment of a limiting trip setpoint (LTSP) or nominal trip setpoint (NTSP) is not governed by the Setpoint Program.

However, the performance of a CHANNEL CALIBRATION implements sections of the Setpoint Program and includes the channel OPERABILITY determination based on the As-Found and As-Left settings for the Class 1E device calibration parameters.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.4 SR 3.3.2.4 verifies the reactor trip breaker (RTB) actuates to the open position on an actual or simulated trip signal. This test verifies OPERABILITY by actuation of the end devices.

The RTB test verifies the under voltage trip mechanism opens the breaker. Each RTB in a division is tested separately to minimize the possibility of an inadvertent reactor trip.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 7.2.

B 3.3 INSTRUMENTATION

B 3.3.3 Engineered Safety Features Actuation System (ESFAS) Logic and Actuation

BASES

BACKGROUND

The ESFAS portion of the Module Protection System (MPS) protects against violating the core fuel design limits, ensures reactor coolant pressure boundary integrity during anticipated operational occurrences (AOOs) and postulated accidents, and ensures acceptable consequences during accidents by initiating necessary safety systems.

Details of the design and operation of the entire MPS are provided in the Bases for LCO 3.3.1, Module Protection System (MPS) Instrumentation.

Setpoints are specified in the [owner-controlled requirements manual]. As noted there, the MPS transmits trip determination data to both divisions of the ESFAS scheduling and voting modules (SVMs). Redundant data from all four separation groups is received by each division of the ESFAS SVMs.

LCO 3.3.3 addresses only the logic and actuation portions of the MPS that perform the ESFAS functions. The scope of this LCO begins at the inputs to the SVMs and extends through the actuating contacts on the actuated components. This LCO also includes the pressurizer heater breakers. Component OPERABILITY and surveillance requirements are provided in the system LCOs and by programmatic requirements identified in Chapter 5, Administrative Controls.

LCO 3.3.1, Module Protection System (MPS) Instrumentation, and LCO 3.3.2, "Reactor Trip System (RTS) Logic and Actuation," provide requirements on the other portions of the MPS that automatically initiate the Functions described in Table 3.3.1-1.

The ESFAS logic and actuation consists of:

1. Emergency Core Cooling System (ECCS) actuation;
2. Decay Heat Removal System (DHRS) actuation;
3. Containment Isolation System (CIS) actuation;
4. Demineralized Water Supply Isolation (DWSI) actuation;
5. Chemical and Volume Control System Isolation (CVCSI) actuation;
6. Pressurizer Heater Trip (PHT);
7. Low Temperature Overpressure Protection (LTOP) actuation; and
8. Secondary System Isolation (SSI) actuation.

Logic for Actuation Initiation

The MPS ESFAS logic is implemented in two divisions. The three SVMs, in each division, generate actuation signals when the safety function modules (SFMs) in any two of the four separation groups determine that an actuation is required. Both ESFAS divisions evaluate the input signals from the SFMs in each of three redundant SVMs. Each SVM compares the four inputs received from the SFMs, and generates an appropriate actuation signal if required by two or more of the four separation groups.

The output of the three redundant SVMs is communicated via three independent safety data buses to the associated equipment interface modules (EIMs). There are multiple EIMs associated with each division - independent and redundant EIMs for each division of ESFAS.

The EIMs compare inputs from the three SVMs and initiate an actuation if two out of three signals agree on the need to actuate.
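The two-stage vote described for both the RTS (B 3.3.2) and ESFAS (B 3.3.3) logic, as an added Python model that is not part of the NuScale document: each SVM votes 2-out-of-4 on the separation-group inputs and each EIM votes 2-out-of-3 on the SVM outputs. The stuck-output fault model and every function name are assumptions made for illustration; the checks show which SVM failures the architecture masks within a division and which ones leave only the other division able to actuate.

```python
from itertools import product

SEPARATION_GROUPS = 4      # one SFM trip determination per separation group
SVMS_PER_DIVISION = 3      # redundant scheduling and voting modules (SVMs)
DIVISIONS = ("I", "II")
NO_FAULTS = (None,) * SVMS_PER_DIVISION


def vote(inputs, required):
    """Return True when at least `required` inputs demand actuation."""
    return sum(1 for x in inputs if x) >= required


def svm_output(sfm_inputs, stuck=None):
    """2-out-of-4 vote of one SVM over the four separation-group inputs.

    `stuck` is a hypothetical fault model (not from the document): when it
    is True or False the SVM output is forced to that value.
    """
    if len(sfm_inputs) != SEPARATION_GROUPS:
        raise ValueError("expected one input per separation group")
    if stuck is not None:
        return bool(stuck)
    return vote(sfm_inputs, 2)


def eim_actuates(sfm_inputs, svm_faults=NO_FAULTS):
    """2-out-of-3 vote of an EIM over the three SVM outputs of its division."""
    if len(svm_faults) != SVMS_PER_DIVISION:
        raise ValueError("expected one fault entry per SVM")
    return vote([svm_output(sfm_inputs, f) for f in svm_faults], 2)


def division_actuations(sfm_inputs, faults_by_division=None):
    """Evaluate both divisions; each one sees all four separation groups."""
    faults_by_division = faults_by_division or {}
    return {d: eim_actuates(sfm_inputs, faults_by_division.get(d, NO_FAULTS))
            for d in DIVISIONS}


def single_svm_fault_is_masked():
    """Exhaustive check over all 16 input patterns and all 6 single faults.

    Returns True when no single stuck SVM changes the EIM result, that is,
    it can neither block a required actuation nor cause a spurious one.
    """
    for inputs in product((False, True), repeat=SEPARATION_GROUPS):
        expected = vote(inputs, 2)
        for position in range(SVMS_PER_DIVISION):
            for stuck in (False, True):
                faults = [None] * SVMS_PER_DIVISION
                faults[position] = stuck
                if eim_actuates(inputs, tuple(faults)) != expected:
                    return False
    return True


def demands_blocked_by_double_fault():
    """Count input patterns that require actuation but are blocked in one
    division when two of its SVMs are stuck at 'no actuation'."""
    blocked = 0
    for inputs in product((False, True), repeat=SEPARATION_GROUPS):
        if vote(inputs, 2) and not eim_actuates(inputs, (False, False, None)):
            blocked += 1
    return blocked


if __name__ == "__main__":
    demand = (True, True, False, False)   # constructed input: two groups trip
    print("fault-free:", division_actuations(demand))
    print("single SVM fault masked:", single_svm_fault_is_masked())
    print("two SVMs stuck in Division I:",
          division_actuations(demand, {"I": (False, False, None)}))
    print("blocked demands in that division:", demands_blocked_by_double_fault())
```

The double-fault case corresponds to one division of logic being inoperable: the faulted division no longer actuates on any of the 11 demanding input patterns, while the other division still does.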

ESFAS Actuation

Each ESFAS actuation consists of closing or opening components whose safety position is achieved by interruption of electrical power to breaker or valve controls.

Each division of ESFAS can control an independent component or, in some cases, either division can control one component. For example, there are two containment isolation valves in series, one controlled by Division I and the other controlled by Division II. There is only one safety-related MSIV per steam line (two total), and either Division I or II actuation will close it.

Each ESFAS actuation can also be initiated by manual controls. The OPERABILITY of the manual controls and their function are addressed in LCO 3.3.4.

Most functional testing of the MPS from sensor input to the SFM and through the opening of individual contacts can be conducted at power, with the limited remaining scope tested at reduced power or when the unit is shut down. FSAR Chapter 7 (Ref. 1) describes MPS testing in more detail.

APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY

The Applicable Safety Analyses for the ESFAS are described in the Bases of LCO 3.3.1, Module Protection System (MPS) Instrumentation.

The LCO requires the ESFAS Logic and Actuation to be OPERABLE in the MODES listed in Table 3.3.3-1. The MODES or other specified conditions when the ESFAS safety functions are required to be OPERABLE are described below.

1. ECCS Actuation

The ECCS is designed to mitigate postulated LOCAs and is used to maintain shutdown after other events. Therefore it is required to be OPERABLE in MODES 1 and 2, and in MODE 3 when not PASSIVELY COOLED. In MODE 4 the RVVs and RRVs are open providing passive cooling, and in MODE 5 shutdown cooling heat transfer is provided either by direct conduction and convection from the reactor vessel or the reactor fuel to the reactor pool.

2. DHRS Actuation

The DHRS is designed to provide passive core cooling for events that do not transition to ECCS cooling. Therefore it is required to be OPERABLE in MODES 1 and 2, and in MODE 3 when not PASSIVELY COOLED. In MODE 4 the RVVs and RRVs are open providing passive shutdown cooling, and in MODE 5 shutdown cooling heat transfer is provided either by direct contact of the reactor vessel or the reactor fuel to the reactor pool.

3. CIS Actuation

The CIS is designed to protect and limit releases from postulated RCS or secondary leaks and to support DHRS and ECCS operation. Therefore it is required to be OPERABLE in MODES 1, 2, and 3. In MODES 4 and 5 the function has been accomplished.

4. DWSI Actuation

The DWSI is designed to limit and mitigate postulated reactivity events due to inadvertent boron dilution by isolating the supply of demineralized water to the CVCS. Therefore it is required to be OPERABLE in MODES 1, 2, and 3. In MODES 4 and 5 the demineralized water supply is physically isolated from the module and therefore cannot affect the boron concentration and reactivity in the reactor.

5. CVCSI Actuation

The CVCSI is designed to mitigate postulated events that result from overfilling the reactor coolant system. It also mitigates primary system high energy line breaks postulated to occur outside of the containment. The actuation is required to be OPERABLE in MODES 1, 2, and 3. In MODES 4 and 5 the CVCS is physically isolated from the module and therefore cannot affect the boron concentration and reactivity in the reactor nor can it overfill the RCS.

6. Pressurizer Heater Trip

The PHT is designed to protect the pressurizer heaters from uncovering, overheating, and potentially compromising the RCS pressure boundary. The PHT is required to be OPERABLE when the pressurizer heaters are, or may be, energized. The trip is required to be OPERABLE in MODE 1, and in MODES 2 and 3 if a pressurizer heater breaker is closed. In MODES 4 and 5 the power supply to the pressurizer heaters is physically isolated from the module and therefore cannot be energized.

7. LTOP Actuation

The LTOP is designed to protect the reactor vessel integrity from postulated overpressure events that occur below the nil ductility transition (NDT) temperature below which the fracture toughness of the reactor vessel is reduced. Therefore the system must be OPERABLE in MODE 3 if the reactor coolant is below the NDT as specified in the PTLR and established as the LTOP enable temperature, the T-1 interlock. Alternatively, the function is satisfied if two RVVs are open. In MODES 1 and 2, the reactor vessel temperature is above the NDT temperature and the reactor safety valves provide overpressure protection. In MODE 4 the RVVs are de-energized and open which prevents pressurization of the reactor vessel. In MODE 5 the reactor coolant system is in open contact with the ultimate heat sink and cannot be pressurized.

8. Secondary System Isolation

The Secondary System Isolation is designed to isolate the steam generators from the feedwater and main steam systems. The system limits releases of radioactive materials via these flowpaths. It also provides boundaries to preserve the inventory of the DHRS ensuring that capability to transfer decay heat to the UHS remains available. Therefore it is required to be OPERABLE in MODES 1, 2, and 3.

The ESFAS logic and actuation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

Operability requirements for manual ESFAS actuation are described in LCO 3.3.4.

ACTIONS

When the required ESFAS logic for the Actuation Functions listed in Table 3.3.3-1 is inoperable, the unit is outside the safety analysis, if applicable in the current MODE of operation. Required Actions must be initiated to limit the duration of operation or to place the unit in a MODE or other applicable condition in which the Condition no longer applies.

A Note has been added to the ACTIONS to clarify the application of the Completion Time rules. The Conditions of this Specification may be entered independently for each Actuation Function. The Completion Time for the inoperable Function will be tracked separately for each Function, starting from the time the Condition was entered for that Actuation Function.

A.1 Condition A applies if one or more divisions of the LTOP Logic and Actuation Function are inoperable. The Required Action is to open two reactor vent valves (RVVs) within one hour. This places the unit in a condition in which the LCO no longer applies. The one hour Completion Time provides adequate time to either immediately restore the inoperable logic or take manual action to open the RVVs, which establishes an RCS vent flow path sufficient to ensure low temperature overpressure protection.

B.1 Condition B applies if one division of an ESFAS actuation logic Function is inoperable. This Condition is not applicable to LTOP actuation logic.

The redundant signal paths and logic of the OPERABLE division provide sufficient capability to automatically actuate the required ESFAS function with a single division of logic OPERABLE.

If one division of actuation Function logic cannot be restored to OPERABILITY within six hours, then the Conditions listed in Table 3.3.3-1 must be entered to limit the duration of operation with an inoperable division and to place the unit in a MODE or other applicable condition in which the LCO no longer applies. The six hour limit provides a reasonable time during which the actuation system may be restored to OPERABILITY.

C.1 and C.2 If Required Action B.1 directs entry into Condition C as specified in Table 3.3.3-1, or if both divisions of ECCS, DHRS, or SSI are inoperable the unit is outside its design basis ability to automatically mitigate a postulated event.

With one division of actuation logic inoperable the redundant signal paths and logic of the OPERABLE division provide sufficient capability to automatically actuate the ECCS, DHRS, or SSI if required.

C.1 requires the unit to be in MODE 2 within 6. This action limits the time the unit may continue to operate with limited or inoperable automatic actuation logic.

C.2 requires the unit to be in MODE 3 and PASSIVELY COOLED within 36 hours of entering the Condition. This Condition assures adequate passive decay heat transfer to the UHS and results in the unit being in a condition which assures passive cooling of the reactor core.

Completion Times are established considering the likelihood of a LOCA event that would require ECCS, DHRS, or SSI actuation. They also provide adequate time to permit evaluation of conditions and restoration of actuation logic OPERABILITY without challenging plant systems during a shutdown.

D.1 and D.2 If Required Action B.1 directs entry into Condition D as specified in Table 3.3.3-1, or if both divisions of the containment isolation actuation Function are inoperable then the unit is outside its design basis ability to automatically mitigate some design basis events.

With one division of actuation logic inoperable, the redundant signal paths and logic of the OPERABLE division provide sufficient capability to automatically actuate the CIS if required.

D.1 requires the unit to be in MODE 2 within 6 hours of entering the Condition. This action limits the time the unit may continue to operate with limited or inoperable CIS automatic actuation logic.

D.2 requires the unit to be placed in MODE 3 with RCS temperature below the T-2 interlock within 48 hours of entering the Condition. This condition assures the unit will maintain the RCS depressurized, and results in the unit being in a condition for which the LCO no longer applies.

Completion Times are established considering the low probability of a design basis event that would require CIS actuation during the period of inoperability. They also provide adequate time to permit evaluation of conditions and restoration of actuation logic OPERABILITY without challenging plant systems during a shutdown.

E.1 If Required Action B.1 directs entry into Condition E as specified in Table 3.3.3-1, or if both divisions of demineralized water supply isolation actuation are inoperable then the unit is outside its design basis ability to automatically mitigate some design basis events.

With one division of actuation logic inoperable, the redundant signal paths and logic of the OPERABLE division provide sufficient capability to automatically actuate the DWSI if required.

In this Condition the demineralized water supply flow path(s) to the RCS must be isolated within 1 hour to preclude an inadvertent boron dilution event.

Isolation can be accomplished by manually isolating the demineralized water isolation valve(s). Alternatively, the dilution path may be isolated by closing appropriate isolation valve(s) in the flow path(s) from the demineralized water storage tank to the RCS.

The Required Action is modified by a Note allowing the flow path(s) to be unisolated intermittently under administrative controls. These administrative controls consist of stationing a dedicated operator at the valve controls, who is in continuous communication with the main control room. In this way, the flow path can be isolated when a need for isolation is indicated.

F.1 If Required Action B.1 directs entry into Condition F as specified in Table 3.3.3-1, or if both divisions of the CVCS isolation actuation Function are inoperable then the unit is outside its design basis ability to automatically mitigate some design basis events.

With one division of actuation logic inoperable, the redundant signal paths and logic of the OPERABLE division provide robust capability to automatically actuate the CVCSI if required.

F.1 requires the isolation of all four CVCS flow paths to and from the reactor coolant system within 1 hour of entering the Condition. The Action is modified by a Note that permits the flow path(s) to be unisolated intermittently under administrative controls. This Note limits the likelihood of an event by requiring additional administrative control of the CVCS flow paths. These administrative controls consist of stationing a dedicated operator at the valve controls, who is in continuous communication with the main control room. In this way, the flow path(s) can be isolated when a need for isolation is indicated. This permits the unit to continue to operate while in the Condition.

G.1 If Required Action B.1 directs entry into Condition G as specified in Table 3.3.3-1, or if both divisions of the pressurizer heater trip actuation Function are inoperable then the unit is outside its design basis ability to automatically mitigate some design basis events.

With one division of actuation logic inoperable, the redundant signal paths and logic of the OPERABLE division provide sufficient capability to automatically actuate the PHT if required.

G.1 requires de-energization of the pressurizer heaters within 6 hours of entering the Condition. This action limits the time the unit may continue to operate with limited or inoperable PHT automatic actuation logic. The Action is modified by a Note that permits the heaters to be energized intermittently under administrative controls. These administrative controls consist of stationing a dedicated operator at the breaker controls, who is in continuous communication with the main control room. In this way, the pressurizer heaters can be de-energized when a need for de-energization is indicated. This permits the unit to continue to operate while in the Condition.

The Completion Time was established considering the likelihood of a design basis event that would require automatic de-energization.

SURVEILLANCE REQUIREMENTS

SR 3.3.3.1 An ACTUATION LOGIC TEST on each ESFAS division is performed to ensure the division will perform its intended function when needed. These tests verify that the ESFAS actuation Functions are capable of performing their intended function, from the SVMs through actuation of the ESF Components.

MPS testing from the input sensors to the SVMs is addressed by surveillance requirements specified in LCO 3.3.1, Module Protection System (MPS) Instrumentation. The ESFAS logic and actuation circuitry functional testing is accomplished with continuous system self-testing features on the SVMs and EIMs and the communication between them.

The self-testing features are designed to perform complete functional testing of all circuits on the SVM and EIM, with the exception of the actuation and priority logic (APL) circuitry. The self-testing includes testing of the voting and interlock/permissive logic functions. The built-in self-testing will report a failure to the operator and place the SVM or EIM in a fail-safe state.

The only portion of the ESFAS logic and actuation circuitry that is not self-tested is the APL. The manual actuation switches, enable nonsafety control switches, main control room isolation switches, override switches, and operating bypass switches do not include self-testing features. The manual actuation switches are addressed by surveillance requirements specified in LCO 3.3.4, "Manual Actuation Functions."

The ACTUATION LOGIC TEST includes testing of the APL on all ESFAS EIMs, the enable nonsafety control switches, the main control room isolation switches, the override switches, and the operating bypass switches. The ACTUATION LOGIC TEST includes a review of any alarms or failures reported by the self-testing features.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.3.2 This SR measures the pressurizer heater breaker opening ACTUATION RESPONSE TIMES. The ACTUATION RESPONSE TIME is combined with the allocated MPS digital time response and the CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME is less than or equal to the maximum values assumed in the safety analysis. Individual component response times are not modeled in the analyses. The analyses model the overall or total elapsed time, from the point at which the process variable exceeds the trip setpoint value at the sensor to the time at which the ESF component actuates. TOTAL RESPONSE TIME may be verified by any series of sequential, overlapping, or total division measurements.

CHANNEL RESPONSE TIMES are tested in accordance with LCO 3.3.1.

The maximum digital time response is described in the FSAR. This SR encompasses the response time of the ESFAS from the output of the equipment interface modules to the loss of voltage at the output of the pressurizer heater breaker.

The ACTUATION RESPONSE TIME of valves actuated by the ESFAS is verified in accordance with the IST program, and LCO 3.4.6, "Chemical and Volume Control System Isolation Valves," LCO 3.4.10, "LTOP Valves," LCO 3.5.1, "ECCS," LCO 3.5.2, "DHRS," LCO 3.6.2, "Containment Isolation Valves," LCO 3.7.1, "MSIVs," and LCO 3.7.2, "Feedwater Isolation."

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.3.3 SR 3.3.3.3 is the performance of a CHANNEL CALIBRATION of the Class 1E isolation devices, as described in SR 3.3.1.4.

Class 1E isolation devices ensure that electrical power to the associated MPS circuitry and logic will not adversely affect the ability of the system to perform its safety functions. The devices de-energize and isolate the MPS components if such a condition is detected. This surveillance verifies the setpoints and functions of the isolation devices including associated alarms and indications by performing a CHANNEL CALIBRATION of required Class 1E isolation devices. The overcurrent and undervoltage setpoints of the Class 1E isolation devices are established and controlled in accordance with the Setpoint Program. The calibration parameters associated with the CHANNEL CALIBRATION of these Class 1E isolation devices are established to assure component OPERABILITY of the device electrical protection and isolation functions. There are no LSSSs associated with the Class 1E devices such that the establishment of a limiting trip setpoint (LTSP) or nominal trip setpoint (NTSP) is not governed by the Setpoint Program. However, the performance of a CHANNEL CALIBRATION implements sections of the Setpoint Program and includes the channel OPERABILITY determination based on the As-Found and As-Left settings for the Class 1E device calibration parameters.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.3.4 SR 3.3.3.4 verifies the pressurizer heater breaker actuates to the open position on an actual or simulated trip signal on each pressurizer heater breaker. This test verifies OPERABILITY by actuation of the end devices.

The pressurizer heater breaker test verifies that the undervoltage trip mechanism opens the breaker.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Chapter 7.

B 3.3 INSTRUMENTATION

B 3.3.4 Manual Actuation Functions

BASES BACKGROUND The Manual Actuation Function portion of the module protection system (MPS) provides means to manually initiate the automatic actuations provided by the system to protect against violating the core fuel design limits, to maintain reactor coolant pressure boundary integrity, and to avoid exceeding radiological dose limits during anticipated operational occurrences (AOOs) and postulated accidents. This LCO applies to components and functions from the manual actuation switches in the control room to the RTS and ESFAS Equipment Interface Modules (EIMs). EIM logic and actuated equipment OPERABILITY is addressed in LCO 3.3.2, "Reactor Trip System (RTS) Logic and Actuation," and LCO 3.3.3, "Engineered Safety Features Actuation System (ESFAS) Logic and Actuation," as well as LCOs applicable to individual actuated components and systems, e.g., LCO 3.5.1, "Emergency Core Cooling System (ECCS)."

Manual switches in the main control room allow the operator to initiate a reactor trip if necessary. The manual switches are connected to the RTS hardwired modules (HWM) of the MPS. The HWM converts the manual switch position to appropriate signals and routes them to the division RTS EIMs to cause a reactor trip (Ref. 1).

Manual switches in the main control room also include switches for each automatic ESF function at the division level. These manual switches are connected to the ESFAS HWM of the MPS. The HWM converts the manual switch position to appropriate signals and routes them to the division ESFAS EIMs to cause an actuation.

A description of the MPS Instrumentation that causes automatic initiation of MPS protective functions is provided in the Bases for LCO 3.3.1, Module Protection System (MPS) Instrumentation.

APPLICABLE SAFETY ANALYSES, LCOs, and APPLICABILITY The MPS functions to maintain the SLs during all AOOs and mitigates the consequences of DBAs in MODES 1, 2, and 3.

The LCO requires each Manual Actuation Function division performing an RTS or ESFAS Function, listed in Table 3.3.4-1, to be OPERABLE.

The safety analyses, LCO OPERABILITY and applicability requirements of Manual Actuation Functions listed in Table 3.3.4-1 are discussed in the Bases for LCO 3.3.2, "Reactor Trip System (RTS) Logic and Actuation," and LCO 3.3.3, "Engineered Safety Features Actuation System (ESFAS) Logic and Actuation." While not specifically credited in the safety analyses, manual actuation of the Functions provides defense in depth to mitigate postulated events, and provides operators with the ability to address other events that may occur with the assistance of the automatic actuation portions of the MPS.

The Manual Actuation Functions satisfy Criterion 4 of 10 CFR 50.36(c)(2)(ii).

ACTIONS A Note has been added in the ACTIONS to clarify the application of Completion Time rules. Separate Condition entry is allowed for each Function listed in Table 3.3.4-1. The Completion Time(s) of the inoperable Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.

A.1 Condition A applies if one or more Functions have one manual actuation division inoperable. Required Action A.1 requires the Condition associated with the inoperable Function listed in Table 3.3.4-1 to be corrected, or the Condition listed in Table 3.3.4-1 to be entered within 48 hours. In this Condition, one division of manual actuation remains OPERABLE and the automatic MPS actuation capabilities remain available to perform the safety function consistent with the limits of LCO 3.3.1, 3.3.2, and 3.3.3.

The Completion Time of 48 hours is based on continued operation in conformance with the design basis for automatic actuation of protective functions, as well as an OPERABLE means of manually actuating the protective functions. The time also provides adequate opportunity to identify and implement corrective actions to restore a Manual Actuation Function without entering the Condition specified in Table 3.3.4-1.

B.1 Condition B applies to the Manual Actuation Functions identified in Table 3.3.4-1. Condition B addresses the situation where one or more Functions have both manual actuation divisions inoperable. One manual actuation division consists of an actuation switch and the associated hardware (such as contacts and wiring) up to but not including the affected EIMs. EIM OPERABILITY is addressed in LCO 3.3.2 and LCO 3.3.3.

With both manual actuation divisions inoperable, the Condition listed in Table 3.3.4-1 must be entered in 6 hours. In this Condition, the automatic MPS actuations remain available to perform the design basis safety functions consistent with the limits of LCO 3.3.1, 3.3.2, and 3.3.3. The Completion Time of 6 hours provides adequate opportunity to identify and implement corrective actions to restore a Manual Actuation Function without entering the Condition specified in Table 3.3.4-1.

C.1 If Required Actions A.1 or B.1 direct entry into Condition C as specified in Table 3.3.4-1, then the reactor trip breakers must be opened immediately.

Opening the reactor trip breakers satisfies the safety function of the system and places the unit in a MODE or specified conditions in which the LCO no longer applies.

The immediate Completion Time is consistent with the importance of the ability to initiate a manual reactor trip using the actuation Function.

D.1 and D.2 If Required Actions A.1 or B.1 direct entry into Condition D as specified in Table 3.3.4-1, then Condition D provides 24 hours to restore the manual actuation capability to OPERABLE status before the unit must be in MODE 2. Required Action D.2 requires the unit be in MODE 3 and PASSIVELY COOLED within 72 hours of entering the Condition. The Completion Times provide opportunity for correction of the identified inoperability while maintaining the reactor coolant system closed, minimizing the transients and complexity of a return to operation when OPERABILITY is restored.

The Completion Times are reasonable because the credited automatic actuation Function remains OPERABLE as specified in LCO 3.3.3, and alternative means of manually initiating the safety function remain available, e.g., manually initiating individual MPS division trip logic and component-level actuations.

E.1 If Required Actions A.1 or B.1 direct entry into Condition E as specified in Table 3.3.4-1, then Action E.1 requires the dilution source flow paths to be isolated if the Manual Actuation Function is not restored within 1 hour.

The Action includes a Note that permits the flow path to be opened intermittently under administrative controls. This permits operation of the unit while actions to restore the actuation Function are underway.

The Completion Times are reasonable because the credited automatic actuation function remains OPERABLE as specified in LCO 3.3.3, and alternative means of manually initiating the safety function remain available, e.g., manually initiating individual MPS division trip logic and component-level actuations.

F.1 If Required Actions A.1 or B.1 direct entry into Condition F as specified in Table 3.3.4-1, then Action F.1 requires the four CVCS flow paths to and from the reactor coolant system be isolated if the Manual Actuation Function is not restored within 1 hour. The Action includes a Note that permits the flow path to be opened intermittently under administrative controls. This permits operation of the unit while actions to restore the actuation Function are underway.

The Completion Times are reasonable because the credited automatic actuation function remains OPERABLE as specified in LCO 3.3.3, and alternative means of manually initiating the safety function remain available, e.g., manually initiating individual MPS division trip logic and component-level actuations.


G.1 If Required Actions A.1 or B.1 direct entry into Condition G as specified in Table 3.3.4-1, then Action G.1 requires the pressurizer heaters to be de-energized if the Manual Actuation Function is not restored within 24 hours. The Action includes a Note that permits the heaters to be energized intermittently under administrative controls. This permits operation of the unit while actions to restore the actuation Function are underway.

The Completion Times are reasonable because the credited automatic actuation function remains OPERABLE as specified in LCO 3.3.3, and alternative means of manually initiating the safety function remain available, e.g., manually initiating individual MPS division trip logic and component-level actuations.

H.1 If Required Actions A.1 or B.1 direct entry into Condition H as specified in Table 3.3.4-1, then Condition H requires two RVVs to be opened immediately which places the facility in a configuration in which an overpressure event in the reactor vessel is not possible. The Completion Time is reasonable given the need to ensure overpressure protection to the reactor vessel.

I.1 and I.2 If Required Actions A.1 or B.1 direct entry into Condition I as specified in Table 3.3.4-1, then the unit must be placed in MODE 3 with the containment isolated within 48 hours. Isolating the containment places the unit in a MODE or specified condition in which the LCO no longer applies.

The Completion Time is reasonable because the credited automatic actuation function remains OPERABLE as specified in LCO 3.3.3, and alternative means of manually initiating the safety function remain available, e.g., manually initiating individual MPS division trip logic and component-level actuations.

SURVEILLANCE REQUIREMENTS SR 3.3.4.1 SR 3.3.4.1 is the performance of an actuation device operational test of Manual Actuation Functions listed in Table 3.3.4-1. The test shall independently verify the OPERABILITY of the actuated devices that function as a result of the actuation Functions listed in Table 3.3.4-1.

These tests verify that the Manually Actuated Functions are capable of performing their intended functions.

This surveillance addresses testing of the MPS from and including the manual actuation switches located in the control room to the hardwired modules and the input signals to the associated equipment interface modules for the actuation Function in test. The EIM functions are tested in accordance with LCO 3.3.2 and 3.3.3.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Chapter 7.

B 3.3 INSTRUMENTATION

B 3.3.5 Remote Shutdown Station (RSS)

BASES BACKGROUND Instrumentation located in the RSS provides the control room operator with sufficient displays to ensure the unit reaches a safe shutdown condition at a location other than the control room. The RSS also ensures that control room signals are isolated, preventing unintended signals from impacting indication of the unit conditions. This capability is necessary to protect against the possibility that the control room becomes inaccessible (Ref. 1). The passive core cooling systems provided by the Decay Heat Removal System, Emergency Core Cooling System, or an appropriate water level in the containment can be used to remove core decay heat.

The use of PASSIVE COOLING systems allows extended operation with no operator action required in MODE 3 once initiated.

The RSS has several video display units which can be used to monitor unit conditions. The video display units are comparable to those provided in the control room and the operator can display information on the video display units in a manner which is comparable to the way the information is displayed in the control room. The operator normally selects an appropriate set of displays based on the particular operational goals being monitored by the operator at the time.

The OPERABILITY of the remote shutdown display functions ensures there is sufficient information available on selected variables to verify that the unit transitions to MODE 3 and PASSIVE COOLING, and remains stable once this condition is reached should the control room become inaccessible. Activation of the RSS also ensures that control room signals are isolated when control room evacuation is required.

APPLICABLE SAFETY ANALYSES The RSS is required to provide equipment at appropriate locations outside the control room to monitor the safe shutdown condition of the unit, defined as MODE 3 with PASSIVE COOLING established. This is accomplished by providing instrumentation that displays unit conditions.

Passive core cooling systems actuated if the control room is evacuated can establish and maintain safe shutdown conditions for the unit.


The criteria governing the design and the specific system requirements for achieving safe shutdown conditions are located in 10 CFR 50, Appendix A, GDC 19 (Ref. 2), which NuScale implements as principal design criterion 19 described in FSAR Section 3.1 (Ref. 3). No additional operator actions are required after actuation of passive cooling and therefore the RSS only provides indication to monitor unit conditions.

The remote shutdown station satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).

LCO The RSS LCO provides the OPERABILITY requirements of the displays necessary to monitor the passive cooling system performance, verify that the unit transitions to and remains stable once MODE 3 and PASSIVE COOLING is reached, while monitoring from a location other than the control room.

The appropriate instrumentation in the RSS is OPERABLE if the display instrument functions needed to support the required monitoring capability are OPERABLE.

The instrumentation located in the RSS covered by this LCO does not need to be energized or configured to perform its design function, to be considered OPERABLE. During normal operation, the RSS is in standby with the workstations powered and connected to the human machine interface network, but the displays not activated. This LCO is intended to ensure the instrumentation located in the RSS will be OPERABLE if unit conditions require that the RSS be placed in operation.

APPLICABILITY The instrumentation located in the RSS LCO is applicable in MODES 1, 2, and MODE 3 when not PASSIVELY COOLED. This is required so that the unit can be monitored to ensure the unit transitions to MODE 3 and PASSIVELY COOLED, and remains stable in MODE 3 and PASSIVELY COOLED for an extended period of time from a location other than the control room.

This LCO is not applicable in MODE 3 and PASSIVELY COOLED, 4, or 5. In these MODES, the unit is already subcritical and in a condition of reduced Reactor Coolant System energy. Under these conditions, considerable time is available to restore necessary instrument functions if actions are required.

ACTIONS A.1 Condition A addresses the situation where the instrumentation in the RSS is inoperable. The Required Action is to restore the instrumentation in the RSS to OPERABLE status within 30 days. The Completion Time is based on the system design for maintainability and the low probability of an event that would require evacuation of the control room.

B.1 and B.2 If the Required Action and associated Completion Time of Condition A is not met, the unit must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours and to MODE 3 and PASSIVELY COOLED within 36 hours.

The allowed Completion Times are reasonable to reach the required unit conditions from full power conditions in an orderly manner.

SURVEILLANCE REQUIREMENTS SR 3.3.5.1 SR 3.3.5.1 verifies that the transfer protocol can be performed and that it performs the required functions. This ensures that if the control room becomes inaccessible, passive cooling system performance can be monitored and evaluated from the RSS to verify that the unit is transitioning to MODE 3 and PASSIVE COOLING, and remains stable once the MODE 3 and PASSIVELY COOLED condition is reached.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.2 This Surveillance verifies that the workstations in the RSS receive indications from the Module Control System (MCS) and Plant Control System (PCS). The communication is accomplished by use of the MCS and PCS networks.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.


SR 3.3.5.3 SR 3.3.5.3 verifies the OPERABILITY of the RSS hardware and software by performing diagnostics to show that operator displays are capable of being called up and displayed to an operator at the RSS. The instrumentation in the RSS has several video display units which can be used by the operator.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Chapter 7.

2. 10 CFR 50, Appendix A, GDC 19.
3. FSAR, Section 3.1.

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.1 RCS Pressure, Temperature, and Flow Resistance Critical Heat Flux (CHF) Limits

BASES BACKGROUND These Bases address requirements for maintaining RCS pressure and temperature within the limits assumed in the safety analyses. The safety analyses (Ref. 1) of normal operating conditions and anticipated operational occurrences assume initial conditions within the normal steady state envelope of operating conditions. For a given RCS flow resistance, RCS pressure and temperature in combination with THERMAL POWER establish the flow through the RCS including the reactor core. The limits placed on RCS pressure and temperature, in combination with the reactor power, ensure that the minimum critical heat flux ratio (CHFR) will be met for each of the transients analyzed.

The RCS pressure limit is consistent with operation within the nominal operational envelope. Pressurizer pressure indications are used to determine a value for comparison to the limit. A pressure below the limit will cause the reactor core to approach CHFR limits.

The RCS coolant cold temperature limit is consistent with full power operation within the nominal operational envelope. Indications of cold coolant temperature are averaged to determine a value for comparison to the limit. An RCS cold temperature above the limit could cause the core to approach CHF limits.

RCS flow resistance above the limit could cause a reduction in RCS flow and cause the core to approach CHF limits. The RCS flow resistance limit is consistent with and assures that the flow rates assumed in the safety analyses will occur.

Operation for significant periods of time outside these CHF limits increases the likelihood of a fuel cladding failure in a CHF limited event.

APPLICABLE SAFETY ANALYSES The requirements of this LCO represent the initial conditions for CHF limited transients analyzed in the plant safety analyses (Ref. 1). The safety analyses have shown transients initiated within the requirements of this LCO will result in meeting the CHFR criterion. This is the acceptance limit for the RCS CHF parameters. Changes to the unit which could impact these parameters must be assessed for their impact on the CHFR criterion.


The NSP2 and NSP4 correlation limits are used for comparison to conditions representative of normal operation, operational transients, anticipated operational occurrences, and accidents other than events that are initiated by rapid reductions in primary system inventory. The Extended Hench-Levy correlation is used to evaluate events for which analyses postulate a rapid reduction in primary system inventory. An assumption for the analysis of these events is that the core power distribution is within the limits of LCO 3.1.6, "Regulating Bank Insertion Limits"; LCO 3.2.1, "Enthalpy Rise Hot Channel Factor (FH)"; and LCO 3.2.2, "AXIAL OFFSET (AO)."

The flow resistance in the RCS directly affects the reactor coolant natural circulation flow rate established by THERMAL POWER, RCS pressure, and RCS temperature. The safety analyses assume flow rates that are based on a conservative value of flow resistance through the RCS.

Therefore the resistance must be verified to ensure that the assumptions in the safety analyses remain valid.

The pressurizer pressure operating limit and the RCS temperature limit specified in the COLR, as shown on the Analytical Design Operating Limits in FSAR Tier 2, Figure 4.4-9 (Ref. 2), correspond to operating limits, with an allowance for steady state fluctuations and measurement errors. These are the analytical initial conditions assumed in transient and LOCA analyses.

The RCS CHF parameters satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO specifies limits on the monitored process variables, pressurizer pressure and RCS cold temperature to ensure the core operates within the limits assumed in the safety analyses. It also specifies the limit on RCS flow resistance to ensure that the RCS flow is consistent with the flow assumed in the safety analyses. These variables are contained in the COLR to provide operating and analysis flexibility from cycle to cycle.

Operating within these limits will result in meeting CHFR criterion in the event of a CHF-limited transient.

APPLICABILITY In MODE 1, the limits on pressurizer pressure and RCS cold temperature must be maintained during steady state unit operation in order to ensure CHFR criterion will be met in the event of a CHF-limiting transient. In all other MODES, the power level is low enough that CHF is not a concern.

The CHFR limit is provided in SL 2.1.1, Reactor Core SLs. The conditions which define the CHFR limit are less restrictive than the limits of this LCO, but violation of a Safety Limit (SL) merits a stricter, more severe Required Action. Should a violation of this LCO occur, the operator must check whether a SL may have been exceeded.

ACTIONS A.1 RCS pressure and RCS cold temperature are controllable and measurable parameters. With one or both of these parameters not within LCO limits, action must be taken to restore parameter(s).

The 2 hour Completion Time for restoration of the parameters provides sufficient time to adjust unit parameters, to determine the cause for the off normal condition, and to restore the readings within limits.

B.1 RCS flow occurs due to the density differences in the RCS during operations with the flow rate limited by the flow resistance in the RCS.

Small changes in flow resistance may occur over the life of the unit, and the effect on RCS flow as a function of THERMAL POWER, RCS pressure, and RCS temperature must be verified to ensure that flow remains consistent with the flow rates assumed in the safety analyses.

B.1 addresses the condition of flow resistance that is not consistent with that assumed. The Required Action provides an opportunity to compare the measured flow rate to the safety analyses values to verify that the safety analysis assumptions are being met or to initiate action to otherwise restore the flow rate to that assumed. Seven days provides adequate time to perform the required analyses of the RCS flow resistance and establish an appropriate revised RCS flow rate.

C.1 If Required Action A.1 or B.1 is not met within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours. In MODE 2, the subcritical condition eliminates the potential for violation of the accident analysis bounds. The Completion Time of 6 hours is reasonable to reach the required plant conditions in an orderly manner.

SURVEILLANCE REQUIREMENTS SR 3.4.1.1 This surveillance demonstrates that the pressurizer pressure remains greater than or equal to the limit specified in the COLR. Required Action A.1 allows a Completion Time of 2 hours to restore parameters that are not within limits and the Surveillance Frequency is sufficient to ensure the pressure can be restored to a normal operation, steady state condition following load changes and other expected transient operations.

The surveillance frequency is sufficient to regularly assess for potential degradation and to verify operation is within safety analysis assumptions.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.1.2 This surveillance demonstrates that the RCS cold temperature remains less than or equal to the limit specified in the COLR. Required Action A.1 allows a Completion Time of 2 hours to restore parameters that are not within limits, and the Surveillance Frequency is sufficient to ensure the temperature can be restored to a normal operation, steady state condition following load changes and other expected transient operations. The surveillance frequency is sufficient to regularly assess for potential degradation and to verify operation is within safety analysis assumptions.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.1.3 Verification that the RCS flow resistance is less than that assumed in the safety analysis is accomplished by performing measurements of RCS flow rate under controlled conditions. Assuring the RCS flow resistance remains less than or equal to the limit specified in the COLR after each refueling provides assurance that the safety analysis assumptions regarding the relationship between expected RCS flow, reactor power, RCS pressure, and RCS temperature remains accurate. The flow rate used to determine RCS flow resistance may be determined by installed instrumentation, thermodynamic analyses, or by other methods.

The SR is modified by a Note that permits operation for up to 96 hours at greater than 50% RTP to permit the unit to establish conditions that permit measurements of RCS flow that allow evaluation of the RCS flow resistance. This is acceptable because the testing must be completed before exceeding 75% RTP which provides margin to safety analysis limits that are established at 100% RTP, and due to the low likelihood of a design basis event during the time allowed to perform testing.

The frequency requires this surveillance to be performed once after each refueling. Inadvertent changes that might impact flow resistance are most likely to occur during refueling operations. Other credible changes to flow resistance are slow developing phenomena and unlikely to change significantly between performances of the surveillance.

REFERENCES 1. FSAR, Chapter 15.

2. FSAR, Section 4.4.

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.2 RCS Minimum Temperature for Criticality

BASES BACKGROUND This LCO is based upon meeting several major considerations before the reactor can be made critical and while the reactor is critical.

The first consideration is moderator temperature coefficient, LCO 3.1.3, Moderator Temperature Coefficient (MTC). In the transient and accident analyses, the MTC is assumed to be in a range from zero to negative and the operating temperature is assumed to be within the nominal operating envelope while the reactor is critical. The LCO on minimum temperature for criticality helps ensure the unit is operated consistent with these assumptions.

The second consideration is the protective instrumentation. Because certain protective instrumentation (e.g., excore neutron detectors) can be affected by moderator temperature, a temperature value within the nominal operating envelope is selected to ensure proper indication and response while the reactor is critical.

The third consideration is the pressurizer operating characteristics. The transient and accident analyses assume that the pressurizer is within its normal startup and operating range (i.e., saturated conditions and steam bubble present). It is also assumed that the RCS temperature is within its normal expected range for startup and power operation. Since the density of the water, and hence the response of the pressurizer to transients, depends upon the initial temperature of the moderator, a minimum value for moderator temperature within the nominal operating envelope is chosen.

The fourth consideration is that the reactor vessel is above its minimum nil-ductility reference temperature when the reactor is critical.

APPLICABLE SAFETY ANALYSES The RCS minimum temperature for criticality is an initial condition assumed in Design Basis Accidents (DBAs), such as the control rod assembly (CRA) withdrawal, CRA ejection, and main steam line break accidents performed at zero power that either assume the failure of, or present a challenge to, the integrity of a fission product barrier.

All low power safety analyses assume initial RCS temperatures 420 °F, as described in FSAR Chapter 15 (Ref. 1).

The RCS minimum temperature for criticality parameter satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO Compliance with the LCO ensures that the reactor will not be made or maintained critical (keff 1.0) at a temperature less than the minimum temperature assumed in the safety analysis. Failure to meet the requirements of this LCO may produce initial conditions inconsistent with the initial conditions assumed in the safety analysis.

APPLICABILITY In MODE 1 LCO 3.4.2 is applicable since the reactor can only approach critical (keff 1.0) in this MODE. In MODES 2, 3, 4, and 5, the reactor is maintained with keff < 0.99.

ACTIONS A.1 If the temperature cannot be restored, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE 2 with keff < 0.99 within 30 minutes. Rapid reactor shutdown can be readily and practically achieved within a 30 minute period. The allowed time is reasonable to reach MODE 2 with keff < 0.99 in an orderly manner and without challenging plant systems.

SURVEILLANCE REQUIREMENTS SR 3.4.2.1 RCS loop temperatures are required to be verified at or above 420 °F.

The SR to verify RCS temperatures takes into account indications and alarms that are continuously available to the operator in the control room.

In addition, operators are trained to be sensitive to RCS temperatures during approach to criticality and will ensure that the minimum temperature for criticality is met as criticality is approached.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Chapter 15.

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.3 RCS Pressure and Temperature (P/T) Limits BASES BACKGROUND All components of the RCS are designed to withstand effects of cyclic loads due to system pressure and temperature changes. These loads are introduced by startup (heatup) and shutdown (cooldown) operations, power transients, and reactor trips. This LCO limits the pressure and temperature changes during RCS heatup and cooldown, within the design assumptions and the stress limits for cyclic operation.

The PTLR contains P/T limit curves for heatup, cooldown including containment flooding, inservice leak and hydrostatic testing, and data for the maximum rate of change of reactor coolant temperature. Also included is the maximum allowable RCS temperature for containment flooding.

Each P/T limit curve defines an acceptable region for normal operation.

The curves are used for operational guidance during heatup or cooldown maneuvering, when pressure and temperature indications are monitored and compared to the applicable curve to determine that operation is within the allowable region.

The LCO establishes operating limits that provide a margin to brittle failure of the reactor vessel and piping of the reactor coolant pressure boundary (RCPB). The reactor vessel consists of multiple regions, but the limiting region for brittle failure is the lower reactor vessel region which contains the reactor core. Therefore, the LCO limits are provided based on the lower reactor vessel region and the limits apply mainly to the vessel.

10 CFR 50, Appendix G (Ref. 1) requires the establishment of P/T limits for specific material fracture toughness requirements of the RCPB materials. An adequate margin to brittle failure must be provided during normal operation, anticipated operational occurrences, and system hydrostatic tests. Reference 1 references the use of the ASME Code, Section XI, Appendix G (Ref. 2).

The neutron embrittlement effect on the material toughness is reflected by increasing the nil ductility reference temperature (RTNDT) as exposure to neutron fluence increases.

The actual shift in the RTNDT of the vessel material will be established periodically by removing and evaluating the irradiated reactor vessel material specimens, in accordance with ASTM E 185 (Ref. 3) and Appendix H of 10 CFR 50 (Ref. 4). The operating P/T limit curves will be adjusted, as necessary, based on the evaluation findings and the recommendations of Regulatory Guide 1.99 (Ref. 5).

The P/T limit curves are composite curves established by superimposing limits derived from stress and fracture mechanics analyses of those portions of the reactor vessel that are the most restrictive. At any specific pressure, temperature, and temperature rate of change, one location within the reactor vessel will dictate the most restrictive limit. Across the P/T span of the limit curves, different locations are more restrictive, and, thus, the curves are composites of the most restrictive regions.

The heatup curve represents a different set of restrictions than the cooldown curve because the directions of the thermal gradients through the vessel wall are reversed. The thermal gradient reversal alters the location of the tensile stress between the outer and inner walls. The thermal gradient due to containment flooding during cooldown is also captured since containment flooding introduces tensile stress on the outer diameter of the reactor vessel.

The criticality limit curve includes the Reference 1 requirements, for minimum temperature based on vessel pressure, above the heatup curve or the cooldown curve, and not less than the minimum permissible temperature for required testing.

The consequence of violating the LCO limits is that the RCS has been operated under conditions that can result in brittle failure of the RCPB, possibly leading to a non-isolable leak or loss of coolant accident. In the event these limits are exceeded, an evaluation must be performed to determine the effect on the structural integrity of the RCPB components.

ASME Code, Section XI, Appendix E (Ref. 6) provides a recommended methodology for evaluating an operating event that causes an excursion outside the limits.

APPLICABLE SAFETY ANALYSES The P/T limits are not derived from Design Basis Accident (DBA) analyses. They are prescribed during normal operation to avoid encountering pressure, temperature, and temperature rate of change conditions that might cause undetected flaws to propagate and cause nonductile failure of the RCPB, an unanalyzed condition. Reference 7 establishes the methodology for determining the P/T limits. Although the P/T limits are not derived from any DBA, the P/T limits are acceptance limits since they preclude operation in an unanalyzed condition.

RCS P/T limits satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO The elements of this LCO are established in the PTLR including:

a. The limit curves for heatup, cooldown;
b. Limits on the rate of change of temperature; and
c. Maximum RCS temperature for flooding of containment.

The LCO limits apply to all components of the RCS. These limits define allowable operating regions and permit a large number of operating cycles while providing a wide margin to nonductile failure.

The limits for the rate of change of temperature control the thermal gradient through the vessel wall and are used as inputs for calculating the heatup and cooldown P/T limit curves. Thus, the LCO for the rate of change of temperature restricts stresses caused by thermal gradients and also ensures the validity of the P/T limit curves.

Violating the LCO limits places the reactor vessel outside of the bounds of the stress analyses and can increase stresses in other RCPB components. The consequences depend on several factors, as follows:

a. The severity of the departure from the allowable operating P/T regime or the severity of the rate of change of temperature;
b. The length of time the limits were violated (longer violations allow the temperature gradient in the thick vessel walls to become more pronounced); and
c. The existences, sizes, and orientations of flaws in the vessel material.

APPLICABILITY The RCS P/T limits LCO provides a definition of acceptable operation for prevention of nonductile (brittle) failure in accordance with 10 CFR 50, Appendix G (Ref. 1). Although the P/T limits were developed to provide guidance for operation primarily during heatup or cooldown or required testing, they are applicable at all times in keeping with the concern for nonductile failure.

During MODE 1 other Technical Specifications provide limits for operation that can be more restrictive than, or can supplement these P/T limits.

LCO 3.4.1, RCS Pressure, Temperature, and Flow Resistance Critical Heat Flux (CHF) Limits; LCO 3.4.2, RCS Minimum Temperature for Criticality; and Safety Limit 2.1.2, Reactor Coolant System (RCS) Pressure SL, also provide operational restrictions for pressure and temperature and maximum pressure. Furthermore, MODE 1 is above the temperature range of concern for nonductile failure, and stress analyses have been performed for normal maneuvering profiles, such as power ascension or descent.

ACTIONS The actions of this LCO consider the premise that a violation of the limits occurred during normal unit maneuvering. Severe violations caused by abnormal transients, at times accompanied by equipment failures, may also require additional actions from abnormal operating procedures.

A.1 and A.2 Operation outside the P/T limits must be restored to within the limits. The RCPB must be returned to a condition that has been verified by stress analyses. Restoration is in the proper direction to reduce RCPB stress.

The 30 minute Completion Time reflects the urgency of restoring the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in this time in a controlled manner.

Besides restoring operation within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify the RCPB integrity remains acceptable and must be completed before continuing operation. Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, new analyses, or inspection of the components.

ASME Code, Section XI, Appendix E (Ref. 6) may be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline.

The 72 hour Completion Time is reasonable to accomplish the evaluation.

The evaluation for a mild violation is possible within this time, but more severe violations may require special, event specific stress analyses or inspections. A favorable evaluation must be completed before continuing to operate.

Condition A is modified by a Note requiring Required Action A.2 be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration per Required Action A.1 alone is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.

B.1 and B.2 If a Required Action and associated Completion Time of Condition A are not met, the unit must be placed in a lower MODE because either the RCS remained in an unacceptable P/T region for an extended period of increased stress, or a sufficiently severe event caused entry into an unacceptable region. Either possibility indicates a need for more careful examination of the event, best accomplished with the RCS at reduced pressure and temperature. In reduced pressure and temperature conditions, the possibility of propagation with undetected flaws is decreased.

If the required restoration activity cannot be accomplished in 30 minutes, Required Action B.1 and Required Action B.2 must be implemented to reduce pressure and temperature.

If the required evaluation for continued operation cannot be accomplished within 72 hours or the results are indeterminate or unfavorable, action must proceed to reduce pressure and temperature as specified in Required Action B.1 and Required Action B.2. A favorable evaluation must be completed and documented before returning to operating pressure and temperature conditions.

Pressure and temperature are reduced by bringing the unit to MODE 2 within 6 hours and to MODE 3 within 36 hours, with RCS pressure < 500 psia. The 500 psia is based on placing the RCS in a lower energy state and being less than the LTOP maximum pressure of 525 psia.

The allowed Completion Times are reasonable based on plant design, to reach the required unit conditions from full power condition in an orderly manner without challenging plant systems.

C.1 and C.2 Actions must be initiated immediately to correct operation outside of the P/T limits at times other than when in MODE 1, 2, or 3, so that the RCPB is returned to a condition that has been verified by stress analysis.

The immediate Completion Time reflects the urgency of initiating action to restore the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in a short period of time in a controlled manner.

Besides restoring operation within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify that the RCPB integrity remains acceptable and must be completed prior to entry into MODE 3. Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, or inspection of the components.

ASME Code, Section XI, Appendix E (Ref. 6), may be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline.

Condition C is modified by a Note requiring Required Action C.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required Action C.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.

D.1, D.2 and D.3 Condition D is based on an unexpected containment flooding initiated when RCS temperature is in excess of the maximum allowable temperature limit for containment flooding specified in the PTLR. The containment flooding system transfers borated water between the ultimate heat sink and the containment vessel. It is expected to be used during refuel preparations and during select beyond design basis events.

Both of these functions are non-safety related.

The immediate Completion Time for Action D.1 is appropriate because the system is designed to be utilized for containment flooding when the module has already been shut down. Allowing operation to flood containment in these MODES would place the unit in an unanalyzed condition.

The 36 hour Completion Time for Action D.2 allows sufficient time to cool down the unit to a condition in which containment flooding is allowed.

Action D.3 requires evaluation of the RCS for continued operation prior to returning to MODE 2 after MODE 3 was entered to comply with the Required Actions. This is necessary to ensure that P/T limits and cooldown rates were not exceeded, or that an engineering evaluation is performed if they were.

SURVEILLANCE REQUIREMENTS SR 3.4.3.1 Verification that operation is within PTLR limits is required when RCS P/T conditions are undergoing planned changes. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

Pressurizer pressure instrumentation is utilized to monitor vessel pressure during planned changes. Use of temperature monitoring instrumentation is based on the evolution being performed and is delineated in the PTLR.

Surveillance for heatup and cooldown may be discontinued when the definition given in the relevant plant procedure for ending the activity is satisfied.

This SR is modified by a Note that only requires this surveillance to be performed during system heatup and cooldown and inservice leak and hydrostatic testing.

REFERENCES 1. 10 CFR 50, Appendix G.
2. ASME, Boiler and Pressure Vessel Code, Section XI, Appendix G, [2013 edition].
3. ASTM E 185-82.
4. 10 CFR 50, Appendix H.
5. Regulatory Guide 1.99, Revision 2, May 1988.
6. ASME, Boiler and Pressure Vessel Code, Section XI, Appendix E, [2013 edition].
7. TR-1015-18177, Pressure and Temperature Limits Methodology, Rev. [2].

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.4 Reactor Safety Valves (RSVs)

BASES BACKGROUND Two RSVs, in conjunction with the module protection system (MPS), provide integrated overpressure protection for the RCS. The RSVs are pilot operated, self-contained, self-actuating valves located on the reactor pressure vessel head. The RSVs provide overpressure protection based on the ASME Code, Section III pressure limit (ASME pressure limit) of 110% design pressure of RCS (Ref. 1). The RSVs are designed to prevent RCS pressure from exceeding the pressure Safety Limit (SL), 2285 psia, which is based on preventing pressure from exceeding 110% of the design pressure (2100 psia) at the bottom of the reactor pressure vessel of 2310 psia. The RSVs also prevent exceeding 110% of Steam Generator System (SGS) design pressure during design basis accidents and anticipated operational occurrences (AOO) that challenge this system. Both RSVs are 100% redundant; only one valve is required to function to provide overpressure protection.

Because the RSVs are self-contained and self-actuating, they are considered independent components. The minimum relief capacity for each valve is 63,360 lb/hr. This capacity is based on a postulated overpressure transient of a turbine trip without turbine bypass capability, resulting in rapid decrease in heat removal capability. This event results in the maximum volumetric surge rate into the pressurizer, and defines the minimum volumetric relief capacity for each of the RSVs. An actuation of an RSV is indicated by RSV open position indication and by an increase in containment temperature and pressure because the RSVs discharge into the containment environment.

Overpressure protection is required in MODES 1, 2, and 3; however, in MODE 3 when RCS cold temperature is below the low temperature overpressure protection (LTOP) enable interlock T-1 temperature, overpressure protection is provided by operating procedures and by meeting the requirements of LCO 3.3.1, "Module Protection System (MPS) Instrumentation," LCO 3.3.3, "Engineered Safety Features Actuation System (ESFAS) Logic and Actuation," and LCO 3.4.10, "LTOP Valves." In MODE 4 and MODE 5 with the reactor vessel head on, overpressure protection is provided by the ECCS reactor vent valves being isolated electrically from their controls causing them to open.

The upper and lower pressure limits are based on the +/-1% setpoint tolerance requirement (Ref. 1) for lifting pressures above 1000 psig. The lift settings are based on the differential pressure between the reactor vessel and the containment atmospheric conditions associated with MODES 1, 2, and 3. All RSV testing is performed in accordance with the INSERVICE TESTING PROGRAM.

OPERABILITY of the RSVs ensures that the RCS and SGS pressures will be limited to 110% of design pressures.

The consequences of exceeding the ASME pressure limit could include damage to RCS components, damage to SGS components, increased LEAKAGE, or a requirement to perform additional stress analyses prior to resumption of reactor operation.

APPLICABLE SAFETY ANALYSES Accident, AOOs and safety analyses in FSAR Chapter 15 (Ref. 2) that require safety valve actuation assume operation of one of two RSVs to limit increases in the RCS pressure. Accidents and AOOs that could result in overpressurization if not properly terminated include:

a. Uncontrolled rod withdrawal from full power;
b. Loss of external electrical load;
c. Loss of AC power/loss of normal feedwater;
d. Turbine trip without bypass capability;
e. Main Steam Isolation Valve closure;
f. Steam system piping failures inside or outside Containment;
g. Chemical and Volume Control System malfunction that increases Reactor Coolant System inventory;
h. Control rod ejection; and
i. Steam generator tube failure.

Detailed analyses of the above transients are contained in Reference 2.

Compliance with this LCO is consistent with the design bases and accident analyses assumptions.

RSVs satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO The setpoints of the two RSVs are established to ensure that the ASME pressure limit is satisfied. The ASME Code specifications require the lowest safety valve setpoint to be at or below vessel design pressure and the highest safety valve to be set so that the total accumulated pressure does not exceed 110% of the design pressure for overpressurization conditions. The upper and lower pressure limits are based on the +/- 1% tolerance requirements for lifting pressures above 1000 psig (Ref. 1).

As-found acceptance criteria of +/- 3% meet the criteria of ASME OM Code I-1320(c)(1) (Ref. 4).

The limits protected by this Specification are the reactor coolant pressure boundary (RCPB) SL of 110% of design pressure and 110% of external design pressure for the SGS. Inoperability of both RSVs could result in exceeding the reactor pressure SL or the 110% design pressure limit of the SGS, if a transient were to occur. The consequences of exceeding the ASME pressure limit could include damage to one or more RCS components, damage to the SGS components, increased leakage, or additional stress analysis being required prior to resumption of reactor operation.

APPLICABILITY In MODES 1, 2, and MODE 3 when RCS cold temperature is greater than the LTOP enable interlock T-1 temperature specified in Pressure and Temperature Limits Report (PTLR), the RSVs are required because the RCS and SGS are pressurized and limiting design basis overpressure transients are postulated to occur in MODES 1 and 2. MODE 3 conditions are conservatively included although the FSAR Chapter 15 (Ref. 2) listed accidents and AOOs may not require the RSVs for protection. RCS cold temperature is considered to be greater than the LTOP enabling interlock T-1 temperature when three out of four RCS cold temperature instruments indicate greater than the LTOP enabling temperature specified in the PTLR. The T-1 interlock is described further in the Bases for LCO 3.3.1.

The LCO is not applicable in MODE 3 when RCS cold temperature is below the LTOP enable temperature because overpressure protection is ensured by LCO 3.3.1, "MPS Instrumentation," LCO 3.3.3, "ESFAS Logic and Actuation," and LCO 3.4.10, "LTOP Valves." In MODES 4 and 5, overpressure events are precluded by open ECCS reactor vent valves providing a relief path from the RCS to the containment and isolation of the module from credible sources of system overpressure (e.g., CVCS injection and pressurizer heaters).

ACTIONS A.1 With one RSV inoperable, the remaining OPERABLE RSV is capable of providing the necessary overpressure protection. Because of additional design margin, the ASME pressure limit for the RCPB and SGS can also be satisfied with one RSV inoperable.

However, the overall reliability of the pressure relief system is reduced because additional failure of the remaining OPERABLE RSV could result in failure to adequately relieve primary or secondary system pressure during a limiting event. For this reason, continued operation is permitted for a limited time only.

The 72 hour Completion Time to restore the inoperable RSV to OPERABLE status is based on the relief capability of the remaining RSV and the low probability of an event requiring RSV actuation.

B.1 and B.2 If the Required Action of Condition A cannot be met within the required Completion Time or if two RSVs are inoperable, the unit must be placed in a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours and to MODE 3 with RCS cold temperature below the LTOP enable interlock T-1 temperature within 36 hours. RCS cold temperature is considered below the LTOP enabling temperature when two or more RCS cold temperature instruments indicate below the LTOP enabling temperature specified in the PTLR.

The allowed Completion Times are reasonable based on time to reach the required unit conditions from full power conditions in an orderly manner. The change from MODE 1, or 2, to MODE 3 reduces the RCS energy (core power and pressure), lowers the potential for large pressurizer in-surges, and thereby removes the need for overpressure protection by the RSVs.

SURVEILLANCE REQUIREMENTS SR 3.4.4.1 SRs are specified in the INSERVICE TESTING PROGRAM. RSVs are to be tested in accordance with the requirements of ASME OM Code (Ref. 3), which provides the activities and Frequencies necessary to satisfy the SRs. No additional requirements are specified.

The RSV setpoint is +/- 3% for OPERABILITY, and the values are reset to remain within +/- 1% during the surveillance to allow for drift.

REFERENCES 1. ASME, Boiler and Pressure Vessel Code, Section III, Subarticles NB 7500 and NC 7500, [2013 edition].
2. FSAR, Chapter 15.
3. ASME, OM Code, [2012 edition].

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.5 RCS Operational LEAKAGE BASES BACKGROUND Components that contain or transport the coolant to or from the reactor core comprise the RCS. Component joints are made by welding, bolting, rolling, or pressure loading. Valves isolate connecting systems from the RCS.

During unit life, the joint and valve interfaces can produce varying amounts of reactor coolant LEAKAGE, through either normal operational wear or mechanical deterioration. The purpose of the RCS Operational LEAKAGE LCO is to limit system operation in the presence of LEAKAGE from these sources to amounts that do not compromise safety. This LCO specifies the types and amounts of RCS Operational LEAKAGE.

10 CFR 50, Appendix A, GDC 30 (Ref. 1), requires means for detecting and, to the extent practical, identifying the source of reactor coolant LEAKAGE. Regulatory Guide 1.45 (Ref. 2) describes acceptable methods for selecting leakage detection systems.

The safety significance of RCS Operational LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring RCS LEAKAGE outside of the reactor coolant pressure boundary (RCPB) is necessary. When possible, separating the identified LEAKAGE from the unidentified LEAKAGE is necessary to provide quantitative information to the operators, allowing them to take corrective action should a leak occur that is detrimental to the safety of the facility and the public.

This LCO deals with protection of the reactor coolant pressure boundary (RCPB) from degradation, in addition to preventing the accident analyses radiation release assumptions from being exceeded. The consequences of violating this LCO include the possibility of a loss of coolant accident (LOCA).

APPLICABLE SAFETY ANALYSES Except for primary to secondary LEAKAGE, the safety analyses do not address RCS Operational LEAKAGE. However, other forms of RCS Operational LEAKAGE are related to the safety analyses for LOCA. The amount of LEAKAGE can affect the probability of such an event.

The safety analysis for an event resulting in steam discharge to the atmosphere assumes a 150 gpd primary to secondary LEAKAGE as the initial condition.

Primary to secondary LEAKAGE is a factor in the dose releases outside containment resulting from a steam line break (SLB) accident. To a lesser extent, other accidents or transients involve secondary steam release to the atmosphere, such as a steam generator tube failure (SGTF). The leak contaminates the secondary fluid.

The FSAR Chapter 15 (Ref. 3) analyses for the accidents involving secondary side releases assume 150 gpd primary to secondary LEAKAGE as an initial condition. The design basis radiological consequences resulting from a postulated SLB accident and SGTF are provided in Sections 15.1.5 and 15.6.3 of FSAR Chapter 15, respectively.

The RCS Operational LEAKAGE satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO RCS operational LEAKAGE shall be limited to:

a. Pressure Boundary LEAKAGE No pressure boundary LEAKAGE is allowed, being indicative of material deterioration. LEAKAGE of this type is unacceptable as the leak itself could cause further deterioration, resulting in higher LEAKAGE. Violation of this LCO could result in continued degradation of the RCPB. LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE.
b. Unidentified LEAKAGE 0.5 gpm of unidentified LEAKAGE is allowed as a reasonable minimum detectable amount that the Containment Evacuation System (CES), condensate monitoring equipment required by LCO 3.4.7, "RCS Leakage Detection Instrumentation," can detect within a reasonable time period. Violation of this LCO could result in continued degradation of the RCPB, if the LEAKAGE is from the pressure boundary.

c. Identified LEAKAGE Up to 2 gpm of identified LEAKAGE is considered allowable because LEAKAGE is from known sources that do not interfere with detection of unidentified LEAKAGE and is well within the capability of the RCS Makeup System. Identified LEAKAGE includes LEAKAGE to the containment from specifically known and located sources, but does not include pressure boundary LEAKAGE. Violation of this LCO could result in continued degradation of a component or system.
d. Primary to Secondary LEAKAGE The limit of 150 gallons per day is based on the operational LEAKAGE performance criterion in NEI 97-06, Steam Generator Program Guidelines (Ref. 4). The Steam Generator Program operational LEAKAGE performance criterion in NEI 97-06 states, "The RCS operational primary to secondary leakage through any one SG shall be limited to 150 gallons per day." Current design does not support the ability to determine which one of the two steam generators has the primary to secondary leakage. Therefore total primary to secondary leakage will be conservatively attributed to one steam generator. The operational leakage rate criterion in conjunction with the implementation of the Steam Generator Program is an effective measure for minimizing the frequency of steam generator tube ruptures.

APPLICABILITY The potential for RCS Operational LEAKAGE is greatest when the RCS is pressurized in MODES 1 and 2. The potential also exists when elevated temperatures and pressures exist in MODE 3 when RCS hot temperature is 200 °F.

In MODE 3 the RCS temperature may be < 200 °F. In that circumstance RCS pressure is low and the potential for RCS Operational LEAKAGE is reduced so that monitoring is no longer required.

In MODE 4 or 5, RCS Operational LEAKAGE limits are not required because the RCPB is open to the containment or refueling pool.

The applicability requirements are modified by a Note indicating the LCO requirements are suspended if one or more ECCS valves is open. In that condition the RCS pressure is reduced, the system is open to the containment and leakage detection instrumentation is no longer OPERABLE.


ACTIONS A.1 Unidentified LEAKAGE or identified LEAKAGE in excess of the LCO limits must be reduced to within limits within 4 hours. This Completion Time allows time to verify leakage rates and either identify unidentified LEAKAGE or reduce RCS Operational LEAKAGE to within limits before the reactor must be shut down. This action is necessary to prevent further deterioration of the RCPB.

B.1, B.2 If any pressure boundary LEAKAGE exists, or primary to secondary LEAKAGE is not within limits, or if unidentified or identified LEAKAGE cannot be reduced to within limits within 4 hours, the reactor must be brought to lower pressure conditions to reduce the severity of the RCS Operational LEAKAGE and its potential consequences. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours and exit the Applicability in MODE 3 with RCS hot temperature 200 °F, within 48 hours. The allowed Completion Times are reasonable to reach the required unit conditions from full power conditions in an orderly manner.

SURVEILLANCE REQUIREMENTS SR 3.4.5.1 Verifying RCS Operational LEAKAGE is within the LCO limits ensures the integrity of the RCPB is maintained. Pressure boundary LEAKAGE would at first appear as unidentified LEAKAGE.

Unidentified LEAKAGE and identified LEAKAGE are determined by performance of a RCS water inventory balance. The RCS water inventory balance must be met with the reactor at steady state operating conditions.

Two Notes modify SR 3.4.5.1. The first Note states the SR is not required to be performed until 12 hours after establishing steady state operation. The 12 hour allowance provides sufficient time to collect and process all necessary data after stable unit conditions are established. The second Note states the SR is not applicable to primary to secondary LEAKAGE. SR 3.4.5.2 verifies the primary to secondary LEAKAGE.

Steady state operation is required to perform a proper inventory balance since calculations during maneuvering are not useful. For RCS operational LEAKAGE determination by inventory balance, steady state is defined as stable RCS pressure, temperature, power level, pressurizer and makeup tank levels, and makeup or letdown.


A warning of pressure boundary LEAKAGE or unidentified LEAKAGE is provided by the LEAKAGE detection systems specified in LCO 3.4.7, RCS Leakage Detection Instrumentation. The containment pressure RCS Operational LEAKAGE measurement is valid only after containment has been evacuated and residual moisture removed. The CES condensate monitor method of detecting leaks during MODES 1, 2, and 3 is not valid until containment has been evacuated and residual moisture removed.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.5.2 This SR verifies that primary to secondary LEAKAGE is less than or equal to 150 gallons per day. Satisfying the primary to secondary LEAKAGE limit ensures that the operational LEAKAGE performance criterion in the Steam Generator Program is met. Current design does not support the ability to determine which one of the two steam generators has the primary to secondary leakage. Therefore total primary to secondary leakage will be conservatively attributed to one steam generator. The 150 gallons per day limit is measured at room temperature as described in Reference 5.

The Surveillance is modified by a Note which states that the Surveillance is not required to be performed until 12 hours after establishment of steady state operation. For RCS primary to secondary LEAKAGE determination, steady state is defined as stable RCS pressure, temperature, power level, pressurizer level, makeup, and letdown flows. Additionally, containment flooding is not in progress for steady state conditions.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The primary to secondary LEAKAGE is determined using process radiation monitors or radiochemical grab sampling in accordance with the EPRI guidelines (Ref. 5).


REFERENCES

1. 10 CFR 50, Appendix A, GDC 30.
2. Regulatory Guide 1.45, Revision 1, May 2008.
3. FSAR, Chapter 15.
4. NEI-97-06, Rev. [3].
5. EPRI, Pressurized Water Reactor Primary-to-Secondary Leak Guidelines, Rev. [4].


B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.6 Chemical and Volume Control System (CVCS) Isolation Valves

BASES

BACKGROUND One of the principal functions of the CVCS system is to maintain the reactor coolant inventory by providing water makeup for reactor coolant system (RCS) Operational LEAKAGE, shrinkage of the reactor coolant during cooldowns, and RCS boron concentration changes.

Although the CVCS is not considered a safety related system, certain isolation functions of the system are considered safety related functions.

The eight CVCS isolation valves in four flow paths have been classified and designed as safety related. The safety related functions provided by the CVCS are the isolation of RCS makeup to prevent overfilling of the pressurizer during non-LOCA transients, the isolation of CVCS postulated breaks outside containment (thereby maintaining RCS inventory), and protecting against reverse RCS flow during low power startup conditions.

The protection against RCS reverse flow is achieved by closing the CVCS makeup line isolation valves. Protection of overfilling the pressurizer is achieved by closing the CVCS makeup line and spray line isolation valves. The isolation of postulated breaks outside of containment is achieved by closing the containment isolation valves (CIVs) on all four CVCS lines.

APPLICABLE SAFETY ANALYSES One of the initial assumptions in the analysis of several non-LOCA events and during a steam generator tube failure accident is that excessive CVCS makeup to the RCS may aggravate the consequences of the accident (Ref. 1). The need to isolate the CVCS from the RCS is detected by the pressurizer level instruments, pressurizer pressure instruments, containment pressure, or RCS flow instruments.

These instruments will supply a signal to their appropriate CVCS containment isolation valves causing these valves to close. Instrument signals generated during events prevent the overfilling of the pressurizer during non-LOCA transients, provide protection against CVCS postulated breaks outside of containment, and prevent reverse RCS flow during low power startup conditions. Thus, the CVCS isolation valves are components which function to mitigate an accident.

CVCS isolation valves satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).


LCO The requirement that two CVCS isolation valves be OPERABLE for each of the four flow path lines connected to the RCS assures that there will be redundant means available to isolate the CVCS from the RCS during a non-LOCA event or a steam generator tube failure accident should that become necessary. Also, the OPERABLE CVCS isolation valves provide isolation protection against postulated breaks outside of containment and reverse RCS flow events.

APPLICABILITY The requirement that two CVCS isolation valves for each of the four flow path lines connected to the RCS be OPERABLE is applicable in MODES 1, 2, and 3 because a pressurizer overfill event, steam generator tube failure accident, CVCS postulated break outside containment event, and reverse RCS flow event are considered possible in these MODES, and the automatic closure of these valves is assumed in the safety analysis.

In the applicable MODES, the need to isolate the CVCS makeup to the RCS is detected by the pressurizer level instruments, pressurizer pressure instruments, containment pressure, or RCS flow instruments.

This isolation function is not required in MODES 4 and 5. In these MODES, pressurizer overfill, steam generator overfill, CVCS breaks outside containment, and reverse RCS flow during startup are prevented by unit conditions.

ACTIONS The ACTIONS are modified by two notes. Note 1 allows isolated penetration flow paths to be unisolated intermittently under administrative controls. These administrative controls consist of stationing a dedicated operator at the device controls, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for containment isolation is indicated.

Note 2 provides clarification that, for this LCO, separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable containment isolation device. Complying with the Required Actions may allow for continued operation, and subsequent inoperable CVCS isolation valves are governed by subsequent Condition entry and application of associated Required Actions.


A.1 and A.2 In the event one CVCS isolation valve in one or more CVCS flow paths is inoperable the affected flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation devices that meet this criterion are a closed and deactivated automatic containment isolation valve, a closed manual valve, and blind flange. For CVCS flow paths isolated in accordance with Required Actions A.1, the device used to isolate the penetration should be the closest available one to containment. Required Action A.1 must be completed within the 72 hour Completion Time. The 72 hour Completion Time is reasonable, considering the time required to isolate the flowpath and the relative importance of supporting containment OPERABILITY during MODES 1, 2, and MODE 3 with RCS hot temperature 200 °F.

For affected CVCS flow paths that cannot be restored to OPERABLE status within the 72 hour Completion Time and that have been isolated in accordance with Required Action A.1, the affected CVCS flow paths must be verified to be isolated on a periodic basis. This is necessary to ensure that containment penetrations required to be isolated following an accident and no longer capable of being automatically isolated will be in the isolation position should an event occur. This Required Action does not require any testing or device manipulation. Rather, it involves verification that those isolation devices outside containment and capable of being mispositioned are in the correct position. The Completion Time of once per 31 days for isolation devices is appropriate considering the fact that the devices are operated under administrative controls and the probability of misalignment is low.

Required Action A.2 is modified by two Notes. Note 1 applies to isolation devices located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Note 2 applies to isolation devices that are locked, sealed, or otherwise secured in position and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since the function of locking, sealing, or securing components is to ensure that these devices are not inadvertently repositioned. Therefore, the probability of misalignment of these devices once they have been verified to be in the proper position is small.


B.1 With two CVCS isolation valves in one or more penetration flow paths inoperable, the affected penetration flow path must be isolated within 1 hour. The method of isolation must include the use of at least one isolation device that cannot be adversely affected by a single active failure. Isolation devices that meet this criterion are a closed and deactivated automatic valve, a closed manual valve, and a blind flange.

The 1 hour Completion Time is consistent with the ACTIONS of LCO 3.6.2. In the event the affected penetration is isolated in accordance with Required Action B.1, the affected penetration must be verified to be isolated on a periodic basis per Required Action A.2, which remains in effect. This periodic verification is necessary to assure leak tightness of containment and that penetrations requiring isolation following an accident are isolated. The Completion Time of once per 31 days for verifying each affected penetration flow path is isolated is appropriate considering the fact that the devices are operated under administrative controls and the probability of the misalignment is low.

C.1 and C.2 If the Required Actions and associated Completion Times are not met, the unit must be brought to a MODE or condition in which the containment isolation requirement no longer applies. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours and MODE 3 with RCS hot temperature < 200 °F within 48 hours. The allowed Completion Times are reasonable to reach the required unit conditions from full power conditions in an orderly manner.

SURVEILLANCE REQUIREMENTS SR 3.4.6.1 This SR [applies to valves with actuators that incorporate pressurized accumulators as a source of stored energy. The SR] verifies adequate pressure in the accumulators required for CVCS isolation valve OPERABILITY. The pressure limits required for OPERABILITY, including consideration of temperature effects on those limits, applicable to the valve accumulators are established and maintained in accordance with the INSERVICE TESTING PROGRAM. The Frequency is controlled under the Surveillance Frequency Control Program.


SR 3.4.6.2 Verifying that the isolation ACTUATION RESPONSE TIME of each automatic power operated CVCS isolation valve is within limits is required to demonstrate OPERABILITY. The ACTUATION RESPONSE TIME is combined with the allocated MPS digital time response and the CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME is less than or equal to the maximum values assumed in the safety analysis. Isolation time is measured from output of the module protection system equipment interface module until the valves are isolated.

The Surveillance Frequency of this SR is in accordance with the INSERVICE TESTING PROGRAM.

SR 3.4.6.3 This Surveillance demonstrates that each automatic CVCS isolation valve actuates to the isolated position on an actual or simulated actuation signal. This Surveillance is not required for valves that are locked, sealed, or otherwise secured in the isolated position under administrative controls. The actuation logic is tested as part of Engineered Safety Features Actuation System Actuation and Logic testing.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Chapter 15.


B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.7 RCS Leakage Detection Instrumentation

BASES

BACKGROUND GDC 30 of Appendix A to 10 CFR 50 (Ref. 1) requires means for detecting, and, to the extent practical, identifying the source of RCS LEAKAGE. Regulatory Guide 1.45 (Ref. 2) describes acceptable methods for selecting LEAKAGE detection systems.

LEAKAGE detection systems must have the capability to detect significant reactor coolant pressure boundary (RCPB) degradation as soon after occurrence as practical to minimize the potential for propagation to a gross failure. Thus, an early indication or warning signal is necessary to permit proper evaluation of all unidentified LEAKAGE.

Industry practice has shown that leakage of 0.5 gpm can be readily detected in contained volumes by monitoring changes in water level. The containment evacuation system (CES) sample vessel is used to collect and quantify water vapor that is from the containment that may be indicative of RCS LEAKAGE. The sample vessel is instrumented to alarm for increases in the normal flow rates to the vessel. This system sensitivity is acceptable for detecting unexpected increases in condensate that may indicate unidentified LEAKAGE.

Containment pressure is also used as an indicator to detect RCS LEAKAGE. The containment pressure monitoring is performed by CES inlet pressure instrumentation and provides indication in the main control room. The minimum pressure accuracy of the containment pressure monitoring instrumentation can detect a pressure change corresponding to a leak rate of < 1 gpm in 1 hour and a minimum detectable leak rate of < 0.05 gpm.

OPERABILITY of the CES condensate collection and inlet pressure monitoring instrument channels requires the containment atmosphere to be maintained within a pressure-temperature range that prevents atmospheric saturation conditions from existing. These conditions ensure that leakage into the containment will result in vaporization of the water and changes in the measured containment pressure. Conditions are maintained by continuously ensuring that the containment pressure does not approach the saturation pressure of water that could be present in the containment. The pressure limit is conservatively chosen and based on the ultimate heat sink pool water temperature. A description of the acceptable operating region is provided in FSAR Section 5.2 (Ref. 3).


The reactor coolant contains radioactivity that, when released, can be detected by radiation monitoring instrumentation in the CES gas discharge line. Reactor coolant radioactivity can therefore be used for leak detection. The CES system has a gaseous effluent monitor to detect isotopes that provide indication of LEAKAGE.

In addition to meeting the OPERABILITY requirements, the monitoring instrumentation is typically set to provide the most sensitive response without causing an excessive number of spurious alarms.

APPLICABLE SAFETY ANALYSES The need to evaluate the severity of an alarm or an indication is important to the operators, and the ability to compare and verify with indications from other systems is necessary. The system response times and sensitivities are described in FSAR Sections 5.2, 3.6, and 11.5 (Refs. 3, 4, and 5).

The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring RCS LEAKAGE into the containment area is necessary. Separating the identified LEAKAGE from the unidentified LEAKAGE provides quantitative information to the operators, to take corrective action should a leak occur.

RCS LEAKAGE detection instrumentation satisfies Criterion 1 of 10 CFR 50.36(c)(2)(ii).

LCO One method of protecting against large RCS LEAKAGE derives from the ability of instruments to rapidly detect extremely small leaks that indicate a possible RCPB degradation. This LCO requires instruments of diverse monitoring principles to be OPERABLE to provide a high degree of confidence that small leaks are detected in time to allow actions to place the unit in a safe condition.

The LCO is satisfied when monitors of diverse measurement means are available. Thus, the CES sample vessel level monitors, in combination with CES inlet pressure channels and a CES gas discharge radioactivity monitor, provide five channels of leakage detection using three diverse methods. The specification requires two of the three diverse methods to be OPERABLE. CES inlet pressure monitoring is performed by two redundant, seismically qualified pressure instruments.


APPLICABILITY Because of elevated RCS temperature and pressure in MODES 1 and 2, and the potential for elevated temperature and pressure in MODE 3 when RCS hot temperature is 200 °F, RCS leakage detection instrumentation is required to be OPERABLE.

In MODE 3 with RCS hot temperature < 200 °F the RCS pressure is low and the RCPB no longer requires monitoring because pressurization is due to operation of the CVCS, and the likelihood of leakage and crack propagation is much smaller.

In MODE 4 or 5, the RCPB is open to the containment or refueling pool and pressure is maintained low or at atmospheric pressure. Since the temperatures and pressures are far lower than those for MODES 1 and 2, or when applicable in MODE 3, the likelihood of leakage and crack propagation is much smaller. Therefore, the requirements of this LCO are also not applicable in MODES 4 and 5.

The applicability requirements are modified by two Notes. The first Note states that the LCO requirements are not applicable if one or more ECCS valves is open. In that condition the RCS is open to the containment and leakage detection no longer indicates a potential degradation of the RCPB.

The second Note states that the LCO is not applicable in MODE 3 when containment flood operations are in progress. Containment flooding operations include actively adding water to the containment, when the containment is flooded, during draining of the containment, and while removing residual water from the containment by establishing a vacuum to place leakage monitoring instrumentation in service.

In MODE 3 when containment flooding is in progress, the RCS is rapidly cooled to less than 200 °F and the LCO Applicability will be exited. In this condition, the RCS leakage detection instrumentation is unavailable and the rapidly reduced RCS pressure reduces the likelihood of leakage and crack propagation. During restoration of operating conditions, the containment must be drained and residual water removed by establishment of a vacuum in the containment. Leakage detection instrumentation is not available until containment is drained and the requisite conditions are restored. Required leakage detection instrumentation is required prior to entry into MODE 2.


ACTIONS The ACTIONS table is modified by a Note indicating that a separate Condition entry is allowed for each condensate channel and each pressure channel. This is acceptable because the Required Actions for each Condition provide appropriate compensatory actions for each inoperable condensate and pressure channel. With an inoperable channel the method of detection remains capable of identifying RCS leakage with any OPERABLE channel.

A.1 and A.2 With one required leakage detection channels inoperable, the remaining OPERABLE channel(s) will provide indication of changes in leakage.

Additionally, the periodic surveillance for RCS water inventory balance, SR 3.4.5.1, must be performed at an increased frequency of 24 hours to provide information that is adequate to detect leakage. A Note is added allowing that SR 3.4.5.1 is not required to be performed until 12 hours after establishing steady state operation (stable temperature, power level, pressurizer and makeup tank levels, makeup and letdown). The 12 hour allowance provides sufficient time to collect and process all necessary data after stable unit conditions are established.

Restoration of the channel to OPERABLE status is required to regain the function in a Completion Time of 14 days after the channel's failure. This time is acceptable considering the frequency and adequacy of the RCS water inventory balance required by Required Action A.1.

B.1 With one required leakage detection method inoperable, the remaining OPERABLE method will provide indication of changes in leakage.

Additionally, Action A.1 will continue to apply and the periodic surveillance for RCS water inventory balance, SR 3.4.5.1, must be performed at an increased frequency of 24 hours to provide information that is adequate to detect leakage.

However, diversity of leakage detection instrumentation is not available. In addition to the Required Actions of Condition A, the required leakage method is required to regain the function in a Completion Time of 72 hours after the method's failure. This time is acceptable considering the frequency and adequacy of the RCS water inventory balance required by Required Action A.1.


C.1 and C.2 If the Required Action cannot be met within the required Completion Time or if all required leakage detection methods are inoperable, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours and to MODE 3 with RCS hot temperature < 200 °F within 48 hours. This action will place the RCS in a low pressure state which reduces the likelihood of leakage and crack propagation. The allowed Completion Times are reasonable, based on operating requirements and normal cooling capabilities, to reach the required unit conditions from full power conditions in an orderly manner.

SURVEILLANCE REQUIREMENTS SR 3.4.7.1, SR 3.4.7.2, and SR 3.4.7.3 These SRs require the performance of a CHANNEL CHECK for each of the required RCS leakage detection instrumentation channels. The check gives reasonable confidence that the channel is operating properly. The CHANNEL CHECK of the CES condensate and inlet pressure channels includes instrumentation used to assure the containment is operating within the acceptable pressure-temperature region necessary for instrument OPERABILITY. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.7.4 and SR 3.4.7.5 These SRs require the performance of a COT on the CES gaseous radioactivity monitor and each required CES condensate channel when they are required to be OPERABLE. The test ensures that the monitor or channel can perform its function in the desired manner. A successful test may be performed by the verification of the change of state of an output of the channel. This is acceptable because all of the other required channel outputs are verified by the CHANNEL CALIBRATION. The test verifies the alarm setpoint and relative accuracy of the instrument string when applicable. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.


SR 3.4.7.6, SR 3.4.7.7, and SR 3.4.7.8 These SRs require the performance of a CHANNEL CALIBRATION for each of the required RCS leakage detection instrumentation channels.

The calibration verifies the accuracy of the instrument string. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 30.
2. Regulatory Guide 1.45, Revision 1, May 2008.
3. FSAR, Section 5.2.
4. FSAR, Section 3.6.
5. FSAR, Section 11.5.


B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.8 RCS Specific Activity

BASES

BACKGROUND The limits on RCS specific activity ensure that the doses due to postulated accidents are within the doses reported in FSAR Chapter 15.

The RCS specific activity LCO limits the allowable concentration of iodines and noble gases in the reactor coolant. The LCO limits are established based on a fuel defect level of 0.066% assumed by the NuScale operating source term and to ensure that unit operation remains within the conditions assumed for Design Basis Accident (DBA) release analyses.

The LCO contains specific activity limits for both DOSE EQUIVALENT I-131 and DOSE EQUIVALENT XE-133. The allowable levels are intended to limit the doses due to postulated accidents to within the values calculated in the radiological consequences analyses (as reported in FSAR Chapter 15).

APPLICABLE SAFETY ANALYSES The LCO limits on the reactor coolant specific activity are a factor in accident analyses that assume a release of primary coolant to the environment either directly as in a small line break outside containment or indirectly by way of LEAKAGE to the secondary coolant system and then to the environment (the Steam Line Break).

The events which incorporate the LCO values for primary coolant specific activity in the radiological consequence analysis include the following:

  • Steam Line Break (SLB), and
  • Small line break outside containment

The limiting event for release of primary coolant activity is the small line break. The small line break dose analysis considers the possibility of a pre-existing iodine spike (in which case the maximum LCO of 2.2 Ci/gm DOSE EQUIVALENT I-131 is assumed) as well as the more likely initiation of an iodine spike due to the reactor trip and depressurization. In the latter case, the LCO of 3.7E-2 Ci/gm DOSE EQUIVALENT I-131 is assumed at the initiation of the accident, but the primary coolant specific activity is assumed to increase with time due to the elevated iodine appearance rate in the coolant. The reactor coolant noble gas specific activity for both cases is assumed to be the LCO of 10 Ci/gm DOSE EQUIVALENT XE-133.

The LCO limits ensure that, in either case, the doses reported in FSAR Chapter 15 remain bounding.

The RCS specific activity satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO The specific iodine activity is limited to 3.7E-2 Ci/gm DOSE EQUIVALENT I-131, and the specific noble gas activity is limited to 10 Ci/gm DOSE EQUIVALENT XE-133. These limits ensure that the doses resulting from a DBA will be within the values reported in FSAR Chapter 15.

The accident analyses (Ref. 1) show that the offsite doses are within acceptance limits. Violation of the LCO may result in reactor coolant radioactivity levels that could, in the event of a small line break accident, lead to doses that exceed those reported in FSAR Chapter 15.

APPLICABILITY In MODES 1 and 2, operation within the LCO limits for DOSE EQUIVALENT I-131 and DOSE EQUIVALENT XE-133 specific activity is necessary to contain the potential consequences of applicable safety analysis events to within the calculated site boundary dose values.

For operation in MODES 3, 4, and 5, the release of radioactivity in the event is limited by the reduced pressures and temperatures in the primary and secondary systems.

ACTIONS A.1 and A.2 With the DOSE EQUIVALENT I-131 greater than the LCO limit, samples at intervals of 4 hours must be taken to verify that DOSE EQUIVALENT I-131 is 2.2 Ci/gm. The Completion Time of 4 hours is required to obtain and analyze a sample. Sampling is to continue to provide a trend.


The DOSE EQUIVALENT I-131 must be restored to normal within 48 hours. If the concentration cannot be restored to within the LCO limit in 48 hours, it is assumed that the LCO violation is not the result of normal iodine spiking.

A Note to the Required Action of Condition A states that LCO 3.0.4.c is applicable. This exception allows entry into the applicable MODE(S) when an allowance is stated in the ACTIONS even though the ACTIONS may eventually require unit shutdown. This exception is acceptable due to the significant conservatism incorporated into the specific activity limit, the low probability of an event which is limiting due to exceeding this limit, and the ability to restore transient specific activity excursions while the unit remains at, or proceeds to power operation.

B.1 With the DOSE EQUIVALENT XE-133 greater than the LCO limit, DOSE EQUIVALENT XE-133 must be restored to within limit within 48 hours.

The allowed Completion Time of 48 hours is acceptable since it is expected that, if there were a noble gas spike, the normal coolant noble gas concentration would be restored within this time period. Also, there is a low probability of a small line break occurring during this time period.

A Note permits the use of the provisions of LCO 3.0.4.c. This allowance permits entry into the applicable MODES, relying on Required Action B.1 while the DOSE EQUIVALENT XE-133 LCO limit is not met. This allowance is acceptable due to the significant conservatism incorporated into the specific activity limit, the low probability of an event which is limiting due to exceeding this limit, and the ability to restore transient specific activity excursions while the unit remains at, or proceeds to, power operation.

C.1 and C.2 If a Required Action and associated Completion Time of Condition A or B is not met, or if the DOSE EQUIVALENT I-131 is > 2.2 Ci/gm, the reactor must be brought to MODE 2 within 6 hours and MODE 3 within 36 hours. The allowed Completion Times are reasonable, based on operating requirements, to reach the required unit conditions from full power conditions in an orderly manner.

SURVEILLANCE REQUIREMENTS SR 3.4.8.1 SR 3.4.8.1 requires performing a gamma isotopic analysis and calculating the DOSE EQUIVALENT XE-133 using the dose conversion factors in the DOSE EQUIVALENT XE-133 definition. This measurement is the sum of the degassed gamma activities and the gaseous gamma activities in the sample taken. This Surveillance provides an indication of any increase in the noble gas specific activity.

Trending the results of this Surveillance allows proper remedial action to be taken before reaching the LCO limit under normal operating conditions.

If a specific noble gas nuclide listed in the definition of DOSE EQUIVALENT XE-133 is not detected, it should be assumed to be present at the minimum detectable activity.

The Surveillance Frequency is based on industry operating experience, equipment reliability, and unit risk and is controlled under the Surveillance Frequency Control Program.

SR 3.4.8.2 This Surveillance is performed to ensure iodine specific activity, calculated using the dose conversion factors in the DOSE EQUIVALENT I-131 definition, remains within the LCO limit during normal operation and following fast power changes when iodine spiking is more likely to occur.

The normal Surveillance Frequency is based on industry operating experience, equipment reliability, and unit risk and is controlled under the Surveillance Frequency Control Program.

The conditional Frequency, between 2 and 6 hours after a power change 15% RTP within a 1 hour period, is established because the iodine levels peak during this time following iodine spike initiation; samples at other times would provide inaccurate results.

REFERENCES 1. FSAR, Chapter 15.

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.9 Steam Generator (SG) Tube Integrity BASES BACKGROUND Steam generator (SG) tubes are small diameter, thin walled tubes that carry secondary coolant through the primary to secondary heat exchangers. The SG tubes have a number of important safety functions.

Steam generator tubes are an integral part of the reactor coolant pressure boundary (RCPB) and, as such, are relied on to maintain the primary system's pressure and inventory. The SG tubes isolate the radioactive fission products in the primary coolant from the secondary system. In addition, as part of the RCPB, the SG tubes are unique in that they act as the heat transfer surface between the primary and secondary systems to remove heat from the primary system. This Specification addresses only the RCPB integrity function of the SG. The SG heat removal function is addressed by LCO 3.5.2, "Decay Heat Removal System (DHRS)."

SG tube integrity means that the tubes are capable of performing their intended RCPB safety function consistent with the licensing basis, including applicable regulatory requirements.

Steam generator tubing is subject to a variety of degradation mechanisms. Steam generator tubes may experience tube degradation related to corrosion phenomena, such as pitting, intergranular attack, and stress corrosion cracking, along with other mechanically induced phenomena such as wear. These degradation mechanisms can impair tube integrity if they are not managed effectively. The SG performance criteria are used to manage SG tube degradation.

Specification 5.5.4, Steam Generator (SG) Program, requires that a program be established and implemented to ensure that SG tube integrity is maintained. Pursuant to Specification 5.5.4, tube integrity is maintained when the SG performance criteria are met. There are three SG performance criteria: structural integrity, accident induced leakage, and operational LEAKAGE. The SG performance criteria are described in Specification 5.5.4. Meeting the SG performance criteria provides reasonable assurance of maintaining tube integrity at normal and accident conditions.

The processes used to meet the SG performance criteria are defined by the Steam Generator Program Guidelines (Ref. 1).

APPLICABLE SAFETY ANALYSES The steam generator tube failure (SGTF) accident is the limiting design basis event for SG tubes and avoiding an SGTF is the basis for this Specification. The analysis of a SGTF event assumes a bounding primary to secondary LEAKAGE rate equal to the operational LEAKAGE rate limits in LCO 3.4.5, RCS Operational LEAKAGE, plus the leakage rate associated with a double-ended failure of a single tube. The accident analysis for a SGTF assumes the contaminated secondary fluid is only briefly released to the atmosphere via safety valves and the majority is discharged to the main condenser.

The analyses for design basis accidents and transients other than a SGTF assume the SG tubes retain their structural integrity (i.e., they are assumed not to fail). In these analyses, the steam discharge to the atmosphere is based on the total primary to secondary LEAKAGE from all SGs. For accidents that do not involve fuel damage, the primary coolant activity level of DOSE EQUIVALENT I-131 is assumed to be equal to the LCO 3.4.8, RCS Specific Activity, limits. For accidents that assume fuel damage, the primary coolant activity is a function of the amount of activity released from the damaged fuel. The dose consequences of these events are within the limits of GDC 19 (Ref. 2) which NuScale implements as principal design criterion 19 described in FSAR section 3.1 (Ref. 3), 10 CFR 50.34 (Ref. 4) or the NRC approved licensing basis (e.g., a small fraction of these limits).

Steam generator tube integrity satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO The LCO requires that SG tube integrity be maintained. The LCO also requires that all SG tubes that satisfy the plugging criteria be plugged in accordance with the Steam Generator Program.

During an SG inspection, any inspected tube that satisfies the Steam Generator Program plugging criteria is removed from service by plugging.

If a tube was determined to satisfy the plugging criteria but was not plugged, the tube may still have tube integrity.

In the context of this Specification, a SG tube is defined as the entire length of the tube, including the tube wall, between the tube-to-tubesheet weld at the tube inlet and the tube-to-tubesheet weld at the tube outlet.

The tube-to-tubesheet weld is not considered part of the tube.

A SG tube has tube integrity when it satisfies the SG performance criteria.

The SG performance criteria are defined in Specification 5.5.4, Steam Generator Program, and describe acceptable SG tube performance.

The Steam Generator Program also provides the evaluation process for determining conformance with the SG performance criteria.


There are three SG performance criteria: structural integrity, accident induced leakage, and operational LEAKAGE. Failure to meet any one of these criteria is considered failure to meet the LCO.

The structural integrity performance criterion provides a margin of safety against tube failure or collapse under normal and accident conditions, and ensures structural integrity of the SG tubes under all anticipated transients included in the design specification. Tube failure is defined as, "The gross structural failure of the tube wall. The condition typically corresponds to an unstable opening displacement (e.g., opening area increased in response to constant pressure) accompanied by ductile (plastic) tearing of the tube material at the ends of the degradation." Tube collapse is defined as, "For the load displacement curve for a given structure, collapse occurs at the top of the load versus displacement curve where the slope of the curve becomes zero." The structural integrity performance criterion provides guidance on assessing loads that have a significant effect on burst or collapse. In that context, the term "significant" is defined as "An accident loading condition other than differential pressure is considered significant when the addition of such loads in the assessment of the structural integrity performance criterion could cause a lower structural limit or limiting failure/collapse condition to be established." For tube integrity evaluations, except for circumferential degradation, axial thermal loads are classified as secondary loads. For circumferential degradation, the classification of axial thermal loads as primary or secondary loads will be evaluated on a case-by-case basis.

The division between primary and secondary classifications will be based on detailed analysis and/or testing.

Structural integrity and the accident induced leakage performance criteria ensure that the calculated stress intensity in a SG tube does not exceed ASME Code, Section III (Ref. 5) limits for Design and all Service Level A, B, C and D Conditions included in the design specification. SG tube Service Level D represents limiting accident loading conditions. Additionally, NEI 97-06 Tube Structural Integrity Performance Criterion establishes safety factors for tubes with characteristic defects (axial and longitudinal cracks and wear defects), including normal operating pressure differential and accident pressure differential, in addition to other associated accident loads consistent with guidance in Draft Regulatory Guide 1.121 (Ref. 6).

Therefore in addition to meeting the structural integrity criteria, no additional accident induced primary-to-secondary LEAKAGE is assumed to occur as the result of a postulated design basis accident other than a SGTF.


The operational LEAKAGE performance criterion provides an observable indication of SG tube conditions during unit operation. The limit on operational LEAKAGE is contained in LCO 3.4.5, RCS Operational LEAKAGE, and limits primary to secondary LEAKAGE to 150 gallons per day. This limit is based on the assumption that a single crack leaking this amount would not propagate to a SGTF under the stress conditions of a LOCA or a main steam line break. If this amount of LEAKAGE is due to more than one crack, the cracks are very small, and the above assumption is conservative.

APPLICABILITY Steam generator tube integrity is challenged when the pressure differential across the tubes is large. Large differential pressures across SG tubes can only be experienced in MODE 1, 2, or 3 and not PASSIVELY COOLED.

RCS conditions are far less challenging in MODE 3 and PASSIVELY COOLED, MODES 4 and 5 than during MODES 1, 2, and 3 and not PASSIVELY COOLED. In MODE 3 and PASSIVELY COOLED, MODES 4 and 5, primary to secondary differential pressure is low, resulting in lower stresses and reduced potential for LEAKAGE.

ACTIONS The ACTIONS are modified by a Note clarifying that the Conditions may be entered independently for each SG tube. This is acceptable because the Required Actions provide appropriate compensatory actions for each affected SG tube. Complying with the Required Actions may allow for continued operation, and subsequent affected SG tubes are governed by subsequent Condition entry and application of associated Required Actions.

A.1 and A.2 Condition A applies if it is discovered that one or more SG tubes examined in an inservice inspection satisfy the tube plugging criteria but were not plugged in accordance with the Steam Generator Program as required by SR 3.4.9.2. An evaluation of SG tube integrity of the affected tube(s) must be made. Steam generator tube integrity is based on meeting the SG performance criteria described in the Steam Generator Program. The SG plugging criteria define limits on SG tube degradation that allow for flaw growth between inspections while still providing assurance that the SG performance criteria will continue to be met. In order to determine if a SG tube that should have been plugged has tube integrity, an evaluation must be completed that demonstrates that the SG performance criteria will continue to be met until the next refueling outage or SG tube inspection. The tube integrity determination is based on the estimated condition of the tube at the time the situation is discovered and the estimated growth of the degradation prior to the next SG tube inspection. If it is determined that tube integrity is not being maintained, Condition B applies.

A Completion Time of 7 days is sufficient to complete the evaluation while minimizing the risk of unit operation with a SG tube that may not have tube integrity.

If the evaluation determines that the affected tube(s) have tube integrity, Required Action A.2 allows unit operation to continue until the next refueling outage or SG inspection provided the inspection interval continues to be supported by an operational assessment that reflects the affected tubes. However, the affected tube(s) must be plugged prior to entering MODE 3 following the next unit refueling outage or SG inspection. This Completion Time is acceptable since operation until the next inspection is supported by the operational assessment.

B.1 and B.2 If the Required Actions and associated Completion Times of Condition A are not met or if SG tube integrity is not being maintained, the reactor must be brought to MODE 2 within 6 hours and MODE 3 and PASSIVELY COOLED within 36 hours.

The allowed Completion Times are reasonable, based on operating requirements, to reach the desired unit conditions from full power conditions in an orderly manner.

SURVEILLANCE REQUIREMENTS SR 3.4.9.1 During shutdown periods the SGs are inspected as required by this SR and the Steam Generator Program. NEI 97-06, Steam Generator Program Guidelines (Ref. 1), and its referenced EPRI Guidelines, establish the content of the Steam Generator Program. Use of the Steam Generator Program ensures that the inspection is appropriate and consistent with accepted industry practices.

During SG inspections a condition monitoring assessment of the SG tubes is performed. The condition monitoring assessment determines the as found condition of the SG tubes. The purpose of the condition monitoring assessment is to ensure that the SG performance criteria have been met for the previous operating period.

The Steam Generator Program determines the scope of the inspection and the methods used to determine whether the tubes contain flaws satisfying the tube plugging criteria. Inspection scope (i.e., which tubes or areas of tubing within the SG are to be inspected) is a function of existing and potential degradation locations. The Steam Generator Program also specifies the inspection methods to be used to find potential degradation.

Inspection methods are a function of degradation morphology, non-destructive examination (NDE) technique capabilities, and inspection locations.

The Steam Generator Program defines the Frequency of SR 3.4.9.1. The Frequency is determined by the operational assessment and other limits in the SG examination guidelines (Ref. 7). The Steam Generator Program uses information on existing degradations and growth rates to determine an inspection Frequency that provides reasonable assurance that the tubing will meet the SG performance criteria at the next scheduled inspection. In addition, Specification 5.5.4 contains prescriptive requirements concerning inspection intervals to provide added assurance that the SG performance criteria will be met between scheduled inspections.

If crack indications are found in any SG tube, the maximum inspection interval for all affected and potentially affected unit SGs is restricted by Specification 5.5.4 until subsequent inspections support extending the inspection interval.

SR 3.4.9.2 During an SG inspection, any inspected tube that satisfies the Steam Generator Program plugging criteria is removed from service by plugging.

The tube plugging criteria delineated in Specification 5.5.4 are intended to ensure that tubes accepted for continued service satisfy the SG performance criteria with allowance for error in the flaw size measurement and for future flaw growth. In addition, the tube plugging criteria, in conjunction with other elements of the Steam Generator Program, ensure that the SG performance criteria will continue to be met until the next inspection of the subject tube(s). Reference 1 provides guidance for performing operational assessments to verify that the tubes remaining in service will continue to meet the SG performance criteria.


The Frequency of prior to entering MODE 3 following a SG inspection ensures that the Surveillance has been completed and all tubes meeting the plugging criteria are plugged prior to subjecting the SG tubes to significant primary to secondary pressure differential.

REFERENCES 1. NEI 97-06, Rev. [3].
2. 10 CFR 50, Appendix A, GDC 19.
3. FSAR, Section 3.1.
4. 10 CFR 50.34.
5. ASME, Boiler and Pressure Vessel Code, Section III, Subsection NB, [2013 edition].
6. Draft Regulatory Guide 1.121, August 1976.
7. EPRI, Pressurized Water Reactor Steam Generator Examination Guidelines, Rev. [4].

B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.10 Low Temperature Overpressure Protection (LTOP) Valves BASES BACKGROUND The emergency core cooling system (ECCS) reactor vent valves (RVVs) serving as LTOP valves in combination with the module protection system (MPS) LTOP actuation function limit the RCS pressure at low temperatures. Together the MPS function and the valves limit the RCS pressure so the integrity of the reactor coolant pressure boundary (RCPB) is not compromised by violating the pressure and temperature (P/T) limits of 10 CFR 50, Appendix G (Ref. 1). The PTLR provides the maximum allowable actuation setpoints for MPS actuation of the RVVs to limit the maximum RCS pressure for the existing RCS temperature to meet the Reference 1 requirements. The NuScale design limits potential LTOP conditions to MODE 3 with ECCS valves closed.

The reactor vessel material is less tough at low temperatures than at normal operating temperature. As the vessel neutron exposure accumulates, the material toughness decreases and becomes less resistant to pressure stress at low temperatures (Ref. 2). RCS pressure, therefore, is maintained low at low temperatures and is increased only as temperature is increased.

Exceeding the RCS P/T limits by a significant amount could cause brittle cracking of the reactor vessel. LCO 3.4.3, RCS Pressure and Temperature (P/T) Limits, requires administrative control of RCS pressure and temperature during heatup and cooldown to prevent exceeding the PTLR limits.

If RCS pressure exceeds the established setpoint while the RCS temperature is approaching or below the nil ductility temperature of the limiting components of the reactor pressure boundary, the MPS will actuate to open the RVVs. Detection of this condition and the actuation are required in Technical Specifications 3.3.1, MPS Instrumentation, and 3.3.3, ESFAS Logic and Actuation. Automatic LTOP is enabled by the MPS during RCS operations at reduced temperatures.

Each RVV includes a mechanical actuation block to reduce the likelihood of inadvertent operation of the valve during power operations. Valve actuation is blocked when the difference between the containment pressure and RCS pressure is greater than could exist when LTOP is required to function. Therefore the inadvertent actuation block will not prevent immediate opening of the RVVs if an LTOP actuation occurs.


With at least two RVVs open, the valves provide a vent path from the RCS to containment, preventing potential RCS low temperature overpressure conditions.

APPLICABLE SAFETY ANALYSES Safety analyses (Ref. 3) demonstrate that the reactor vessel is adequately protected against exceeding the Reference 1 P/T limits. In MODES 1 and 2, and MODE 3 with RCS cold temperature exceeding LTOP arming temperature specified in the PTLR T-1, the reactor safety valves will prevent RCS pressure from exceeding the Reference 1 limits.

Below the T-1 temperature specified in the PTLR, overpressure prevention falls to three OPERABLE or two open ECCS RVVs.

The actual temperature at which the pressure in the P/T limit curve falls below the pressurizer safety valve setpoint increases as the reactor vessel material toughness decreases due to neutron embrittlement. Each time the PTLR curves are revised, the LTOP System must be reevaluated to ensure its functional requirements can still be met using the RCS relief valve method or the depressurized and vented RCS condition.

The PTLR contains the acceptance limits that define the LTOP requirements including the setpoint for the T-1 LTOP enable interlock.

Any change to the RCS must be evaluated against the Reference 3 analyses to determine the impact of the change on the LTOP acceptance limits.

Transients that are capable of overpressurizing the RCS are categorized as either mass or heat input transients, examples of which follow:

a. Inadvertent operation of the module heatup system,
b. Excessive CVCS makeup, or
c. Spurious actuation of the pressurizer heaters.

The Reference 3 analyses demonstrate that two open RVVs can maintain RCS pressure below limits. Thus, the LCO requires each RVV to be OPERABLE or two RVVs open during the conditions when a low temperature overpressure condition could occur.


Fracture mechanics analyses established the temperature of LTOP Applicability at the LTOP enabling interlock specified in the PTLR.

The fracture mechanics analyses show that the vessel is protected when the RVVs are set to open at or below the limit shown in the PTLR. The setpoints are derived by analyses that model the performance of the MPS instrumentation and actuation and the RVVs assuming the limiting low temperature overpressure transient of spurious actuation of the pressurizer heaters in the RCS. These analyses consider pressure overshoot resulting from signal processing and valve stroke times. The LTOP setpoints at or below the derived limit ensure the Reference 1 P/T limits will be met.

The MPS setpoints in the PTLR will be updated when the revised P/T limits conflict with the LTOP analysis limits. The P/T limits are periodically modified as the reactor vessel material toughness decreases due to neutron embrittlement caused by neutron irradiation. Revised limits are determined using neutron fluence projections and the results of examinations of the reactor vessel material irradiation surveillance specimens. The Bases for LCO 3.4.3, RCS Pressure and Temperature (P/T) Limits, discuss these examinations.

The RVVs are considered active components. Thus, the failure of one RVV is assumed to represent the worst case, single active failure.

An open RVV is passive and is not subject to active failure.

The LTOP valves satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO requires that each closed LTOP valve (RVV) be OPERABLE.

The valves are OPERABLE when the RVVs are capable of opening in response to an LTOP actuation signal from the MPS. Violation of this LCO could lead to the loss of low temperature overpressure mitigation and violation of the Reference 1 limits as a result of an operational transient.

APPLICABILITY This LCO is applicable in MODE 3 when RCS cold temperature is below LTOP enable interlock T-1 specified in the PTLR. The pressurizer safety valves provide overpressure protection that meets the Reference 1 P/T limits above LTOP enable interlock T-1 specified in the PTLR.

When two or more RVVs are open, or when the module is in MODE 4 or MODE 5, it is disconnected from its operating position and the RCS is open to the containment atmosphere. In MODES 4 or 5 the ECCS RVVs are de-energized and open providing a vent path.

LCO 3.3.1, Module Protection System Instrumentation, and LCO 3.3.3, ESFAS Logic Actuation, provide the OPERABILITY requirements for the instrumentation to detect and actuate each RVV in response to an LTOP condition. LTOP is enabled when two of four wide range RCS cold temperatures indicate a temperature below the T-1 interlock setpoint established by the PTLR. The T-1 interlock is described in the Bases for LCO 3.3.1, "Module Protection System Instrumentation."

LCO 3.4.3 provides the operational P/T limits at all times.

LCO 3.4.4, Reactor Safety Valves, requires the OPERABILITY of the reactor safety valves that provide overpressure protection during MODES 1 and 2, and MODE 3 above the LTOP enable interlock T-1 specified in the PTLR.

ACTIONS A.1 and A.2 With one RVV closed and inoperable, two RVVs remain available to mitigate an LTOP condition. A Note is provided which indicates the Condition does not apply when two RVVs are open because LTOP protection has been established. The Required Action is to restore the inoperable RVV or to open the inoperable RVV so that it is performing the safety function of providing a vent path from the RCS to the containment atmosphere.

The Completion Time considers that only two of the RVVs are required to mitigate an overpressure transient and that the likelihood of an initiating event and an active failure of a remaining OPERABLE RVV during this time period is very low.


B.1 and B.2 With two closed RVVs inoperable, overpressurization is possible. Four hours to restore the closed RVV to OPERABILITY or open the RVV permits evaluation of the condition and completion of the action required to assure an LTOP condition cannot occur in a deliberate manner. The RCS vent to the containment atmosphere with two RVVs open prevents an overpressure condition from occurring.

C.1 and C.2 With three closed inoperable RVVs the RCS does not have overpressure protection. The Completion Time considers the urgency of removing the RCS from this condition, the time required to place the plant in this Condition in an orderly manner without challenging plant systems, and the relatively low probability of an overpressure event during this time period.

SURVEILLANCE REQUIREMENTS A Note is provided to indicate that the surveillance requirements are not required to be met for valves that are open. This merely clarifies the intent of the surveillance testing applicability and is consistent with the LCO requirement that each closed RVV be OPERABLE.

SR 3.4.10.1, SR 3.4.10.2, and SR 3.4.10.3 The ability of the RVVs to perform their LTOP safety function requires the same testing as required for them to perform their ECCS function. The bases for these surveillance requirements are the same as those specified in LCO 3.5.1, Emergency Core Cooling System; however, they only apply to the RVVs.

ACTUATION RESPONSE TIME is measured from output of the module protection system equipment interface module until the valves are open.

The ACTUATION RESPONSE TIME is combined with the allocated MPS digital time response and the CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME is less than or equal to the maximum values assumed in the safety analysis.


In addition to verification that the RVVs will perform as designed, the inadvertent actuation block must be verified to function such that it will not prevent LTOP actuation if needed.

The Frequencies are controlled under the Surveillance Frequency Control Program or the INSERVICE TESTING PROGRAM consistent with the testing required by LCO 3.5.1.

REFERENCES 1. 10 CFR 50, Appendix G.
2. Generic Letter 88-11.
3. FSAR, Chapter 5.

B 3.5 PASSIVE CORE COOLING SYSTEMS (PCCS)

B 3.5.1 Emergency Core Cooling System (ECCS) - Operating

BASES BACKGROUND The ECCS provides decay heat removal for a postulated steam generator tube failure event or Loss of Coolant Accident (LOCA) event that exceeds the makeup capacity of the Chemical and Volume Control System (CVCS). The ECCS is designed to bring the reactor coolant system (RCS) to a low temperature and low pressure safe shutdown condition.

The ECCS consists of three reactor vent valves (RVVs) located on the reactor head, two reactor recirculation valves (RRVs) located above the reactor flange, and associated controls and instrumentation. The RVVs are connected to the vapor space of the pressurizer region of the reactor vessel. The RRVs penetrate the reactor vessel above the top of the reactor core and open into the downcomer region of the reactor vessel. The ECCS valves form a portion of the reactor coolant pressure boundary.

ECCS actuation occurs when the Module Protection System (MPS) de-energizes solenoid trip valves in the hydraulic controls of the RVVs and RRVs. MPS is designed to actuate the ECCS on high containment water level. In addition to the solenoid trip valve actuation, the ECCS valves are hydraulically interlocked in the closed position until the differential pressure between the RCS and containment vessel is reduced by flow from a postulated break. Even with an open signal present, the valves do not actuate open until the differential pressure has fallen to the credited differential pressure. The differential pressure interlock will not prevent the ECCS from performing its design function; it only reduces the likelihood of inadvertent actuation during power operations.

ECCS actuation and function, including the differential pressure interlock, do not require electrical power. The solenoid trip valves are designed to actuate upon loss of electrical power. The differential pressure interlock is mechanical and does not require external power, depending only on the pressure sources of the reactor vessel and of the containment environment to function. No operator action is required to establish and maintain long term core cooling when the system is actuated.

Note that in certain loss of power events, the ECCS actuation solenoid trip valves are supplied battery power to prevent inadvertent actuation.

If an ECCS actuation signal occurs during this time, the solenoid trip valves will be deenergized and result in ECCS valve actuation when the mechanical pressure interlock permits. Although uncredited in the safety analyses, after 24 hours on battery power, ECCS will actuate if electrical power has not been restored. Additionally, the ECCS mechanical pilot valve design will result in the ECCS valves opening if the RCS and containment pressures approach the same values regardless of the ECCS actuation signal status. This behavior is not credited; however, it is a function of the design of the valve actuators.

RCS vapor is vented from the pressurizer space through the RVVs into the containment vessel when the RVVs are opened. This steam condenses on the inner walls of the containment vessel and flows to the bottom of the vessel where it accumulates with any other leakage that is in the containment vessel from a postulated break. The RRVs open simultaneously with the RVVs to provide a flow path for this condensate from the containment vessel to flow back into the reactor vessel. The design of the reactor and containment vessel geometries and the total RCS liquid volume is such that upon ECCS actuation, liquid levels in both the reactor and containment vessel will stabilize above the top of the core. The containment water level will be higher than the RCS level providing the driving force for natural circulation flow of cooler RCS water in containment back into the reactor vessel.

This natural circulation flow will maintain core submersion and cooling.

Heat is transferred to the containment by steam condensation on the containment interior, and then removed from containment by condensate heat conduction through the containment vessel wall. In addition to mass transfer, heat is removed by conduction through the reactor vessel walls during ECCS operation because the lower portions of the reactor vessel walls are submerged and wetted by coolant on both sides. Heat is removed from the containment wall through contact with the reactor pool which acts as the ultimate heat sink (UHS).

The ECCS valves are sized to ensure that sufficient pressure equalization exists to support core cooling when at least two RVVs and at least one RRV have opened.

In MODES 1, 2 and MODE 3 when the RCS hot temperature is greater than the T-3 interlock (approximately 350 °F) or pressurizer level is less than the pressurizer L-2 setpoint (approximately 20%), the ECCS is actuated on high level in the containment vessel. The high containment level actuation set point of the ECCS was chosen to ensure that sufficient level exists within the containment vessel prior to actuation of the ECCS to ensure the core remains covered as a result of ECCS actuation.


In MODES 1 and 2 when the containment pressure is above the P-1 interlock (approximately 1 psia) and the narrow range RCS hot temperature is above the T-6 interlock (approximately 475 °F) the ECCS is actuated on low RCS pressure at about 800 psia. The setpoint was chosen to ensure that actuation occurs before significant accumulation of water with a reduced boron concentration can occur in the different regions of the RCS and the containment. This ensures an unanalyzed reactivity transient will not occur during small loss of coolant events in the containment.

Specification 3.3.1 describes the instrumentation and actuation logic for ECCS actuation. In applicable design basis accident scenarios, the actuation setpoints and the mechanical pressure interlock operation are sufficient to ensure the core remains cooled and covered.

In MODE 3 the RVVs provide Low Temperature Over-Pressure (LTOP) protection for the RCS as described in LCO 3.4.10.

In MODE 3 in PASSIVE COOLING, the ECCS is either performing its design function to support the transfer of decay heat from the reactor core to the containment vessel, or alternative means of removing decay heat have been established and the system is no longer required to be OPERABLE.

In MODE 4 the ECCS is not required because the ECCS valves are open and de-energized, and the unit is being passively cooled which ensures decay heat removal is being accomplished. Additionally, in MODE 4 during module relocation between the containment tool and the reactor tool, the de-energized and opened RRVs are open between the UHS water inside the containment and the RCS. In MODE 5, core cooling is accomplished by conduction through the RPV wall to the ultimate heat sink until the upper containment and upper RPV are separated from the lower RPV and the reactor core. Once the RPV is separated at the flange during disassembly the lower RPV internals and reactor core are in direct contact with the reactor pool thereby ensuring adequate cooling by direct contact with the ultimate heat sink. Therefore the ECCS is not required to be OPERABLE in MODE 5.

The ECCS valves are OPERABLE when they are closed and capable of opening, including the operation of the mechanical pressure interlock, upon receipt of an actuation signal, or are open performing their intended function. FSAR Section 6.3 describes the ECCS design (Ref. 1).

APPLICABLE SAFETY ANALYSES The ECCS is designed to provide core cooling following postulated Loss of Coolant Accident design basis events as described in the FSAR Chapter 15 (Ref. 2).

The system establishes a path for heat transfer to the UHS via conduction and convection of condensed coolant in the containment vessel and by the condensation of steam vapor on the upper portions of the containment vessel. The design ensures that in the event of a loss of primary coolant to the containment vessel, sufficient coolant will be returned to the reactor vessel to ensure that the core remains cooled and covered at all times. Actuation of the system ensures that pressure differences between the containment vessel and the reactor pressure vessel are minimized sufficiently to allow hydraulic head of the fluid in containment to establish flow to the reactor vessel via an open RRV. Actuation also prevents significant differences in RCS boron concentration in the various regions of the RCS and the containment. This ensures an unanalyzed reactivity transient will not occur during small loss of coolant events in the containment.

The ECCS system includes an inadvertent actuation block (IAB) feature. The IAB safety function is to permit the RVVs and RRVs to open only when appropriate conditions exist as described in the safety analysis.

ECCS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO establishes the minimum conditions necessary to ensure that ECCS valves will be available to meet the initial conditions assumed in the safety analyses. Two RVVs and one RRV provide the safety function of the safety analyses for LOCA and SGTF events.

Loss of any system component eliminates the redundancy provided to meet its safety function.

APPLICABILITY The ECCS is relied upon to provide a passive response to loss of coolant accidents in MODES 1 and 2, and in MODE 3 when the RCS hot temperature is greater than the T-3 interlock (approximately 350 °F) or pressurizer level is less than the pressurizer L-2 setpoint (approximately 20%). Additionally, the valves are ensured to open when power is removed when the module is disconnected at the operating position as part of the refueling process. In MODE 4 and 5 core cooling is provided by passive conduction through the containment vessel or direct communication and contact of the core with the ultimate heat sink. Therefore the ECCS valves are not required to be OPERABLE in MODE 4 or 5.

ACTIONS A.1 To meet the ECCS safety function at least two RVVs must open. If a single RVV is inoperable it eliminates the redundancy of this safety system. The valve must be restored to OPERABLE. A Completion Time of 72 hours is reasonable based on the probability of a LOCA or LTOP condition occurring during this period, the reliability of the other RVVs, and the ability of the system to cope with this event using the chemical volume control system and the containment flooding and drain system.

B.1 To meet the ECCS safety function at least one RRV must open. If a single RRV is inoperable it eliminates the redundancy of this safety system. The valve must be restored to OPERABLE. A Completion Time of 72 hours is reasonable based on the probability of a LOCA condition occurring during this period, the reliability of the other RRV, and the ability of the system to cope with this event using the chemical volume control system and the containment flooding and drain system.

C.1 and C.2 If the Required Actions cannot be completed within the associated Completion Times, or if two or more RVVs or both RRVs are inoperable, the unit must be placed in a condition that does not rely on the ECCS valves opening. To accomplish this, the unit must be shut down and placed in a safe condition. This is accomplished by Required Actions C.1 and C.2.

Required Action C.1 places the unit in MODE 2 within 6 hours.

Required Action C.2 places the unit in MODE 3 and passively cooled within 36 hours.

Completion Times are established considering the likelihood of a LOCA event that would require ECCS actuation. They also provide adequate time to reach the required unit condition from full power conditions in an orderly manner.
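
The redundancy argument behind ACTIONS A.1, B.1, and C.1/C.2 can be checked by enumerating valve states. The following Python code is an added example and is not part of the NuScale document; the valve labels are constructed, and the Condition logic is a simplified reading of the Bases text above, not the specification's own Condition table.

```python
"""Single-failure check for the ECCS valve set described in the B 3.5.1 Bases.

Added illustration only. Valve labels are constructed; the Condition logic is a
simplified reading of the Bases text, not the specification's own table.
"""
from itertools import combinations

RVVS = ("RVV-1", "RVV-2", "RVV-3")   # three reactor vent valves (labels constructed)
RRVS = ("RRV-1", "RRV-2")            # two reactor recirculation valves
ALL_VALVES = RVVS + RRVS

MIN_RVVS = 2   # "at least two RVVs must open"
MIN_RRVS = 1   # "at least one RRV must open"

# Required Actions and Completion Times (hours) as stated in the Bases.
REQUIRED_ACTIONS = {
    "A": [("Restore RVV to OPERABLE", 72)],
    "B": [("Restore RRV to OPERABLE", 72)],
    "C": [("Be in MODE 2", 6), ("Be in MODE 3 and passively cooled", 36)],
}


def function_met(inoperable):
    """True if the valves still able to open meet the 2-RVV / 1-RRV minimum."""
    rvvs_left = sum(v not in inoperable for v in RVVS)
    rrvs_left = sum(v not in inoperable for v in RRVS)
    return rvvs_left >= MIN_RVVS and rrvs_left >= MIN_RRVS


def defeating_single_failures(inoperable):
    """Valves whose additional failure to open would leave the function unmet."""
    inoperable = set(inoperable)
    return [v for v in ALL_VALVES
            if v not in inoperable and not function_met(inoperable | {v})]


def conditions_entered(inoperable, completion_times_met=True):
    """Conditions A/B/C entered for a given set of inoperable valves."""
    rvvs_out = sum(v in inoperable for v in RVVS)
    rrvs_out = sum(v in inoperable for v in RRVS)
    entered = []
    if rvvs_out == 1:
        entered.append("A")
    if rrvs_out == 1:
        entered.append("B")
    # Condition C: two or more RVVs, both RRVs, or a missed Completion Time.
    if rvvs_out >= 2 or rrvs_out == 2 or (entered and not completion_times_met):
        entered.append("C")
    return entered


def survey():
    """Evaluate every combination of inoperable valves (2**5 = 32 states)."""
    rows = []
    for n in range(len(ALL_VALVES) + 1):
        for combo in combinations(ALL_VALVES, n):
            rows.append({
                "inoperable": combo,
                "function_met": function_met(combo),
                "conditions": conditions_entered(combo),
                "defeated_by": defeating_single_failures(combo),
            })
    return rows


if __name__ == "__main__":
    for row in survey():
        if row["function_met"]:
            print(row["inoperable"] or "(none)", row["conditions"],
                  "defeated by one more failure of:", row["defeated_by"] or "none")
```

With all five valves OPERABLE no single failure defeats the function; with one RVV or one RRV inoperable, a single further failure of the same valve type does, which is the loss of redundancy the 72 hour Completion Times bound.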

SURVEILLANCE REQUIREMENTS SR 3.5.1.1 Verification that the RVVs and RRVs are OPERABLE by stroking the valves open ensures that each train of ECCS will function as designed when these valves are actuated. One RVV is designed to be actuated by either division of the MPS and it must be verified to open from each division without dependence on the other. The RVVs' and RRVs' safety function is to open as described in the safety analysis. When an ECCS valve is open it has performed its safety function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.1.2 Verifying that the open ACTUATION RESPONSE TIME of each RVV and RRV is within limits is required to demonstrate OPERABILITY.

The ACTUATION RESPONSE TIME is combined with the allocated MPS digital time response and the CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME is less than or equal to the maximum values assumed in the safety analysis. The opening times are as specified in the INSERVICE TESTING PROGRAM. One RVV is designed to be actuated by either division of the MPS and its actuation time must be tested from each division without dependence on the other.

ACTUATION RESPONSE TIME is measured from output of the module protection system equipment interface module until the valves are open.

When an ECCS valve is open it has performed its safety function.

Frequency of this SR is in accordance with the INSERVICE TESTING PROGRAM.

SR 3.5.1.3 Verification that the inadvertent actuation block setpoints are within limits, and the inadvertent actuation block function is OPERABLE ensures that opening of the RVVs and RRVs is blocked when elevated RCS to CNV differential pressure conditions exist.

Frequency of this SR is in accordance with the INSERVICE TESTING PROGRAM.

REFERENCES 1. FSAR, Section 6.3.
2. FSAR, Chapter 15.

B 3.5 PASSIVE CORE COOLING SYSTEMS (PCCS)

B 3.5.2 Decay Heat Removal System (DHRS)

BASES BACKGROUND The Decay Heat Removal System (DHRS) is a passive heat removal system that is used whenever the normal unit feedwater and steam systems are unavailable due to failure or loss of normal AC power.

The system is comprised of two loops, one connected to each of the two steam generators.

Each loop of decay heat removal includes a steam generator submersed in the reactor coolant system fluid, and a heat exchanger that is attached to the outside of the containment vessel and submerged in the reactor pool. The heat exchanger is located above midline of the steam generator. The top inlet of the DHRS heat exchanger is attached to the main steam line upstream of the main steam isolation valve of the associated steam generator. The bottom of the heat exchanger is attached to the feedwater line downstream of the feedwater isolation valve to the associated steam generator. Each DHR heat exchanger is normally isolated from the main steam lines by two valves, the DHRS Actuation valves, in parallel on the line between the top of the heat exchanger and the main steam line from the associated steam generator.

During normal operation the DHR heat exchanger is filled and maintained pressurized by the feedwater system. When decay heat removal is required to perform its design function the feedwater and main steam isolation valves are closed, and the DHRS Actuation valves open. The closed feedwater and main steam isolation valves form part of the DHRS pressure boundary; these valves are described in FSAR Section 5.4 (Ref. 1). This allows the water stored in the heat exchanger and piping to enter the steam generator via gravity as steam flows into the heat exchanger from the main steam line. Steam condenses on the inside of the tubes and continues to drain back to the steam generator in a closed loop. The inventory of the decay heat removal system, associated SG, and piping is sufficient to support the operation of the system.

Only one loop of DHRS is required to meet the decay heat removal requirements of the power module, and only one DHRS Actuation valve is required to open to ensure operation of a decay heat removal train. As a result there is no single active failure that will prevent a single loop of DHRS from performing its design function.


The closed feedwater and main steam isolation valves form part of the DHRS loop pressure boundary; these valves are described in FSAR Section 5.4 (Ref. 1) and FSAR Section 10.3 (Ref. 2).

APPLICABLE SAFETY ANALYSIS The DHRS is designed to ensure that adequate decay heat removal is provided to ensure core integrity. The system function is bounded by the loss of normal AC power event, as described in FSAR Chapter 15 (Ref. 3). A loss of normal AC power will result in a loss of feedwater and a loss of condenser vacuum. Both of these anticipated operational occurrences (AOOs) require actuation of the DHRS.

DHRS is actuated by MPS upon receipt of any of the following:

a. High Pressurizer Pressure
b. High RCS Hot Temperature
c. Low AC Voltage
d. High Steam Pressure

These actuations cover the range of events that indicate inadequate heat removal from the Reactor Coolant System.

DHRS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO ensures that sufficient DHRS equipment is OPERABLE to meet the initial conditions assumed in the safety analyses. One loop of DHRS is required to function to meet the safety function of the system.

Each loop of DHRS includes one SG, one heat exchanger, and redundant valves that actuate for the system to meet its safety function. Inoperability of individual redundant valves does not affect the overall redundancy of the DHRS. However, both redundant valves are needed to ensure that the DHRS loop is capable of meeting its safety function if a single active failure occurs.

APPLICABILITY The DHRS is relied upon to provide a passive means of decay heat removal in MODES 1 and 2. The DHRS must remain OPERABLE in MODE 3 until PASSIVE COOLING. In MODE 4, DHRS is not required because conductive shutdown cooling through the containment vessel to the ultimate heat sink (UHS) has been established. When being disassembled in MODE 4 and in MODE 5 when one or more reactor vessel flange bolts are less than fully tensioned, but before the upper module and lower reactor vessel are separated, the containment lower shell has been removed and the reactor vessel and RCS are cooled by direct contact with the UHS. In MODE 5 decay heat removal is by direct transfer to the refueling pool water which is in contact with the reactor fuel.

ACTIONS A.1 To meet the DHR safety function at least one loop must function. If a single loop of DHR is inoperable it eliminates the redundancy of this safety system. The system must be restored to OPERABLE.

A Completion Time of 72 hours is reasonable based on the probability of the DHR system being needed during this period, the reliability of the other loop of DHR including redundant actuation and isolation valves, and the ability of the unit to cope with this condition using the ECCS.

B.1 and B.2 If the Required Actions cannot be completed within the associated Completion Time, or if both loops of DHRS are declared inoperable, the unit must be placed in a mode that does not rely on the DHRS. This is accomplished by Required Actions B.1 and B.2.

Required Action B.1 places the unit in MODE 2 within 6 hours.

Required Action B.2 places the unit in MODE 3 and PASSIVELY COOLED within 36 hours.

Completion Times are established considering the likelihood of an event that would require DHRS actuation. They also provide adequate time to reach the required unit condition from full power conditions in an orderly manner.

SURVEILLANCE REQUIREMENTS SR 3.5.2.1 This SR [applies to valves with actuators that incorporate pressurized accumulators as a source of stored energy. The SR] verifies adequate pressure in the accumulators required for DHRS actuation valve OPERABILITY. The pressure limits required for OPERABILITY, including consideration of temperature effects on those limits, applicable to the valve accumulators are established and maintained in accordance with the INSERVICE TESTING PROGRAM. The Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.2 Verification that the DHRS including the heat exchanger is filled ensures that there is sufficient inventory in the loop to fulfill its design function, and that non-condensable gases have not accumulated in the system. Each loop of the DHRS has four level sensors - two located on the DHRS piping below each of the two actuation valves that would indicate a reduced water level in the DHRS heat exchanger leg. Any level switch indicating a reduced water level is sufficient to determine the DHRS heat exchanger leg is not filled. The DHRS is filled with feedwater during startup, and during normal operation it is maintained filled by feedwater pressure. Feedwater flow through the DHRS loop does not occur because the DHRS actuation valves are closed.

Dissolved gas concentrations are maintained very low in feedwater during startup and operations by secondary water chemistry requirements. Therefore, significant levels of noncondensable gases are not expected to accumulate in the DHRS piping. However, maintaining the required DHRS inventory using the level sensors protects against buildup of noncondensable gases which could adversely affect DHRS operation. Monitoring the level switches ensures the system remains filled and non-condensable gas accumulation has not occurred.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.


SR 3.5.2.3 Verification that the level in a steam generator (SG) is > [5]% and

[65]% when its associated feedwater isolation valve is closed assures that the SG contains inventory adequate to support actuation and OPERABILITY of the associated decay heat removal system loop if it is required.

A Note is provided indicating that the surveillance is not required to be performed when the associated FWIV is open. In those conditions, the normal feedwater system controls ensure that the SG will support DHRS OPERABILITY if it is required.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.4 Verification that the DHRS actuation valves are OPERABLE by stroking the valves open ensures that each loop of DHRS will function as designed when these valves are actuated. The DHRS actuation valves' safety function is to open as described in the safety analysis.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.5 Verifying that the open ACTUATION RESPONSE TIME of each DHRS actuation valve is within limits is required to demonstrate OPERABILITY. The ACTUATION RESPONSE TIME is combined with the allocated MPS digital time response and the CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME is less than or equal to the maximum values assumed in the safety analysis. The opening times are as specified in the INSERVICE TESTING PROGRAM. Each loop of DHRS contains two actuation valves, one actuated from each division of the MPS ESFAS actuation logic.

ACTUATION RESPONSE TIME is measured from output of the module protection system equipment interface module until the valves are open.

Frequency of this SR is in accordance with the INSERVICE TESTING PROGRAM.

REFERENCES 1. FSAR, Section 5.4.
2. FSAR, Section 10.3.
3. FSAR, Chapter 15.

B 3.5 PASSIVE CORE COOLING SYSTEMS (PCCS)

B 3.5.3 Ultimate Heat Sink

BASES BACKGROUND The ultimate heat sink (UHS) consists of three areas identified as the reactor pool (RP), refueling pool (RFP), and spent fuel pool (SFP). The pool areas are open to each other with a weir wall partially separating the SFP from the RP and RFP. The UHS water level indicates the depth of water in the UHS from the reactor pool floor (25 ft building elevation). The UHS supports or provides multiple safety and important functions including:

a. Acts as ultimate heat sink during postulated design basis events,
b. Provides cooling and shielding of irradiated fuel in the spent fuel storage racks,
c. Limits releases from postulated fuel handling accidents,
d. Provides a reserve of borated water for filling the containment vessel in MODE 3,
e. Limits the temperature of the containment vessel and module during operations,
f. Provides shielding of radiation emitted from the core of an operating module, and
g. Provides buoyancy during module movement in MODE 4.

The UHS function is performed by providing a sufficient heat sink to receive decay heat from a module via the decay heat removal system (DHRS) heat exchangers and conduction through the containment vessel walls (Ref. 1) after a postulated Emergency Core Cooling System (ECCS) actuation and after transition to long-term shutdown cooling (Ref. 2).

Irradiated fuel is stored in the SFP portion of the UHS that is separated from the balance of the pool by a submerged wall. The submerged wall includes a weir that permits movement of new and irradiated fuel from the storage areas to a reactor during refueling, and also provides a means of inventory communication between the pool areas. The SFP provides cooling and shielding of the irradiated fuel in the storage racks, and provides sufficient water level to retain iodine fission product activity in the event of a fuel handling accident. Sufficient iodine activity will be retained to limit offsite doses from the accident to within the values reported in FSAR Chapter 15 (Ref. 2).

During transients and shutdowns which are not associated with design basis events in which DHRS or ECCS is actuated, water from the RP is added to the containment vessel by the Containment Flood and Drain System (CFDS). After reaching an appropriate level in the containment, the reactor vent valves (RVVs) and reactor recirculation valves (RRVs) are opened to permit improved heat transfer from the reactor coolant system (RCS) to the containment vessel walls.

During normal operations, the RP limits temperatures of the module by maintaining the containment vessel partially submerged in water. The water also provides shielding above and around the region of the core during reactor operations, limiting exposure to personnel and equipment in the area.

In MODE 4, the module is transported from the operating position to the RFP area of the UHS. The UHS provides buoyancy as the module displaces pool water during the movement, thereby reducing the load on the reactor building crane.

APPLICABLE SAFETY ANALYSIS During all MODES of operation and storage of irradiated fuel, the UHS supports multiple safety functions.

The UHS level is assumed and credited in a number of transient analyses. The 68 ft level provides buoyancy assumed in the reactor building crane analysis and design to ensure its single-failure proof capacity during module movement in MODE 4. A UHS level of 65 ft provides margin above the minimum level required to support DHRS and ECCS operation in response to LOCA and non-LOCA design basis events. The 65 ft level also assures the containment vessel wall temperature initial condition assumed in the peak containment pressure analysis.

The UHS bulk average temperature is assumed and credited, directly or indirectly in design basis accidents including those that require DHRS and ECCS operation such as LOCA and non-LOCA design basis events. The bulk average temperature is also assumed as an initial condition of the peak containment pressure analysis, and the minimum pool temperature is an assumption used in long-term cooling analyses.

Note that the UHS sensible heat needed to heat the pool to boiling is not credited in the UHS safety analyses for pool inventory. Additionally, the UHS bulk average temperature is assumed in the buoyancy calculation of the reactor building crane load during movement of the module.

The UHS bulk average boron concentration lower limit is established to ensure adequate shutdown margin during unit shutdowns that are not associated with events resulting in DHRS or ECCS actuation, when the module is filled with RP inventory using the CFDS and the RRVs are opened. It also ensures adequate shutdown margin when the module is configured with the UHS inventory in contact with the reactor core, specifically in MODE 4 when the containment vessel is disassembled for removal, and in MODE 5.

The upper limit on boron concentration is established to limit the effect of moderator temperature coefficient (MTC) during localized or UHS bulk average temperature changes while the module and core are in contact with UHS water. The upper limit also provides assurance for criticality and boron dilution analyses.

The ultimate heat sink level, temperature, and boron concentration parameters satisfy Criteria 2 and 3 of 10 CFR 50.36(c)(2)(ii).

LCO The UHS must provide an adequate heat sink to perform its UHS function. This is accomplished by providing sufficient submersion of the module and the mass of water that can be heated, and vaporized to steam if necessary, to remove decay heat via the decay heat removal system or conduction through the containment vessel walls and heat from irradiated fuel in the pool. The UHS level limits ensure that this level of module submersion and mass of water is available.

The UHS bulk average temperature is an initial assumption of safety analyses. The limits on temperature preserve the analyses assumptions and permit crediting the pool to mitigate these events. They also provide margin for performance of the UHS function in that the pool must be heated before vaporization of the contents will begin.

Determination of the UHS bulk average temperature is in accordance with approved procedures.

The boron concentration must be within limits when the UHS contents are in communication with the RCS to preserve core reactivity assumptions and analyses. Determination of the bulk average boron concentration is in accordance with approved plant procedures.

APPLICABILITY The limits on UHS level, bulk average temperature and bulk average boron concentration are applicable at all times. The supported safety functions are applicable in all MODES and when irradiated fuel is being handled. The applicability is conservative and recognizes the passive nature and resistance to changes that are inherent in the pool design and operation.

ACTIONS A.1, A.2, and A.3 With the UHS level < 68 ft but > 65 ft, the UHS safety function is preserved; however, the margin in the safety analyses of events related to handling of spent fuel is reduced. Also, the assumed buoyancy provided by the water volume displaced by the module is reduced.

Required Actions A.1 and A.2 immediately suspend module movement and the movement of irradiated fuel assemblies. This reduces the likelihood of an event that would be adversely affected by the reduced water level. Suspension of movement does not preclude movement of a module or fuel assembly to a safe position.

Additionally, under Required Action A.3, the UHS level must be restored to within limits within 30 days to restore the margin and assumptions of the safety analyses related to long-term cooling of the module and irradiated fuel. The 30 days is appropriate because the UHS safety function continues to be met even if a leak results in sudden draining of the pool to refill the dry dock. The level of > 65 ft ensures adequate submersion of the containment vessel walls and more than 3 days of decay heat removal without further action.

B.1 and B.2 If the UHS level is ≤ 65 ft, an initial condition assumption of the safety analysis regarding peak containment pressure may not be met. Action must be immediately initiated and continued to restore the UHS level to > 65 ft.


C.1, C.2, and C.3 If the UHS bulk average temperature is < 65 °F or > 110 °F, actions must be taken to restore the UHS bulk average temperature to within limits. 110 °F is the initial temperature assumed in the peak containment pressure analysis calculations, and is conservative with respect to the RB Crane lifting capacity calculation. The minimum UHS bulk average temperature is an assumption used in long-term cooling analyses. The SFPC system in conjunction with the RFP cooling system is designed to maintain a UHS bulk average temperature of 110 °F.

D.1 and D.2 If the UHS level or bulk average temperature cannot be returned to within limits within the associated Completion Time, the unit must be brought to a condition where the decay heat of the unit with the potential to be rejected to the UHS is minimized. To achieve this status, the unit must be brought to MODE 2 within 6 hours and MODE 3 within 36 hours. The allowed Completion Times are reasonable, based on operating requirements, to reach the required unit conditions from full power conditions in an orderly manner.

E.1, E.2, E.3, E.4, and E.5 If the UHS bulk average boron concentration is not within limits, actions must be initiated and continued to restore the concentration immediately.

Additionally, activities that could place pool inventory in communication with the reactor core must be suspended. Therefore, CFDS flow into the containment must be immediately terminated, and disassembly of the containment vessel that would open the RCS to communication with the UHS also suspended. Additionally, module movement must be suspended and the movement of irradiated fuel suspended.

The suspension of module and/or fuel movement shall not preclude completion of movement to safe position.

SURVEILLANCE REQUIREMENTS SR 3.5.3.1 Verification that the UHS level is above the required minimum level will ensure that the assumed heat capacity of the pool is available and the pool will provide the credited mitigation if an irradiated fuel handling accident occurs. Indication of UHS level, including alarms when not within limits, is available in the main control room.

The Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.3.2 Verification that the UHS bulk average temperature is within limits ensures that the safety analyses assumptions and margins provided by the UHS remain valid. Key UHS temperatures are monitored and alarmed in the control room.

The Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.3.3 Verification that the UHS bulk average boron concentration is within limits ensures that the assumed safety analyses assumptions and margins provided by the UHS boron concentration remain available.

Plant operations with potential to significantly affect the UHS boron concentration are controlled and indicated in the control room.

The Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Chapter 6.

2. FSAR, Chapter 15.

B 3.6 CONTAINMENT SYSTEMS

B 3.6.1 Containment

BASES

BACKGROUND The containment is a free standing steel pressure vessel. The containment vessel, including all its penetrations, is a low-leakage steel vessel designed to contain radioactive material that may be released from the reactor core following a Design Basis Accident (DBA) such that offsite radiation exposures are maintained within limits. The containment provides a level of shielding from the fission products that may be present in the containment atmosphere following accident conditions. The containment also functions to preserve coolant and provide ECCS pressure boundary and heat transfer path during LOCAs.

The containment vessel is a steel pressure vessel with torispherical upper and lower heads. The containment utilizes the steel shell, which is partially submerged in the ultimate heat sink, for passive containment cooling when filled with water.

Containment penetrations provide for the passage of process and service into the containment vessel while maintaining containment integrity.

The steel containment and its penetrations establish the low-leakage containment boundary. Maintaining the containment OPERABLE limits the leakage of fission product radioactivity from the containment to the environment. The containment also functions to preserve coolant and provide ECCS pressure boundary and heat transfer path during LOCAs.

SR 3.6.1.1 leakage rate Surveillance Requirements conform with 10 CFR 50, Appendix J (Ref. 1), as modified by approved exemptions.

The isolation devices for the penetrations of the containment boundary are a part of the containment leak tight barrier. To maintain this leak tight barrier:

a. All penetrations required to be closed during accident conditions are either:
1. Capable of being closed by an OPERABLE automatic isolation system;
2. Closed by manual valves, blind flanges;
b. De-activated automatic valves secured in their closed positions, except as provided in LCO 3.6.2, Containment Isolation Valves; and
c. The sealing mechanism associated with each containment penetration (e.g., welds, flanges, or o-rings) is OPERABLE (i.e., OPERABLE such that the containment leakage limits are met).

APPLICABLE SAFETY ANALYSES The safety design basis for the containment is that the containment must withstand the pressures and temperatures of the limiting Design Basis Accident (DBA) without exceeding the design leakage rates.

The DBAs that result in a challenge to containment OPERABILITY from high pressures and temperatures are a loss of coolant accident (LOCA), a steam line break, and a rod ejection accident (REA) (Ref. 2). In addition, release of significant fission product radioactivity within containment can occur from a LOCA or REA. The DBA analyses assume that the containment is OPERABLE such that, for the DBAs involving release of fission product radioactivity, release to the environment is controlled by the rate of containment leakage. The containment is designed with an allowable leakage rate of 0.20% of containment air weight after a DBA per day (Ref. 3). This leakage rate, used in the evaluation of offsite doses resulting from accidents, is defined in 10 CFR 50, Appendix J (Ref. 1), as La: the maximum allowable containment leakage rate at the calculated peak containment internal pressure 994 psia (Pa) resulting from the limiting DBA. The allowable leakage rate represented by La forms the basis for the acceptance criteria imposed on containment leakage rate testing. La is assumed to be 0.20% per day in the safety analysis.

Satisfactory leakage rate test results are a requirement for the establishment of containment OPERABILITY.

The containment satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO The containment is designed to maintain leakage integrity < 1.0 La.

Leakage integrity is assured by performing local leak rate testing (LLRT) and containment inservice inspection. Total LLRT leakage is maintained < 0.60 La in accordance with 10 CFR 50, Appendix J (Ref. 1). Satisfactory LLRT and ISI examination are required for containment OPERABILITY.


Compliance with this LCO will ensure a containment configuration, including maintenance access manways, that is structurally sound and that will limit leakage to those leakage rates assumed in the safety analysis.

APPLICABILITY In MODES 1, 2, and 3 with RCS hot temperature ≥ 200 °F, the RCS contains sufficient energy such that a DBA could cause a release of radioactive material into containment. The containment limits the postulated release of radioactive fission products that could be released from the containment from the reactor core and reactor vessel. The containment supports the emergency core cooling system (ECCS) by providing a part of the means of passive heat transfer from the reactor core, coolant, and vessel to the reactor cooling pool. ECCS OPERABILITY is required as described in LCO 3.5.1, Emergency Core Cooling.

In MODE 3 with the RCS hot temperature < 200 °F, MODES 4 and 5, the probability and consequences of these events are reduced due to unit conditions in these MODES. Therefore, containment is not required to be OPERABLE in these MODES.

ACTIONS A.1 In the event containment is inoperable, it must be restored to OPERABLE status within 1 hour. The 1 hour Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining containment OPERABLE during MODES 1, 2, and 3 with the RCS hot temperature ≥ 200 °F. This time period also ensures that the probability of an accident (requiring containment OPERABILITY) occurring during periods when containment is inoperable is minimal.

B.1 and B.2 If containment cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours and to MODE 3 with RCS hot temperature < 200 °F within 48 hours (Ref. 3). The allowed Completion Times are reasonable, to reach the required unit conditions from full power conditions in an orderly manner.

SURVEILLANCE REQUIREMENTS SR 3.6.1.1 Maintaining the containment OPERABLE requires compliance with the inservice inspection (ISI) examinations and leakage rate test requirements of the Containment Leakage Rate Testing Program. Total leakage is maintained < 0.60 (La) in accordance with 10 CFR 50, Appendix J (Ref. 1). At all other times between required leakage rate tests, the acceptance criteria is based on an overall leakage limit of < 1.0 La. At < 1.0 La, the offsite dose consequences are bounded by the assumptions of the safety analysis.

SR Frequencies are as required by the Containment Leakage Rate Testing Program. These periodic testing requirements verify that the containment leakage rate does not exceed the leakage rate assumed in the safety analysis.

REFERENCES 1. 10 CFR 50, Appendix J.

2. FSAR, Chapter 15.
3. FSAR, Section 6.2.

B 3.6 CONTAINMENT SYSTEMS

B 3.6.2 Containment Isolation Valves

BASES

BACKGROUND Containment isolation valves and closed loops form part of the containment pressure boundary and provide a means for isolating penetration flow paths. These boundaries are either passive or active.

Closed loops are considered passive components. Automatic, power-operated valves designed to close without operator action following an accident are considered active components. Two barriers in series are provided for each penetration so that no single credible failure or malfunction of an active component can result in a loss of isolation or leakage that exceeds limits assumed in the safety analysis.

Containment isolation is designed to provide isolation capability following a Design Basis Accident (DBA) for fluid lines that penetrate containment.

The containment isolation valve closure occurs upon receipt of signals from either the High Containment Pressure, Low Low Pressurizer Level, High Under-the-Bioshield Temperature or Low AC Voltage isolation signals. High Containment Pressure or Low Low Pressurizer Level are both signals indicating a loss of RCS coolant. Penetrations that are required to be isolated during accident conditions are isolated by containment isolation valves. As a result, the containment isolation valves and closed loops help ensure that the containment atmosphere will be isolated in the event of a release of fission products to the containment atmosphere from the RCS following a DBA.

The OPERABILITY requirements of containment isolation valves help ensure that containment is isolated within the time limits and within the leakage rates assumed in the safety analysis. Therefore, the OPERABILITY requirements provide assurance that the containment leakage limits assumed in the accident analysis will not be exceeded in a DBA.

APPLICABLE SAFETY ANALYSES The containment isolation valve LCO was derived from the assumptions related to minimizing the loss of reactor coolant inventory and establishing the containment boundary during major accidents. As part of the containment boundary, containment isolation valve OPERABILITY supports leak tightness of the containment. Therefore, the safety analysis of any event requiring isolation of containment is applicable to this LCO.

The DBA that results in the largest release of radioactive material within containment is a design basis source term (DBST). In the analyses of DBAs, it is assumed that containment is OPERABLE, such that release of fission products to the environment is controlled by the rate of containment leakage. The allowable leakage rate for the CNTS is 0.20% of containment air weight of the original content of containment air for the first day after the DBA, after which the CNTS leakage rate is 0.1% per day. This leakage rate is defined in 10 CFR 50, Appendix J (Ref. 1), as La, the maximum allowable containment leakage rate at the calculated peak containment internal pressure Pa following a DBA. This allowable leakage rate forms the basis for the acceptance criteria imposed on the SRs associated with containment penetrations.

It is assumed that, within 7 seconds after the accident, isolation of the containment is complete and leakage terminated except for the design leakage rate La. The containment isolation time of 7 seconds includes signal delay and containment isolation valve stroke times (Refs. 2 and 3).

The containment isolation valves satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO Containment isolation valves form a part of the containment boundary.

The containment isolation valve safety function is to minimize the loss of reactor coolant inventory and establish the containment boundary during a DBA.

Containment isolation valves consist of automatic, power-operated isolation valves. The ACTION Statements allow the use of manual valves and blind flanges to restore containment isolation. Containment isolation valves are categorized as active containment isolation devices that, following an accident, either receive a containment isolation signal to close, or close as a result of a differential pressure.

The automatic isolation valves are required to have isolation times within limits and to actuate upon a containment isolation signal or loss of power.

Isolation valves are verified OPERABLE through the INSERVICE TESTING PROGRAM. Containment isolation valve OPERABILITY requires any associated nitrogen accumulator to be maintained at a pressure that is adequate to close the valve within the specified time.

The normally closed isolation valves are considered OPERABLE when manual valves are closed, automatic valves are de-activated and secured in the closed position or blind flanges are in place, and closed systems are intact.


This LCO provides assurance that the containment isolation valves will perform their designed safety functions to minimize the loss of reactor coolant inventory and establish the containment boundary during accidents.

APPLICABILITY In MODES 1, 2, and 3 with RCS hot temperature ≥ 200 °F, a DBA could cause a release of radioactive material to containment. In MODE 3 with the RCS hot temperature < 200 °F, MODES 4 and 5, the probability and consequences of these events are reduced due to unit conditions in these MODES. Therefore, the containment isolation valves are not required to be OPERABLE in MODE 3 with RCS hot temperature < 200 °F and MODES 4 and 5.

ACTIONS The ACTIONS are modified by four notes. Note 1 allows isolated penetration flow paths to be unisolated intermittently under administrative controls. These administrative controls consist of stationing a dedicated operator at the device controls, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for containment isolation is indicated.

Note 2 provides clarification that, for this LCO, separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable containment isolation device. Complying with the Required Actions may allow for continued operation, and subsequent inoperable containment isolation valves are governed by subsequent Condition entry and application of associated Required Actions.

Note 3 ensures that appropriate remedial actions are taken, if necessary, if the affected systems are rendered inoperable by an inoperable containment isolation device.

Note 4 requires entry into the applicable Conditions and Required Actions of LCO 3.6.1 when leakage results in exceeding the overall containment leakage limit.

A.1 and A.2 Condition A has been modified by a Note indicating that this Condition is only applicable to those penetration flow paths with two containment isolation valves.


In the event one containment isolation valve in one or more penetration flow paths is inoperable, the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation devices that meet this criterion are a closed and de-activated automatic containment isolation valve, a closed manual valve, a blind flange, and a check valve with flow through the valve secured. For penetrations isolated in accordance with Required Action A.1, the device used to isolate the penetration should be the closest available one to containment. Required Action A.1 must be completed within the 72 hour Completion Time. The 72 hour Completion Time is reasonable, considering the time required to isolate the penetration and the relative importance of supporting containment OPERABILITY during MODES 1, 2, and MODE 3 with RCS hot temperature ≥ 200 °F.

For affected penetration flow paths that cannot be restored to OPERABLE status within the 72 hour Completion Time and that have been isolated in accordance with Required Action A.1, the affected penetration flow paths must be verified to be isolated on a periodic basis.

This is necessary to ensure that containment penetrations required to be isolated following an accident and no longer capable of being automatically isolated will be in the isolation position should an event occur. This Required Action does not require any testing or device manipulation. Rather, it involves verification that those isolation devices outside containment and capable of being mispositioned are in the correct position. The Completion Time of once per 31 days for isolation devices outside containment is appropriate considering the fact that the devices are operated under administrative controls and the probability of misalignment is low.

Required Action A.2 is modified by two Notes. Note 1 applies to isolation devices located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Note 2 applies to isolation devices that are locked, sealed, or otherwise secured in position and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since the function of locking, sealing, or securing components is to ensure that these devices are not inadvertently repositioned. Therefore, the probability of misalignment of these devices once they have been verified to be in the proper position, is small.


B.1 Condition B has been modified by a note indicating that this Condition is only applicable to those penetration flow paths with two containment isolation valves.

With two containment isolation valves in one or more penetration flow paths inoperable, the affected penetration flow path must be isolated within 1 hour. The method of isolation must include the use of at least one isolation device that cannot be adversely affected by a single active failure. Isolation devices that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, or a blind flange.

The 1 hour Completion Time is consistent with the ACTIONS of LCO 3.6.1. In the event the affected penetration is isolated in accordance with Required Action B.1, the affected penetration must be verified to be isolated on a periodic basis per Required Action A.2, which remains in effect. This periodic verification is necessary to assure leak tightness of containment and that penetrations requiring isolation following an accident are isolated. The Completion Time of once per 31 days for verifying each affected penetration flow path is isolated is appropriate considering the fact that the devices are operated under administrative controls and the probability of the misalignment is low.

C.1 and C.2 If the Required Actions and associated Completion Times are not met, the unit must be brought to a MODE or condition in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 2 within 6 hours and MODE 3 with RCS hot temperature < 200 °F within 48 hours.

Completion Times are established considering the likelihood of an event that would require CIS actuation. They also provide adequate time to reach the required unit condition from full power conditions in an orderly manner.

SURVEILLANCE REQUIREMENTS SR 3.6.2.1 This SR [applies to valves with actuators that incorporate pressurized accumulators as a source of stored energy. The SR] verifies adequate pressure in the accumulators required for containment isolation valve OPERABILITY. The pressure limits required for OPERABILITY, including consideration of temperature effects on those limits, applicable to the valve accumulators are established and maintained in accordance with the INSERVICE TESTING PROGRAM. The Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.2.2 This SR requires verification that each manual containment isolation valve and blind flange located outside containment, and not locked, sealed, or otherwise secured in position, and required to be closed during accident conditions, is closed. The SR helps to ensure that post accident leakage of fission products outside the containment boundary is within design limits. This SR does not require any testing or device manipulation. Rather, it involves verification that those containment isolation devices outside containment and capable of being mispositioned are in the correct position.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR does not apply to devices that are locked, sealed, or otherwise secured in the closed position, since these were verified to be in the correct position upon locking, sealing, or securing.

The Note applies to valves and blind flanges located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted in MODES 1, 2, and 3 with RCS hot temperature ≥ 200 °F for ALARA reasons.

Therefore, the probability of misalignment of these containment isolation valves, since they have been verified to be in the proper position, is small.


SR 3.6.2.3 Verifying that the isolation ACTUATION RESPONSE TIME of each automatic containment isolation valve is within the limits is required to demonstrate OPERABILITY. The ACTUATION RESPONSE TIME is combined with the allocated MPS digital time response and the CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME is less than or equal to the maximum values assumed in the safety analysis. Isolation ACTUATION RESPONSE TIME is measured from output of the module protection system equipment interface module until the valves are isolated.

The isolation time and Frequency of this SR are in accordance with the INSERVICE TESTING PROGRAM.

SR 3.6.2.4 Automatic containment isolation valves close on a containment isolation signal to minimize leakage of fission products from containment and to maintain required RCS inventory following a DBA. This SR ensures each automatic containment isolation valve will actuate to its isolation position on an actual or simulated actuation signal. The Surveillance is not required for valves that are locked, sealed, or otherwise secured in the required position under administrative controls.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. 10 CFR 50, Appendix J.

2. FSAR, Section 6.2.
3. FSAR, Chapter 15.

B 3.7 PLANT SYSTEMS B 3.7.1 Main Steam Isolation Valves (MSIVs)

BASES BACKGROUND Each steam generator (SG) supplies one main steam line. Each main steam line includes four isolation valves that isolate steam flow to support decay heat removal system (DHRS) operation or containment system function. Two safety-related valves are located outside of and close to the containment. A description of the safety-related MSIVs is found in FSAR Section 6.2 (Ref. 1). Two non-safety related backup isolation valves are located downstream of the removable pipe spool between the module and balance of the main steam system. A description of the nonsafety-related backup MSIVs is found in FSAR Section 10.3 (Ref. 2).

The four valves are arranged so that each MSIV is provided with a bypass line that includes a MSIV bypass valve, one safety related and one non-safety related, arranged in parallel with the corresponding MSIVs.

The safety-related MSIVs and non-safety related secondary MSIVs, as well as the normally-closed MSIV bypass valves, will receive and close upon receipt of a Secondary System Isolation (SSI), Decay Heat Removal System (DHRS), or Containment Isolation System actuation as described in Specification 3.3.1. Each of the MSIV and MSIV Bypass Valves is designed to close upon loss of power.

Closing the MSIVs and MSIV bypass valves isolates the Turbine Bypass System and other steam flows from the SG to the balance of plant. The MSIVs isolate steam flow from the secondary side of the associated SG following a high-energy line break and preserve the reactor coolant system (RCS) inventory in the event of a steam generator tube failure (SGTF). The MSIVs and MSIV bypass valves also form part of the boundary of the safety-related, closed-loop, DHRS described in FSAR Section 5.4 (Ref. 3).

APPLICABLE SAFETY ANALYSES The MSIVs and MSIV Bypass Isolation Valves close to isolate the SGs from the power conversion system. Isolation limits postulated releases of radioactive material from the SGs in the event of a SG tube failure (Ref. 4) and terminates flow from SGs for postulated steam line breaks outside containment (Ref. 5). This minimizes radiological contamination of the secondary plant systems and components, and minimizes associated potential for activity releases to the environment, and preserves RCS inventory in the event of a SGTF.

The isolation of steam lines is also required for the operation of the DHRS. Isolation valve closure precludes blowdown of more than one SG, preserving the heat transfer capability of an unaffected SG if a concurrent single failure occurs. The DHRS provides cooling for non-loss-of-coolant accident (non-LOCA) design basis events when normal secondary-side cooling is unavailable or otherwise not utilized. The DHRS removes post-reactor trip residual and core decay heat and allows transition of the reactor to safe shutdown conditions.

The safety-related and nonsafety-related MSIV and MSIV bypass valves satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO requires four isolation valves on each SG steam line to be OPERABLE. This includes safety related and non-safety related MSIVs and MSIV bypass valves in each steam line. The valves are considered OPERABLE when they will close on an isolation actuation signal, their isolation times are within limits, and valve leakage is within limits.

This LCO provides assurance that the safety related and non-safety related MSIVs and MSIV bypass valves will be available to perform their design safety function to limit consequences of accidents that could result in offsite exposures comparable to the 10 CFR 50.34 limits or the NRC staff approved licensing basis.

APPLICABILITY The safety related and non-safety related MSIVs and MSIV Bypass Valves must be OPERABLE in MODE 1, 2, and MODE 3 when not PASSIVELY COOLED. Under these conditions, the isolation of the MSIVs ensures the DHRS can perform its design function and the valves provide a barrier to limit the release of radioactive material to the environment.

Closure of the MSIVs also preserves the RCS inventory in the event of a SGTF. Therefore, these valves must be OPERABLE or the flow path through the valve isolated. When these valves are closed or their flow path is isolated, the required function has been satisfied. In MODES 4 and 5, the unit is shut down, the SGs do not contain significant energy or inventory, and the valves do not perform any credited safety function.

ACTIONS The ACTIONS are modified by a Note indicating that steam line flow paths may be unisolated intermittently under administrative control. These administrative controls consist of stationing a dedicated operator at the device controls, who is in continuous communication with the control room. In this way, the MSIV flow path can be rapidly isolated when a need is indicated.

A.1 and A.2 Condition A is modified by a Note stating that a separate Condition entry is allowed for each valve. This is acceptable because the Required Actions provide appropriate compensatory actions for each inoperable isolation valve. The series-parallel valve arrangement could result in multiple valves being inoperable and the redundant capability to isolate the steam line maintained.

With a required valve open and inoperable, isolation of the main steam flow using that valve to perform the credited isolation function can no longer be assured. The isolation function could be susceptible to a single failure because only the redundant isolation valves on the affected steam line maintain the ability to isolate the affected steam flow.

Action A.1 requires isolation of the inoperable valve flow path within 72 hours. Some repairs may be accomplished within the 72 hour period to restore OPERABILITY and exit the Condition. The 72 hour Completion Time is reasonable because the inoperable isolation valve only affects the capability of one of the two redundant isolation valves to function. Only if a single failure occurs that affects the remaining capability to isolate the steam flow path will the safety function be affected.

The 72 hour Completion Time is reasonable considering the availability of other means of mitigating design basis events, including Emergency Core Cooling System and the low probability of an accident occurring during this time period that would require closure of the specific flow path.

Alternatively, if the valve flow path can be isolated by closing the inoperable valve within 72 hours then its function is being accomplished.

The capability to isolate steam flow if a single failure occurs remains unaffected.

An inoperable MSIV may be utilized to isolate the flow path only if its leak tightness has not been compromised. The 72 hours is reasonable to adjust unit conditions and take action to isolate the flowpath.

Required Action A.2 is modified by two notes. Note 1 applies to isolation devices located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is acceptable, since access to these areas is typically restricted. Note 2 applies to isolation devices that are locked, sealed, or otherwise secured in position and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable since the function of locking, sealing, or securing components is to ensure that these devices are not inadvertently repositioned. Therefore, the probability of misalignment of these devices once they have been verified to be in the proper position is small.

For inoperable components that are not restored to OPERABLE status prior to the required Completion Time in Required Action A.1 and now have their flow path isolated, Required Action A.2 is applicable.

Action A.2 requires that the flow path be verified isolated on a periodic basis. The 7 day Completion Time is reasonable based on engineering judgement, valve and system status indications available in the control room, and other administrative controls, to ensure these flow paths remain isolated.

B.1 With a steam line that cannot be manually or automatically isolated the supported safety functions can no longer be met. This Condition applies when two or more inoperable isolation valves prevent automatic or manual isolation of steam flow from the steam generator. This condition exists when a flow path through the safety related MSIV and MSIV bypass valve exists, and a flow path through the non-safety related secondary MSIV and MSIV bypass valve exists, that cannot be manually or automatically isolated.

For example, one MSIV bypass valve inoperable and open, and one non-safety related secondary MSIV inoperable and open could prevent isolation of the steam flow from the associated steam generator. In this condition a steam line flow could exist through the MSIV bypass valve and the secondary MSIV that could not be isolated.
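The series-parallel reasoning behind Conditions A and B can be checked with a small model. The following is an added illustration, not part of the NuScale submittal: the valve names, the two-stage model, the status strings and the assumption that a closed valve stays closed are all choices made here.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Valve:
    name: str
    is_open: bool
    operable: bool  # True if the valve will close on an isolation actuation signal

    def blocks_flow(self) -> bool:
        # A closed valve already blocks flow (assumed to stay closed);
        # an open valve blocks flow only if it can still close on demand.
        return (not self.is_open) or self.operable


def stage_blocks(stage) -> bool:
    # A stage is an MSIV in parallel with its bypass valve:
    # both parallel paths must be blocked for the stage to isolate.
    return all(v.blocks_flow() for v in stage)


def line_isolable(stages) -> bool:
    # The two stages are in series: one fully blocked stage isolates the line.
    return any(stage_blocks(s) for s in stages)


def assess(stages) -> str:
    """Classify a steam line's isolation capability (hypothetical status strings)."""
    if not line_isolable(stages):
        return "not isolable"  # the situation Condition B describes
    # Single-failure check: let each open valve that is relied on to close
    # fail in turn, and see whether the line can still be isolated.
    for i, stage in enumerate(stages):
        for j, valve in enumerate(stage):
            if valve.is_open and valve.operable:
                trial = [list(s) for s in stages]
                trial[i][j] = replace(valve, operable=False)
                if not line_isolable(trial):
                    return "isolable, single-failure vulnerable"
    return "isolable, single-failure tolerant"


def steam_line(states=None):
    """Build one steam line; states maps valve name -> (is_open, operable).

    Defaults (assumed): MSIVs open and operable, bypass valves normally closed.
    """
    layout = {
        "MSIV": (True, True),
        "MSIV bypass": (False, True),
        "secondary MSIV": (True, True),
        "secondary MSIV bypass": (False, True),
    }
    layout.update(states or {})
    v = {name: Valve(name, *state) for name, state in layout.items()}
    return [
        [v["MSIV"], v["MSIV bypass"]],                      # safety-related stage
        [v["secondary MSIV"], v["secondary MSIV bypass"]],  # non-safety related stage
    ]


if __name__ == "__main__":
    cases = {
        "all valves OPERABLE": None,
        "MSIV bypass open and inoperable": {"MSIV bypass": (True, False)},
        "B.1 example from the text": {
            "MSIV bypass": (True, False),
            "secondary MSIV": (True, False),
        },
        "both safety-related valves open and inoperable": {
            "MSIV": (True, False),
            "MSIV bypass": (True, False),
        },
        "inoperable MSIV closed to isolate its flow path": {"MSIV": (False, False)},
    }
    for label, states in cases.items():
        print(f"{label}: {assess(steam_line(states))}")
```
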

Action B.1 requires isolation of the main steam line by closure of valves so that the safety function of the steam line isolation is accomplished.

Some repairs may be accomplished within the 8 hour period. The 8 hour Completion Time is reasonable because the inoperable isolation valves only affect the capability of one of the two redundant DHRS trains to function.

The 8 hour Completion Time is reasonable considering the availability of other means of mitigating design basis events, including Emergency Core Cooling System and the low probability of an accident occurring during this time period that would require isolation of the steam line.

If the main steam line can be isolated within 8 hours then its safety function is being accomplished. An inoperable MSIV or bypass valve may be utilized to isolate the steam line only if its leak tightness has not been compromised.

C.1 and C.2 With Required Actions and associated Completion Times not met, isolation capability of the main steam line(s) is not maintained. The associated DHRS and the ability to isolate postulated releases from the SGs are affected. The unit must be placed in a condition in which the LCO does not apply.

Required Action C.1 requires the unit to be in MODE 2 within 6 hours.

Required Action C.2 requires the unit to be in MODE 3 and PASSIVELY COOLED within 36 hours.

The Completion Times are reasonable based on operational activities required to reach these conditions in an orderly manner. The time permits use of normal means to exit the conditions of Applicability. It is also consistent with the Completion Times for an inoperable train of the DHRS.

SURVEILLANCE REQUIREMENTS SR 3.7.1.1 This SR [applies to valves with actuators that incorporate pressurized accumulators as a source of stored energy. The SR] verifies adequate pressure in the accumulators required for MSIV and main steam line bypass isolation valve OPERABILITY. The pressure limits required for OPERABILITY, including consideration of temperature effects on those limits, applicable to the valve accumulators are established and maintained in accordance with the INSERVICE TESTING PROGRAM.

The Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.1.2 This SR measures the safety related and non-safety related MSIV and MSIV Bypass Valve closure ACTUATION RESPONSE TIMES on an actual or simulated actuation signal. Isolation ACTUATION RESPONSE TIME is measured from output of the module protection system equipment interface module until the valves are isolated. The ACTUATION RESPONSE TIME is combined with the allocated MPS digital time response and the CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME is less than or equal to the maximum values assumed in the safety analysis.

The isolation time is assumed in the accident and containment analyses.

The MSIVs and MSIV Bypass Valves are not tested at power to reduce the likelihood of an unplanned transient due to valve closure when the unit is generating power. As the MSIVs are not tested at power, they are exempt from the ASME OM Code (Ref. 6) requirements during operation in MODES 1 and 2.

The Frequency is in accordance with the INSERVICE TESTING PROGRAM.

This test is typically conducted during shutdown conditions or with the unit at reduced operating temperatures and pressures before their OPERABILITY is required by the Applicability of this LCO.

SR 3.7.1.3 This SR verifies that the safety related and non-safety related MSIV and MSIV Bypass Valve leakage is within limits. The MSIVs and MSIV Bypass Valves serve as a boundary for the DHRS and route steam from the steam generator to the DHR condenser when the DHR system is actuated.

The Frequency is in accordance with the INSERVICE TESTING PROGRAM.

REFERENCES 1. FSAR, Section 6.2.
2. FSAR, Section 10.3.
3. FSAR, Section 5.4.
4. FSAR, Section 15.6.
5. FSAR, Section 15.1.
6. ASME, OM Code, [2012 edition].

B 3.7 PLANT SYSTEMS

B 3.7.2 Feedwater Isolation

BASES BACKGROUND Each Feedwater line has one safety-related feedwater isolation valve (FWIV) to isolate feedwater flow when required to support decay heat removal system (DHRS) operation or the containment system (CNTS).

The safety-related FWIVs are located outside of and close to containment. Each feedwater line includes a non-safety related feedwater regulating valve (FWRV) located upstream of the removable pipe spool between the module and the balance of the feedwater system. A description of the safety-related FWIVs is found in FSAR Section 6.2 (Ref. 1). A description of the non-safety related FWRVs is found in FSAR Section 10.4 (Ref. 2).

The safety related FWIVs and non-safety related FWRV are closed on Secondary System Isolation (SSI), Decay Heat Removal System (DHRS), or Containment Isolation System actuation as described in Specification 3.3.1. Each FWIV and FWRV closes on loss of power.

Closing of the FWIVs and FWRVs isolates each Steam Generator (SG) from the other SG and isolates the feedwater flows to the SGs from the balance of plant.

The FWIV and FWRV isolate the feedwater flow from the secondary side of the associated SG following a high energy line break and preserve RCS inventory in the event of a steam generator tube failure (SGTF). The FWIVs and FWRVs form part of the boundary of the safety-related DHRS closed loop, as described in FSAR Section 5.4 (Ref. 3) and applicable requirements in Specification 3.5.2.

APPLICABLE SAFETY ANALYSES The FWIVs and FWRVs close to isolate the SGs from the balance of plant feedwater system. Isolation limits postulated releases of radioactive material from the SG in the event of a SG tube failure and terminates flow to the SGs in postulated feedwater line breaks inside and outside containment (Ref. 4). This minimizes radiological contamination of the secondary plant systems and components, and minimizes any associated potential for activity releases to the environment and preserves safety RCS inventory levels.

The isolation of the feedwater lines is also required for the operation of the DHRS. Isolation valve closure precludes blowdown of more than one SG, preserving the heat transfer capability of the unaffected SG if a concurrent single failure occurs. The DHRS provides cooling for non-loss of coolant accident (non-LOCA) design basis events when normal secondary side cooling is unavailable or otherwise not utilized. The DHRS removes post-reactor trip residual and core decay heat and allows transition of the reactor to safe shutdown conditions. The FWIV and FWRV have specific leakage criteria to maintain DHRS inventory.

The FWIV and FWRV satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO This LCO requires the FWIVs and FWRV in each of the two feedwater lines to be OPERABLE. The valves are considered OPERABLE when their isolation times are within limits and they close on an isolation actuation signal and their leakage is within limits.

This LCO provides assurance that the FWIVs will perform their design safety function and the FWRVs their non-safety function to limit consequences of accidents that could result in offsite exposures comparable to the 10 CFR 50.34 limits or the NRC staff approved licensing basis.

APPLICABILITY The FWIVs and FWRVs must be OPERABLE whenever there is significant mass and energy in the Reactor Coolant System and the steam generators. This ensures that, in the event of a high energy line break, a single failure cannot result in the blowdown of more than one steam generator, an inoperability of the DHRS, or a containment bypass path in the event of a steam generator tube failure. In MODE 1 and 2 FWIVs and FWRVs are required to be OPERABLE to limit the amount of available fluid that could be added to containment in case of a secondary system pipe break inside containment. In MODE 3 and not PASSIVELY COOLED, the FWIVs and FWRV are required to be OPERABLE, to support DHRS operability.

In MODES 4 and 5 the steam generator energy is low. Therefore, the MFIVs and MFRVs are normally closed since the MFW system is not required.

ACTIONS The ACTIONS table is modified by two Notes. The first Note states that separate entry is allowed for each valve. This is acceptable because the ACTIONS table provides actions for individual component entry. The second Note indicates that the FWIV flow path may be unisolated intermittently under administrative control.

These administrative controls consist of stationing a dedicated operator at the device controls, who is in continuous communication with the control room. In this way, the FWIV flow path can be rapidly isolated when a need is indicated.

A.1, A.2, B.1, and B.2 With one or two FWIVs, or one or two FWRVs inoperable, isolate inoperable affected flow path in 72 hours. When the FWIV flow path is isolated, the FWIVs are performing their required safety function and when the FWRV flow path is isolated, the FWRVs are performing their non-safety related function.

The 72 hour Completion Time takes into account the redundancy afforded by the remaining OPERABLE valves, and the low probability of an event that would require isolation of the main feedwater flow paths occurring during this period. If the Feedwater line can be isolated by closing the inoperable FWIV/FWRV valve within 72 hours then its function is being performed. The capability to isolate feedwater flow if a single failure occurs remains unaffected. If the FWIV or FWRV is inoperable and cannot be closed, then the Feedwater line should be isolated by the other FWIV/FWRV valve closed and deactivated, closed manual valve, or blind flange. An inoperable FWIV/FWRV may be utilized to isolate the line only if its leak tightness has not been compromised.

For inoperable FWIVs and FWRVs that cannot be restored to OPERABLE status within the specified Completion Time but are closed or isolated, the flow paths must be verified on a periodic basis to be closed or isolated. This is necessary to ensure that the assumptions in the safety analyses remain valid. The 7 day Completion Time is reasonable based on engineering judgment, in view of valve status indications available in the control room, and other administrative controls, to ensure that these valves are closed or isolated.

C.1 With two inoperable valves in the same flow path there may be no redundant system to operate automatically and perform the required safety function. Under these conditions, one valve in the affected flow path must be restored to OPERABLE status, or the affected flow path isolated within 8 hours. If the Feedwater line can be isolated by closing the inoperable FWIV/FWRV valve within 8 hours then its safety function is being performed. If the FWIV and FWRV valves are inoperable and cannot be closed, then the Feedwater line should be isolated by a closed and deactivated automatic valve, closed manual valve, or blind flange. An inoperable FWIV/FWRV may be utilized to isolate the line only if its leak tightness has not been compromised. This action returns the system to a condition in which at least one valve in the affected flow path is performing the required safety function. The 8 hour Completion Time is a reasonable amount of time to complete the actions required to close the FWIV, or FWRV, which includes performing a controlled unit shutdown without challenging plant systems.

D.1 and D.2 If the FWIVs and FWRVs cannot be restored to OPERABLE status, or closed, or isolated within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 2 within 6 hours, and in MODE 3 and PASSIVELY COOLED within 36 hours. The allowed Completion Times are reasonable to reach the required unit conditions from full power conditions in an orderly manner.

SURVEILLANCE REQUIREMENTS SR 3.7.2.1 This SR [applies to valves with actuators that incorporate pressurized accumulators as a source of stored energy. The SR] verifies adequate pressure in the accumulators required for feedwater isolation valve OPERABILITY. The pressure limits required for OPERABILITY, including consideration of temperature effects on those limits, applicable to the valve accumulators are established and maintained in accordance with the INSERVICE TESTING PROGRAM. The Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.2.2 This SR measures the closure ACTUATION RESPONSE TIME of each FWIV and FWRV on an actual or simulated actuation signal. Isolation ACTUATION RESPONSE TIME is measured from output of the module protection system equipment interface module until the valves are isolated. The ACTUATION RESPONSE TIME is combined with the allocated MPS digital time response and the CHANNEL RESPONSE TIME to determine and verify the TOTAL RESPONSE TIME is less than or equal to the maximum values assumed in the safety analysis.

The FWIV and FWRV isolation times are assumed in the accident and containment analyses. This Surveillance is normally performed upon returning the unit to operation following a refueling outage. These valves are tested when the unit is in a shutdown condition, since even a part stroke exercise increases the risk of a valve closure when the unit is generating power. Because the isolation valves are not tested when the unit is in a shutdown condition, they are exempt from ASME OM Code (Ref. 5) requirements during operation in MODE 1. The Frequency is in accordance with the INSERVICE TESTING PROGRAM.

SR 3.7.2.3 This SR verifies that FWIV and FWRV leakage is within limits. The FWIVs and FWRVs serve as a boundary isolation for the DHRS operation, when the DHR system is actuated.

The Frequency is in accordance with the INSERVICE TESTING PROGRAM.

REFERENCES 1. FSAR, Section 6.2.
2. FSAR, Section 10.4.
3. FSAR, Section 5.4.
4. FSAR, Section 15.6.
5. ASME, OM Code, [2012 edition].

B 3.7 PLANT SYSTEMS

B 3.7.3 In-Containment Secondary Piping Leakage

BASES BACKGROUND A limit on leakage from the secondary piping inside containment is required to limit secondary system operation in the presence of excessive leakage. Leakage is limited to an amount which would not compromise safety consistent with the Leak-Before-Break (LBB) analysis discussed in FSAR Chapter 3 (Ref. 1). This leakage limit ensures appropriate action can be taken before the integrity of the lines is impaired.

LBB is an argument which allows elimination of design for dynamic load effects of postulated pipe breaks. The fundamental premise of LBB is that the materials used in nuclear plant piping are strong enough that even a large through wall crack leaking well in excess of rates detectable by present leak detection systems would remain stable, and would not result in a double-ended guillotine break under maximum loading conditions. The benefit of LBB is the elimination of pipe whip restraints, jet impingement effects, and internal system blowdown loads.

As described in FSAR Section 3.6 (Ref. 1), LBB has been applied to the main steam and feedwater piping inside containment. Hence, the potential safety significance of secondary side leaks inside containment requires detection and monitoring of leakage inside containment. This LCO protects the secondary system lines inside containment against undetected degradation. The consequences of violating this LCO include the possibility of further degradation of the secondary system piping, which may lead to pipe break if a seismic event occurs that could adversely affect safety-related components inside of the containment.

APPLICABLE SAFETY ANALYSES The safety significance of plant leakage inside containment varies depending on its source, rate, and duration. Therefore, detection and monitoring of plant leakage inside containment are necessary. This is accomplished via the instrumentation required by LCO 3.4.7, RCS Leakage Detection Instrumentation, and the Reactor Coolant System (RCS) water inventory balance (SR 3.4.5.1). Subtracting identified leakage into the containment vessel from the total detected leakage inside containment provides qualitative information to the operators regarding possible main steam or feedwater line leakage. This allows the operators to take action should leakage occur which would be detrimental to the safety of the facility if a seismic event occurred.

This specification has been included in Technical Specifications because if a seismic event occurs when the in-containment secondary leakage is greater than the LCO limit, a main steam or feedwater pipe break could occur. This could result in an adverse interaction between the affected in-containment secondary system piping and other safety related equipment located inside the containment.

LCO In-containment secondary piping leakage is defined as leakage inside containment in any portion of the main steam line or feedwater pipe walls.

Up to 1.5 gallons per hour (gph) of leakage is allowable because it is below the leak rate for LBB analyzed cases of a secondary line crack twice as long as a crack leaking at the detectable leak rate under normal operating conditions including the stress imposed by postulated seismic events. Violation of this LCO could result in continued degradation of the main steam line or feedwater piping inside the containment vessel.

APPLICABILITY Because of elevated secondary system temperatures and pressures, the potential for in-containment secondary system piping leakage is greatest in MODES 1, 2, and MODE 3 when not PASSIVELY COOLED.

In MODE 3 when PASSIVELY COOLED, and in MODES 4 and 5 an in-containment secondary system piping leakage limit is not provided. In MODE 3 when PASSIVELY COOLED, the secondary system temperatures and pressures are rapidly reducing, resulting in lower stresses and reduced potential for leakage or adverse effects from a postulated secondary system pipe rupture. In MODES 4 and 5 the secondary system piping is depressurized.

ACTIONS A.1 and A.2 With in-containment secondary system piping leakage in excess of the LCO limit, the unit must be brought to lower secondary system pressure conditions to reduce the severity of the leakage and its potential consequences if a seismic event occurs.

The reactor must be placed in MODE 2 within 6 hours and MODE 3 and PASSIVELY COOLED within 36 hours. This action reduces the in-containment secondary system piping pressure and leakage, and also reduces the factors which tend to degrade the secondary system lines if a seismic event occurs.

The Completion Time of 6 hours to reach MODE 2, and 36 hours to reach MODE 3 and PASSIVELY COOLED without challenging plant systems is reasonable based on the time to reach required unit conditions in an orderly manner. In MODE 3 with PASSIVE COOLING established, the pressure stresses acting on the in-containment secondary system piping are being rapidly and passively reduced. Further deterioration of the in-containment secondary system piping if a seismic event occurs is less likely.

SURVEILLANCE REQUIREMENTS SR 3.7.3.1 A Note to SR 3.7.3.1 states the SR is not required to be performed until 24 hours after establishing steady state operation. The 24 hour allowance provides sufficient time for water to be removed from the containment after it has been flooded and stable unit conditions established so that secondary piping leakage may be monitored. This allowance is reasonable based on the low likelihood of a seismic event occurring during the limited time provided by the note.

Verifying that in-containment secondary piping leakage is within the LCO limit assures the integrity of those lines inside containment is maintained.

An early warning of line leakage is provided by the systems that monitor the containment pressure and containment evacuation system condensate collection. In-containment secondary system piping leakage would appear as unidentified leakage inside containment via these systems. Performance of an RCS water inventory balance (SR 3.4.5.1), radiological analysis of containment evacuation system condensate and gases, and evaluation of the cooling water system inside containment, may determine whether the in-containment secondary piping is the potential source of unidentified leakage inside containment.

The Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 3.6.

B 3.8 REFUELING OPERATIONS

B 3.8.1 Nuclear Instrumentation

BASES BACKGROUND Three refueling neutron flux channels are provided to monitor the core reactivity during refueling operations. These detectors are located external to the reactor vessel below the reactor vessel flange and detect neutrons leaking from the core with the ability to be extended and retracted to facilitate module disassembly and reassembly.

The refueling neutron flux detectors are proportional counters. The detectors monitor the neutron flux in counts per second. The instrument range covers five decades of neutron flux (from 1E0 cps to 1E5 cps) with a 5% instrument accuracy. The refueling neutron flux channels also provide continuous visual indication in the control room and continuous visual and audible indication at the refueling panel located in the reactor building at elevation 100 ft in close proximity to the refueling area.

After the RPV is placed on the RPV refueling stand, a retractable support mechanism positions the refuel neutron monitors in the detector sleeves on the RPV. This ensures the refuel neutron monitors are placed in the same position for each refueling. The refuel neutron monitors are located in the refuel pool bay area and are separate from the normal excore detectors used during operation. These are the only neutron monitors utilized during refueling.

APPLICABLE SAFETY ANALYSES Two OPERABLE refueling neutron flux channels are required to provide a signal to alert the operator to unexpected changes in core reactivity. During initial fuel loading, or when otherwise required, temporary neutron detectors may be used to provide additional reactivity monitoring (Ref. 1).

The audible count rate from the refueling neutron flux channels provides prompt and definite indication of any change in reactivity. The count rate increase is proportional to subcritical multiplication and allows operators to promptly recognize any change in reactivity. Prompt recognition of unintended reactivity changes is consistent with the assumptions of the safety analysis and is necessary to assure sufficient time is available to initiate action before SHUTDOWN MARGIN is lost (Ref. 1). The refueling neutron flux channels satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).


LCO

This LCO requires two of the three refueling neutron flux channels to be OPERABLE to ensure that redundant monitoring capability is available to detect changes in core reactivity during removal of the upper reactor vessel assembly and during fuel movement in the reactor vessel. To be OPERABLE, each channel must provide visual indication in the control room. In addition, at least one of the two required channels must provide an OPERABLE audible count rate function to alert the operators to the initiation of a boron dilution event.

APPLICABILITY

In MODE 5 when the reactor vessel upper assembly is not seated on the reactor vessel flange, the refueling neutron flux channels are required to be OPERABLE to determine possible unexpected changes in core reactivity. There are no other direct means available to monitor the core reactivity conditions. The Applicability allows the retractable refueling neutron flux channels to be installed on the lower reactor vessel assembly following entry into MODE 5 (i.e., after detensioning the first reactor vessel flange bolt) and prior to the reactor vessel upper assembly lift. In MODES 1, 2, and 3 the Module Protection System neutron detectors and associated circuitry are required to be OPERABLE by LCO 3.3.1, "Module Protection System (MPS) Instrumentation." In MODE 4, the module is disconnected from unborated water sources and the module Neutron Monitoring System. No changes to the core reactivity can occur in MODE 4 because a boron dilution event or fuel loading error cannot occur in this condition. Therefore, neutron monitoring is not required in MODE 4.

ACTIONS

A.1 and A.2

Redundancy has been lost if only one refueling neutron flux channel is OPERABLE. In addition, if the required refueling neutron flux audible count rate channel is inoperable, prompt and definite indication of a boron dilution event, consistent with the assumptions of the safety analysis, is lost. Since these instruments are the only direct means of monitoring core reactivity conditions, positive reactivity additions, and introduction of water into the ultimate heat sink (UHS) with boron concentration less than required to meet the minimum boron concentration of LCO 3.5.3, "Ultimate Heat Sink," must be suspended immediately. Suspending positive reactivity additions that could result in failure to meet the minimum boron concentration limit is required to assure continued safe operation.

Introduction of water inventory must be from sources that have a boron concentration greater than that which would be required in the UHS for minimum refueling boron concentration. This may result in an overall reduction in UHS boron concentration, but provides acceptable margin to maintaining subcritical conditions. Performance of Required Action A.1 shall not preclude completion of actions to establish a safe condition.


B.1 and B.2

If no refueling neutron flux channels are OPERABLE, actions to restore a monitor to OPERABLE status shall be initiated immediately. Once initiated, actions shall be continued until a refueling neutron flux channel is restored to OPERABLE status.

If no refueling neutron flux channels are OPERABLE, there is no direct means of detecting changes in core reactivity. However, since positive reactivity additions are discontinued, the core reactivity condition is stabilized and no changes are permitted until the refueling neutron flux channels are restored to OPERABLE status. This stabilized condition is confirmed by performing SR 3.5.3.3 to verify that the required boron concentration exists.

The Completion Time of once per 12 hours ensures that unplanned changes in boron concentration would be identified. The 12 hour Completion Time is reasonable considering the low probability of a change in core reactivity during this time period and the volume of the UHS.

SURVEILLANCE REQUIREMENTS

SR 3.8.1.1

SR 3.8.1.1 is the performance of a CHANNEL CHECK, which is the comparison of the indicated parameter values monitored by each of these instruments. It is based on the assumption that the two required indication channels should be consistent for the existing core conditions. Changes in core geometry due to fuel loading can result in significant differences between the refueling neutron flux monitor channels; however, each channel should be consistent with its local conditions.

The Frequency specified in the Surveillance Frequency Control Program is consistent with the CHANNEL CHECK Frequency specified for similar instruments in LCO 3.3.1, "Module Protection System (MPS) Instrumentation."


SR 3.8.1.2

SR 3.8.1.2 is the performance of a CHANNEL CALIBRATION. This SR is modified by a Note stating that neutron detectors are excluded from the CHANNEL CALIBRATION. The CHANNEL CALIBRATION for the refueling neutron flux channels consists of obtaining the detector plateau or preamp discriminator curves, evaluating those curves, and comparing the curves to the manufacturer's data. The CHANNEL CALIBRATION also includes verification of the audible alarm count rate function of the one required audible channel.

The Frequency specified in the Surveillance Frequency Control Program is consistent with the CHANNEL CALIBRATION Frequency specified for similar instruments in LCO 3.3.1.

REFERENCES 1. FSAR, Chapter 15.


B 3.8 REFUELING OPERATIONS

B 3.8.2 Decay Time

BASES

BACKGROUND

The movement of irradiated fuel assemblies requires allowing at least 48 hours for radioactive decay before initiating handling of irradiated fuel.

During fuel handling, this LCO ensures that sufficient radioactive decay has occurred in the event of a fuel handling accident (Refs. 1 and 2).

Sufficient radioactive decay of short lived fission products would have occurred to limit offsite doses from the accident to within the values reported in FSAR Chapter 15 (Ref. 2).

APPLICABLE SAFETY ANALYSES

The minimum radioactivity decay time is an initial condition assumed in the analysis of a fuel handling accident, as postulated by Regulatory Guide 1.183 (Ref. 1) and described in Reference 3.

It is assumed that all of the fuel rods in one irradiated fuel assembly are damaged to the extent that all the gap activity in the rods is released instantaneously. The damaged fuel assembly is assumed to be the assembly with the highest fission product inventory. The fission product inventories from which the highest is selected are those inventories present 48 hours after the reactor becomes subcritical.

The decay time requirement satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).

LCO

This LCO requires the reactor be subcritical for at least 48 hours prior to commencing movement of irradiated fuel within the reactor pressure vessel. This LCO does not preclude core movement associated with module movement. A minimum radioactive decay time ensures that the radiological consequences of a postulated fuel handling accident are within the values calculated in Reference 2.

APPLICABILITY

This LCO is applicable when moving irradiated fuel assemblies in the reactor pressure vessel. The LCO minimizes the possibility of radioactive release due to a fuel handling accident that is beyond the assumptions of the safety analysis. If irradiated fuel assemblies are not being moved, a postulated fuel handling accident is precluded. Requirements for fuel handling accidents in the spent fuel pool are also covered by LCO 3.5.3, "Ultimate Heat Sink."


ACTIONS

A.1

With the reactor subcritical for less than 48 hours, there shall be no operations involving movement of irradiated fuel assemblies within the reactor pressure vessel. This will preclude a fuel handling accident with fuel containing more fission product radioactivity than assumed in the safety analysis.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. Suspension of irradiated fuel assemblies should be completed as quickly as possible in order to minimize the time during which the unit is outside the initial assumptions of the fuel handling accident.

The suspension of irradiated fuel movement shall not preclude completion of movement to a safe position, nor does it preclude the movement of irradiated fuel assemblies that have not been exposed to a critical core within the previous 48 hours.

SURVEILLANCE REQUIREMENTS

SR 3.8.2.1

Verification that the reactor has been subcritical for at least 48 hours prior to movement of irradiated fuel in the reactor pressure vessel ensures that the design basis for the analysis of the postulated fuel handling accident during refueling operations is met. This SR may be performed by verifying the date and time of subcriticality prior to first irradiated fuel movement within the reactor pressure vessel. Specifying a minimum radioactive decay time limits the consequences of fuel rod damage that is postulated to result from a fuel handling accident (Ref. 2).

REFERENCES 1. Regulatory Guide 1.183, Revision 0, July 2000.

2. FSAR, Chapter 15.
3. TR-0915-17565-P, "Accident Source Term Methodology," Rev. [3].
